[Swan] leftsourceip functionality with libreswan-3.0
Oguz Yilmaz
oguzyilmazlist at gmail.com
Wed Jan 2 10:35:07 EET 2013
I think this is the first support mail concerning libreswan-3.0. :) Good luck.
I have a previous leftsourceip definition. This makes the VPN gateway
itself able to reach the remote end without having to define a
source IP explicitly. With the previous openswan-2.6.38 and the leftsourceip parameter I
could "ping someremoteclient". However, with libreswan-3.0 it requires
"ping -I 10.14.1.5 someremoteclient" to ping. The config is exactly the same.
I think the leftsourceip param is not working.
Config is:
version 2.0
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
nat_traversal=no
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.19.32.0/24
protostack=netkey
conn %default
auto=add
conn myvpn
authby=secret
auth=esp
esp=3des-md5-96
left=LEFT_EXT_IP
leftsubnet=10.46.0.0/16
leftsourceip=10.46.1.5
right=RIGHT_EXT_IP
rightid=10.6.202.3
rightsubnets={10.6.0.0/16,192.168.2.0/24}
leftnexthop=LEFT_EXT_GW
disablearrivalcheck=no
auto=start
keylife=86400s
pfs=yes
keyexchange=ike
ikelifetime=86400s
ike=3des-md5-modp1024
dpdaction=restart
dpddelay=30
dpdtimeout=120
"ping 10.6.1.1" does not work.
"ping -I 10.46.1.5 10.6.1.1" works.
With openswan-2.6.38, both were working.
Kernel: 3.5.3
Libreswan: 3.0
OS: Centos 5
Stack: Netkey
Jan 2 10:18:23 2013 ipsec__plutorun: Starting Pluto subsystem...
Jan 2 10:18:23 2013 pluto[18211]: nss directory plutomain: /etc/ipsec.d
Jan 2 10:18:23 2013 pluto[18211]: NSS Initialized
Jan 2 10:18:23 2013 pluto[18211]: FIPS integrity support [disabled]
Jan 2 10:18:23 2013 pluto[18211]: libcap-ng support [enabled]
Jan 2 10:18:23 2013 pluto[18211]: Linux audit support [disabled]
Jan 2 10:18:23 2013 pluto[18211]: Starting Pluto (Libreswan Version 3.0; Vendor ID OENiHcUfspQs) pid:18211
Jan 2 10:18:23 2013 pluto[18211]: Not able to open /proc/sys/crypto/fips_enabled, returning non-fips mode
Jan 2 10:18:23 2013 pluto[18211]: Pluto is NOT running in FIPS mode
Jan 2 10:18:23 2013 pluto[18211]: core dump dir: /var/run/pluto
Jan 2 10:18:23 2013 pluto[18211]: secrets file: /etc/ipsec.secrets
Jan 2 10:18:23 2013 pluto[18211]: LEAK_DETECTIVE support [disabled]
Jan 2 10:18:23 2013 pluto[18211]: OCF support for IKE [disabled]
Jan 2 10:18:23 2013 pluto[18211]: SAref support [disabled]: Protocol not available
Jan 2 10:18:23 2013 pluto[18211]: SAbind support [disabled]: Protocol not available
Jan 2 10:18:23 2013 pluto[18211]: NSS crypto [enabled]
Jan 2 10:18:23 2013 pluto[18211]: XAUTH PAM support [enabled]
Jan 2 10:18:23 2013 pluto[18211]: HAVE_STATSD notification support [disabled]
Jan 2 10:18:23 2013 pluto[18211]: Setting NAT-Traversal port-4500 floating to off
Jan 2 10:18:23 2013 pluto[18211]: port floating activation criteria nat_t=0/port_float=1
Jan 2 10:18:23 2013 pluto[18211]: NAT-Traversal support [disabled]
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jan 2 10:18:23 2013 pluto[18211]: no helpers will be started, all cryptographic operations will be done inline
Jan 2 10:18:23 2013 pluto[18211]: Using Linux XFRM/NETKEY IPsec interface code on 3.5.3
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan 2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jan 2 10:18:23 2013 pluto[18211]: loaded CA cert file 'cacert.pem' (1143 bytes)
Jan 2 10:18:23 2013 pluto[18211]: Could not change to directory '/etc/ipsec.d/aacerts': No such file or directory
Jan 2 10:18:23 2013 pluto[18211]: Could not change to directory '/etc/ipsec.d/crls': 2 No such file or directory
Jan 2 10:18:23 2013 pluto[18211]: listening for IKE messages
Jan 2 10:18:23 2013 pluto[18211]: adding interface eth9.102/eth9.102 LEFT_EXT_IP:500
Jan 2 10:18:23 2013 pluto[18211]: adding interface eth1/eth1 10.46.1.5:500
Jan 2 10:18:23 2013 pluto[18211]: adding interface eth0/eth0 169.254.1.1:500
Jan 2 10:18:23 2013 pluto[18211]: adding interface lo/lo 127.0.0.1:500
Jan 2 10:18:23 2013 pluto[18211]: adding interface lo/lo ::1:500
Jan 2 10:18:23 2013 pluto[18211]: loading secrets from "/etc/ipsec.secrets"
Jan 2 10:18:23 2013 pluto[18211]: no secrets filename matched "/etc/ipsec.*.secrets"
Jan 2 10:18:24 2013 pluto[18211]: added connection description "myvpn/0x1"
Jan 2 10:18:24 2013 pluto[18211]: added connection description "myvpn/0x2"
Jan 2 10:18:27 2013 pluto[18211]: "myvpn/0x2": terminating SAs using this connection
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: initiating Main Mode
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: received Vendor ID payload [Cisco-Unity]
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: received Vendor ID payload [Dead Peer Detection]
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: ignoring unknown Vendor ID payload [0945ede6cbf922e41e391f9f0eefa0a6]
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: received Vendor ID payload [XAUTH]
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: Main mode peer ID is ID_IPV4_ADDR: '10.6.202.3'
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: Dead Peer Detection (RFC 3706): enabled
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:827c3b24 proposal=3DES(3)_192-MD5(1)_096 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=827c3b24
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #2: route-client output: /usr/libexec/ipsec/_updown.netkey: doroute `ip route replace 192.168.2.0/24 via 10.46.1.5 dev lo src 10.46.1.5' failed (RTNETLINK answers: No such process)
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #2: Dead Peer Detection (RFC 3706): enabled
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xe63085eb <0x34323d6b xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
--
Oguz YILMAZ
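Added example, not part of the message above and not libreswan's own code: a small POSIX shell check for the symptom described in the post. leftsourceip only works if the kernel route towards the remote subnet carries a matching "src" address, which is exactly what the failed "ip route replace ... src 10.46.1.5" in the log was supposed to install. The script parses the output of "ip route get <remote>" for its src field, compares it with the configured leftsourceip, and rebuilds the route command in the format seen in the log. The sample "ip route get" lines are constructed; the addresses and interface names are those from the post, and the live check only runs if the "ip" tool is present.

```shell
#!/bin/sh
# Added example (not from the original post or from libreswan).
# Verifies whether locally originated traffic to a remote VPN subnet will
# actually use the configured leftsourceip, by inspecting the "src" field
# of the kernel's route decision.

# Extract the "src" address from one line of `ip route get` output,
# e.g. "10.6.1.1 via LEFT_EXT_GW dev eth9.102 src 10.46.1.5" -> "10.46.1.5".
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([^ ]*\).*/\1/p'
}

# Return 0 when the src field equals the expected leftsourceip, 1 otherwise.
# $1: expected source address, $2: one line of `ip route get` output.
leftsourceip_in_effect() {
    [ "$(route_src "$2")" = "$1" ]
}

# Rebuild the route command in the format the post's log shows the netkey
# updown script running. $1 subnet, $2 nexthop, $3 interface, $4 sourceip
# (may be empty, in which case no "src" is appended).
route_cmd() {
    if [ -n "$4" ]; then
        printf 'ip route replace %s via %s dev %s src %s\n' "$1" "$2" "$3" "$4"
    else
        printf 'ip route replace %s via %s dev %s\n' "$1" "$2" "$3"
    fi
}

# Live check against the running kernel (only meaningful on the gateway).
# $1: expected leftsourceip, $2: a host in the remote subnet.
check_live() {
    command -v ip >/dev/null 2>&1 || { echo "ip tool not available"; return 2; }
    leftsourceip_in_effect "$1" "$(ip route get "$2" 2>/dev/null | head -n 1)"
}

# Constructed sample outputs mirroring the two cases in the post:
# GOOD is what a working leftsourceip route looks like; BAD is a route that
# falls back to the external address, which is why a plain "ping" fails
# while "ping -I 10.46.1.5" still works.
GOOD="10.6.1.1 via LEFT_EXT_GW dev eth9.102 src 10.46.1.5"
BAD="10.6.1.1 via LEFT_EXT_GW dev eth9.102 src LEFT_EXT_IP"

if leftsourceip_in_effect 10.46.1.5 "$GOOD"; then
    echo "sample 1: leftsourceip in effect"
fi
if ! leftsourceip_in_effect 10.46.1.5 "$BAD"; then
    echo "sample 2: route does not use leftsourceip, plain ping would use $(route_src "$BAD")"
fi
echo "command from the log: $(route_cmd 192.168.2.0/24 10.46.1.5 lo 10.46.1.5)"
```

On the gateway itself, "check_live 10.46.1.5 10.6.1.1" gives a direct answer to "does ping work without -I": if the src field is the external address rather than 10.46.1.5, the route from the updown script did not make it into the kernel, which matches the "No such process" failure in the log.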