Open Swan ipsec tunnel

Issues related to configuring your network
jamesj
Posts: 4
Joined: 2008/06/12 22:25:40

Post by jamesj » 2008/08/12 18:25:13

Linux Openswan IPsec tunnel problems:

This issue involves a Linux workstation running CentOS 4.4 (2.6.9-42.0.10.EL kernel) and a Fortigate 1000A VPN/firewall.
I am attempting to create a full-time tunnel between the Linux workstation and the Fortigate unit; once the connection has been
successfully negotiated the Linux box will have access to our internal network resources behind the Fortigate VPN/firewall.

I am using a pre-shared key as well as XAUTH for this connection.
When I bring up the tunnel the terminal requests a user name and password for the XAUTH; after I enter the required information
the tunnel is started and everything then works fine until it is time to rekey... It looks to me as though the negotiation is partially successful.
I believe the PSK is shared again and that it is the XAUTH that is the problem.

I can confirm this theory: if I disable the XAUTH and simply use a PSK, the connection rekeys and stays open, as desired.
I have read that Linux XAUTH connections can/cannot be rekeyed, so I am somewhat confused.

Currently the only solution I see is to run a cron script every 5-6 hours that brings down the tunnel and then
runs an ipsec whack command to reinitiate the tunnel, but this seems a bit crazy.

Please help!!!


Here is a copy of /etc/ipsec.conf:

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable *debug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        OE=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey

# My connection
conn test
        leftxauthclient=yes
        rightxauthserver=yes
        left=%defaultroute
        leftsourceip=xxx.xxx.xxx.xxx
        right=xxx.xxx.xxx.xxx
        rightsubnet=xxx.xxx.xxx.xxx/xx
        keyexchange=ike
        auth=esp
        authby=secret
        esp=3des
        compress=no
        pfs=yes
        auto=add
        ikelifetime=24h
        keylife=8h
        rekey=yes

I will also include a copy of the secure log (showing from the start to the end of the tunnel's life) on the Linux client:

###### CONNECTION STARTED HERE #########
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: initiating Main Mode
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: received Vendor ID payload [RFC 3947] method set to=109
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: received Vendor ID payload [Dead Peer Detection]
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: enabling possible NAT-traversal with method 4
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: Main mode peer ID is ID_IPV4_ADDR: '70.67.129.119'
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Aug 11 15:38:39 claimtools pluto[6219]: "test" #1: XAUTH: Answering XAUTH challenge with user='claimtools-0212'
Aug 11 15:38:39 claimtools pluto[6219]: "test" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Aug 11 15:38:39 claimtools pluto[6219]: "test" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Aug 11 15:38:40 claimtools pluto[6219]: "test" #1: XAUTH: Successfully Authenticated
Aug 11 15:38:40 claimtools pluto[6219]: "test" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Aug 11 15:38:40 claimtools pluto[6219]: "test" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Aug 11 15:38:40 claimtools pluto[6219]: "test" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev@openswan.org
Aug 11 15:38:40 claimtools pluto[6219]: "test" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in duplicate_state, please report to dev@openswan.org
Aug 11 15:38:40 claimtools pluto[6219]: "test" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in duplicate_state, please report to dev@openswan.org
Aug 11 15:38:40 claimtools pluto[6219]: "test" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in duplicate_state, please report to dev@openswan.org
Aug 11 15:38:40 claimtools pluto[6219]: "test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:197dcd2f proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 11 15:38:40 claimtools pluto[6219]: "test" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=197dcd2f
Aug 11 15:38:40 claimtools pluto[6219]: "test" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 11 15:38:40 claimtools pluto[6219]: "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x89f86b92 192.168.80.0/24:0/0
Aug 11 17:38:30 claimtools pluto[6219]: "test" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev@openswan.org
Aug 11 17:38:30 claimtools pluto[6219]: "test" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in duplicate_state, please report to dev@openswan.org
Aug 11 17:38:30 claimtools pluto[6219]: "test" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in duplicate_state, please report to dev@openswan.org
Aug 11 17:38:30 claimtools pluto[6219]: "test" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in duplicate_state, please report to dev@openswan.org
Aug 11 17:38:30 claimtools pluto[6219]: "test" #3: responding to Quick Mode proposal {msgid:ec4e478a}
Aug 11 17:38:30 claimtools pluto[6219]: "test" #3: us: 192.168.22.29/32===192.168.22.204[+XC+S=C]
Aug 11 17:38:30 claimtools pluto[6219]: "test" #3: them: 70.67.129.119[+XS+S=C]===192.168.80.0/24
Aug 11 17:38:30 claimtools pluto[6219]: "test" #3: keeping refhim=4294901761 during rekey
Aug 11 17:38:30 claimtools pluto[6219]: "test" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 11 17:38:30 claimtools pluto[6219]: "test" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 11 17:38:30 claimtools pluto[6219]: "test" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2

Aug 11 17:38:40 claimtools pluto[6219]: "test" #1: received Delete SA(0x89f86b92) payload: deleting IPSEC State #2
Aug 11 17:38:40 claimtools pluto[6219]: "test" #1: received and ignored informational message
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: initiating Main Mode
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: received Vendor ID payload [RFC 3947] method set to=109
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: received Vendor ID payload [Dead Peer Detection]
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: enabling possible NAT-traversal with method 4
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: Main mode peer ID is ID_IPV4_ADDR: '70.67.129.119'
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Aug 11 19:34:00 claimtools pluto[6219]: "test" #1: received Delete SA payload: replace IPSEC State #3 in 10 seconds
Aug 11 19:34:00 claimtools pluto[6219]: "test" #1: received and ignored informational message
Aug 11 19:34:00 claimtools pluto[6219]: "test" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 11 19:34:00 claimtools pluto[6219]: packet from 70.67.129.119:4500: received and ignored informational message
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: XAUTH username requested, but no file descriptor available for prompt
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: sending encrypted notification CERTIFICATE_UNAVAILABLE to 70.67.129.119:4500
Aug 11 19:34:10 claimtools pluto[6219]: "test" #3: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev@openswan.org
Aug 11 19:34:10 claimtools pluto[6219]: "test" #3: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in duplicate_state, please report to dev@openswan.org
Aug 11 19:34:10 claimtools pluto[6219]: "test" #3: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in duplicate_state, please report to dev@openswan.org
Aug 11 19:34:10 claimtools pluto[6219]: "test" #3: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in duplicate_state, please report to dev@openswan.org
Aug 11 19:34:10 claimtools pluto[6219]: "test" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #3 {using isakmp#4 msgid:14d475fd proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 11 19:34:20 claimtools pluto[6219]: "test" #3: IPsec SA expired (LATEST!)
Aug 11 19:34:20 claimtools pluto[6219]: "test" #3: request to replace with shunt a prospective erouted policy with netkey kernel --- experimental
Aug 11 19:35:20 claimtools pluto[6219]: "test" #5: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 11 19:35:20 claimtools pluto[6219]: "test" #5: starting keying attempt 2 of at most 3
Aug 11 19:35:20 claimtools pluto[6219]: "test" #5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev@openswan.org
Aug 11 19:35:20 claimtools pluto[6219]: "test" #5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in duplicate_state, please report to dev@openswan.org
Aug 11 19:35:20 claimtools pluto[6219]: "test" #5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in duplicate_state, please report to dev@openswan.org
Aug 11 19:35:20 claimtools pluto[6219]: "test" #5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in duplicate_state, please report to dev@openswan.org
Aug 11 19:35:20 claimtools pluto[6219]: "test" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #5 {using isakmp#4 msgid:ac8007e7 proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 11 19:36:30 claimtools pluto[6219]: "test" #6: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 11 19:36:30 claimtools pluto[6219]: "test" #6: starting keying attempt 3 of at most 3

Aug 11 19:36:30 claimtools pluto[6219]: "test" #6: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev@openswan.org
Aug 11 19:36:30 claimtools pluto[6219]: "test" #6: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in duplicate_state, please report to dev@openswan.org
Aug 11 19:36:30 claimtools pluto[6219]: "test" #6: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in duplicate_state, please report to dev@openswan.org
Aug 11 19:36:30 claimtools pluto[6219]: "test" #6: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in duplicate_state, please report to dev@openswan.org
Aug 11 19:36:30 claimtools pluto[6219]: "test" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #6 {using isakmp#4 msgid:386b5bbe proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 11 19:37:40 claimtools pluto[6219]: "test" #7: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 11 20:36:26 claimtools pluto[6219]: "test" #4: DPD Info: received old or duplicate R_U_THERE
Aug 11 20:36:31 claimtools pluto[6219]: "test" #4: DPD Info: received old or duplicate R_U_THERE
Aug 11 20:36:36 claimtools pluto[6219]: "test" #4: received Delete SA payload: deleting ISAKMP State #4
Aug 11 20:36:36 claimtools pluto[6219]: packet from 70.67.129.119:4500: received and ignored informational message


Thank you everyone.
JJ
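The log in the post above carries a signature that is worth detecting automatically rather than by reading through the rekey noise: the peer tears down ISAKMP SA #1, pluto establishes a new phase 1 SA (#4) but has no terminal to prompt for the XAUTH username, and every Quick Mode it then initiates under #4 (#5, #6, #7) times out with the misleading "perhaps peer likes no proposal". The Python script below is an added example, not part of the original post or of Openswan; it correlates pluto's '"conn" #state: message' syslog lines from a sample abbreviated from the post's own log and reports (a) an XAUTH prompt that could not be answered during a phase 1 rekey, (b) Quick Mode retransmit failures riding on an ISAKMP SA that never completed XAUTH, and (c) a phase 2 proposal that offers 3DES/MD5. The finding codes, the analyze() function and the SAMPLE_LOG constant are this example's own names, not Openswan's.

```python
"""Correlate Openswan pluto syslog lines to spot an XAUTH rekey that silently failed."""
import re

# Syslog prefix plus pluto's '"conn" #state: message' format as it appears in /var/log/secure.
PLUTO_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<st>\d+): (?P<msg>.*)$')
USING_ISAKMP_RE = re.compile(r'\{using isakmp#(\d+)')
PROPOSAL_RE = re.compile(r'proposal=([^}]*?)(?: pfsgroup=|\})')

# Finding codes (names are this example's own, not Openswan's).
XAUTH_REKEY_NO_PROMPT = "xauth-rekey-no-prompt"
QUICK_MODE_ON_UNAUTHENTICATED_SA = "quick-mode-on-unauthenticated-isakmp-sa"
WEAK_PHASE2_PROPOSAL = "weak-phase2-proposal"

# Sample input: lines abbreviated from the log posted above (the alloc_bytes1 noise dropped).
SAMPLE_LOG = """\
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: initiating Main Mode
Aug 11 15:38:33 claimtools pluto[6219]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Aug 11 15:38:39 claimtools pluto[6219]: "test" #1: XAUTH: Answering XAUTH challenge with user='claimtools-0212'
Aug 11 15:38:40 claimtools pluto[6219]: "test" #1: XAUTH: Successfully Authenticated
Aug 11 15:38:40 claimtools pluto[6219]: "test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:197dcd2f proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 11 15:38:40 claimtools pluto[6219]: "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x89f86b92 192.168.80.0/24:0/0
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Aug 11 19:34:00 claimtools pluto[6219]: "test" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 11 19:34:00 claimtools pluto[6219]: packet from 70.67.129.119:4500: received and ignored informational message
Aug 11 19:34:00 claimtools pluto[6219]: "test" #4: XAUTH username requested, but no file descriptor available for prompt
Aug 11 19:34:10 claimtools pluto[6219]: "test" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #3 {using isakmp#4 msgid:14d475fd proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 11 19:35:20 claimtools pluto[6219]: "test" #5: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 11 19:35:20 claimtools pluto[6219]: "test" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #5 {using isakmp#4 msgid:ac8007e7 proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 11 19:36:30 claimtools pluto[6219]: "test" #6: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
""".splitlines()


def analyze(lines):
    """Walk pluto state lines in order and return the correlated SA picture plus findings."""
    isakmp = []          # ISAKMP (phase 1) state numbers in order of establishment
    xauth_ok = set()     # ISAKMP states that completed XAUTH
    no_prompt = []       # ISAKMP states where pluto could not prompt for XAUTH credentials
    ipsec_up = []        # IPsec (phase 2) state numbers that reached QI2
    parent_of = {}       # IPsec state -> ISAKMP state it was negotiated under
    quick_failures = []  # (ipsec_state, isakmp_state) pairs that hit the retransmit limit
    findings = []        # (code, detail) pairs
    weak_reported = False

    for line in lines:
        m = PLUTO_RE.match(line.strip())
        if not m:
            continue  # not a per-state pluto line (e.g. "packet from ...")
        st, msg = int(m.group("st")), m.group("msg")

        if "ISAKMP SA established" in msg:
            isakmp.append(st)
        elif msg.startswith("XAUTH: Successfully Authenticated"):
            xauth_ok.add(st)
        elif msg.startswith("XAUTH username requested, but no file descriptor"):
            no_prompt.append(st)
            # The prompt is only missing on a phase 1 SA that pluto negotiated on its own,
            # i.e. after the interactive bring-up that created the first ISAKMP SA returned.
            if len(isakmp) > 1 and st != isakmp[0]:
                findings.append((XAUTH_REKEY_NO_PROMPT, st))
        elif msg.startswith("initiating Quick Mode"):
            u = USING_ISAKMP_RE.search(msg)
            if u:
                parent_of[st] = int(u.group(1))
            p = PROPOSAL_RE.search(msg)
            # 3DES and MD5 are legacy algorithms; report the offered proposal once.
            if p and not weak_reported and re.search(r'\b(MD5|3DES|DES)\b', p.group(1)):
                findings.append((WEAK_PHASE2_PROPOSAL, p.group(1)))
                weak_reported = True
        elif "IPsec SA established" in msg:
            ipsec_up.append(st)
        elif "max number of retransmissions" in msg and "STATE_QUICK_I1" in msg:
            parent = parent_of.get(st)
            quick_failures.append((st, parent))
            # Quick Mode under an ISAKMP SA whose XAUTH never finished is what the peer drops.
            if parent is not None and parent not in xauth_ok:
                findings.append((QUICK_MODE_ON_UNAUTHENTICATED_SA, st))

    return {"isakmp": isakmp, "xauth_ok": xauth_ok, "no_prompt": no_prompt,
            "ipsec_up": ipsec_up, "quick_failures": quick_failures, "findings": findings}


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_LOG)["findings"]:
        print(f"{code}: {detail}")
```

Run against the sample, the script reports one weak-proposal finding for the 3DES/MD5 offer, the missing XAUTH prompt on ISAKMP SA #4, and Quick Mode failures for states #5 and #6 under that SA; fed the live /var/log/secure it gives an alert to act on instead of the cron-based teardown. The underlying cause it isolates is that a rekeyed phase 1 has nobody to answer the XAUTH challenge. Openswan does provide non-interactive ways to supply those credentials (an XAUTH entry type in ipsec.secrets(5), and whack's --xauthname/--xauthpass options); which of these the Openswan build shipped for CentOS 4 supports should be confirmed against its own man pages. Either route puts a reusable credential on disk, so the file must stay root-only and the account should be one scoped to this tunnel rather than a personal login.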
