When using netkey, you don't get any interfaces and often no routes either

Sent from my iPhone

> On Jul 9, 2014, at 21:31, Ben Lentz <[email protected]> wrote:
>
>
>> On 7/9/14, 8:53 PM, Ben Lentz wrote:
>>
>>> try:
>>>
>>> remote_peer_type=cisco
>>> esp=aes-sha1;modp1024
>>>
>>> Paul
>>
>> Hey Paul,
>> Thanks so much for your continued help with this. Unfortunately, I continue
>> to struggle. I found what I believe is an acceptable phase 2 proposal in
>> 3des-sha1, discovered by reviewing the debug logs from a successful tunnel
>> connection from vpnc.
>>
>> I've tried migrating the configs into two different boxes: a RHEL 6.4 system
>> running openswan-2.6.32-19.el6_3 and a Fedora 20 Live USB running
>> libreswan-3.6-1.fc20. The RHEL box crashes pluto with a signal 11 (again! -
>> even though I think we have an acceptable proposal) and the Fedora 20 box
>> doesn't die, but complains of a duplicate packet during quick mode. Oddly enough
>> I end up with an updated /etc/resolv.conf but no IP alias and no routes
>> added.
>>
>> RHEL logs (this is /var/log/secure and /var/log/messages together so the
>> ipsec messages and daemon crash are shown together timing-wise):
>>
>> Jul 9 20:15:04 bentz pluto[18134]: "conn" #1: XAUTH: Successfully Authenticated
>> Jul 9 20:15:04 bentz pluto[18134]: "conn" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
>> Jul 9 20:15:04 bentz pluto[18134]: "conn" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
>> Jul 9 20:15:04 bentz pluto[18134]: "conn" #1: modecfg: Sending IP request (MODECFG_I1)
>> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: received mode cfg reply
>> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: setting client address to 192.168.0.79/32
>> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: setting ip source address to 192.168.0.79/32
>> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: Received IP4 NETMASK 255.255.255.0
>> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: Received DNS 10.0.0.20, len=10
>> Jul 9 20:15:05 bentz pluto[18134]: | Cisco DNS info: 10.0.0.20, len=10
>> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: Received DNS 10.0.0.240, len=10
>> Jul 9 20:15:05 bentz pluto[18134]: | Cisco DNS info: 10.0.0.20 10.0.0.240, len=21
>> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
>> Jul 9 20:15:05 bentz pluto[18134]: "conn" #1: STATE_MAIN_I4: ISAKMP SA established
>> Jul 9 20:15:05 bentz pluto[18134]: "conn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+AGGRESSIVE {using isakmp#1 msgid:d45f73bf proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
>> Jul 9 20:15:05 bentz ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line 250: 18134 Segmentation fault /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --virtual_private oe=off
>> Jul 9 20:15:05 bentz ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
>> Jul 9 20:15:05 bentz ipsec__plutorun: restarting IPsec after pause...
>> Jul 9 20:15:15 bentz ipsec_setup: Stopping Openswan IPsec...
>> Jul 9 20:15:15 bentz ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:
>> Jul 9 20:15:15 bentz ipsec_setup: ...Openswan IPsec stopped
>> Jul 9 20:15:15 bentz ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...
>> Jul 9 20:15:15 bentz ipsec_setup: Using NETKEY(XFRM) stack
>> Jul 9 20:15:15 bentz ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Jul 9 20:15:15 bentz ipsec__plutorun: Starting Pluto subsystem...
>> Jul 9 20:15:15 bentz ipsec_setup: ...Openswan IPsec started
>> Jul 9 20:15:15 bentz ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>> Jul 9 20:15:15 bentz pluto: adjusting ipsec.d to /etc/ipsec.d
>> Jul 9 20:15:15 bentz ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Jul 9 20:15:15 bentz ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Jul 9 20:15:15 bentz ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Jul 9 20:15:16 bentz pluto[18353]: nss directory plutomain: /etc/ipsec.d
>> Jul 9 20:15:16 bentz pluto[18353]: NSS Initialized
>> Jul 9 20:15:16 bentz pluto[18353]: Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Jul 9 20:15:16 bentz pluto[18353]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:18353
>>
>> Here's the Fedora journalctl -f output:
>>
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: XAUTH: Successfully Authenticated
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: modecfg: Sending IP request (MODECFG_I1)
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: received mode cfg reply
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received IPv4 address: 192.168.0.38/32
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: setting ip source address to 192.168.0.38/32
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received IP4 NETMASK 255.255.255.0
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received DNS 10.0.0.20
>> Jul 09 20:37:26 localhost pluto[2804]: | ModeCFG DNS info: 10.0.0.20, len=10
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received DNS 10.0.0.240
>> Jul 09 20:37:26 localhost pluto[2804]: | ModeCFG DNS info: 10.0.0.20 10.0.0.240, len=21
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received Cisco ModeCFG Domain: conn.com
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: Received Domain: conn.com
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #1: STATE_MAIN_I4: ISAKMP SA established
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+XAUTH+MODECFGPULL+AGGRESSIVE+IKE_FRAG {using isakmp#1 msgid:2886c6de proposal=3DES(3)_192-SHA1(2)_1...fsgroup=no-pfs}
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client output: updating resolvconf
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client output: Current resolv.conf is generated by Libreswan, and backup resolv.conf already exists, so doing nothing
>> Jul 09 20:37:26 localhost pluto[2804]: "conn" #2: up-client command exited with status 1
>> Jul 09 20:37:34 localhost pluto[2804]: "conn" #2: discarding duplicate packet; already STATE_QUICK_I1
>> Jul 09 20:37:36 localhost pluto[2804]: "conn" #2: discarding duplicate packet; already STATE_QUICK_I1
>> Jul 09 20:37:44 localhost pluto[2804]: "conn" #2: discarding duplicate packet; already STATE_QUICK_I1
>> Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x8603a62d) not found (maybe expired)
>> Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: received and ignored empty informational notification payload
>> Jul 09 20:37:52 localhost pluto[2804]: "conn" #1: received Delete SA payload: deleting ISAKMP State #1
>> Jul 09 20:37:52 localhost pluto[2804]: packet from 198.185.66.15:4500: received and ignored empty informational notification payload
>>
>> I read that leftxauthserver means rekey=no, so I did add that but it didn't
>> seem to make a difference (it just doesn't 'try' as hard).
>>
>> My config is (scrubbed):
>>
>> conn conn
>> auto=start
>> authby=secret
>> left=%defaultroute
>> leftid=@vpnusers
>> leftxauthclient=yes
>> leftmodecfgclient=yes
>> leftxauthusername=blentz
>> right=1.2.3.4
>> rightxauthserver=yes
>> rightmodecfgserver=yes
>> modecfgpull=yes
>> ike=3des-md5;modp1536
>> esp=3des-sha1
>> rekey=no
>> remote_peer_type=cisco
>> aggrmode=yes
>> pfs=no
>> ikev2=no
>> sareftrack=no
>>
>> esp=3des-sha1 appears to have gotten me around the NO_PROPOSAL_CHOSEN
>> problem but I didn't get a whole lot further. It feels like I'm 98% there
>> but this last 2% is kicking my butt.
>>
>> I saw there was a release today, I might try pulling that down onto the
>> Fedora 20 Live USB system to see if there's something in there that's fixed
>> that I could benefit from.
>>
>> Any more ideas?
>
> I pulled down all the latest software for my RHEL 6Server box:
>
> $ rpm -q ldns unbound-libs libreswan libreswan-kmod
> ldns-1.6.16-2.el6.x86_64
> unbound-libs-1.4.21-1.el6.x86_64
> libreswan-3.9-1.el6.x86_64
> libreswan-kmod-3.5-1.el6.x86_64
>
> ... and with the above configuration I can start ipsec and I actually don't
> get any errors at all! However I never get any new interfaces, interface
> aliases, or routes still... just a running daemon and a munged
> /etc/resolv.conf file. I must be missing something huge here.

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
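The reply's point is that on the NETKEY (XFRM) stack an established tunnel leaves no ipsecN interface and usually no route behind, so looking for either tells you nothing; the evidence is the pair of ESP security associations in the kernel's XFRM state. The following is an added example, not code from the thread or from Libreswan/Openswan: it parses `ip xfrm state` output and reports whether a given peer has an ESP SA in both directions, also flagging DES/3DES encryption. The `SAMPLE_STATE` text, its addresses and its keys are constructed for the example.

```python
from __future__ import annotations
import re
import subprocess
from collections import namedtuple

# One XFRM security association as printed by `ip xfrm state`.
Sa = namedtuple("Sa", "src dst proto spi mode enc")

def parse_xfrm_state(text: str) -> list[Sa]:
    """Each SA begins with an unindented 'src A dst B' line; its details are indented."""
    sas = []
    for block in re.split(r"\n(?=src )", text.strip()):
        head = re.match(r"src (\S+) dst (\S+)", block)
        proto = re.search(r"^\s*proto (\w+) spi (0x[0-9a-f]+).*?mode (\w+)", block, re.M)
        enc = re.search(r"^\s*enc (\S+)", block, re.M)
        if head and proto:
            sas.append(Sa(head[1], head[2], proto[1], proto[2], proto[3],
                          enc[1] if enc else "none"))
    return sas

def tunnel_status(sas: list[Sa], peer: str) -> dict:
    """'up' only when both directions have an ESP SA in tunnel mode with the peer;
    DES/3DES encryption is listed separately because it is legacy and worth flagging."""
    out = [s for s in sas if s.dst == peer and s.proto == "esp" and s.mode == "tunnel"]
    inb = [s for s in sas if s.src == peer and s.proto == "esp" and s.mode == "tunnel"]
    legacy = sorted({s.enc for s in out + inb if "des" in s.enc})
    return {"up": bool(out and inb), "outbound": len(out), "inbound": len(inb),
            "legacy_ciphers": legacy}

def live_status(peer: str) -> dict:
    """Evaluate the real kernel state (needs iproute2 and usually root)."""
    res = subprocess.run(["ip", "xfrm", "state"], capture_output=True, text=True, check=True)
    return tunnel_status(parse_xfrm_state(res.stdout), peer)

# Constructed sample output (not from the thread): one SA pair with peer
# 198.51.100.20 as negotiated by an esp=3des-sha1 proposal; keys are dummies.
SAMPLE_STATE = """\
src 203.0.113.10 dst 198.51.100.20
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
    auth-trunc hmac(sha1) 0x0011223344556677889900112233445566778899 96
    enc cbc(des3_ede) 0x00112233445566778899aabbccddeeff00112233445566778899aabb
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 198.51.100.20 dst 203.0.113.10
    proto esp spi 0x1e2f3a4b reqid 16385 mode tunnel
    auth-trunc hmac(sha1) 0x99887766554433221100998877665544332211009988 96
    enc cbc(des3_ede) 0xffeeddccbbaa99887766554433221100ffeeddccbbaa998877665544
"""

if __name__ == "__main__":
    print(tunnel_status(parse_xfrm_state(SAMPLE_STATE), "198.51.100.20"))
```

A single SA (one direction only) is reported as not up, which is the state a half-negotiated Quick Mode leaves behind.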
