Koozali.org: home of the SME Server

FreeSwan IPSEC vpn

Terry Brummell

FreeSwan IPSEC vpn
« on: January 28, 2003, 08:28:17 PM »
OK, I've added IPSEC VPN per Darrell's contrib and can't get it working.  It looks like something on the "client" server is not working/blocking the connection.

Both servers are 5.5u2.

Here are the details:
VPN "Server": 66.46.xx.xxx
Defined Remote Local Network of 192.168.12.0

VPN "Client": 24.192.xx.xxx
Defined Remote Local Network of 192.168.33.0

Have followed Darrell's HowTo twice, with the same results both times.
Here are the relevant log files:

VPN "Server":
Jan 28 11:25:10 sme3300 ipsec_setup: Starting FreeS/WAN IPsec 1.97...
Jan 28 11:25:10 sme3300 ipsec_setup: KLIPS debug none'
Jan 28 11:25:10 sme3300 ipsec_setup: KLIPS ipsec0 on eth1 66.46.196.116/255.255.255.0 broadcast 66.46.196.255
Jan 28 11:25:10 sme3300 ipsec_setup: ...FreeS/WAN IPsec started
Jan 28 11:27:02 sme3300 ipsec__plutorun: 104 "net.local-net.192.168.12.0" #1: STATE_MAIN_I1: initiate
Jan 28 11:27:02 sme3300 ipsec__plutorun: 010 "net.local-net.192.168.12.0" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
Jan 28 11:27:02 sme3300 ipsec__plutorun: 010 "net.local-net.192.168.12.0" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
Jan 28 11:27:02 sme3300 last message repeated 2 times
Jan 28 11:27:02 sme3300 ipsec__plutorun: 106 "net.local-net.192.168.12.0" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 28 11:27:02 sme3300 ipsec__plutorun: 108 "net.local-net.192.168.12.0" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 28 11:27:02 sme3300 ipsec__plutorun: 004 "net.local-net.192.168.12.0" #1: STATE_MAIN_I4: ISAKMP SA established
Jan 28 11:27:02 sme3300 ipsec__plutorun: 112 "net.local-net.192.168.12.0" #5: STATE_QUICK_I1: initiate
Jan 28 11:27:02 sme3300 ipsec__plutorun: 004 "net.local-net.192.168.12.0" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
Jan 28 11:27:02 sme3300 ipsec__plutorun: 112 "gate.local-net.192.168.12.0" #6: STATE_QUICK_I1: initiate
Jan 28 11:27:02 sme3300 ipsec__plutorun: 004 "gate.local-net.192.168.12.0" #6: STATE_QUICK_I2: sent QI2, IPsec SA established
Jan 28 11:27:02 sme3300 ipsec__plutorun: 112 "gate.local-gate.192.168.12.0" #7: STATE_QUICK_I1: initiate
Jan 28 11:27:02 sme3300 ipsec__plutorun: 004 "gate.local-gate.192.168.12.0" #7: STATE_QUICK_I2: sent QI2, IPsec SA established
Jan 28 11:27:03 sme3300 ipsec__plutorun: 112 "net.local-gate.192.168.12.0" #8: STATE_QUICK_I1: initiate
Jan 28 11:27:03 sme3300 ipsec__plutorun: 004 "net.local-gate.192.168.12.0" #8: STATE_QUICK_I2: sent QI2, IPsec SA established

and logs from the VPN "Client":
Jan 28 11:16:49 pdc ipsec_setup: ...FreeS/WAN IPsec started
Jan 28 11:16:51 pdc ipsec__plutorun: 003 "gate.192.168.33.0-net.local": route-client command exited with status 7
Jan 28 11:16:51 pdc ipsec__plutorun: 003 "gate.192.168.33.0-net.local": down-client command exited with status 1
Jan 28 11:16:51 pdc ipsec__plutorun: 025 "gate.192.168.33.0-net.local": could not route
Jan 28 11:16:51 pdc ipsec__plutorun: ...could not route conn "gate.192.168.33.0-net.local"
Jan 28 11:16:51 pdc ipsec__plutorun: 003 "gate.192.168.33.0-gate.local": route-host command exited with status 7
Jan 28 11:16:51 pdc ipsec__plutorun: 025 "gate.192.168.33.0-gate.local": could not route
Jan 28 11:16:51 pdc ipsec__plutorun: ...could not route conn "gate.192.168.33.0-gate.local"
Jan 28 11:16:51 pdc ipsec__plutorun: 003 "net.192.168.33.0-gate.local": route-host command exited with status 7
Jan 28 11:16:51 pdc ipsec__plutorun: 025 "net.192.168.33.0-gate.local": could not route
Jan 28 11:16:51 pdc ipsec__plutorun: ...could not route conn "net.192.168.33.0-gate.local"
Jan 28 11:16:52 pdc ipsec__plutorun: 003 "net.192.168.33.0-net.local": route-client command exited with status 7
Jan 28 11:16:52 pdc ipsec__plutorun: 025 "net.192.168.33.0-net.local": could not route
Jan 28 11:16:52 pdc ipsec__plutorun: ...could not route conn "net.192.168.33.0-net.local"
Jan 28 11:17:10 pdc kernel: ip_demasq_esp(): Inbound from 66.46.xx.xxx SPI E37FA4C1 has no masq table entry.
Jan 28 11:17:20 pdc last message repeated 10 times
Jan 28 11:17:21 pdc kernel: ip_demasq_esp(): Inbound from 66.46.xx.xxx SPI E37FA4C3 has no masq table entry.
Jan 28 11:17:52 pdc last message repeated 31 times
Jan 28 11:18:02 pdc ipsec__plutorun: 104 "gate.192.168.33.0-net.local" #1: STATE_MAIN_I1: initiate
Jan 28 11:18:02 pdc ipsec__plutorun: 106 "gate.192.168.33.0-net.local" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 28 11:18:02 pdc ipsec__plutorun: 108 "gate.192.168.33.0-net.local" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 28 11:18:02 pdc ipsec__plutorun: 004 "gate.192.168.33.0-net.local" #1: STATE_MAIN_I4: ISAKMP SA established
Jan 28 11:18:02 pdc ipsec__plutorun: 112 "gate.192.168.33.0-net.local" #2: STATE_QUICK_I1: initiate
Jan 28 11:18:02 pdc ipsec__plutorun: 003 "gate.192.168.33.0-net.local" #2: route-client command exited with status 7
Jan 28 11:18:02 pdc ipsec__plutorun: 032 "gate.192.168.33.0-net.local" #2: STATE_QUICK_I1: internal error
Jan 28 11:18:02 pdc ipsec__plutorun: 003 "gate.192.168.33.0-net.local" #2: route-client command exited with status 7
Jan 28 11:18:02 pdc ipsec__plutorun: 032 "gate.192.168.33.0-net.local" #2: STATE_QUICK_I1: internal error
Jan 28 11:18:02 pdc ipsec__plutorun: 010 "gate.192.168.33.0-net.local" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
Jan 28 11:18:02 pdc ipsec__plutorun: 010 "gate.192.168.33.0-net.local" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
Jan 28 11:18:02 pdc ipsec__plutorun: 003 "gate.192.168.33.0-net.local" #2: route-client command exited with status 7
Jan 28 11:18:02 pdc ipsec__plutorun: 032 "gate.192.168.33.0-net.local" #2: STATE_QUICK_I1: internal error
Jan 28 11:18:02 pdc ipsec__plutorun: 031 "gate.192.168.33.0-net.local" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 28 11:18:02 pdc ipsec__plutorun: 000 "gate.192.168.33.0-net.local" #2: starting keying attempt 2 of an unlimited number, but releasing whack
Jan 28 11:18:02 pdc ipsec__plutorun: ...could not start conn "gate.192.168.33.0-net.local"
Jan 28 11:18:53 pdc last message repeated 61 times
Jan 28 11:19:13 pdc ipsec__plutorun: 112 "gate.192.168.33.0-gate.local" #10: STATE_QUICK_I1: initiate
Jan 28 11:19:13 pdc ipsec__plutorun: 003 "gate.192.168.33.0-gate.local" #10: route-host command exited with status 7
Jan 28 11:19:13 pdc ipsec__plutorun: 032 "gate.192.168.33.0-gate.local" #10: STATE_QUICK_I1: internal error
Jan 28 11:19:13 pdc ipsec__plutorun: 010 "gate.192.168.33.0-gate.local" #10: STATE_QUICK_I1: retransmission; will wait 20s for response
Jan 28 11:19:13 pdc ipsec__plutorun: 003 "gate.192.168.33.0-gate.local" #10: route-host command exited with status 7
Jan 28 11:19:13 pdc ipsec__plutorun: 032 "gate.192.168.33.0-gate.local" #10: STATE_QUICK_I1: internal error
Jan 28 11:19:13 pdc ipsec__plutorun: 010 "gate.192.168.33.0-gate.local" #10: STATE_QUICK_I1: retransmission; will wait 40s for response
Jan 28 11:19:13 pdc ipsec__plutorun: 003 "gate.192.168.33.0-gate.local" #10: route-host command exited with status 7
Jan 28 11:19:13 pdc ipsec__plutorun: 032 "gate.192.168.33.0-gate.local" #10: STATE_QUICK_I1: internal error
Jan 28 11:19:13 pdc ipsec__plutorun: 031 "gate.192.168.33.0-gate.local" #10: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 28 11:19:13 pdc ipsec__plutorun: 000 "gate.192.168.33.0-gate.local" #10: starting keying attempt 2 of an unlimited number, but releasing whack
Jan 28 11:19:13 pdc ipsec__plutorun: ...could not start conn "gate.192.168.33.0-gate.local"

And after trying to ping the remote gateway of each box, here is the ipsec0 ifconfig data:

VPN "Server":
ipsec0    Link encap:Ethernet  HWaddr 00:A0:CC:D7:94:2A
          inet addr:66.46.xx.xxx  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:312 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:87632 (85.5 Kb)

VPN "Client":
ipsec0    Link encap:Ethernet  HWaddr 00:01:02:73:05:D5
          inet addr:24.192.xx.xxx  Mask:255.255.255.224
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:76 errors:0 dropped:76 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


You can see that the client isn't even trying to transmit pings, while the server is pinging and the client is receiving but dropping the packets.  I am sooo confused at this point...

It seems that something on the "Client" is not set up properly, but everything in the server manager has been checked twice.
Any help on this would be greatly appreciated.

Terry

Luis

Re: FreeSwan IPSEC vpn
« Reply #1 on: January 28, 2003, 10:10:27 PM »
Same problem... I double-checked the HowTo and can't connect.
I am using 2 SME 5.5 U2.

The client-side log says:

Jan 28 15:49:04 e-smith kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.97
Jan 28 15:49:04 e-smith e-smith-bg: ipsec_setup: Starting FreeS/WAN IPsec 1.97...
Jan 28 15:49:04 e-smith ipsec_setup: Starting FreeS/WAN IPsec 1.97...
Jan 28 15:49:04 e-smith ipsec_setup: KLIPS debug none'
Jan 28 15:49:05 e-smith ipsec_setup: KLIPS ipsec0 on eth1 200.81.19.41/255.255.255.240 broadcast 200.81.19.47
Jan 28 15:49:05 e-smith ipsec_setup: ...FreeS/WAN IPsec started
Jan 28 15:50:48 e-smith ipsec__plutorun: 104 "gate.192.168.1.0-net.local" #1: STATE_MAIN_I1: initiate
Jan 28 15:50:48 e-smith ipsec__plutorun: 010 "gate.192.168.1.0-net.local" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
Jan 28 15:50:48 e-smith ipsec__plutorun: 010 "gate.192.168.1.0-net.local" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
Jan 28 15:50:48 e-smith ipsec__plutorun: 106 "gate.192.168.1.0-net.local" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 28 15:50:48 e-smith ipsec__plutorun: 108 "gate.192.168.1.0-net.local" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 28 15:50:48 e-smith ipsec__plutorun: 003 "gate.192.168.1.0-net.local" #1: discarding duplicate packet; already STATE_MAIN_I3
Jan 28 15:50:48 e-smith ipsec__plutorun: 010 "gate.192.168.1.0-net.local" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
Jan 28 15:50:48 e-smith ipsec__plutorun: 003 "gate.192.168.1.0-net.local" #1: discarding duplicate packet; already STATE_MAIN_I3
Jan 28 15:50:48 e-smith ipsec__plutorun: 010 "gate.192.168.1.0-net.local" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
Jan 28 15:50:48 e-smith ipsec__plutorun: 031 "gate.192.168.1.0-net.local" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Jan 28 15:50:48 e-smith ipsec__plutorun: 000 "gate.192.168.1.0-net.local" #1: starting keying attempt 2 of an unlimited number, but releasing whack
Jan 28 15:50:48 e-smith ipsec__plutorun: ...could not start conn "gate.192.168.1.0-net.local"


8(...  I will repeat any pass..

Luis

MORE INFO
« Reply #2 on: January 28, 2003, 10:14:55 PM »
I ping the other side's local IP address and then check the ifconfig output

I have dropped packets



ipsec0    Link encap:Ethernet  HWaddr 00:01:02:68:4B:61
          inet addr:200.81.XX.XX  Mask:255.255.255.240
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:205 errors:0 dropped:819 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:64246 (62.7 Kb)

David Woolley

Re: MORE INFO
« Reply #3 on: January 28, 2003, 11:09:30 PM »
I have 2x v5.5u2 running a FreeSwan vpn, so I know it works.  The breakthrough for me was switching off data encryption on the interface.  Did you do that yet?  Search this forum for info.

HTH

David

Luis

Re: MORE INFO
« Reply #4 on: January 29, 2003, 12:14:49 AM »
Hi David and thank you  for your time.

I, like Terry Brummell, am using the "IPSEC VPN Darrell's HowTo" for e-smith 5.5.

I disabled every encryption setting in the VPN manager at both ends of the VPN (server and client, or left and right) and nothing; it just reduced the number of entries in the output of the route command for ipsec from 3 to 1.

I have a couple of questions..

What method do you use to configure IPSEC on 2 SMEs?

How many entries do you have in the output of the route command for the ipsec interface?

How many "local networks" do you add on each server?

THANK YOU AGAIN, and sorry, my English is very poor... 8(..

Luis

Terry Brummell

Re: FreeSwan IPSEC vpn
« Reply #5 on: January 29, 2003, 01:11:32 AM »
Interesting note, now that I'm at home I find I am unable to access the server manager (or ssh) on the other box, which is defined in the Remote Access panel.  So, through another server I was able to access the server manager and set all the encryption to "No".  It did allow me to access the server manager (and ssh) again (strange!) but still no IPSEC traffic.  I put the encryption back to "Yes" and again I'm unable to access the server manager (strange!).  The only difference I noticed without the encryption is there are no entries in the messages logfile when I try and ping from either side.
I think a lot of my problem is in this part of the log I see when I try and ping my local network from the far side:
Jan 28 17:01:11 pdc kernel: ip_demasq_esp(): Inbound from 66.46.xx.xxx SPI D349E074 has no masq table entry.
Jan 28 17:01:12 pdc kernel: ip_demasq_esp(): Inbound from 66.46.xx.xxx SPI D349E073 has no masq table entry.

Anybody have any ideas?

Terry

Luis

Solution for ME!..
« Reply #6 on: January 29, 2003, 05:45:50 PM »
I checked 2 files:

/etc/ipsec.conf
/etc/ipsec.secrets

The public key was not the same in both files, so I re-ran

/sbin/e-smith/signal-event ipsec-install  

which rebuilds a new public key, and now the 2 files have the same public key!!

I can connect both networks with all encryption settings ON; just change the public key at the remote location and WOOOWWW...!!

I am very happy 8)..

Luis Ludovico
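An added example (not from the thread, Darrell's contrib or the SME project) of the check Luis describes above: compare the RSA public key that ipsec.conf advertises for this host with the key pair held in ipsec.secrets, so a stale key left behind after a rebuild shows up before the tunnel fails authentication. It assumes stock FreeS/WAN syntax (a `leftrsasigkey=` line in ipsec.conf and the `#pubkey=` comment that `ipsec rsasigkey` writes into ipsec.secrets); the sample files and key strings are constructed.

```shell
#!/bin/sh
# Added example: report whether the RSA public key that ipsec.conf advertises
# for this host is the one whose private half lives in ipsec.secrets.
# Assumes stock FreeS/WAN syntax (leftrsasigkey= / #pubkey=); the SME contrib
# may template these files differently. Sample files and keys are constructed.

# First leftrsasigkey= value in an ipsec.conf (keys are "0s" + base64).
conf_pubkey() {
    sed -n 's|^[[:space:]]*leftrsasigkey=\(0s[A-Za-z0-9+/=]*\).*|\1|p' "$1" | head -n 1
}

# The #pubkey= comment that "ipsec rsasigkey" writes next to the private key.
secrets_pubkey() {
    sed -n 's|^[[:space:]]*#pubkey=\(0s[A-Za-z0-9+/=]*\).*|\1|p' "$1" | head -n 1
}

# 0 when both files carry the same non-empty key, 1 otherwise.
keys_match() {
    c=$(conf_pubkey "$1"); s=$(secrets_pubkey "$2")
    [ -n "$c" ] && [ -n "$s" ] && [ "$c" = "$s" ]
}

# Constructed sample files. STALE_CONF still advertises the old key, which is
# the mismatch described above; FRESH_CONF is what a rebuild would produce.
STALE_CONF=$(mktemp); FRESH_CONF=$(mktemp); SECRETS=$(mktemp)
trap 'rm -f "$STALE_CONF" "$FRESH_CONF" "$SECRETS"' EXIT
cat > "$STALE_CONF" <<'EOF'
conn net.local-net.192.168.12.0
    left=66.46.196.116
    leftrsasigkey=0sAQOoldKEYoldKEYoldKEY==
EOF
sed 's/oldKEY/newKEY/g' "$STALE_CONF" > "$FRESH_CONF"
cat > "$SECRETS" <<'EOF'
: RSA {
    # RSA 2192 bits sme3300 Tue Jan 28 11:00:00 2003
    #pubkey=0sAQOnewKEYnewKEYnewKEY==
    Modulus: 0x00
    PublicExponent: 0x03
    }
EOF

for conf in "$STALE_CONF" "$FRESH_CONF"; do
    if keys_match "$conf" "$SECRETS"; then
        echo "OK: $conf advertises the key held in ipsec.secrets"
    else
        echo "MISMATCH: $conf advertises '$(conf_pubkey "$conf")', secrets hold '$(secrets_pubkey "$SECRETS")'"
    fi
done
```

On a real host, point `conf_pubkey` at /etc/ipsec.conf and `secrets_pubkey` at /etc/ipsec.secrets; a MISMATCH is the state Luis cleared by re-running `signal-event ipsec-install` and sending the new public key to the far side.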

Jono

Re: MORE INFO
« Reply #7 on: February 10, 2003, 02:36:12 AM »
Where can I find the "IPSEC VPN Darrell's HowTo" for e-smith 5.5?

I'm trying to get an IPSEC tunnel working, but I can see from your log files that my SMEs are not starting the "pluto_run"??

Jono

Re: MORE INFO
« Reply #8 on: February 10, 2003, 11:38:07 PM »