Openswan - tunnel is not established???


Post by levts » 18.11.2007 15:00:59

Hello
I'm currently playing around with openswan to set up an ipsec tunnel into the company network.
For testing I chose the simplest possible configuration; the scenario is as follows:

Firma-LAN-----------Firma.router-------------home.router-----Home-LAN
192.168.0.0/24---213.xxx.xxx.19--------vpn01tngnet.dyndns.org---10.1.1.0/24

So my problem is that the authentication apparently works, but the tunnel is not established, and I don't know where to go from here.

Maybe someone can please give me a tip on where I should keep looking.
I'd be really grateful for any tip.

Regards, Thomas

Attached are a few logs.
ipsec.conf home.router


conn vpntunnel01
        left=vpn01tngnet.dyndns.org     # Local vitals
        leftsubnet=10.1.1.0/24          #
        # NB: the two nexthop settings below sit behind the '#' and are therefore not in effect
        # correct in many situations leftnexthop=%defaultroute
        right=213.xxx.xxx.xxx           # Remote vitals
        rightsubnet=192.168.0.0/24      #
        # correct in many situations rightnexthop=%defaultroute
        authby=secret
        auto=start                      # bring this connection up at startup

ipsec.conf firma.router

conn vpntunnel01
        left=213.xxx.xxx.xxx            # Local vitals
        leftsubnet=192.168.0.0/24       #
        leftnexthop=%defaultroute       # correct in many situations
        right=vpn01tngnet.dyndns.org    # Remote vitals
        rightsubnet=10.1.1.0/24         #
        rightnexthop=%defaultroute      # correct in many situations
        authby=secret
        auto=start                      # bring this connection up at startup

After starting ipsec from the home PC:

Nov 18 16:38:04 vpn01 ipsec_setup: KLIPS ipsec0 on ppp0 87.78.81.106/255.255.255.255 pointopoint 195.14.247.94
Nov 18 16:38:05 vpn01 ipsec_setup: ...Openswan IPsec started
Nov 18 16:38:05 vpn01 ipsec_setup: Starting Openswan IPsec 2.4.6...
Nov 18 16:38:05 vpn01 ipsec_setup: insmod /lib/modules/2.6.18-4-686/kernel/net/key/af_key.ko
Nov 18 16:38:05 vpn01 ipsec_setup: insmod /lib/modules/2.6.18-4-686/kernel/net/ipv4/xfrm4_tunnel.ko
Nov 18 16:38:05 vpn01 ipsec_setup: insmod /lib/modules/2.6.18-4-686/kernel/net/xfrm/xfrm_user.ko
Nov 18 16:38:05 vpn01 ipsec__plutorun: 104 "vpntunnel01" #1: STATE_MAIN_I1: initiate
Nov 18 16:38:05 vpn01 ipsec__plutorun: ...could not start conn "vpntunnel01"



log home.router

Nov 18 16:11:28 vpn01 ipsec__plutorun: Starting Pluto subsystem...
Nov 18 16:11:28 vpn01 pluto[5810]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
Nov 18 16:11:28 vpn01 pluto[5810]: Setting NAT-Traversal port-4500 floating to on
Nov 18 16:11:28 vpn01 pluto[5810]: port floating activation criteria nat_t=1/port_fload=1
Nov 18 16:11:28 vpn01 pluto[5810]: including NAT-Traversal patch (Version 0.6c)
Nov 18 16:11:28 vpn01 pluto[5810]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Nov 18 16:11:28 vpn01 pluto[5810]: WARNING: Using /dev/urandom as the source of random
Nov 18 16:11:28 vpn01 pluto[5810]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 18 16:11:28 vpn01 pluto[5810]: no helpers will be started, all cryptographic operations will be done inline
Nov 18 16:11:28 vpn01 pluto[5810]: Using Linux 2.6 IPsec interface code on 2.6.18-4-686
Nov 18 16:11:28 vpn01 pluto[5810]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 18 16:11:28 vpn01 pluto[5810]: Changing to directory '/etc/ipsec.d/aacerts'
Nov 18 16:11:28 vpn01 pluto[5810]: Changing to directory '/etc/ipsec.d/ocspcerts'
Nov 18 16:11:28 vpn01 pluto[5810]: Changing to directory '/etc/ipsec.d/crls'
Nov 18 16:11:28 vpn01 pluto[5810]: Warning: empty directory
Nov 18 16:11:29 vpn01 pluto[5810]: added connection description "vpntunnel01"
Nov 18 16:11:29 vpn01 pluto[5810]: listening for IKE messages
Nov 18 16:11:29 vpn01 pluto[5810]: adding interface ppp0/ppp0 87.78.81.106:500
Nov 18 16:11:29 vpn01 pluto[5810]: adding interface ppp0/ppp0 87.78.81.106:4500
Nov 18 16:11:29 vpn01 pluto[5810]: adding interface eth0/eth0 10.1.1.6:500
Nov 18 16:11:29 vpn01 pluto[5810]: adding interface eth0/eth0 10.1.1.6:4500
Nov 18 16:11:29 vpn01 pluto[5810]: adding interface lo/lo 127.0.0.1:500
Nov 18 16:11:29 vpn01 pluto[5810]: adding interface lo/lo 127.0.0.1:4500
Nov 18 16:11:29 vpn01 pluto[5810]: adding interface lo/lo ::1:500
Nov 18 16:11:29 vpn01 pluto[5810]: loading secrets from "/etc/ipsec.secrets"
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: initiating Main Mode
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: received Vendor ID payload [Openswan (this version) 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: received Vendor ID payload [Dead Peer Detection]
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: received Vendor ID payload [RFC 3947] method set to=110
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: enabling possible NAT-traversal with method 3
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: I did not send a certificate because I do not have one.
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: NAT-Traversal: Result using 3: no NAT detected
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: Main mode peer ID is ID_IPV4_ADDR: '213.xxx.xxx.xxx'
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3c3fc51c <0x7087ea52 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
Nov 18 16:11:46 vpn01 pluto[5810]: "vpntunnel01" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x59f033d6) not found (maybe expired)
Nov 18 16:11:46 vpn01 pluto[5810]: "vpntunnel01" #1: received and ignored informational message



log firma.router



Nov 18 23:16:47 vpn01 pluto[27404]: packet from 87.78.81.106:500: received Vendor ID payload [Openswan (this version) 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Nov 18 23:16:47 vpn01 pluto[27404]: packet from 87.78.81.106:500: received Vendor ID payload [Dead Peer Detection]
Nov 18 23:16:47 vpn01 pluto[27404]: packet from 87.78.81.106:500: received Vendor ID payload [RFC 3947] method set to=110
Nov 18 23:16:47 vpn01 pluto[27404]: packet from 87.78.81.106:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Nov 18 23:16:47 vpn01 pluto[27404]: packet from 87.78.81.106:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Nov 18 23:16:47 vpn01 pluto[27404]: packet from 87.78.81.106:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Nov 18 23:16:47 vpn01 pluto[27404]: packet from 87.78.81.106:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #13: responding to Main Mode
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #13: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #13: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #13: NAT-Traversal: Result using 3: no NAT detected
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #13: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #13: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #13: Main mode peer ID is ID_IPV4_ADDR: '87.78.81.106'
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #13: I did not send a certificate because I do not have one.
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #13: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #13: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #14: responding to Quick Mode {msgid:b6041a82}
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #14: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #14: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #14: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 18 23:16:47 vpn01 pluto[27404]: "vpntunnel01" #14: STATE_QUICK_R2: IPsec SA established {ESP=>0x7087ea52 <0x3c3fc51c xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}



ipsec auto --status home.router


000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.1.1.6
000 interface eth0/eth0 10.1.1.6
000 interface ppp0/ppp0 87.78.81.106
000 interface ppp0/ppp0 87.78.81.106
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "vpntunnel01": 10.1.1.0/24===87.78.81.106...213.xxx.xxx.xxx===192.168.0.0/24; erouted; eroute owner: #2
000 "vpntunnel01": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "vpntunnel01": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "vpntunnel01": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: ppp0;
000 "vpntunnel01": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "vpntunnel01": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #2: "vpntunnel01":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26935s; newest IPSEC; eroute owner
000 #2: "vpntunnel01" esp.3c3fc51c@213.23.251.19 esp.7087ea52@87.78.81.106 tun.0@213.23.251.19 tun.0@87.78.81.106
000 #1: "vpntunnel01":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1819s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
vpn01:~#



ipsec auto --status firma.router
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.0.226
000 interface eth0/eth0 192.168.0.226
000 interface eth1/eth1 213.xxx.xxx.xxx
000 interface eth1/eth1 213.xxx.xxx.xxx
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "vpntunnel01": 192.168.0.0/24===213.xxx.xxx.19---213.xxx.xxx.17...213.xxx.xxx.17---87.78.81.106===10.1.1.0/24; erouted; eroute owner: #14
000 "vpntunnel01": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "vpntunnel01": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "vpntunnel01": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "vpntunnel01": newest ISAKMP SA: #13; newest IPsec SA: #14;
000 "vpntunnel01": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #14: "vpntunnel01":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27296s; newest IPSEC; eroute owner
000 #14: "vpntunnel01" esp.7087ea52@87.78.81.106 esp.3c3fc51c@213.23.251.19 tun.0@87.78.81.106 tun.0@213.23.251.19
000 #13: "vpntunnel01":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2096s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
vpn01:~#



Post by levts » 19.11.2007 10:40:22

Hmm, now I'm completely confused: is the tunnel established and I have a routing problem, or is the tunnel not there after all? Can someone please give me a tip?

Regards, Thomas
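One way to read pluto logs and `ipsec auto --status` output mechanically, as an added example that is not part of this thread: the script below extracts the last STATE_* reached by each SA of a connection, checks whether the status output reports an installed eroute, and says how far IKEv1 phase 1 and phase 2 got. The sample lines are constructed after those quoted above; the state names are Openswan's own, while the function names and the verdict texts are this example's.

```python
import re
# Constructed sample input, shaped like the pluto syslog lines and the
# "ipsec auto --status" output quoted in the thread above.
PLUTO_LOG = """\
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: initiating Main Mode
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Nov 18 16:11:29 vpn01 pluto[5810]: "vpntunnel01" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3c3fc51c <0x7087ea52 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
"""
STATUS = """\
000 "vpntunnel01": 10.1.1.0/24===87.78.81.106...213.xxx.xxx.xxx===192.168.0.0/24; erouted; eroute owner: #2
000 #2: "vpntunnel01":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26935s; newest IPSEC; eroute owner
"""

LOG_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r"\b(STATE_(?:MAIN|QUICK)_[IR]\d)\b")
# Final IKEv1 states: Main Mode (phase 1) and Quick Mode (phase 2), initiator/responder.
ISAKMP_DONE = {"STATE_MAIN_I4", "STATE_MAIN_R3"}
IPSEC_DONE = {"STATE_QUICK_I2", "STATE_QUICK_R2"}

def last_states(log_text):
    """Map conn -> {SA number -> last STATE_* logged for that SA}."""
    sas = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        st = STATE_RE.search(m["msg"]) if m else None
        if st:
            sas.setdefault(m["conn"], {})[int(m["sa"])] = st.group(1)
    return sas

def is_erouted(status_text, conn):
    """True if 'ipsec auto --status' shows an installed eroute for conn."""
    return any(line.startswith(f'000 "{conn}":') and "; erouted;" in line
               for line in status_text.splitlines())

def diagnose(log_text, status_text, conn):
    """Classify how far the negotiation for conn got and where to look next."""
    states = set(last_states(log_text).get(conn, {}).values())
    isakmp, ipsec = bool(states & ISAKMP_DONE), bool(states & IPSEC_DONE)
    erouted = is_erouted(status_text, conn)
    if not isakmp:
        verdict = "phase 1 incomplete: check PSK, IKE proposal and UDP/500 reachability"
    elif not ipsec:
        verdict = "phase 2 incomplete: check leftsubnet/rightsubnet and ESP proposal"
    elif not erouted:
        verdict = "IPsec SA up but no eroute: check _updown and kernel policy"
    else:
        verdict = "tunnel negotiated; look at routing, firewall and NAT, not at IKE"
    return {"isakmp": isakmp, "ipsec": ipsec, "erouted": erouted, "verdict": verdict}
```

Run `diagnose(PLUTO_LOG, STATUS, "vpntunnel01")` on the sample above and all three checks come back true, i.e. the SAs and the eroute exist on the home side; feed it a log that stops after Main Mode and it reports phase 2 as incomplete instead.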
