Openswan 2.4.6 / Kernel 2.6.18-6-686 Debian Etch

Topic: Openswan 2.4.6 / Kernel 2.6.18-6-686 Debian Etch, author: kaniggl (---.dip.t-dialin.net), last reply: 1 Nov 2008 10:15
Hello,

First of all: I have already worked extensively through the HowTos and docs from Spenneberg (naturally), Jacco, openswan.org and freeswan.org.

Still, I am stuck at one particular point and somehow I am simply out of ideas right now.

I have Openswan in the current version running (well, almost) on a current Debian Etch.

I am trying to establish a connection with a roadwarrior (Windows Vista SP1). The connection is supposed to use certificates. I created the certificate on a Windows 2003 CA. The .cer file was placed in the certs directory. The CN is the name of the public IP: vpn.firma.de.
The server itself is inside the company network, i.e. NATed.

Here is the excerpt from auth.log:
Oct 4 15:59:51 ke-openswan pluto[20511]: Warning: empty directory
Oct 4 15:59:52 ke-openswan pluto[20511]: loaded host cert file '/etc/ipsec.d/certs/vpn.cer' (1234 bytes)
Oct 4 15:59:52 ke-openswan pluto[20511]: added connection description "l2tp-X.509"
Oct 4 15:59:52 ke-openswan pluto[20511]: listening for IKE messages
Oct 4 15:59:52 ke-openswan pluto[20511]: adding interface eth0/eth0 10.8.74.28:500
Oct 4 15:59:52 ke-openswan pluto[20511]: adding interface eth0/eth0 10.8.74.28:4500
Oct 4 15:59:52 ke-openswan pluto[20511]: adding interface lo/lo 127.0.0.1:500
Oct 4 15:59:52 ke-openswan pluto[20511]: adding interface lo/lo 127.0.0.1:4500
Oct 4 15:59:52 ke-openswan pluto[20511]: adding interface lo/lo ::1:500
Oct 4 15:59:52 ke-openswan pluto[20511]: loading secrets from "/etc/ipsec.secrets"
Oct 4 16:00:00 ke-openswan pluto[20511]: packet from 84.156.76.28:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006]
Oct 4 16:00:00 ke-openswan pluto[20511]: packet from 84.156.76.28:500: received Vendor ID payload [RFC 3947] method set to=110
Oct 4 16:00:00 ke-openswan pluto[20511]: packet from 84.156.76.28:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Oct 4 16:00:00 ke-openswan pluto[20511]: packet from 84.156.76.28:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 4 16:00:00 ke-openswan pluto[20511]: packet from 84.156.76.28:500: ignoring unknown Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
Oct 4 16:00:00 ke-openswan pluto[20511]: packet from 84.156.76.28:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 4 16:00:00 ke-openswan pluto[20511]: packet from 84.156.76.28:500: ignoring unknown Vendor ID payload [e3a5966a76379fe707228231e5ce8652]
Oct 4 16:00:00 ke-openswan pluto[20511]: "l2tp-X.509"[1] 84.156.76.28 #1: responding to Main Mode from unknown peer 84.156.76.28
Oct 4 16:00:00 ke-openswan pluto[20511]: "l2tp-X.509"[1] 84.156.76.28 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Oct 4 16:00:00 ke-openswan pluto[20511]: "l2tp-X.509"[1] 84.156.76.28 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Oct 4 16:00:00 ke-openswan pluto[20511]: "l2tp-X.509"[1] 84.156.76.28 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 4 16:00:00 ke-openswan pluto[20511]: "l2tp-X.509"[1] 84.156.76.28 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 4 16:00:00 ke-openswan pluto[20511]: "l2tp-X.509"[1] 84.156.76.28 #1: NAT-Traversal: Result using 3: both are NATed
Oct 4 16:00:00 ke-openswan pluto[20511]: "l2tp-X.509"[1] 84.156.76.28 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 4 16:00:00 ke-openswan pluto[20511]: "l2tp-X.509"[1] 84.156.76.28 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 4 16:00:00 ke-openswan pluto[20511]: "l2tp-X.509"[1] 84.156.76.28 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, CN=dummy, E=dummy@firma.de'
Oct 4 16:00:00 ke-openswan pluto[20511]: "l2tp-X.509"[1] 84.156.76.28 #1: no crl from issuer "DC=local, DC=firma, CN=Firma GmbH" found (strict=no)
Oct 4 16:00:00 ke-openswan pluto[20511]: "l2tp-X.509"[1] 84.156.76.28 #1: no suitable connection for peer 'C=DE, CN=dummy, E=dummy@firma.de'

Here is ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $

# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces=%defaultroute
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg:
    # plutodebug="all"
    #
    # Only enable klipsdebug=all if you are a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    #
    # enable this if you see "failed to find any available worker"
    nhelpers=0

# Add connections here
conn l2tp-X.509
    #
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    #
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    authby=rsasig
    pfs=no
    auto=add
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Do not enable the line below. It is implicitly used, and
    # specifying it will currently break when using nat-t.
    # type=transport. See http://bugs.xelerance.com/view.php?id=466
    #
    left=%defaultroute
    # or you can use: left=YourIPAddress
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/vpn.cer
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightid="C=DE, CN=dummy, E=dummy@firma.de"
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%priv,%no



# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

Edit: I was able to solve the problem above, or rather it solved itself. But of course it now hangs at the next step:

Oct 6 10:41:00 ke-openswan pluto[3849]: loaded host cert file '/etc/ipsec.d/certs/vpn.cer' (1366 bytes)
Oct 6 10:41:00 ke-openswan pluto[3849]: added connection description "l2tp-X.509"
Oct 6 10:41:00 ke-openswan pluto[3849]: listening for IKE messages
Oct 6 10:41:00 ke-openswan pluto[3849]: adding interface eth0/eth0 10.8.74.28:500
Oct 6 10:41:00 ke-openswan pluto[3849]: adding interface eth0/eth0 10.8.74.28:4500
Oct 6 10:41:00 ke-openswan pluto[3849]: adding interface lo/lo 127.0.0.1:500
Oct 6 10:41:00 ke-openswan pluto[3849]: adding interface lo/lo 127.0.0.1:4500
Oct 6 10:41:01 ke-openswan pluto[3849]: adding interface lo/lo ::1:500
Oct 6 10:41:01 ke-openswan pluto[3849]: loading secrets from "/etc/ipsec.secrets"
Oct 6 10:41:01 ke-openswan pluto[3849]: loaded private key file '/etc/ipsec.d/private/key.pem' (1675 bytes)
Oct 6 10:41:07 ke-openswan pluto[3849]: packet from X.X.X.X:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006]
Oct 6 10:41:07 ke-openswan pluto[3849]: packet from X.X.X.X:500: received Vendor ID payload [RFC 3947] method set to=110
Oct 6 10:41:07 ke-openswan pluto[3849]: packet from X.X.X.X:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Oct 6 10:41:07 ke-openswan pluto[3849]: packet from X.X.X.X:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 6 10:41:07 ke-openswan pluto[3849]: packet from X.X.X.X:500: ignoring unknown Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
Oct 6 10:41:07 ke-openswan pluto[3849]: packet from X.X.X.X:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 6 10:41:07 ke-openswan pluto[3849]: packet from X.X.X.X:500: ignoring unknown Vendor ID payload [e3a5966a76379fe707228231e5ce8652]
Oct 6 10:41:07 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: responding to Main Mode from unknown peer X.X.X.X
Oct 6 10:41:07 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Oct 6 10:41:07 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Oct 6 10:41:07 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 6 10:41:07 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: NAT-Traversal: Result using 3: both are NATed
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, CN=dummy, E=dummy@aml-group.de'
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: no crl from issuer "DC=local, DC=firma, CN=Firma GmbH" found (strict=no)
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: I am sending my cert
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 6 10:41:08 ke-openswan pluto[3849]: | NAT-T: new mapping X.X.X.X:500/57374)
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #2: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #2: responding to Quick Mode {msgid:01000000}
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x2dec4032 <0x4fb09b15 xfrm=AES_128-HMAC_SHA1 NATD=X.X.X.X:57374 DPD=none}
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #3: responding to Quick Mode {msgid:02000000}
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x5de54907 <0x3524a153 xfrm=AES_128-HMAC_SHA1 NATD=X.X.X.X:57374 DPD=none}
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: received Delete SA(0x2dec4032) payload: deleting IPSEC State #2
Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: received and ignored informational message
Oct 6 10:41:15 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #4: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Oct 6 10:41:15 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #4: responding to Quick Mode {msgid:03000000}
Oct 6 10:41:15 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 6 10:41:15 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 6 10:41:17 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #4: discarding duplicate packet; already STATE_QUICK_R1
Oct 6 10:41:18 ke-openswan pluto[3849]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to X.X.X.X port 57374, complainant 10.8.74.28: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Oct 6 10:41:19 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #4: discarding duplicate packet; already STATE_QUICK_R1
Oct 6 10:41:23 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #4: discarding duplicate packet; already STATE_QUICK_R1
Oct 6 10:41:28 ke-openswan pluto[3849]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to X.X.X.X port 57374, complainant 10.8.74.28: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Oct 6 10:41:31 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #4: discarding duplicate packet; already STATE_QUICK_R1
Oct 6 10:41:43 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: received Delete SA(0x5de54907) payload: deleting IPSEC State #3
Oct 6 10:41:43 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: received and ignored informational message
Oct 6 10:41:43 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: received Delete SA payload: deleting ISAKMP State #1
Oct 6 10:41:43 ke-openswan pluto[3849]: packet from X.X.X.X:57374: received and ignored informational message
Oct 6 10:41:46 ke-openswan pluto[3849]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to X.X.X.X port 57374, complainant 10.8.74.28: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Oct 6 10:41:46 ke-openswan pluto[3849]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to X.X.X.X port 57374, complainant 10.8.74.28: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Oct 6 10:54:25 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #4: max number of retransmissions (20) reached STATE_QUICK_R1
Oct 6 10:54:25 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X: deleting connection "l2tp-X.509" instance with peer X.X.X.X {isakmp=#0/ipsec=#0}
Oct 6 11:17:01 ke-openswan CRON[3959]: (pam_unix) session opened for user root by (uid=0)
Oct 6 11:17:01 ke-openswan CRON[3959]: (pam_unix) session closed for user root

I assume that the L2TP connection is now up next, but nothing happens.
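To see at a glance which layer the log above gets stuck at, here is a small triage script for pluto's syslog output. It is an added example written for this page, not code from the post or from Openswan; the marker phrases, the helper names (parse_line, triage, next_step) and the ordering of the verdicts are my own, and the sample lines are excerpted from the second log in the post (peer address already masked as X.X.X.X there).

```python
import re
from collections import Counter

# Syslog line as written by pluto: "Oct  6 10:41:08 host pluto[3849]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Messages tied to a connection instance and an IKE state number:
# "l2tp-X.509"[1] X.X.X.X #4: <text>
STATE_RE = re.compile(
    r'^"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sn>\d+): (?P<text>.*)$'
)

# Phrases worth counting in a roadwarrior debugging session, mapped to a short key.
# Assembled for this example from the pluto messages that appear in the post.
MARKERS = {
    "no suitable connection for peer": "peer_id_mismatch",
    "ISAKMP SA established": "phase1_ok",
    "IPsec SA established": "phase2_ok",
    "asynchronous network error report": "icmp_unreachable",
    "discarding duplicate packet": "peer_retransmit",
    "max number of retransmissions": "retransmit_limit",
}


def parse_line(line):
    """Return a dict for one pluto syslog line, or None for non-pluto lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "pid": int(m.group("pid")), "msg": m.group("msg"),
           "conn": None, "peer": None, "state": None, "text": m.group("msg")}
    s = STATE_RE.match(rec["msg"])
    if s:
        rec.update(conn=s.group("conn"), peer=s.group("peer"),
                   state=int(s.group("sn")), text=s.group("text"))
    return rec


def triage(lines):
    """Count marker phrases and group state-bound messages by IKE state number."""
    counts = Counter()
    per_state = {}
    for rec in filter(None, map(parse_line, lines)):
        for phrase, key in MARKERS.items():
            if phrase in rec["text"]:
                counts[key] += 1
        if rec["state"] is not None:
            per_state.setdefault(rec["state"], []).append(rec["text"])
    return {"counts": dict(counts), "states": per_state}


def next_step(result):
    """Name the layer to inspect next, in the order the handshake proceeds."""
    c = result["counts"]
    if c.get("peer_id_mismatch"):
        return "peer-id"        # rightid / rightca / certificate chain
    if not c.get("phase1_ok"):
        return "phase1"         # proposals, certificates, secrets
    if not c.get("phase2_ok"):
        return "phase2"         # protoport / subnet selectors
    if c.get("icmp_unreachable") or c.get("retransmit_limit"):
        return "nat-t-path"     # UDP 4500 return path, NAT mapping, firewall
    return "l2tp"               # IPsec is up; look at the L2TP daemon next


# Excerpt of the second auth.log in the post (constructed subset, same wording).
SAMPLE_LOG = [
    'Oct 6 10:41:07 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: responding to Main Mode from unknown peer X.X.X.X',
    'Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}',
    'Oct 6 10:41:08 ke-openswan pluto[3849]: | NAT-T: new mapping X.X.X.X:500/57374)',
    'Oct 6 10:41:08 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x2dec4032 <0x4fb09b15 xfrm=AES_128-HMAC_SHA1 NATD=X.X.X.X:57374 DPD=none}',
    'Oct 6 10:41:15 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2',
    'Oct 6 10:41:17 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #4: discarding duplicate packet; already STATE_QUICK_R1',
    'Oct 6 10:41:18 ke-openswan pluto[3849]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to X.X.X.X port 57374, complainant 10.8.74.28: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]',
    'Oct 6 10:41:28 ke-openswan pluto[3849]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to X.X.X.X port 57374, complainant 10.8.74.28: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]',
    'Oct 6 10:54:25 ke-openswan pluto[3849]: "l2tp-X.509"[1] X.X.X.X #4: max number of retransmissions (20) reached STATE_QUICK_R1',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, n in sorted(result["counts"].items()):
        print(f"{key:18s} {n}")
    print("next step:", next_step(result))
```

On the posted log this reports both phases complete, two ICMP unreachable reports for the UDP 4500 reply path and one retransmission limit, so the verdict is "nat-t-path": the IPsec SAs came up, but the server's replies to port 57374 are not getting back through the NAT in front of it, which is worth checking before looking at the L2TP daemon. On the first log in the post the "no suitable connection for peer" line yields "peer-id" instead.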



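Independently of the log, the posted ipsec.conf has one thing a reviewer would check: rightsubnet=vhost:%priv,%no relies on virtual_private, which ipsec.conf(5) defines as the networks that %priv stands for, and that line is still commented out in config setup. The following checker is an added example for this page, not part of the post or of Openswan; the parser, the function names (parse_ipsec_conf, check_l2tp_roadwarrior) and the list of checks are my own, and the sample configuration is a trimmed copy of the one posted above with a corrected variant beside it.

```python
# Minimal ipsec.conf reader plus checks for an Openswan L2TP/IPsec roadwarrior conn.

def parse_ipsec_conf(text):
    """Return ({section_name: {key: value}}, [include paths]).

    Section headers are 'config setup' and 'conn <name>'; everything else is
    key=value. Indentation is not required here, so a config whose leading
    whitespace was lost (as in a forum paste) still parses. Trailing '#'
    comments are stripped; quoted values containing '#' are not handled.
    """
    sections, includes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("version "):
            continue
        if line.startswith("include "):
            includes.append(line.split(None, 1)[1])
        elif line.startswith(("config ", "conn ")):
            current = line
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections, includes


def check_l2tp_roadwarrior(sections):
    """Return a list of findings; an empty list means the usual pitfalls are absent."""
    findings = []
    setup = sections.get("config setup", {})
    if setup.get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes is needed for clients behind NAT")
    for name, c in sections.items():
        if not name.startswith("conn "):
            continue
        # %priv means "the networks listed in virtual_private" (ipsec.conf(5)),
        # so with virtual_private unset the vhost:%priv entry has nothing to match.
        if "%priv" in c.get("rightsubnet", "") and "virtual_private" not in setup:
            findings.append(f"{name}: rightsubnet uses %priv but config setup sets no virtual_private")
        if c.get("authby") == "rsasig":
            if "leftcert" not in c:
                findings.append(f"{name}: authby=rsasig without leftcert")
            for side in ("leftrsasigkey", "rightrsasigkey"):
                if c.get(side) != "%cert":
                    findings.append(f"{name}: {side} should be %cert when authenticating by certificate")
        # L2TP rides on UDP 1701; older Windows clients need rightprotoport=17/%any.
        if c.get("leftprotoport") != "17/1701":
            findings.append(f"{name}: leftprotoport should be 17/1701 for L2TP")
        if c.get("rightprotoport") not in ("17/1701", "17/%any"):
            findings.append(f"{name}: rightprotoport should be 17/1701 or 17/%any for L2TP")
        if c.get("type") == "transport":
            findings.append(f"{name}: type=transport set explicitly; the sample config warns this breaks NAT-T")
        if c.get("pfs", "yes") != "no":
            findings.append(f"{name}: pfs=no is the usual setting for Windows L2TP clients")
    return findings


# Trimmed copy of the posted configuration (constructed sample, same values).
POSTED = """\
version 2.0
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    nhelpers=0
conn l2tp-X.509
    authby=rsasig
    pfs=no
    auto=add
    rekey=no
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/vpn.cer
    leftprotoport=17/1701
    right=%any
    rightid="C=DE, CN=dummy, E=dummy@firma.de"
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%priv,%no
include /etc/ipsec.d/examples/no_oe.conf
"""
# Same file with the virtual_private line enabled.
FIXED = POSTED.replace("# virtual_private=", "virtual_private=")

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        sections, includes = parse_ipsec_conf(text)
        print(label, "includes:", includes)
        for f in check_l2tp_roadwarrior(sections) or ["no findings"]:
            print("  ", f)
```

The posted file passes every check except the virtual_private one; enabling that line clears the list. Whether that is what keeps the L2TP session from starting is a separate question (the IPsec SAs in the log do come up), but it is the one setting in the pasted file that does not agree with its own rightsubnet line.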
RE: Openswan 2.4.6 / Kernel 2.6.18-6-686 Debian Etch, Ralf (---.dip.t-dialin.net), 14 Oct 2008 13:34
Hello,

that could be related to L2TP, but it may also be that a problem occurs earlier on the Windows side. What does the log look like there?
RE: RE: Openswan 2.4.6 / Kernel 2.6.18-6-686 Debian Etch, kaniggl (---.dip.t-dialin.net), 1 Nov 2008 10:15
Hello,

I have had a lot on my plate lately.

A Vista client with SP1 is being used for testing.
Which part of the logging is needed?
The report is really long.

© 2002-2005 Ralf Spenneberg, OpenSource Security, Germany