Solved
Openswan IPsec problem for road-warrior connections

Posted on 2006-04-28
Last Modified: 2008-01-09
Hello all,

We have a Linux box running the Openswan software. The exact version is Openswan IPsec U2.4.5/K2.6.15[5.0.2].
The trouble we have is that we cannot establish a connection from dynamic IP addresses (roadwarriors, etc.). Other connections between fixed IPs or DynDNS names are working perfectly.

Our connection settings in the ipsec.conf file look like this:

conn roadwarrior
        left="1.1.1.2"
        leftsubnet="192.168.123.0/255.255.255.0"
        leftnexthop="1.1.1.1"
        leftid="@linux.firewall.local"
        right="0.0.0.0"
        rightsubnet="10.0.0.0/255.255.255.0"
        rightid="@roadwarrior.firewall.local"
        auto="start"
        authby="secret"
        type="tunnel"
        keyexchange="ike"
        auth="esp"
        pfs="no"
        ike="3des-md5-modp1024"
        esp="3des-md5-96"
        aggrmode="yes"
        rekey="yes"

The error message we have in the BARF output looks like this:

Apr 28 12:45:47 axsweb ipsec__plutorun: 029 "stdenijs": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Apr 28 12:45:47 axsweb ipsec__plutorun: ...could not start conn "stdenijs"

If we temporarily fill in the value "right" in the ipsec.conf file with the exact address of the roadwarrior, the connection is built up in a few seconds.

Can somebody help me? I would like to work only with PRE-SHARED KEYS and not with CERTIFICATES....
Question by:secuteamers
16 Comments
LVL 7

Expert Comment

by:wnross
ID: 16575369
try
right=%any

Cheers,
-Bill

Author Comment

by:secuteamers
ID: 16578532
Bill,

I have already tested this, but I have the same error:

cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)

Thanks,

SecuTeamers
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16579267
maybe you need to use a default road warrior setup

conn road
    rightnexthop=%defaultroute     # correct in many situations
    right=%any                     # Wildcard: we don't know the laptop's IP
    rightid=@road.example.com      #
    ...  (all your configuration)
LVL 7

Expert Comment

by:wnross
ID: 16579292
How are you launching ipsec?
ipsec auto --up roadwarrior

should be
ipsec auto --add roadwarrior

alternately change the line
  auto=start
to
  auto=add

Cheers,
-Bill

Author Comment

by:secuteamers
ID: 16583507
Hello,

I have changed those things and now have the following output:

May  2 08:17:05 axsweb pluto[9314]: attempt to redefine connection "roadwarrior"
May  2 08:28:06 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: Aggressive mode peer ID is ID_FQDN: '@roadwarrior.firewall.local'
May  2 08:28:06 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: responding to Aggressive Mode, state #1, connection "roadwarrior" from 80.201.9.116
May  2 08:28:06 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
May  2 08:28:06 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: STATE_AGGR_R1: sent AR1, expecting AI2
May  2 08:28:07 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: packet rejected: should have been encrypted
May  2 08:28:07 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: sending notification INVALID_FLAGS to 80.201.9.116:500
May  2 08:28:08 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
May  2 08:28:08 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: sending notification PAYLOAD_MALFORMED to 80.201.9.116:500
May  2 08:28:23 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
May  2 08:28:23 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: sending notification PAYLOAD_MALFORMED to 80.201.9.116:500
May  2 08:28:38 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
May  2 08:28:38 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: sending notification PAYLOAD_MALFORMED to 80.201.9.116:500
May  2 08:28:53 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
May  2 08:28:53 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: sending notification PAYLOAD_MALFORMED to 80.201.9.116:500
May  2 08:29:08 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
May  2 08:29:08 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: sending notification PAYLOAD_MALFORMED to 80.201.9.116:500
May  2 08:29:16 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116 #1: max number of retransmissions (2) reached STATE_AGGR_R1
May  2 08:29:16 axsweb pluto[9314]: "roadwarrior"[1] 80.201.9.116: deleting connection "stdenijs" instance with peer 80.201.9.116 {isakmp=#0/ipsec=#0}
May  2 08:29:23 axsweb pluto[9314]: packet from 80.201.9.116:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
May  2 08:29:58 axsweb pluto[9314]: packet from 80.201.9.116:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
May  2 08:30:13 axsweb pluto[9314]: packet from 80.201.9.116:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA

LVL 7

Expert Comment

by:wnross
ID: 16585577
Well, you're almost there...

what does ipsec.secrets show?
(Please garble the PSK entry)

-Bill

Author Comment

by:secuteamers
ID: 16585786
Bill,

I do not know exactly what you would like me to do.

My ipsec.secrets file looks like this:

@linux.firewall.local @roadwarrior.firewall.local: PSK "shared_key"

SecuTeamers
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16588836
I have this (I used IPs since we have fixed IP addresses)

200.16.22.12 203.3.5.221 : PSK "our_shared_key"

(left: local IP, middle: remote IP, then the preshared key, all obfuscated)
LVL 7

Expert Comment

by:wnross
ID: 16589456
Redimido: This is a roadwarrior setup

secuteamers:
Bingo, delete everything before the ":"

so
-------- CUT ------------
 : PSK "our_shared_key"
-------- CUT ------------

Cheers,
-Bill
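A small checker for the three roadwarrior pitfalls raised in this thread (a literal right= address instead of %any, auto=start on a template conn, and an ipsec.secrets PSK line keyed to explicit IDs rather than the selector-less form above). This is an added example, not code from the thread or from Openswan; the conf and secrets samples are constructed, and the parser is a deliberately minimal one.

```python
# Added example, not code from the thread: a minimal checker for the Openswan
# roadwarrior pitfalls discussed above.  Both samples are constructed; the first
# secrets line keys the PSK to explicit IDs, the second is the wildcard form.
SAMPLE_CONF = '''conn roadwarrior
        left="1.1.1.2"
        right="0.0.0.0"
        rightid="@roadwarrior.firewall.local"
        auto="start"
        authby="secret"
'''
SECRETS_IDS = '@linux.firewall.local @roadwarrior.firewall.local : PSK "shared_key"\n'
SECRETS_ANY = ': PSK "shared_key"\n'


def parse_conn(text, name):
    """Return {key: value} for one conn section; quotes stripped, comments ignored."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == name
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def parse_secrets(text):
    """Return [(selectors, kind)] per entry, e.g. (['@a', '@b'], 'PSK') or ([], 'PSK')."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if ":" not in line:
            continue
        selectors, rest = line.split(":", 1)
        entries.append((selectors.split(), rest.split()[0] if rest.split() else ""))
    return entries


def check_roadwarrior(conn, secrets):
    """Flag the three misconfigurations the thread worked through."""
    findings = []
    if conn.get("right") != "%any":
        findings.append(f"right={conn.get('right')}: use right=%any for a peer with a dynamic address")
    if conn.get("auto") == "start":
        findings.append("auto=start: pluto cannot initiate a %any template (CK_TEMPLATE); use auto=add")
    if conn.get("authby") == "secret":
        # Main mode selects the PSK by peer IP before any ID is seen, so an unknown-IP
        # peer needs a wildcard entry (empty selector list or %any) in ipsec.secrets.
        if not any(kind == "PSK" and (not sel or "%any" in sel) for sel, kind in secrets):
            findings.append("ipsec.secrets: no wildcard PSK entry (': PSK \"...\"') for the roadwarrior")
    return findings
```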

Author Comment

by:secuteamers
ID: 16593634
Hello Bill,

the ipsec.secrets file looks like this:

: PSK "shared_key"

The barf output is the following:

May  3 08:47:49 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: Aggressive mode peer ID is ID_FQDN: '@roadwarrior.firewall.local'
May  3 08:47:49 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: responding to Aggressive Mode, state #1, connection "roadwarrior" from 81.240.90.48
May  3 08:47:49 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
May  3 08:47:49 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: STATE_AGGR_R1: sent AR1, expecting AI2
May  3 08:47:49 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: packet rejected: should have been encrypted
May  3 08:47:49 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: sending notification INVALID_FLAGS to 81.240.90.48:500
May  3 08:47:51 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
May  3 08:47:51 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: sending notification PAYLOAD_MALFORMED to 81.240.90.48:500
May  3 08:48:07 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
May  3 08:48:07 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: sending notification PAYLOAD_MALFORMED to 81.240.90.48:500
May  3 08:48:22 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
May  3 08:48:22 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: sending notification PAYLOAD_MALFORMED to 81.240.90.48:500
May  3 08:48:37 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
May  3 08:48:37 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: sending notification PAYLOAD_MALFORMED to 81.240.90.48:500
May  3 08:48:52 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
May  3 08:48:52 axsweb pluto[19856]: "roadwarrior"[1] 81.240.90.48 #1: sending notification PAYLOAD_MALFORMED to 81.240.90.48:500

Thanks for your advice,

SecuTeamers
LVL 7

Expert Comment

by:wnross
ID: 16601939
Hmm,

1) what is your "road warrior" running? XP or Windows 2000?
2) Did you restart services before running the test? (Just checking)

Looks like a NAT - NAT issue, I'll post back in a bit
LVL 7

Expert Comment

by:wnross
ID: 16602945
Oh, Windows doesn't support aggressive mode: try shutting down aggressive mode as well
        aggrmode="no"

Cheers again
-Bill

Author Comment

by:secuteamers
ID: 16603026
Hello,

It is not exactly a roadwarrior setup. The client is in fact a Netopia router.

It is the same principle as a road-warrior setup. In the config of the Netopia router we can choose main or aggressive mode. The problem is that when we use main mode, the connection goes down after a while. When we restart ipsec on the Linux box or when we restart the Netopia, the connection is up for a while.

I think it must be possible to use aggressive mode?

SecuTeamers
LVL 7

Accepted Solution

by:
wnross earned 2000 total points
ID: 16605086
Ok, did you fully restart the server?  I saw references to the old ipsec.secrets in that last log

Also, just for curiosity's sake, can you alter your ike setting to the default:
     ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024

Cheers,
-Bill

Author Comment

by:secuteamers
ID: 16605225
Bill,

for the moment I have done a test with main mode and the connection is up. I will check this out first.

I will test your ike option.

Thanks for the helpful info.

SecuTeamers
LVL 7

Expert Comment

by:wnross
ID: 16605475
Excessive packet loss can cause VPN drops to occur. If it becomes a problem, try dropping the MTU on your connection; smaller packets == less data loss on noisy lines.