Mailinglist Archive: opensuse-security (332 mails)
Freeswan, suse 9.1 ipsec initialization problem
- From: Dimitris Stamatoulis <dstam@xxxxxxxxxxx>
- Date: Fri, 10 Sep 2004 00:38:24 +0300
- Message-id: <200409100038.24426.dstam@xxxxxxxxxxx>
Dear all,
I have successfully set up an IPsec tunnel between a SUSE 9.0 Linux box with
freeswan 2.04_1_4_8 and a Cisco PIX 515. I decided to install SUSE 9.1 on a
new PC because the previous SUSE kernel was not working normally after
freeswan was doing rekeying (...incoming packet policy failed... blah, blah).
If anyone knows something about this, please tell me.
Anyway, I set up a SUSE 9.1 with kernel 2.6. I installed freeswan 2.04_1_5_3
(included in the distribution) during the installation.
I copied the ipsec.conf and ipsec.secrets files as well as the private, public
and CA certificates from my previous successful set-up with SUSE 9.0 (kernel
2.4.21) to my new installation.
I have a big problem now because I cannot even set up the tunnel.
The PIX configuration has not been changed and my old setup is working.
Here is the debug:
Sep 9 16:31:37 linux pluto[21125]: added connection description "myconn"
Sep 9 16:31:37 linux pluto[21125]: listening for IKE messages
Sep 9 16:31:37 linux pluto[21125]: adding interface eth0/eth0 192.168.11.46
Sep 9 16:31:37 linux pluto[21125]: adding interface lo/lo 127.0.0.1
Sep 9 16:31:37 linux pluto[21125]: adding interface lo/lo ::1
Sep 9 16:31:37 linux pluto[21125]: loading secrets from "/etc/ipsec.secrets"
Sep 9 16:31:37 linux pluto[21125]: loaded private key file '/etc/ipsec.d/newsuse91.pem' (887 bytes)
Sep 9 16:31:37 linux pluto[21125]: "myconn" #1: initiating Main Mode
Sep 9 16:31:37 linux ipsec__plutorun: 104 "myconn" #1: STATE_MAIN_I1: initiate
Sep 9 16:31:37 linux ipsec__plutorun: ...could not start conn "myconn"
Sep 9 16:31:37 linux pluto[21125]: "myconn" #1: ignoring Vendor ID payload [XAUTH]
Sep 9 16:31:37 linux pluto[21125]: "myconn" #1: received Vendor ID payload [Dead Peer Detection]
Sep 9 16:31:37 linux pluto[21125]: "myconn" #1: ignoring Vendor ID payload [Cisco-Unity]
Sep 9 16:31:37 linux pluto[21125]: "myconn" #1: ignoring Vendor ID payload [3341804bef4cc911...]
Sep 9 16:31:38 linux pluto[21125]: "myconn" #1: Peer ID is ID_FQDN: '@pixfw2.x.com'
Sep 9 16:31:38 linux pluto[21125]: "myconn" #1: issuer crl not found
Sep 9 16:31:38 linux pluto[21125]: "myconn" #1: ISAKMP SA established
Sep 9 16:31:38 linux pluto[21125]: "myconn" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+UP {using isakmp#1}
Sep 9 16:31:38 linux pluto[21125]: "myconn" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 9 16:31:38 linux pluto[21125]: "myconn" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Sep 9 16:31:48 linux pluto[21125]: packet from x.x.x.x:500: not enough room in input packet for ISAKMP Message (remain=0, sd->size=28)
Sep 9 16:31:48 linux pluto[21125]: packet from x.x.x.x:500: sending notification PAYLOAD_MALFORMED to x.x.x.x:500
And here is my ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    forwardcontrol=yes

# default settings for connections
conn %default
    ikelifetime=120
    keylife=120
    rekeymargin=30
    #rekeyfuzz=0%
    keyexchange=ike
    esp=3des-md5-96

# Add connections here.
conn myconn
    authby=rsasig
    left=%defaultroute
    leftcert=/etc/ipsec.d/newsuse91.crt
    right=1.1.1.1
    rightid=@xxxxxxxxxxxx
    rightsubnet=x.x.0.0/16
    rightrsasigkey=%cert
    rightca=%same
    pfs=no
    auto=start      # load and start this connection at startup
                    # (auto=add would load it without starting it)

# Switch off Opportunistic Encryption -- BEGIN
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
# Needed?
conn OEself
    auto=ignore
# Switch off Opportunistic Encryption -- END
I receive this NO_PROPOSAL_CHOSEN, which I don't receive using SUSE 9.0.
I don't know what's going wrong.
Please give me some advice.
Any thoughts would be appreciated too.
Dimitris Stamatoulis
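The log above contains the one fact that narrows the problem down: "ISAKMP SA established" means Phase 1 (certificates, peer ID, ike= parameters) completed, and the NO_PROPOSAL_CHOSEN arrives only after "#2: initiating Quick Mode", i.e. the PIX rejected the Phase 2 (IPsec SA) proposal, which is governed by esp=, pfs= and the subnets/proxy IDs rather than by the certificates. The following script is an added example, not part of the post or of freeswan, that parses pluto syslog lines into per-connection IKE state and reports which phase failed and why. The sample input is the post's own log with syslog wrapping rejoined; the match for a successful Phase 2 ("IPsec SA established") is assumed from pluto's wording in other versions and does not occur in this log.

```python
import re
from dataclasses import dataclass, field

# The pluto messages quoted in the post above, wrapped lines rejoined.
# Addresses are as redacted in the post.
SAMPLE_LOG = """\
Sep 9 16:31:37 linux pluto[21125]: added connection description "myconn"
Sep 9 16:31:37 linux pluto[21125]: listening for IKE messages
Sep 9 16:31:37 linux pluto[21125]: loaded private key file '/etc/ipsec.d/newsuse91.pem' (887 bytes)
Sep 9 16:31:37 linux pluto[21125]: "myconn" #1: initiating Main Mode
Sep 9 16:31:37 linux ipsec__plutorun: 104 "myconn" #1: STATE_MAIN_I1: initiate
Sep 9 16:31:37 linux ipsec__plutorun: ...could not start conn "myconn"
Sep 9 16:31:37 linux pluto[21125]: "myconn" #1: ignoring Vendor ID payload [XAUTH]
Sep 9 16:31:38 linux pluto[21125]: "myconn" #1: Peer ID is ID_FQDN: '@pixfw2.x.com'
Sep 9 16:31:38 linux pluto[21125]: "myconn" #1: issuer crl not found
Sep 9 16:31:38 linux pluto[21125]: "myconn" #1: ISAKMP SA established
Sep 9 16:31:38 linux pluto[21125]: "myconn" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+UP {using isakmp#1}
Sep 9 16:31:38 linux pluto[21125]: "myconn" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 9 16:31:38 linux pluto[21125]: "myconn" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Sep 9 16:31:48 linux pluto[21125]: packet from x.x.x.x:500: not enough room in input packet for ISAKMP Message (remain=0, sd->size=28)
Sep 9 16:31:48 linux pluto[21125]: packet from x.x.x.x:500: sending notification PAYLOAD_MALFORMED to x.x.x.x:500
"""

# pluto prefixes connection-bound messages with '"conn" #sa: '; others have no prefix.
PLUTO_RE = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$')
NOTIFY_RE = re.compile(r'informational payload, type (?P<type>[A-Z_]+)')


@dataclass
class ConnState:
    phase1_started: bool = False
    phase1_established: bool = False
    phase2_started: bool = False
    phase2_established: bool = False
    peer_id: str = ""
    notifications: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_pluto_log(lines):
    """Return ({conn_name: ConnState}, [malformed-packet messages not tied to a conn])."""
    conns, unattributed = {}, []
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue  # _plutorun chatter and unrelated syslog lines
        conn, msg = m.group("conn"), m.group("msg")
        if conn is None:
            # Packets that fail ISAKMP header parsing are logged before any conn is known.
            if "not enough room" in msg or "PAYLOAD_MALFORMED" in msg:
                unattributed.append(msg)
            continue
        st = conns.setdefault(conn, ConnState())
        if msg.startswith(("initiating Main Mode", "initiating Aggressive Mode")):
            st.phase1_started = True
        elif msg.startswith("ISAKMP SA established"):
            st.phase1_established = True
        elif msg.startswith("initiating Quick Mode"):
            st.phase2_started = True
        elif "IPsec SA established" in msg:  # assumed wording, not seen in this log
            st.phase2_established = True
        elif msg.startswith("Peer ID is "):
            st.peer_id = msg[len("Peer ID is "):]
        elif "issuer crl not found" in msg:
            st.warnings.append("no CRL for the peer certificate issuer: revocation was not checked")
        else:
            n = NOTIFY_RE.search(msg)
            if n:
                st.notifications.append(n.group("type"))
    return conns, unattributed


def diagnose(st):
    """Map the observed state transitions to the phase that failed."""
    if st.phase2_established:
        return "up"
    if "NO_PROPOSAL_CHOSEN" in st.notifications:
        if st.phase1_established and st.phase2_started:
            return "phase2-proposal-rejected"  # peer refused the IPsec SA: check esp=, pfs=, subnets
        if st.phase1_started:
            return "phase1-proposal-rejected"  # peer refused the ISAKMP SA: check ike=, authby=
    if st.phase1_established and st.phase2_started:
        return "phase2-no-answer"
    if st.phase1_started:
        return "phase1-no-answer"
    return "not-started"


def report(lines):
    conns, unattributed = parse_pluto_log(lines)
    return {name: diagnose(st) for name, st in conns.items()}, unattributed


if __name__ == "__main__":
    verdicts, extra = report(SAMPLE_LOG.splitlines())
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    for msg in extra:
        print("unattributed:", msg)
```

Run against the post's log it reports myconn as phase2-proposal-rejected, which is the check to make before touching certificates: compare the esp=3des-md5-96 / pfs=no pair and rightsubnet against what the PIX transform set and crypto map ACL expect. The two unattributed lines are a zero-length datagram on UDP/500 that pluto answered with PAYLOAD_MALFORMED; the script keeps them separate because they carry no connection name and are a different problem from the proposal rejection.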