OpenWrt Forum Archive

Topic: [SOLVED] Openswan tunnel probs. Need help plz.

The content of this topic has been archived on 9 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I have been trying to get openswan running for a couple of days now, without success, and I'm out of ideas. I'm desperately seeking help.

What i have so far:
Installed packages: gmp, mawk, openswan, openswan-module and ipsecgre. Rebuilt busybox to meet openswan requirements (tr, hostname...). Patched kernel with updates including the natt patch. I have this ipsec config:

# /etc/ipsec.conf - Openswan IPsec configuration file

version 2.0

# Basic configuration

config setup
        interfaces="ipsec0=ppp0 ipsec1=br0"
        nat_traversal=yes
        uniqueids=no
        klipsdebug=none
        plutodebug=none

# Add connections here

conn wireless
        left=192.168.3.1
        leftsubnet=192.168.2.0/24
        right=%any
        authby=secret
        pfs=yes
        auto=add

conn roadwarrior
        left=80.126.97.26
        leftsubnet=192.168.2.0/24
        right=%any
        authby=secret
        pfs=yes
        auto=add

#Disable Opportunistic Encryption

include /etc/ipsec.d/examples/no_oe.conf

Looking through the syslog, everything seems to be in order (except for the empty directory message):

Jan  1 00:00:30 (none) kern.warn pluto[664]: Starting Pluto (Openswan Version 2.2.0dr2 X.509-1.4.8 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEyjIiTARI177A)
Jan  1 00:00:31 (none) kern.warn pluto[664]:   including NAT-Traversal patch (Version 0.6c)
Jan  1 00:00:32 (none) kern.warn pluto[664]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan  1 00:00:33 (none) kern.warn pluto[664]: Changing to directory '/etc/ipsec.d/cacerts'
Jan  1 00:00:33 (none) kern.warn pluto[664]: Changing to directory '/etc/ipsec.d/aacerts'
Jan  1 00:00:33 (none) kern.warn pluto[664]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jan  1 00:00:33 (none) kern.warn pluto[664]: Changing to directory '/etc/ipsec.d/crls'
Jan  1 00:00:33 (none) kern.warn pluto[664]:   Warning: empty directory
Jan  1 00:00:35 (none) kern.warn pluto[664]: listening for IKE messages
Jan  1 00:00:35 (none) kern.warn pluto[664]: adding interface ipsec0/ppp0 80.xx.xx.xx
Jan  1 00:00:35 (none) kern.warn pluto[664]: adding interface ipsec0/ppp0 80.xx.xx.xx:4500
Jan  1 00:00:35 (none) kern.warn pluto[664]: adding interface ipsec1/br0 192.168.3.1
Jan  1 00:00:35 (none) kern.warn pluto[664]: adding interface ipsec1/br0 192.168.3.1:4500
Jan  1 00:00:35 (none) kern.warn pluto[664]: loading secrets from "/etc/ipsec.secrets"

Now I try to make an IPsec tunnel from my wireless Windows XP host to the WRT box. As far as my knowledge of Windows goes, I think I set up everything correctly. The syslog comes with the following error:

Jan  1 00:00:54 (none) kern.warn pluto[664]: packet from 192.168.3.198:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan  1 00:00:54 (none) kern.warn pluto[664]: packet from 192.168.3.198:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan  1 00:00:54 (none) kern.warn pluto[664]: packet from 192.168.3.198:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan  1 00:00:54 (none) kern.warn pluto[664]: packet from 192.168.3.198:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Jan  1 00:00:54 (none) kern.warn pluto[664]: packet from 192.168.3.198:500: initial Main Mode message received on 192.168.3.1:500 but no connection has been authorized

Searching the web for the above error, I got results which all point to an error in ipsec.conf. But I don't know where to look now... Could someone give me a clue?

Thanks, y'all

Hi,

I have been trying to get openswan running for a couple of days now, without success, and I'm out of ideas. I'm desperately seeking help.

What i have so far:
Installed packages: gmp, mawk, openswan, openswan-module and ipsecgre. Rebuilt busybox to meet openswan requirements (tr, hostname...). Patched kernel with updates including the natt patch. I have this ipsec config:

The ipsecgre package is not something you need unless you plan on automating some advanced VPN setups. See
http://www.linuxops.net/ipsec/doc/vlan-doc/index.html

Now I try to make an IPsec tunnel from my wireless Windows XP host to the WRT box. As far as my knowledge of Windows goes, I think I set up everything correctly. The syslog comes with the following error:

IPsec'ing from Windows can be painful.

Jan  1 00:00:54 (none) kern.warn pluto[664]: packet from 192.168.3.198:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan  1 00:00:54 (none) kern.warn pluto[664]: packet from 192.168.3.198:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan  1 00:00:54 (none) kern.warn pluto[664]: packet from 192.168.3.198:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan  1 00:00:54 (none) kern.warn pluto[664]: packet from 192.168.3.198:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Jan  1 00:00:54 (none) kern.warn pluto[664]: packet from 192.168.3.198:500: initial Main Mode message received on 192.168.3.1:500 but no connection has been authorized

Searching the web for the above error, I got results which all point to an error in ipsec.conf. But I don't know where to look now... Could someone give me a clue?

By the looks of it, what Windows XP is sending can't be matched with any of the connections defined in ipsec.conf. Your best bet is to have a look in Windows' log file (check MS's knowledge base on how to have it produce an oakley.log file) to see if you can get more information out of that. Otherwise set the debug levels of openswan higher, though that might produce a lot of output.

This is more a question for the openswan support channels than OpenWrt's, by the way. As far as I can tell, the OpenWrt part is working as it should.

        left=192.168.3.1
        leftsubnet=192.168.2.0/24

Doesn't seem to match what is on your XP; I saw 192.168.3.198 in the log.

After reading lots and lots of docs and READMEs, I came upon this README file:

http://www.openswan.org/docs/local/README.NAT-Traversal

I followed the instructions and added "rightsubnet=vhost:%v4:192.168.3.0/24". Restarted openswan and voilà, all is working :D

In case someone is interested: I will try to make a HOWTO on using the WRT54G as an IPsec endpoint with wireless Windows XP road warriors.

Note to Polarwolf: I did need the ipsecgre package (custom updown scripts), otherwise openswan just wouldn't start...
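The two halves of this thread (the "no connection has been authorized" line in the first post, and the rightsubnet=vhost:... line that fixed it) lend themselves to a small triage script. The one below is an added example, not Openswan code or anything the poster ran: it pulls the peer and local addresses out of pluto's rejection line, reads the conns from an ipsec.conf, and reports which conns are bound to the local address the IKE packet arrived on and whether any of them has a rightsubnet that covers the peer. The log excerpt and the two configs are constructed inline from what the thread shows; the rightsubnet check is a heuristic for this particular misconfiguration, not a re-implementation of pluto's connection matching.

```python
"""Added triage helper (not Openswan code) for pluto's
"initial Main Mode message received on X but no connection has been authorized".
Heuristic only: it does NOT reproduce pluto's real connection-matching rules."""
import ipaddress
import re

# Constructed log excerpt, modelled on the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Jan  1 00:00:54 (none) kern.warn pluto[664]: packet from 192.168.3.198:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan  1 00:00:54 (none) kern.warn pluto[664]: packet from 192.168.3.198:500: initial Main Mode message received on 192.168.3.1:500 but no connection has been authorized
"""

# The poster's two conns; {rs} is empty (first post) or the rightsubnet line that fixed it.
CONF_TEMPLATE = """\
conn wireless
        left=192.168.3.1
        leftsubnet=192.168.2.0/24
        right=%any
{rs}        authby=secret
        auto=add

conn roadwarrior
        left=80.126.97.26
        leftsubnet=192.168.2.0/24
        right=%any
        authby=secret
        auto=add
"""
CONF_BEFORE = CONF_TEMPLATE.format(rs="")
CONF_AFTER = CONF_TEMPLATE.format(rs="        rightsubnet=vhost:%v4:192.168.3.0/24\n")

REJECT_RE = re.compile(
    r"packet from (?P<peer>[\d.]+):\d+: initial (?:Main|Aggressive) Mode message "
    r"received on (?P<local>[\d.]+):\d+ but no connection has been authorized")

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_rejections(log_text):
    """Return (peer_ip, local_ip) for every rejected IKE initiation in the log."""
    return [(m["peer"], m["local"]) for m in map(REJECT_RE.search, log_text.splitlines()) if m]


def parse_ipsec_conf(conf_text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}} for 'conn' sections only."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header or top-level directive
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) == 2 else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def subnet_covers(rightsubnet, peer_ip):
    """Heuristic: does a rightsubnet value admit peer_ip?  Understands a bare CIDR,
    vhost:/vnet: alternative lists, %v4:/%v6: prefixes, %priv (RFC 1918) and %no."""
    peer = ipaddress.ip_address(peer_ip)
    spec = rightsubnet.split(":", 1)[1] if rightsubnet.startswith(("vhost:", "vnet:")) else rightsubnet
    for alt in (a.strip() for a in spec.split(",")):
        if alt == "%no":
            continue
        if alt == "%priv":
            if any(peer in n for n in PRIVATE_NETS):
                return True
            continue
        if alt.startswith(("%v4:", "%v6:")):
            alt = alt[4:]
        try:
            if peer in ipaddress.ip_network(alt, strict=False):
                return True
        except ValueError:                        # not a CIDR; ignore this alternative
            continue
    return False


def diagnose(log_text, conf_text):
    """For each rejection: conns whose left= equals the local address that was hit,
    and which of those carry a rightsubnet covering the peer (none -> this thread's problem)."""
    conns = parse_ipsec_conf(conf_text)
    report = []
    for peer, local in parse_rejections(log_text):
        candidates = sorted(n for n, c in conns.items() if c.get("left") == local)
        covering = sorted(n for n in candidates
                          if "rightsubnet" in conns[n] and subnet_covers(conns[n]["rightsubnet"], peer))
        report.append({"peer": peer, "local": local, "candidates": candidates, "covering": covering})
    return report


if __name__ == "__main__":
    for label, conf in (("before fix", CONF_BEFORE), ("after fix", CONF_AFTER)):
        for r in diagnose(SAMPLE_LOG, conf):
            print(f"{label}: peer {r['peer']} on {r['local']}: "
                  f"candidates={r['candidates']} covering={r['covering']}")
```

Run as-is it reports the first-post config with candidates=['wireless'] but covering=[] for peer 192.168.3.198, and the fixed config with covering=['wireless']. Against a real box, feed it the contents of the syslog and /etc/ipsec.conf instead of the constructed strings; a rejection with an empty candidate list means no conn has left= set to the interface address pluto logged, which is a different problem from the missing rightsubnet.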

Did you have to recompile the OpenWrt kernel with the nat-t patch (180-openswan-natt.patch posted in another thread)? I also had to put

config setup
    nat_traversal=yes

in the ipsec.conf.

The HOWTO would be great, especially since the Windows IPsec setup is not very straightforward (so many GUI windows, I'm getting lost :))

Did you have to recompile the OpenWrt kernel with the nat-t patch?

Yes.  8)

The discussion might have continued from here.