[Swan] racoon ipsec with openswan
Ted Toth
txtoth at gmail.com
Thu Dec 11 20:44:08 EET 2014
I'm trying to get racoon (RHEL5) to talk to openswan (RHEL6) but I'm
not having any success.
Racoon
racoon.conf :
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";
sainfo anonymous
{
pfs_group 2;
lifetime time 36 hours ;
encryption_algorithm 3des, aes ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
#base
remote anonymous
{
exchange_mode main;
lifetime time 36 hours ;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
key.conf:
#!/sbin/setkey -f
spdflush;
spdadd 192.168.10.200 192.168.10.10 any -P out ipsec esp/transport//require;
spdadd 192.168.10.10 192.168.10.200 any -P in ipsec esp/transport//require;
psk.txt
192.168.10.10 123456789
Openswan
c200.conf:
conn c200
auto=start
authby=secret
type=transport
left=192.168.10.10
right=192.168.10.200
ikelifetime=24h
salifetime=24h
c200.secrets:
192.168.10.10 192.168.10.200 : PSK "123456789"
ipsec.conf
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=
oe=off
# Enable this if you see "failed to find any available worker"
# nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
Logging from racoon side:
Dec 11 18:16:16 comms racoon: INFO: respond new phase 1 negotiation:
192.168.10.200[500]<=>192.168.10.10[500]
Dec 11 18:16:16 comms racoon: INFO: begin Identity Protection mode.
Dec 11 18:16:16 comms racoon: INFO: received Vendor ID: DPD
Dec 11 18:16:16 comms racoon: INFO: received Vendor ID: RFC 3947
Dec 11 18:16:16 comms racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-03
Dec 11 18:16:16 comms racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02#012
Dec 11 18:16:16 comms racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02
Dec 11 18:16:16 comms racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-00
Dec 11 18:17:06 comms racoon: ERROR: phase1 negotiation failed due to
time up. 7b6f84e2992d11b6:64a1d35251dea3c0
Logging from openswan side:
Dec 11 17:08:38 comms pluto[2054]: packet from 192.168.10.200:500:
phase 1 message is part of an unknown exchange
Dec 11 17:08:48 comms pluto[2054]: packet from 192.168.10.200:500:
phase 1 message is part of an unknown exchange
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: initiating Main Mode
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: received Vendor ID
payload [Dead Peer Detection]
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: STATE_MAIN_I2: sent
MI2, expecting MR2
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: I will NOT send an
initial contact payload
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: Not sending INITIAL_CONTACT
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: STATE_MAIN_I3: sent
MI3, expecting MR3
Dec 11 17:08:59 comms pluto[2054]: packet from 192.168.10.200:500:
phase 1 message is part of an unknown exchange
Dec 11 17:09:01 comms pluto[2054]: "c200" #20: discarding duplicate
packet; already STATE_MAIN_I3
Dec 11 17:09:11 comms pluto[2054]: "c200" #20: discarding duplicate
packet; already STATE_MAIN_I3
Dec 11 17:09:21 comms pluto[2054]: "c200" #20: discarding duplicate
packet; already STATE_MAIN_I3
Dec 11 17:09:31 comms pluto[2054]: "c200" #20: discarding duplicate
packet; already STATE_MAIN_I3
Dec 11 17:10:00 comms pluto[2054]: "c200" #20: max number of
retransmissions (2) reached STATE_MAIN_I3. Possible authentication
failure: no acceptable response to our first encrypted message
Dec 11 17:10:00 comms pluto[2054]: "c200" #20: starting keying attempt
2 of an unlimited number
Dec 11 17:10:00 comms pluto[2054]: "c200" #21: initiating Main Mode to
replace #20
Dec 11 17:10:00 comms pluto[2054]: "c200" #21: received Vendor ID
payload [Dead Peer Detection]
Dec 11 17:10:00 comms pluto[2054]: "c200" #21: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 11 17:10:00 comms pluto[2054]: "c200" #21: STATE_MAIN_I2: sent
MI2, expecting MR2
Dec 11 17:10:00 comms pluto[2054]: "c200" #21: I will NOT send an
initial contact payload
Dec 11 17:10:00 comms pluto[2054]: "c200" #21: Not sending INITIAL_CONTACT
Dec 11 17:10:00 comms pluto[2054]: "c200" #21: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 11 17:10:00 comms pluto[2054]: "c200" #21: STATE_MAIN_I3: sent
MI3, expecting MR3
Dec 11 17:10:10 comms pluto[2054]: "c200" #21: discarding duplicate
packet; already STATE_MAIN_I3
Dec 11 17:10:20 comms pluto[2054]: "c200" #21: discarding duplicate
packet; already STATE_MAIN_I3
It's difficult for me, a mere mortal, to parse the logs and figure out
what the issue is. Any ideas? Has anyone successfully done this? If so, can
you share your config?
Ted
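Added example (editor's code, not from the post, Openswan or racoon): a small Python triage script that parses pluto's per-state lines from the log above and reports where each Main Mode attempt stalled, how many responder retransmits pluto discarded while waiting, and pluto's own stated reason, together with the phase 1 time-outs on the racoon side. The log text embedded in it is constructed from the lines in the post, re-joined onto single lines. The meaning attached to each stall state is the IKEv1 Main Mode message sequence (messages 1-2 SA, 3-4 KE and nonce, 5-6 ID and HASH, the first encrypted ones, keyed from the pre-shared key); the regexes assume pluto's classic `"conn" #n: message` format.

```python
"""Triage pluto (Openswan) and racoon IKEv1 Main Mode logs.

Added example, not code from the original post or from Openswan/racoon.
Sample logs are constructed from the lines in the post.
"""
import re

# What the initiator has already sent when it sits in each Main Mode state.
# Stalling in I3 means message 5, the first encrypted packet, was never answered.
STALL_MEANING = {
    "STATE_MAIN_I1": "sent MI1 (SA proposal), no MR1: peer unreachable, "
                     "not listening on UDP/500, or rejected every proposal",
    "STATE_MAIN_I2": "sent MI2 (KE + nonce), no MR2: DH group mismatch or packet loss",
    "STATE_MAIN_I3": "sent MI3 (ID + HASH, first encrypted message), no MR3: "
                     "responder could not decrypt/verify it; the usual symptom "
                     "of a pre-shared key or ID mismatch",
}

STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)$')
TRANS_RE = re.compile(r"transition from state (?P<frm>\S+) to state (?P<to>\S+)")
PEER_RE = re.compile(r"packet from (?P<peer>[\d.]+):(?P<port>\d+): (?P<msg>.*)$")
RACOON_FAIL_RE = re.compile(
    r"phase1 negotiation failed due to time up\. (?P<cookies>[0-9a-f]+:[0-9a-f]+)")

# Constructed sample: pluto lines from the post, re-joined onto single lines.
PLUTO_LOG = """\
Dec 11 17:08:38 comms pluto[2054]: packet from 192.168.10.200:500: phase 1 message is part of an unknown exchange
Dec 11 17:08:48 comms pluto[2054]: packet from 192.168.10.200:500: phase 1 message is part of an unknown exchange
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: initiating Main Mode
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 11 17:08:59 comms pluto[2054]: packet from 192.168.10.200:500: phase 1 message is part of an unknown exchange
Dec 11 17:09:01 comms pluto[2054]: "c200" #20: discarding duplicate packet; already STATE_MAIN_I3
Dec 11 17:09:11 comms pluto[2054]: "c200" #20: discarding duplicate packet; already STATE_MAIN_I3
Dec 11 17:09:21 comms pluto[2054]: "c200" #20: discarding duplicate packet; already STATE_MAIN_I3
Dec 11 17:09:31 comms pluto[2054]: "c200" #20: discarding duplicate packet; already STATE_MAIN_I3
Dec 11 17:10:00 comms pluto[2054]: "c200" #20: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Dec 11 17:10:00 comms pluto[2054]: "c200" #20: starting keying attempt 2 of an unlimited number
Dec 11 17:10:00 comms pluto[2054]: "c200" #21: initiating Main Mode to replace #20
Dec 11 17:10:00 comms pluto[2054]: "c200" #21: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 11 17:10:00 comms pluto[2054]: "c200" #21: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 11 17:10:10 comms pluto[2054]: "c200" #21: discarding duplicate packet; already STATE_MAIN_I3
Dec 11 17:10:20 comms pluto[2054]: "c200" #21: discarding duplicate packet; already STATE_MAIN_I3
"""

# Constructed sample: the racoon side of the same exchange.
RACOON_LOG = """\
Dec 11 18:16:16 comms racoon: INFO: respond new phase 1 negotiation: 192.168.10.200[500]<=>192.168.10.10[500]
Dec 11 18:16:16 comms racoon: INFO: begin Identity Protection mode.
Dec 11 18:17:06 comms racoon: ERROR: phase1 negotiation failed due to time up. 7b6f84e2992d11b6:64a1d35251dea3c0
"""


def parse_pluto(log_text):
    """Return (states, unsolicited): a summary per pluto state number, and
    packets pluto could not attach to any state."""
    states, unsolicited = {}, []
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            num = int(m.group("num"))
            st = states.setdefault(num, {"conn": m.group("conn"), "last_state": None,
                                         "duplicates": 0, "exhausted": False,
                                         "reason": None, "replaces": None})
            msg = m.group("msg")
            t = TRANS_RE.match(msg)
            if t:
                st["last_state"] = t.group("to")
            elif msg.startswith("initiating Main Mode"):
                st["last_state"] = "STATE_MAIN_I1"
                r = re.search(r"replace #(\d+)", msg)
                if r:
                    st["replaces"] = int(r.group(1))
            elif "discarding duplicate packet" in msg:
                # The responder keeps retransmitting its last message (MR2)
                # because it never accepted our MI3; pluto drops the repeats.
                st["duplicates"] += 1
            elif "max number of retransmissions" in msg:
                st["exhausted"] = True
                st["reason"] = msg.split(". ", 1)[-1]
            continue
        m = PEER_RE.search(line)
        if m:
            unsolicited.append((m.group("peer"), m.group("msg")))
    return states, unsolicited


def diagnose(log_text):
    """One finding per state that ran out of retransmissions."""
    states, _ = parse_pluto(log_text)
    return [{"state_num": num, "conn": st["conn"], "stalled_in": st["last_state"],
             "duplicates_seen": st["duplicates"], "pluto_reason": st["reason"],
             "meaning": STALL_MEANING.get(st["last_state"], "unknown state")}
            for num, st in states.items() if st["exhausted"]]


def racoon_phase1_timeouts(log_text):
    """Cookie pairs of phase 1 negotiations racoon gave up on (responder view)."""
    return [m.group("cookies") for m in RACOON_FAIL_RE.finditer(log_text)]


if __name__ == "__main__":
    for f in diagnose(PLUTO_LOG):
        print("#%(state_num)d %(conn)s stalled in %(stalled_in)s after "
              "%(duplicates_seen)d discarded retransmits: %(meaning)s" % f)
    print("racoon timed-out phase 1 cookies:", racoon_phase1_timeouts(RACOON_LOG))
```

On this log it reports that #20 stalled in STATE_MAIN_I3 after four discarded duplicates, carrying pluto's own "Possible authentication failure" reason, that #21 is its replacement and had not yet timed out when the log was cut, and that the three "unknown exchange" packets from 192.168.10.200 arrived outside any pluto state; the racoon cookie pair 7b6f84e2992d11b6:64a1d35251dea3c0 is the responder's record of the same stalled negotiation. Feed it a live journal with `diagnose(open("/var/log/secure").read())` and look at `stalled_in` first: anything that dies at I3 is worth comparing the two sides' PSK and ID settings before touching proposals.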