[Swan] leftsourceip functionality with libreswan-3.0

Oguz Yilmaz oguzyilmazlist at gmail.com
Fri Jan 4 00:16:00 EET 2013


leftsourceip= problem continues.



--
Oguz YILMAZ


On Wed, Jan 2, 2013 at 10:35 AM, Oguz Yilmaz <oguzyilmazlist at gmail.com> wrote:
> I think this is the first support mail concerning libreswan-3.0. :) Good luck.
>
> I have a previous leftsourceip definition. This makes the VPN gateway
> itself able to reach the remote end without forcibly defining a
> source IP. With the previous openswan-2.6.38 and the leftsourceip parameter I
> can "ping someremoteclient". However, with libreswan-3.0 it requires
> "ping -I 10.14.1.5 someremoteclient" to ping. The config is exactly the same.
> I thought the leftsourceip param was not working.
>
>
> Config is:
>
> version 2.0
>
> config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>         nat_traversal=no
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.19.32.0/24
>         protostack=netkey
>
>
> conn %default
>         auto=add
>
> conn myvpn
>         authby=secret
>         auth=esp
>         esp=3des-md5-96
>         left=LEFT_EXT_IP
>         leftsubnet=10.46.0.0/16
>         leftsourceip=10.46.1.5
>         right=RIGHT_EXT_IP
>         rightid=10.6.202.3
>         rightsubnets={10.6.0.0/16,192.168.2.0/24}
>         leftnexthop=LEFT_EXT_GW
>         disablearrivalcheck=no
>         auto=start
>         keylife=86400s
>         pfs=yes
>         keyexchange=ike
>         ikelifetime=86400s
>         ike=3des-md5-modp1024
>         dpdaction=restart
>         dpddelay=30
>         dpdtimeout=120
>
>
>
> "ping 10.6.1.1" does not work
> "ping -I 10.46.1.5 10.6.1.1" works
>
> With openswan-2.6.38, both were working.
>
> Kernel: 3.5.3
> Libreswan: 3.0
> OS: Centos 5
> Stack: Netkey
>
>
>
> Jan  2 10:18:23 2013 ipsec__plutorun: Starting Pluto subsystem...
> Jan  2 10:18:23 2013 pluto[18211]: nss directory plutomain: /etc/ipsec.d
> Jan  2 10:18:23 2013 pluto[18211]: NSS Initialized
> Jan  2 10:18:23 2013 pluto[18211]: FIPS integrity support [disabled]
> Jan  2 10:18:23 2013 pluto[18211]: libcap-ng support [enabled]
> Jan  2 10:18:23 2013 pluto[18211]: Linux audit support [disabled]
> Jan  2 10:18:23 2013 pluto[18211]: Starting Pluto (Libreswan Version
> 3.0; Vendor ID OENiHcUfspQs) pid:18211
> Jan  2 10:18:23 2013 pluto[18211]: Not able to open
> /proc/sys/crypto/fips_enabled, returning non-fips mode
> Jan  2 10:18:23 2013 pluto[18211]: Pluto is NOT running in FIPS mode
> Jan  2 10:18:23 2013 pluto[18211]: core dump dir: /var/run/pluto
> Jan  2 10:18:23 2013 pluto[18211]: secrets file: /etc/ipsec.secrets
> Jan  2 10:18:23 2013 pluto[18211]: LEAK_DETECTIVE support [disabled]
> Jan  2 10:18:23 2013 pluto[18211]: OCF support for IKE [disabled]
> Jan  2 10:18:23 2013 pluto[18211]: SAref support [disabled]: Protocol
> not available
> Jan  2 10:18:23 2013 pluto[18211]: SAbind support [disabled]: Protocol
> not available
> Jan  2 10:18:23 2013 pluto[18211]: NSS crypto [enabled]
> Jan  2 10:18:23 2013 pluto[18211]: XAUTH PAM support [enabled]
> Jan  2 10:18:23 2013 pluto[18211]: HAVE_STATSD notification support [disabled]
> Jan  2 10:18:23 2013 pluto[18211]: Setting NAT-Traversal port-4500
> floating to off
> Jan  2 10:18:23 2013 pluto[18211]:    port floating activation
> criteria nat_t=0/port_float=1
> Jan  2 10:18:23 2013 pluto[18211]:    NAT-Traversal support  [disabled]
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_512: Ok (ret=0)
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_384: Ok (ret=0)
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_256: Ok (ret=0)
> Jan  2 10:18:23 2013 pluto[18211]: no helpers will be started, all
> cryptographic operations will be done inline
> Jan  2 10:18:23 2013 pluto[18211]: Using Linux XFRM/NETKEY IPsec
> interface code on 3.5.3
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating
> aes_ccm_8: Ok (ret=0)
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_add(): ERROR: algo_type
> '0', algo_id '0', Algorithm type already exists
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating
> aes_ccm_12: FAILED (ret=-17)
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_add(): ERROR: algo_type
> '0', algo_id '0', Algorithm type already exists
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating
> aes_ccm_16: FAILED (ret=-17)
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_add(): ERROR: algo_type
> '0', algo_id '0', Algorithm type already exists
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating
> aes_gcm_8: FAILED (ret=-17)
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_add(): ERROR: algo_type
> '0', algo_id '0', Algorithm type already exists
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating
> aes_gcm_12: FAILED (ret=-17)
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_add(): ERROR: algo_type
> '0', algo_id '0', Algorithm type already exists
> Jan  2 10:18:23 2013 pluto[18211]: ike_alg_register_enc(): Activating
> aes_gcm_16: FAILED (ret=-17)
> Jan  2 10:18:23 2013 pluto[18211]:   loaded CA cert file
> 'cacert.pem' (1143 bytes)
> Jan  2 10:18:23 2013 pluto[18211]: Could not change to directory
> '/etc/ipsec.d/aacerts': No such file or directory
> Jan  2 10:18:23 2013 pluto[18211]: Could not change to directory
> '/etc/ipsec.d/crls': 2 No such file or directory
> Jan  2 10:18:23 2013 pluto[18211]: listening for IKE messages
> Jan  2 10:18:23 2013 pluto[18211]: adding interface eth9.102/eth9.102
> LEFT_EXT_IP:500
> Jan  2 10:18:23 2013 pluto[18211]: adding interface eth1/eth1 10.46.1.5:500
> Jan  2 10:18:23 2013 pluto[18211]: adding interface eth0/eth0 169.254.1.1:500
> Jan  2 10:18:23 2013 pluto[18211]: adding interface lo/lo 127.0.0.1:500
> Jan  2 10:18:23 2013 pluto[18211]: adding interface lo/lo ::1:500
> Jan  2 10:18:23 2013 pluto[18211]: loading secrets from "/etc/ipsec.secrets"
> Jan  2 10:18:23 2013 pluto[18211]: no secrets filename matched
> "/etc/ipsec.*.secrets"
> Jan  2 10:18:24 2013 pluto[18211]: added connection description "myvpn/0x1"
> Jan  2 10:18:24 2013 pluto[18211]: added connection description "myvpn/0x2"
> Jan  2 10:18:27 2013 pluto[18211]: "myvpn/0x2": terminating SAs
> using this connection
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: initiating Main Mode
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: transition from
> state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: STATE_MAIN_I2:
> sent MI2, expecting MR2
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: received Vendor
> ID payload [Cisco-Unity]
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: received Vendor
> ID payload [Dead Peer Detection]
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: ignoring unknown
> Vendor ID payload [0945ede6cbf922e41e391f9f0eefa0a6]
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: received Vendor
> ID payload [XAUTH]
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: transition from
> state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: STATE_MAIN_I3:
> sent MI3, expecting MR3
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: Main mode peer ID
> is ID_IPV4_ADDR: '10.6.202.3'
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: transition from
> state STATE_MAIN_I3 to state STATE_MAIN_I4
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: STATE_MAIN_I4:
> ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #1: Dead Peer
> Detection (RFC 3706): enabled
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #2: initiating Quick
> Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
> msgid:827c3b24 proposal=3DES(3)_192-MD5(1)_096
> pfsgroup=OAKLEY_GROUP_MODP1024}
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #2: ignoring
> informational payload, type IPSEC_RESPONDER_LIFETIME msgid=827c3b24
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #2: route-client
> output: /usr/libexec/ipsec/_updown.netkey: doroute `ip route replace
> 192.168.2.0/24 via 10.46.1.5 dev lo  src 10.46.1.5' failed (RTNETLINK
> answers: No such process)
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #2: Dead Peer
> Detection (RFC 3706): enabled
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #2: transition from
> state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jan  2 10:18:28 2013 pluto[18211]: "myvpn/0x2" #2: STATE_QUICK_I2:
> sent QI2, IPsec SA established tunnel mode {ESP=>0xe63085eb
> <0x34323d6b xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
>
>
>
> --
> Oguz YILMAZ
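A small added check for the symptom described in this thread (example code written for this page, not libreswan's own; the `ip route get` lines used in the test are constructed): it reads the kernel's preferred source address for a remote tunnel host and compares it with the configured leftsourceip. If the kernel picks a different address, the gateway's own packets fall outside the 10.46.0.0/16 selector of the tunnel and are not sent through it, which is why a bare `ping 10.6.1.1` fails while `ping -I 10.46.1.5` works.

```shell
#!/bin/sh
# Added diagnostic, not part of libreswan or of the original mail: asks the
# kernel which source address it would use for a remote tunnel host and
# compares it with the configured leftsourceip. A bare "ping 10.6.1.1" only
# goes through the tunnel when that preferred source is the leftsourceip.
# Addresses are the ones from the thread; sample route lines are constructed.

# Print the "src" field of one line of `ip route get` output (empty if none).
route_src() {
    # $1: e.g. "10.6.1.1 via 10.46.1.5 dev eth1 src 10.46.1.5 uid 0"
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Succeed (0) when the route line's src equals the expected leftsourceip,
# fail (1) when it differs or the line carries no src at all.
sourceip_ok() {
    # $1: route line, $2: expected leftsourceip
    [ -n "$2" ] && [ "$(route_src "$1")" = "$2" ]
}

# Live check against the running kernel. Usage: check_live 10.6.1.1 10.46.1.5
# Exit 0 = matches, 1 = mismatch (the symptom in this thread), 2 = no ip(8).
check_live() {
    command -v ip >/dev/null 2>&1 || return 2
    line=$(ip route get "$1" 2>/dev/null | head -n 1)
    if sourceip_ok "$line" "$2"; then
        echo "OK: traffic to $1 leaves with src $2"
    else
        echo "MISMATCH: '$line' (expected src $2)"
        echo "check pluto's log for a failed _updown.netkey doroute line"
        return 1
    fi
}
```

Run `check_live 10.6.1.1 10.46.1.5` on the gateway after `ipsec auto --up myvpn`; a mismatch here lines up with the failed `doroute` line in the log above.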

