[Swan] racoon ipsec with openswan

Paul Wouters paul at nohats.ca
Sun Dec 14 05:37:22 EET 2014


On Thu, 11 Dec 2014, Ted Toth wrote:

> sainfo anonymous
> {
>    pfs_group 2;
>    lifetime time 36 hours ;
>    encryption_algorithm 3des, aes ;
>    authentication_algorithm hmac_sha1 ;
>    compression_algorithm deflate ;
> }

ok, 3des-sha1

> #base
> remote anonymous
> {
>    exchange_mode main;
>    lifetime time 36 hours ;
>    proposal {
>        encryption_algorithm 3des;
>        hash_algorithm sha1;
>        authentication_method pre_shared_key;
>        dh_group 2;

3des-sha1 and dh2 (modp1024)

> spdadd 192.168.10.200 192.168.10.10 any -P out ipsec esp/transport//require;
> spdadd 192.168.10.10 192.168.10.200 any -P in  ipsec esp/transport//require;

transport mode.

> psk.txt
> 192.168.10.10        123456789
>
>
> Openswan
> c200.conf:
> conn c200
>     auto=start
>     authby=secret
>     type=transport
>     left=192.168.10.10
>     right=192.168.10.200
>     ikelifetime=24h
>     salifetime=24h

 	type=transport
 	ike=3des-sha1;modp1024
 	esp=3des-sha1

> # basic configuration
> config setup
>    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>    # klipsdebug=none
>    # plutodebug="control parsing"
>    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>    protostack=netkey
>    nat_traversal=yes
>    virtual_private=

don't leave it empty. either set it or comment out the entire option.

> Dec 11 18:16:16 comms racoon: INFO: respond new phase 1 negotiation:
> 192.168.10.200[500]<=>192.168.10.10[500]
> Dec 11 18:16:16 comms racoon: INFO: begin Identity Protection mode.
> Dec 11 18:16:16 comms racoon: INFO: received Vendor ID: DPD
> Dec 11 18:16:16 comms racoon: INFO: received Vendor ID: RFC 3947
> Dec 11 18:16:16 comms racoon: INFO: received Vendor ID:
> draft-ietf-ipsec-nat-t-ike-03
> Dec 11 18:16:16 comms racoon: INFO: received Vendor ID:
> draft-ietf-ipsec-nat-t-ike-02#012
> Dec 11 18:16:16 comms racoon: INFO: received Vendor ID:
> draft-ietf-ipsec-nat-t-ike-02
> Dec 11 18:16:16 comms racoon: INFO: received Vendor ID:
> draft-ietf-ipsec-nat-t-ike-00
> Dec 11 18:17:06 comms racoon: ERROR: phase1 negotiation failed due to
> time up. 7b6f84e2992d11b6:64a1d35251dea3c0

Those logs look incomplete. That is receiving the first packet, but
nothing else?

> Logging from openswan side:
> Dec 11 17:08:38 comms pluto[2054]: packet from 192.168.10.200:500:
> phase 1 message is part of an unknown exchange
> Dec 11 17:08:48 comms pluto[2054]: packet from 192.168.10.200:500:
> phase 1 message is part of an unknown exchange

Those are from a previous attempt; you've restarted racoon since then.

> Dec 11 17:08:50 comms pluto[2054]: "c200" #20: initiating Main Mode
> Dec 11 17:08:50 comms pluto[2054]: "c200" #20: received Vendor ID
> payload [Dead Peer Detection]
> Dec 11 17:08:50 comms pluto[2054]: "c200" #20: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Dec 11 17:08:50 comms pluto[2054]: "c200" #20: STATE_MAIN_I2: sent
> MI2, expecting MR2

So it started by sending a packet seen above by racoon, then it sent a
second packet that it seems racoon never shows in the log?

> Dec 11 17:08:50 comms pluto[2054]: "c200" #20: I will NOT send an
> initial contact payload
> Dec 11 17:08:50 comms pluto[2054]: "c200" #20: Not sending INITIAL_CONTACT
> Dec 11 17:08:50 comms pluto[2054]: "c200" #20: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Dec 11 17:08:50 comms pluto[2054]: "c200" #20: STATE_MAIN_I3: sent
> MI3, expecting MR3

But we did receive a reply and send our 3rd packet

> Dec 11 17:08:59 comms pluto[2054]: packet from 192.168.10.200:500:
> phase 1 message is part of an unknown exchange

and racoon has been restarted again??

> Dec 11 17:09:01 comms pluto[2054]: "c200" #20: discarding duplicate
> packet; already STATE_MAIN_I3
> Dec 11 17:09:11 comms pluto[2054]: "c200" #20: discarding duplicate
> packet; already STATE_MAIN_I3
> Dec 11 17:09:21 comms pluto[2054]: "c200" #20: discarding duplicate
> packet; already STATE_MAIN_I3
> Dec 11 17:09:31 comms pluto[2054]: "c200" #20: discarding duplicate
> packet; already STATE_MAIN_I3

and retransmitting every 10s ?

> It's difficult for me a mere mortal to parse the logs and figure out
> what the issue is, any ideas? Anyone successfully done this, if so can
> you share your config?

racoon2 is configured very similarly, we have an example test case at:

https://github.com/libreswan/libreswan/tree/master/testing/pluto/interop-ikev2-racoon-02-psk-responder

Obviously that's for IKEv2, not IKEv1 as you need, but otherwise might
be helpful.

You might want to look at the Linux machines not dropping syslog
messages, or use plutostderrlog=/var/log/pluto.log to ensure a log
file that didn't get some log messages rate limited.

Paul
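The checks Paul walks through above (do the two sides propose the same
3des-sha1 / modp1024 Phase 1 and 3des-sha1 Phase 2, is ike=/esp= set at all,
is virtual_private= left empty) can be done mechanically. The script below is
an added example for this thread; it is not code from the original post, from
racoon or from Openswan/Libreswan. It parses the racoon "remote"/"sainfo"
blocks and the Openswan conn, maps racoon's names onto Openswan's (the mapping
tables are an assumption covering the algorithms used here plus a few common
ones) and reports the intersection. The sample configs are constructed from
the ones quoted in the post, with the conn shown both as posted and with the
ike=/esp= lines Paul suggests added.

```python
"""
Check that a racoon (IKEv1) configuration and an Openswan conn propose at
least one common Phase 1 (ISAKMP SA) and Phase 2 (IPsec SA) combination, and
flag the other things the reply above points at (missing ike=/esp=, an empty
virtual_private=).  Example code added to this thread, not from the post and
not from either project; the name mappings are an assumption covering the
algorithms used here plus a few common ones.
"""
import re

DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
INTEG = {"sha1": "sha1", "md5": "md5", "sha256": "sha2_256",               # phase 1
         "hmac_sha1": "sha1", "hmac_md5": "md5", "hmac_sha256": "sha2_256"}  # phase 2
ENC = {"3des": "3des", "aes": "aes", "aes 256": "aes256", "des": "des"}


def _blocks(text, name):
    """Yield the body of every 'name ... { ... }' block, honouring nesting."""
    for m in re.finditer(r"\b%s\b[^{;]*\{" % re.escape(name), text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]


def _setting(body, key):
    """Value of the first 'key value ;' statement in a block body, or ''."""
    m = re.search(r"\b%s\s+([^;{}]*);" % re.escape(key), body)
    return m.group(1).strip() if m else ""


def parse_racoon(text):
    """Proposals as Openswan-style tuples: phase1 (enc, hash, dh), phase2 (enc, auth)."""
    text = re.sub(r"#.*", "", text)
    phase1, phase2, pfs = [], [], None
    for remote in _blocks(text, "remote"):
        for prop in _blocks(remote, "proposal"):
            phase1.append((ENC.get(_setting(prop, "encryption_algorithm"), "?"),
                           INTEG.get(_setting(prop, "hash_algorithm"), "?"),
                           DH_GROUPS.get(_setting(prop, "dh_group"), "?")))
    for sainfo in _blocks(text, "sainfo"):
        encs = [ENC.get(e.strip(), "?") for e in _setting(sainfo, "encryption_algorithm").split(",")]
        auths = [INTEG.get(a.strip(), "?") for a in _setting(sainfo, "authentication_algorithm").split(",")]
        phase2 += [(e, a) for e in encs for a in auths]
        pfs = DH_GROUPS.get(_setting(sainfo, "pfs_group"), pfs)
    return {"phase1": phase1, "phase2": phase2, "pfs": pfs}


def parse_openswan(text):
    """ike=/esp= of a conn as tuples; a missing part becomes '?' (pluto default)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, val = line.partition("=")
            conf[key.strip()] = val.strip()
    phase1, phase2 = [], []
    for prop in filter(None, (p.strip() for p in conf.get("ike", "").split(","))):
        algs, _, dh = prop.partition(";")
        enc, _, hsh = algs.partition("-")
        phase1.append((enc or "?", hsh or "?", dh or "?"))
    for prop in filter(None, (p.strip() for p in conf.get("esp", "").split(","))):
        enc, _, auth = prop.partition("-")
        phase2.append((enc or "?", auth or "?"))
    return {"phase1": phase1, "phase2": phase2,
            "pfs": conf.get("pfs", "yes") != "no", "settings": conf}


def compare(racoon_text, openswan_text):
    """Intersect both sides' proposals and list what a practitioner should fix."""
    r, o = parse_racoon(racoon_text), parse_openswan(openswan_text)
    warnings = []
    for phase, key in (("phase1", "ike"), ("phase2", "esp")):
        if not o[phase]:
            warnings.append("no %s= in conn: pluto will use built-in defaults; "
                            "set %s= to match racoon's proposal" % (key, key))
    for side, props in (("racoon", r["phase1"] + r["phase2"]),
                        ("openswan", o["phase1"] + o["phase2"])):
        warnings += ["%s proposal %r is incomplete or unmapped" % (side, p)
                     for p in props if "?" in p]
    if r["pfs"] and not o["pfs"]:
        warnings.append("racoon requires pfs_group (%s) but conn sets pfs=no" % r["pfs"])
    warnings += ["%s= is empty: set it or comment the option out" % k
                 for k, v in o["settings"].items() if v == ""]
    return {"phase1": sorted(set(r["phase1"]) & set(o["phase1"])),
            "phase2": sorted(set(r["phase2"]) & set(o["phase2"])),
            "warnings": warnings}


# Constructed samples, condensed from the configs quoted in the post.
RACOON_CONF = """\
sainfo anonymous {
   pfs_group 2; lifetime time 36 hours ;
   encryption_algorithm 3des, aes ; authentication_algorithm hmac_sha1 ;
}
remote anonymous {
   exchange_mode main; lifetime time 36 hours ;
   proposal { encryption_algorithm 3des; hash_algorithm sha1;
              authentication_method pre_shared_key; dh_group 2; }
}
"""
OPENSWAN_POSTED = """\
config setup
   protostack=netkey
   nat_traversal=yes
   virtual_private=
conn c200
    auto=start
    authby=secret
    type=transport
    left=192.168.10.10
    right=192.168.10.200
"""
# The conn with the two lines suggested in the reply, and virtual_private= dropped.
OPENSWAN_FIXED = OPENSWAN_POSTED.replace("   virtual_private=\n", "") + \
    "    ike=3des-sha1;modp1024\n    esp=3des-sha1\n"
```

Run compare(RACOON_CONF, OPENSWAN_POSTED) and the proposal intersections
come back empty with warnings about the missing ike=/esp= and the empty
virtual_private=; with OPENSWAN_FIXED the common Phase 1 is
("3des", "sha1", "modp1024") and the common Phase 2 is ("3des", "sha1"),
which is the pair the reply asks for. A missing ike= is deliberately reported
as a problem rather than filled in with pluto's defaults: for IKEv1 interop
you want the proposal pinned on both ends so the log tells you exactly what
was offered.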

