xelerance / Openswan


VPN not working as responder #437

Open abobakrahmed opened 3 years ago

abobakrahmed commented 3 years ago

Hello, I have an issue with openswan not working as responder except when I initiate traffic. That's my configuration:

    conn my_vpn2
        type=tunnel
        authby=secret
        auto=start
        pfs=no
        auth=esp
        # Phase1
        ike=aes256-sha1;modp1536
        phase2alg=aes256-sha1
        aggrmode=no
        keyexchange=ike
        ikelifetime=86400s
        #salifetime=28800s
        keylife=3600s
        #dpddelay=10
        #dpdtimeout=20
        #dpdaction=restart
        #keyingtries=%forever
        forceencaps=yes
        left=4.4.4.4
        leftsubnet=5.5.5.5/32
        leftsourceip=4.4.4.4
        right=6.6.6.6
        rightsubnets={1.1.1.1/32,2.2.2.2/32,3.3.3.3/32}

shussain commented 3 years ago

Hi, what version of OSW are you using? Can you post the content of ipsec barf?

abobakrahmed commented 3 years ago

Linux Openswan U2.6.43/K4.14.171-105.231.amzn1.x86_64 (netkey)

letoams commented 3 years ago

On Wed, 15 Jul 2020, Abobakr_Ahmed wrote:

Linux Openswan U2.6.43/K4.14.171-105.231.amzn1.x86_64 (netkey)

Not sure why a version was asked, other than to punt the problem to "please upgrade".

If you have auto=start and the service starts on startup, check the logs for a message on why it fails. grep the logs for "pluto".

Paul

abobakrahmed commented 3 years ago

    packet from 6.6.6.6:500: ignoring unknown Vendor ID payload [a9b9b1034f7e50a2513b47b100bb85a9]
    | find_host_connection2 called from main_inI1_outR1, me=4.4.4.4:500 him=6.6.6.6:500 policy=none
    | find_host_pair: comparing to 4.4.4.4:500 6.6.6.6:500
    | find_host_pair_conn (find_host_connection2): 4.4.4.4:500 6.6.6.6:500 -> hp:my_vpn2/0x1
    | started looking for secret for 4.4.4.4->6.6.6.6 of kind PPK_PSK
    | actually looking for secret for 4.4.4.4->6.6.6.6 of kind PPK_PSK

abobakrahmed commented 3 years ago

Can telnet to the destination, but only when I initiate traffic with `telnet 1.1.1.1 443`.

letoams commented 3 years ago

On Wed, 15 Jul 2020, Abobakr_Ahmed wrote:

packet from 196.43.201.208:500: ignoring unknown Vendor ID payload [a9b9b1034f7e50a2513b47b100bb85a9] | find_host_connection2 called from main_inI1_outR1, me=4.4.4.4:500 him=6.6.6.6:500 policy=none

This is a responding exchange, so it has nothing to do with whether your connection starts on boot or not?

Maybe you should post more logs and clarify the problem. More likely the connection never works?

Paul

abobakrahmed commented 3 years ago

How can I get more logs? It works when I start the connection by using the telnet command, but when this connection is finished, another destination 6.6.6.6 cannot telnet.

letoams commented 3 years ago

The logs will already be there. Check your system on how it handles logs, e.g. via /var/log/secure or journalctl, etc.


abobakrahmed commented 3 years ago

    ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; force_encaps: yes
    000 "my_vpn3/0x1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,8; interface: eth0;
    000 "my_vpn3/0x1": dpd: action:clear; delay:0; timeout:0;
    000 "my_vpn3/0x1": newest ISAKMP SA: #0; newest IPsec SA: #9;
    000 "my_vpn3/0x1": aliases: my_vpn3
    000 "my_vpn3/0x1": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
    000 "my_vpn3/0x1": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
    000 "my_vpn3/0x1": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
    000 "my_vpn3/0x1": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
    000 "my_vpn3/0x1": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<N/A>

abobakrahmed commented 3 years ago

    002 "my_vpn2/0x3" #42: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    004 "my_vpn2/0x3" #42: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
    002 "my_vpn2/0x3" #42: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
    002 "my_vpn2/0x1" #43: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#42 msgid:c6c1e035 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
    002 "my_vpn2/0x2" #44: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#42 msgid:24dbed3f proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
    002 "my_vpn2/0x3" #45: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#42 msgid:6d48017b proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
    117 "my_vpn2/0x1" #43: STATE_QUICK_I1: initiate
    117 "my_vpn2/0x2" #44: STATE_QUICK_I1: initiate
    117 "my_vpn2/0x3" #45: STATE_QUICK_I1: initiate
    002 "my_vpn2/0x3" #45: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
    002 "my_vpn2/0x3" #45: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    004 "my_vpn2/0x3" #45: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xafcd430e <0x40b2edb7 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
    002 "my_vpn2/0x1" #43: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
    002 "my_vpn2/0x1" #43: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    004 "my_vpn2/0x1" #43: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf74eead5 <0x9fbf8a5d xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
    002 "my_vpn2/0x2" #44: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
    002 "my_vpn2/0x2" #44: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    004 "my_vpn2/0x2" #44: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xdaa8b71b <0x4b555d19 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
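As an added example (not code from this thread or from Openswan), here is a small Python check that reads `ipsec auto --status` output in the shape pasted above and reports, per conn instance (`my_vpn2/0x1`, `/0x2`, ...), whether an IPsec SA is actually installed, so it is easy to see which subnet instances never completed Quick Mode. The status text embedded below is constructed with hypothetical SA numbers.

```python
import re
from typing import Dict, List

# Constructed sample of `ipsec auto --status` output (hypothetical values),
# shaped like the status lines in the thread: one conn with three subnet
# instances, only the first of which has an IPsec SA installed.
SAMPLE_STATUS = """\
000 "my_vpn2/0x1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "my_vpn2/0x1": newest ISAKMP SA: #0; newest IPsec SA: #9;
000 "my_vpn2/0x2": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "my_vpn2/0x2": newest ISAKMP SA: #8; newest IPsec SA: #0;
000 "my_vpn2/0x3": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "my_vpn2/0x3": newest ISAKMP SA: #0; newest IPsec SA: #0;
"""

# "newest ISAKMP SA: #N; newest IPsec SA: #M;" -- #0 means no SA of that kind.
SA_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": newest ISAKMP SA: #(?P<isakmp>\d+); '
    r'newest IPsec SA: #(?P<ipsec>\d+);'
)


def classify(status_text: str) -> Dict[str, str]:
    """Map each conn instance to "up", "phase2-missing" or "down".

    up             - an IPsec SA is installed (traffic can flow; the ISAKMP SA
                     may already have expired, which is normal)
    phase2-missing - an ISAKMP SA exists but Quick Mode never completed
    down           - neither SA exists
    """
    states: Dict[str, str] = {}
    for line in status_text.splitlines():
        m = SA_RE.match(line)
        if not m:
            continue
        isakmp, ipsec = int(m["isakmp"]), int(m["ipsec"])
        if ipsec:
            states[m["conn"]] = "up"
        elif isakmp:
            states[m["conn"]] = "phase2-missing"
        else:
            states[m["conn"]] = "down"
    return states


def not_up(status_text: str) -> List[str]:
    """Instances worth looking for in the pluto logs, sorted by name."""
    return sorted(c for c, s in classify(status_text).items() if s != "up")


if __name__ == "__main__":
    for conn, state in classify(SAMPLE_STATUS).items():
        print(f"{conn}: {state}")
```

To use it on a live system, replace SAMPLE_STATUS with the captured `ipsec auto --status` output.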

abobakrahmed commented 3 years ago

I know these logs are huge, but if you can help me with any commands, it will be appreciated.

letoams commented 3 years ago

So that looks like it came up fine? Was this from system startup or a manual `ipsec auto --up` command?

There were some fixes in the subnets= vs subnet= code in libreswan, so on openswan perhaps first try with one subnet?


abobakrahmed commented 3 years ago

    ipsec whack --initiate --name my_vpn2
    ipsec whack --status
    ipsec auto --status

deef2020 commented 1 year ago

Please help me, there was no response when I entered `ipsec auto --up`.