Topic: openswan ?

I have had openswan with L2TP working on a WRT54GS (WhiteRussian RC5) for the last three years, just perfectly.

I have just compiled the new 8.09 for the WGT634U with openswan. I am getting a PROTO_ESP error while trying to connect. I assumed the esp4.ko module is needed, so I compiled that, but now it won't load. I actually compiled kmod-ipsec, ipsec4 and all the encryption dependencies:

ah4
esp4
ipcomp

but none of these load. lsmod gives an incorrect parameter error.

Should I statically link the modules? I am trying to avoid that, as I would have to reflash the router again.

Any help would be appreciated.

Re: openswan ?

Hur,

What kernel version are you running, 2.4 or 2.6?

OpenSWAN for kernel 2.4 is broken. 

If you're running kernel 2.6, I think you cannot use netkey as your IPsec stack. The ipsec4 option is used for netkey, which I don't think will work with the version you probably downloaded, which is 2.6.18. You can do an ipsec --version to confirm your openswan version. In your ipsec.conf file you should have protostack=klips; klips works fine with openwrt. However, keep in mind there is no NAT-T support. You can have NAT-T support, but that would mean you need to compile your own version of openwrt with the NAT-T patch.

So as of now.

You should be running a 2.6 kernel, and you should have OpenSWAN 2.6.18, and you also need these dependencies: kmod-openswan, ip, and I think libgmp.

Hope this helps.

ScarEye

(edited by hur 2009-02-27 03:46:18)

Re: openswan ?

I am using kernel 2.6

root@OpenWrt:~# ipsec --version
Linux Openswan 2.6.18 (klips)

Following are the errors I get.

IPsec side:

pluto[2060]: "roadwarrior-net"[1] 192.168.20.80 #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x515d9829) not found (maybe expired)

Cannot load the esp module:

root@OpenWrt:/lib/modules/2.6.25.17# insmod esp4
insmod: cannot insert '/lib/modules/2.6.25.17/esp4.ko': invalid parameters (11): Invalid argument

I did not have to do the above on WhiteRussian; I don't even have an esp4 module there.


It does reach L2TP, and this is what it says:

root@OpenWrt:~# l2tpd -D
This binary does not support kernel L2TP.
l2tpd version 0.69 started on OpenWrt PID:2086
Linux version 2.6.25.17 on a mips, listening on IP address 0.0.0.0, port 1701
handle_avps: handling avp's for tunnel 45175, call 0
message_type_avp: message type 1 (Start-Control-Connection-Request)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: sync
bearer_caps_avp: supported peer bearers:
firmware_rev_avp: peer reports firmware version 1536 (0x0600)
hostname_avp: peer reports hostname 'MYPC'
vendor_avp: peer reports vendor 'Microsoft'
assigned_tunnel_avp: using peer's tunnel 2
receive_window_size_avp: peer wants RWS of 8.  Will use flow control.
handle_avps: handling avp's for tunnel 1706, call 0
message_type_avp: message type 1 (Start-Control-Connection-Request)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: sync
bearer_caps_avp: supported peer bearers:
firmware_rev_avp: peer reports firmware version 1536 (0x0600)
hostname_avp: peer reports hostname 'MYPC'
vendor_avp: peer reports vendor 'Microsoft'
assigned_tunnel_avp: using peer's tunnel 2
receive_window_size_avp: peer wants RWS of 8.  Will use flow control.
control_finish: Peer requested tunnel 2 twice, ignoring second one.
handle_avps: handling avp's for tunnel 24087, call 49940
message_type_avp: message type 1 (Start-Control-Connection-Request)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: sync
bearer_caps_avp: supported peer bearers:
firmware_rev_avp: peer reports firmware version 1536 (0x0600)
hostname_avp: peer reports hostname 'MYPC'
vendor_avp: peer reports vendor 'Microsoft'
assigned_tunnel_avp: using peer's tunnel 2
receive_window_size_avp: peer wants RWS of 8.  Will use flow control.
control_finish: Peer requested tunnel 2 twice, ignoring second one.
control_xmit: Maximum retries exceeded for tunnel 45175.  Closing.
call_close : Connection 2 closed to 192.168.20.80, port 1701 (Timeout)
control_xmit: Unable to deliver closing message for tunnel 45175. Destroying anyway.
^Cdeath_handler: Fatal signal 2 received
root@OpenWrt:~#


It never connects.
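An added example, not code from any post in this thread: insmod (the busybox one on OpenWrt included) inserts exactly the file it is given and never resolves dependencies, so when the xfrm, crypto, ah and esp modules are inserted by hand, the prerequisites have to go in first. The script below computes that order from modules.dep and skips whatever lsmod already shows as loaded. The modules.dep and lsmod text embedded in it are constructed for the example from module names that appear in this thread; the real files on the router are authoritative, and the module directory in insmod_commands() is an assumption. This only removes load order as a variable; it does not diagnose the "invalid parameters" error above, which can also come from a module built against a different kernel configuration than the one running.

```python
"""Work out an insmod order for a kernel module from modules.dep.

Added example for this thread (not from the forum posts). The
modules.dep and lsmod text below are constructed for the example; on
the router read /lib/modules/<version>/modules.dep and run lsmod.
"""

# Constructed modules.dep excerpt. Format: "<module>: <dep> <dep> ...",
# with the full transitive dependency list on each line.
MODULES_DEP = """\
/lib/modules/2.6.25.17/esp4.ko: /lib/modules/2.6.25.17/aead.ko /lib/modules/2.6.25.17/authenc.ko \\
  /lib/modules/2.6.25.17/crypto_blkcipher.ko /lib/modules/2.6.25.17/crypto_hash.ko /lib/modules/2.6.25.17/crypto_algapi.ko
/lib/modules/2.6.25.17/ah4.ko: /lib/modules/2.6.25.17/crypto_hash.ko /lib/modules/2.6.25.17/crypto_algapi.ko
/lib/modules/2.6.25.17/aead.ko: /lib/modules/2.6.25.17/crypto_algapi.ko
/lib/modules/2.6.25.17/authenc.ko: /lib/modules/2.6.25.17/aead.ko /lib/modules/2.6.25.17/crypto_blkcipher.ko /lib/modules/2.6.25.17/crypto_hash.ko /lib/modules/2.6.25.17/crypto_algapi.ko
/lib/modules/2.6.25.17/crypto_blkcipher.ko: /lib/modules/2.6.25.17/crypto_algapi.ko
/lib/modules/2.6.25.17/crypto_hash.ko: /lib/modules/2.6.25.17/crypto_algapi.ko
/lib/modules/2.6.25.17/crypto_algapi.ko:
"""

# Constructed lsmod output: crypto_hash and crypto_algapi already loaded.
LSMOD = """\
Module                  Size  Used by    Not tainted
crypto_hash             2656  0
crypto_algapi          10400  1 crypto_hash
"""


def mod_name(path):
    """'/lib/modules/2.6.25.17/esp4.ko' -> 'esp4' (dashes become underscores, as lsmod prints them)."""
    name = path.strip().rsplit("/", 1)[-1]
    if name.endswith(".ko"):
        name = name[:-3]
    return name.replace("-", "_")


def parse_modules_dep(text):
    """Return {module: [dependencies]} from modules.dep text."""
    deps = {}
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target, _, rest = line.partition(":")
        deps[mod_name(target)] = [mod_name(p) for p in rest.split()]
    return deps


def loaded_modules(lsmod_text):
    """Module names from lsmod output (first column, header line skipped)."""
    names = set()
    for line in lsmod_text.splitlines():
        fields = line.split()
        if fields and fields[0] != "Module":
            names.add(fields[0])
    return names


def insmod_order(target, deps, already_loaded=frozenset()):
    """Depth-first post-order walk: every module comes after all of its
    dependencies. Already-loaded modules are skipped; a module missing
    from modules.dep raises KeyError; a dependency cycle raises ValueError."""
    order, visiting, done = [], set(), set(already_loaded)

    def visit(mod):
        if mod in done:
            return
        if mod in visiting:
            raise ValueError("dependency cycle at %s" % mod)
        if mod not in deps:
            raise KeyError("%s is not in modules.dep; is the .ko installed?" % mod)
        visiting.add(mod)
        for dep in deps[mod]:
            visit(dep)
        visiting.remove(mod)
        done.add(mod)
        order.append(mod)

    visit(target)
    return order


def insmod_commands(target, deps, loaded, moddir="/lib/modules/2.6.25.17"):
    """The insmod lines to run, in order (moddir is an assumption)."""
    return ["insmod %s/%s.ko" % (moddir, m) for m in insmod_order(target, deps, loaded)]


if __name__ == "__main__":
    for cmd in insmod_commands("esp4", parse_modules_dep(MODULES_DEP), loaded_modules(LSMOD)):
        print(cmd)
```

The "Used by" column of the real lsmod output later in this thread is the same graph seen from the other side (aead used by esp4 and authenc, crypto_blkcipher used by cbc, authenc and cryptomgr, and so on), which is a quick way to sanity-check an order before inserting anything.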

(edited by ScarEye 2009-03-02 18:40:00)

Re: openswan ?

Is this a net-to-net connection? Or is your setup like this:

Office-PC1------(LAN)-openwrt/openswan-(WAN)--------internet-------------(WAN)-router-(LAN)--------Home-PC1

Are you trying to connect from Home-PC1 to Office-PC1?

OR

Office-PC1------(LAN)-openwrt/openswan-(WAN)--------internet-------------(WAN)-openwrt/openswan-(LAN)--------Home-PC1

Is this connection from openwrt router to openwrt router running openswan (net-to-net) ?


Thanks
ScarEye


P.S. L2TP was not tested.  NET-2-NET was tested and works.

Re: openswan ?

ScarEye wrote:

Is this a net-to-net connection? Or is your setup like this:

Office-PC1------(LAN)-openwrt/openswan-(WAN)--------internet-------------(WAN)-router-(LAN)--------Home-PC1

Are you trying to connect from Home-PC1 to Office-PC1?

OR

Office-PC1------(LAN)-openwrt/openswan-(WAN)--------internet-------------(WAN)-openwrt/openswan-(LAN)--------Home-PC1

Is this connection from openwrt router to openwrt router running openswan (net-to-net) ?


Thanks
ScarEye


P.S. L2TP was not tested.  NET-2-NET was tested and works.

I am using option one, with the Windows L2TP/IPsec client. I have not tried net-to-net. What do you suggest I should do? I do have the L2TP/IPsec Windows client working fine with WhiteRussian 5. I cannot use 8.09 until I fix this, and I really want to use it.

Re: openswan ?

I have made some progress, but it is strange to me. Maybe some of you experts will have input on this. I can connect using the Windows L2TP/IPsec client, but only while tcpdump is running on the WAN interface. I have tried reducing the MTU on ipsec0, wan and ppp, but it has no effect. This is a test setup, all private IPs, no NAT. If I test it in the real world on a public IP, then I suppose I would need a NAT patch; I would need some input on that too. Any help would be greatly appreciated.

Connects fine while tcpdump is running:

Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006]
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [IKE CGA version 1]
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: responding to Main Mode from unknown peer 192.168.20.100
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jan  1 00:15:11 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R1
Jan  1 00:15:13 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R1
Jan  1 00:15:15 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  1 00:15:15 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jan  1 00:15:16 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R2
Jan  1 00:15:18 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R2
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[879]: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 4832039 usec
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.20.100'
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: the peer proposed: 192.168.20.1/32:17/0 -> 192.168.20.100/32:17/1701
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: responding to Quick Mode proposal {msgid:01000000}
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4:     us: 192.168.20.1[+S=C]:17/0
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4:   them: 192.168.20.100[+S=C]:17/1701
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan  1 00:15:22 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan  1 00:15:22 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x5f46ef61 <0x4a92c57f xfrm=AES_128-HMAC_SHA1 NATOA=<invalid> NATD=<invalid>:500 DPD=none}
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 20 twice, ignoring second one.
Jan  1 00:15:22 OpenWrt daemon.notice xl2tpd[877]: Connection established to 192.168.20.100, 1701.  Local: 63325, Remote: 20 (ref=0/0).  LNS session is 'default'
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: result_code_avp: result code not appropriate for Incoming-Call-Request.  Ignoring.
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: start_pppd: I'm running:
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/usr/sbin/pppd"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "passive"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "-detach"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "192.168.1.1:192.168.1.10"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "refuse-pap"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "auth"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "require-chap"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "name"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "LinuxVPNserver"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "debug"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "file"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/etc/ppp/options.l2tpd"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/dev/pts/2"
Jan  1 00:15:23 OpenWrt daemon.notice xl2tpd[877]: Call established with 192.168.20.100, Local: 65211, Remote: 1, Serial: 0



Will not connect without tcpdump running:

Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006]
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [IKE CGA version 1]
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: responding to Main Mode from unknown peer 192.168.20.100
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.20.100'
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: the peer proposed: 192.168.20.1/32:0/0 -> 192.168.20.100/32:0/0
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: responding to Quick Mode proposal {msgid:01000000}
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2:     us: 192.168.20.1[+S=C]:17/0
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2:   them: 192.168.20.100[+S=C]:17/1701
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan  1 00:08:30 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:31 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:35 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:35 OpenWrt daemon.notice xl2tpd[877]: Maximum retries exceeded for tunnel 44841.  Closing.
Jan  1 00:08:35 OpenWrt daemon.info xl2tpd[877]: Connection 19 closed to 192.168.20.100, port 1701 (Timeout)
Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xb82c5a58) not found (maybe expired)
Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: received and ignored informational message
Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: received Delete SA payload: deleting ISAKMP State #1
Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100: deleting connection "roadwarrior-net" instance with peer 192.168.20.100 {isakmp=#0/ipsec=#0}
Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received and ignored informational message
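An added example, not code from the post above, that reads the two logs the way one would when triaging this: a classifier that records which milestones pluto and xl2tpd reached and turns them into a verdict. The sample logs embedded in it are excerpts of the lines above; the regular expressions are fitted to this Openswan version's message format and are an assumption for other versions. What it makes explicit: in both runs IKE phase 1 completes (the run with tcpdump attached also logs calc_dh_shared() taking 4.8 s for modp2048 on this router, which is why the client's retransmissions are discarded as "received during asynchronous work"); in the failing run pluto stops at STATE_QUICK_R1 with only the inbound SA installed, yet the client's L2TP SCCRQ arrives and is decrypted, which suggests the client considered Quick Mode complete while pluto never processed QI2. With no outbound SA, xl2tpd's replies cannot be sent, the client retransmits ("Peer requested tunnel 19 twice") and times out. The result also flags that the client offers NAT-T while this pluto has port floating off, and that the failing run handled phase 1 on "roadwarrior-net" and Quick Mode on "roadwarrior-l2tp", two conns worth checking for overlapping selectors. One cheap check on the tcpdump dependency itself: tcpdump puts the interface into promiscuous mode by default, so if the tunnel still only comes up under "tcpdump -p" (promiscuous mode off), promiscuous mode is not the difference.

```python
"""Classify how far an Openswan (pluto) + xl2tpd roadwarrior setup got
from its syslog lines.

Added example for this thread, not code from the posts. The sample logs
are excerpts of the two runs shown in the post above; the regexes match
this Openswan version's message shapes and are an assumption for others.
"""
import re

# pluto[PID]: "conn"[N] PEER #SA: message
PLUTO_SA_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$')
XL2TPD_RE = re.compile(r'xl2tpd\[\d+\]: (?P<msg>.*)$')
DH_RE = re.compile(r'calc_dh_shared\(\): for (\S+) took (\d+) usec')

SUCCESS_LOG = """\
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jan  1 00:15:11 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R1
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[879]: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 4832039 usec
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan  1 00:15:22 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x5f46ef61 <0x4a92c57f xfrm=AES_128-HMAC_SHA1 NATOA=<invalid> NATD=<invalid>:500 DPD=none}
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 20 twice, ignoring second one.
Jan  1 00:15:22 OpenWrt daemon.notice xl2tpd[877]: Connection established to 192.168.20.100, 1701.  Local: 63325, Remote: 20 (ref=0/0).  LNS session is 'default'
Jan  1 00:15:23 OpenWrt daemon.notice xl2tpd[877]: Call established with 192.168.20.100, Local: 65211, Remote: 1, Serial: 0
"""

FAIL_LOG = """\
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan  1 00:08:30 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:31 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:35 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:35 OpenWrt daemon.notice xl2tpd[877]: Maximum retries exceeded for tunnel 44841.  Closing.
Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xb82c5a58) not found (maybe expired)
"""


def analyse(log_text):
    """Return the milestones reached plus a one-line verdict."""
    r = {
        "isakmp_sa": False, "phase1_conn": None,                # Main Mode done, on which conn
        "inbound_ipsec_sa": False, "ipsec_sa": False, "quick_conn": None,
        "l2tp_tunnel": False, "l2tp_call": False, "l2tp_timeout": False,
        "l2tp_retransmits": 0,           # peer re-sent SCCRQ: our replies did not reach it
        "discarded_during_crypto": 0,    # peer retransmitted while pluto was still computing
        "dh_usec": None,                 # DH exponentiation time on this box
        "nat_t_offered_but_off": False,  # peer offered NAT-T, this pluto cannot float to 4500
        "delete_unknown_spi": False,     # peer deleted an ESP SA we never finished installing
    }
    for line in log_text.splitlines():
        if "but port floating is off" in line:
            r["nat_t_offered_but_off"] = True
        m = DH_RE.search(line)
        if m:
            r["dh_usec"] = int(m.group(2))
        m = PLUTO_SA_RE.search(line)
        if m:
            conn, msg = m.group("conn"), m.group("msg")
            if "ISAKMP SA established" in msg:
                r["isakmp_sa"], r["phase1_conn"] = True, conn
            elif "inbound IPsec SA installed" in msg:
                r["inbound_ipsec_sa"], r["quick_conn"] = True, conn
            elif "IPsec SA established" in msg:
                r["ipsec_sa"] = True
            elif "discarding packet received during asynchronous work" in msg:
                r["discarded_during_crypto"] += 1
            elif "ignoring Delete SA payload" in msg:
                r["delete_unknown_spi"] = True
            continue
        m = XL2TPD_RE.search(line)
        if m:
            msg = m.group("msg")
            if "twice, ignoring second one" in msg:
                r["l2tp_retransmits"] += 1
            elif msg.startswith("Connection established"):
                r["l2tp_tunnel"] = True
            elif msg.startswith("Call established"):
                r["l2tp_call"] = True
            elif msg.startswith("Maximum retries exceeded"):
                r["l2tp_timeout"] = True
    r["verdict"] = verdict(r)
    return r


def verdict(r):
    if r["l2tp_call"]:
        return "ok: IPsec SA established and L2TP call up"
    if not r["isakmp_sa"]:
        return "IKE phase 1 never completed"
    if not r["inbound_ipsec_sa"]:
        return "phase 1 up, Quick Mode never started"
    if not r["ipsec_sa"]:
        return ("Quick Mode stuck at QUICK_R1: inbound SA only, QI2 never processed, "
                "so no outbound SA and L2TP replies cannot be sent")
    if not r["l2tp_tunnel"]:
        return "IPsec up, L2TP tunnel never established"
    return "L2TP tunnel up, PPP call not established"


if __name__ == "__main__":
    for name, log in (("with tcpdump", SUCCESS_LOG), ("without tcpdump", FAIL_LOG)):
        print(name, "->", analyse(log)["verdict"])
```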

Re: openswan ?

I too am trying to get openswan running... I have it compiled and installed on a router running r14654 from CVS with kernel 2.6.28.7 and openswan 2.6.18.  I'm trying to set up a straight LAN-to-LAN connection with a Fedora workstation running openswan 2.6.19.

The connection gets to STATE_QUICK_I1 on the Fedora side and then makes no further progress... netlink on the openwrt side says there's an "errno 89: Function not implemented" when it tries to install the outgoing SA at this point.

I know that the openwrt box is configured to use the netkey stack right now. And it seems like it's pretty close, but following this thread, and others, I see that ScarEye thinks netkey is broken or unsupported for openwrt. Can you fill us in as to the nature of the problem with netkey and openwrt? Other documentation I've been reading seems to imply that netkey will be the preferred stack going forward. I can retry with klips, but I'll have to backtrack some of my configs and setup.

Thanks!

Re: openswan ?

I tried using netkey on openwrt; it did not seem to work for me either. But in my opinion, if you are planning to use netkey there is no need to use openswan; just use racoon, i.e. ipsec-tools. Openswan should only be used, in my opinion, when you want to use klips, or else you are wasting space on your little router. I have tried both, and racoon worked better than openswan. The Windows L2TP/IPsec client works fine with racoon, except there is no NAT support when using an L2TP NATted client.

Re: openswan ?

After a couple of months on-and-off playing with this, I finally decided to really dig in this weekend.  So, I tried a fresh image with a pure ipsec-tools install. After re-figuring out how to get all the xfrm, crypto, ah, and esp modules loaded (some package fixes may be in order here), I have what I think should be a workable system.  And it -does- seem to work.  But ONLY if I use "null" as the crypto for the esp packets.  I actually see AH and ESP packets instead of pings with tcpdump.

If I try 3des or aes (and yes, I have the des_generic and aes_generic mods loaded), I cannot establish a tunnel with shared secrets via setkey. (Racoon doesn't work either, but I am trying to keep it basic here.) More specifically, when encryption is specified in the config script, setkey -D shows that the ESP SA is not loaded.

So, in re-reading your last message, I'm guessing that you have not gotten this to work on OpenWRT and are using ipsec-tools on another Unix environment. I'm able to make this work in Fedora. Below is a sample of the setkey script I'm using. For OpenWRT, with the null rules, a setkey -D in OpenWRT shows the AH and ESP SAs. With the 3des rules, only the AH SAs are loaded. Both work on Fedora.

Has anyone been successful in getting ipsec-tools and netkey working on OpenWRT?  I've tried this on my own compiled 2.6.28.10 MIPS kernel and 2.6.25.20-based x86 image running through QEMU fresh from the kamikaze 8.09.1 downloads.

Thanks,
Jeremy

#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# Attention: use these keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 10.0.5.16 10.0.5.17 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 10.0.5.17 10.0.5.16 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
#add 10.0.5.16 10.0.5.17 esp 0x201 -E 3des-cbc
#0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
#add 10.0.5.17 10.0.5.16 esp 0x301 -E 3des-cbc
#0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
add 10.0.5.16 10.0.5.17 esp 0x201 -E null;
add 10.0.5.17 10.0.5.16 esp 0x301 -E null;

# Security policies (this copy of the script runs on 10.0.5.17: its
# outbound policy is 10.0.5.17 -> 10.0.5.16, inbound is the reverse)
spdadd 10.0.5.17 10.0.5.16 any -P out ipsec
        esp/transport//require
        ah/transport//require;

spdadd 10.0.5.16 10.0.5.17 any -P in ipsec
        esp/transport//require
        ah/transport//require;

lsmod output (from the 2.6.28.10 MIPS system):
Module                  Size  Used by    Not tainted                           
cts                     3776  0                                                 
ctr                     3168  0                                                 
nf_nat_tftp              448  0                                                 
nf_conntrack_tftp       2544  1 nf_nat_tftp                                     
nf_nat_irc               992  0                                                 
nf_conntrack_irc        3168  1 nf_nat_irc                                     
nf_nat_ftp              1568  0                                                 
nf_conntrack_ftp        5376  1 nf_nat_ftp                                     
ipt_MASQUERADE          1248  2                                                 
iptable_nat             3568  1                                                 
nf_nat                 12544  5 nf_nat_tftp,nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,iptable_nat                                                                   
xt_NOTRACK               576  0                                                 
iptable_raw              800  1                                                 
xt_state                 864  3                                                 
nf_conntrack_ipv4       8160  6 iptable_nat,nf_nat                             
nf_defrag_ipv4           672  1 nf_conntrack_ipv4                               
nf_conntrack           41536 12 nf_nat_tftp,nf_conntrack_tftp,nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,xt_NOTRACK,xt_state,nf_conntrack_ipv4                                                   
ipt_REJECT              2048  2                                                 
xt_TCPMSS               2240  2                                                 
ipt_LOG                 5152  0                                                 
xt_multiport            2048  0
xt_mac                   608  0
xt_limit                1088  1
iptable_mangle          1184  0
iptable_filter           960  1
ip_tables               8976  4 iptable_nat,iptable_raw,iptable_mangle,iptable_filter
xt_tcpudp               2112  4
x_tables                9520 12 ipt_MASQUERADE,iptable_nat,xt_NOTRACK,xt_state,ipt_REJECT,xt_TCPMSS,ipt_LOG,xt_multiport,xt_mac,xt_limit,ip_tables,xt_tcpudp
esp6                    4672  0
ah6                     4256  0
xfrm6_mode_beet         1376  0
xfrm6_tunnel            4336  0
xfrm6_mode_tunnel       1248  0
xfrm6_mode_transport      768  0
esp4                    4832  0
ah4                     3520  2
xfrm4_mode_beet         1568  0
xfrm4_tunnel            1152  0
xfrm4_mode_tunnel       1344  0
xfrm4_mode_transport      704  4
ipcomp                  1632  0
xfrm_user              17952  0
xfrm_ipcomp             3152  1 ipcomp
tunnel6                 1808  1 xfrm6_tunnel
tunnel4                 1904  1 xfrm4_tunnel
ipv6                  272384 22 esp6,ah6,xfrm6_mode_beet,xfrm6_tunnel,xfrm6_mode_tunnel,tunnel6
crc_ccitt                992  0
sha1_generic            1568  0
crypto_null             1664  0
md5                     4512  2
hmac                    2944  2
des_generic            18784  0
authenc                 4160  0
aes_generic            28848  0
deflate                 1600  0
zlib_deflate           19184  1 deflate
ecb                     1440  0
cbc                     2272  0
cryptomgr              71920  0
crypto_hash             2656  2 hmac,authenc
crypto_blkcipher        8272  7 cts,ctr,crypto_null,authenc,ecb,cbc,cryptomgr
aead                    4000  4 esp6,esp4,authenc,cryptomgr
crypto_algapi          10400 15 cts,ctr,sha1_generic,crypto_null,md5,hmac,des_generic,authenc,aes_generic,deflate,ecb,cbc,cryptomgr,crypto_blkcipher,aead
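The keys in the script above are sample keys, as its own comment warns. As an added example, not code from the post, here is a generator that writes a setkey script in the same shape (separate AH and ESP SAs in transport mode, policies that require both) with keys of exactly the length setkey demands for each algorithm and SPIs outside the reserved 0..255 range. Generate the parameters once and render the output for each host: the SAD lines are identical on both ends, only the policy direction flips. The host addresses and algorithm names used in the demonstration are the ones from the script above; the 3DES parity handling is the conventional key form, not something the kernel requires. key_bits_ok() is the check that catches a wrong-length key before setkey refuses the add.

```python
"""Generate a setkey (ipsec-tools) script with fresh keys and SPIs.

Added example for this thread, not code from the post. Key lengths are
the ones setkey(8) requires per algorithm; the SPI floor follows
RFC 4303 (SPI values 0..255 are reserved). The layout mirrors the
posted script: separate AH and ESP SAs in transport mode, and
policies that require both.
"""
import secrets

AUTH_KEY_BITS = {"hmac-md5": 128, "hmac-sha1": 160, "hmac-sha256": 256}
ENC_KEY_BITS = {"3des-cbc": 192, "rijndael-cbc": 128, "null": 0}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF
POLICY = "esp/transport//require ah/transport//require"


def key_bits(alg):
    bits = AUTH_KEY_BITS.get(alg, ENC_KEY_BITS.get(alg))
    if bits is None:
        raise ValueError("unknown setkey algorithm %r" % alg)
    return bits


def key_bits_ok(alg, hexkey):
    """True if hexkey ('0x...') has exactly the length setkey needs for alg."""
    h = hexkey[2:] if hexkey.startswith("0x") else hexkey
    return len(h) * 4 == key_bits(alg)


def des3_with_parity(key):
    """Force odd parity on every byte. DES ignores the parity bit; this is
    only the canonical form for a DES/3DES key."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        odd = bin(high7).count("1") & 1
        out.append(high7 | (odd ^ 1))
    return bytes(out)


def new_key(alg):
    """Fresh random key of the right size, as a setkey hex literal."""
    raw = secrets.token_bytes(key_bits(alg) // 8)
    if alg == "3des-cbc":
        raw = des3_with_parity(raw)
    return "0x" + raw.hex()


def new_spi():
    return SPI_MIN + secrets.randbelow(SPI_MAX - SPI_MIN + 1)


def generate_params(host_a, host_b, enc="3des-cbc", auth="hmac-md5"):
    """One shared parameter set; both hosts must be rendered from the same dict."""
    sas = []
    for src, dst in ((host_a, host_b), (host_b, host_a)):
        sas.append({"src": src, "dst": dst,
                    "ah_spi": new_spi(), "ah_key": new_key(auth),
                    "esp_spi": new_spi(), "esp_key": new_key(enc)})
    return {"a": host_a, "b": host_b, "enc": enc, "auth": auth, "sas": sas}


def render_setkey(p, local):
    """setkey script for host `local`: same SAD on both ends, SPD flipped."""
    if local not in (p["a"], p["b"]):
        raise ValueError("%s is not one of the two hosts" % local)
    remote = p["b"] if local == p["a"] else p["a"]
    lines = ["#!/usr/sbin/setkey -f", "flush;", "spdflush;", ""]
    for sa in p["sas"]:
        lines.append("add %s %s ah 0x%x -A %s %s;"
                     % (sa["src"], sa["dst"], sa["ah_spi"], p["auth"], sa["ah_key"]))
        esp = "add %s %s esp 0x%x -E %s" % (sa["src"], sa["dst"], sa["esp_spi"], p["enc"])
        lines.append(esp + (";" if p["enc"] == "null" else " %s;" % sa["esp_key"]))
    lines += ["",
              "spdadd %s %s any -P out ipsec %s;" % (local, remote, POLICY),
              "spdadd %s %s any -P in ipsec %s;" % (remote, local, POLICY)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    params = generate_params("10.0.5.16", "10.0.5.17")
    print(render_setkey(params, "10.0.5.17"))
```

Swapping enc="null" reproduces the null-ESP variant from the post with fresh AH keys, which is a quick way to separate "the crypto module does not work" from "the key material is wrong" when setkey -D shows only the AH SAs.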

Re: openswan ?

Any update, hur? I need to set up L2TP soon; hoping things have gotten better.


Re: openswan ?

As an update, I have been able to get IPsec and racoon working. I tracked my previous problems down to the fact that I wasn't able to use the kernel crypto modules for some reason. They were loading into memory, but if I loaded the kernel's crypto test module, the tests would fail. I updated to use kernel 2.6.30.4 and it all started working. I'll try to post some more details... I'm currently wrestling with getting an XP client to connect. IPsec connections with XP are not playing nice just yet.


Re: openswan ?

Sorry for the delayed response. The latest Openswan/L2TP is a no-go for me; it has a bug, check out their site. Racoon has been working for me with Vista and XP, but you have to get the trunk, i.e. IPsec-tools 0.8.0, from http://ipsec-tools.sourceforge.net/ and compile it yourself. You must use the trunk to get IPsec/L2TP functionality.

-HUR

Re: openswan ?

Hi,
I'm working with two Linksys WRT54GL routers configured as you mentioned:

Office-PC1------(LAN)-openwrt/openswan-(WAN)--------internet-------------(WAN)-openwrt/openswan-(LAN)------Home-PC1

but before enabling IPsec, Office-PC1 cannot ping Home-PC1;
however, it can ping the LAN address of my home router.
Can anybody tell me why,
and how I can overcome it?
BTW, I disabled the firewall
and also tried to add a route to the routing table, but it fails. I'm getting depressed.

(edited by ttsherpa 2010-01-08 09:37:20)

Re: openswan ?

I am relieved not to be the only one with such problems, although my setup is somewhat different.
I try to access a remote network behind a FortiGate appliance, as you can see in my other post.
I also disabled the openwrt firewall, to no avail. We desperately need someone to tell us how to configure the firewall and routes.

Re: openswan ?

Oops, they finally ping each other; it was a problem of routing, which I've solved by adding a static route, but unfortunately the route disappears on reboot. So how to keep it permanent...
Also, I have an error on starting openswan:

root@R1:/# ipsec auto --up net-to-net
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")

thanks in advance