Help! ipsec not talking IKE
This is a discussion on Help! ipsec not talking IKE within the Linux Security forums, part of the System Security and Security Related category; Hi All, I'm trying to get ipsec working (TOTAL ipsec newbie). I'm trying to get a host-to-...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
11-15-2004
|
|||
|
|||
Help! ipsec not talking IKE
Hi All,
I'm trying to get ipsec working (TOTAL ipsec newbie). I'm trying to get a host-to-host setup, with a PSK going as a test/proof of concept. Both machines are on the same subnet, but to avoid interfering with what's happenning currently, I've setup aliases on the two machines on a new subnet (ifconfig eth0:1 netmask 255.255.255.0 192.168.2.1 and ....2). Before I startup ipsec, I can ping and ssh across the link so traffic seems to be moving OK. But when I start ipsec on both ends, it does not seem able to negotiate keys. I've tried switching off the firewall at both ends to no avail, both machines are listening on port 500. Anybody any ideas? (full details below) TIA, C. Error message is: Nov 15 13:27:45 glasgow ipsec__plutorun: 031 "test" #1: max number of retransmissions (2) reached STATE_MAIN_I1. No acceptable response to our first IKE message Nov 15 13:27:45 glasgow ipsec__plutorun: 000 "test" #1: starting keying attempt 2 of at most 5, but releasing whack Nov 15 13:27:45 glasgow ipsec__plutorun: ...could not start conn "test" Nov 15 13:28:55 glasgow pluto[21461]: "test" #4: max number of retransmissions (2) reached STATE_MAIN_I1. No acceptable response to our first IKE message Nov 15 13:28:55 glasgow pluto[21461]: "test" #4: starting keying attempt 3 of at most 5 Nov 15 13:28:55 glasgow pluto[21461]: "test" #5: initiating Main Mode to replace #4 ipsec.conf is as follows: config setup interfaces="ipsec0=eth0:1" klipsdebug=none plutodebug=all plutoload=%search plutostart=%search uniqueids=yes conn test type=transport right=192.168.2.1 rightid=192.168.2.1 left=192.168.2.2 leftid=192.168.2.2 leftnexthop=%direct keyexchange=ike keylife=8h keyingtries=5 pfs=yes rekeymargin=20m rekeyfuzz=30% auth=esp authby=secret auto=start ---------- I've not setup anything specific in DNS (my understanding is that this is not needed for PSK). Both machines have the following at the end of /etc/ipsec.secrets (after unique RSA stuff): 192.168.2.2 192.168.2.1: PSK "MyTestSecret" Both ends are running SuSE with Freeswan 1.99_0.9.34-93 
|
|
11-15-2004
|
|||
|
|||
|
Re: Help! ipsec not talking IKE
Colin McKinnon wrote:
> Hi All, > > I'm trying to get ipsec working (TOTAL ipsec newbie). I'm trying to > get a host-to-host setup, with a PSK going as a test/proof of concept. > Both machines are on the same subnet, but to avoid interfering with > what's happenning currently, I've setup aliases on the two machines on > a new subnet (ifconfig eth0:1 netmask 255.255.255.0 192.168.2.1 and > ....2). > > Before I startup ipsec, I can ping and ssh across the link so traffic > seems to be moving OK. But when I start ipsec on both ends, it does > not seem able to negotiate keys. > > I've tried switching off the firewall at both ends to no avail, both > machines are listening on port 500. > > Anybody any ideas? > > (full details below) > > TIA, > > C. > > Error message is: > Nov 15 13:27:45 glasgow ipsec__plutorun: 031 "test" #1: max number of > retransmissions (2) reached STATE_MAIN_I1. No acceptable response to > our first IKE message > Nov 15 13:27:45 glasgow ipsec__plutorun: 000 "test" #1: starting > keying attempt 2 of at most 5, but releasing whack > Nov 15 13:27:45 glasgow ipsec__plutorun: ...could not start conn > "test" Nov 15 13:28:55 glasgow pluto[21461]: "test" #4: max number of > retransmissions (2) reached STATE_MAIN_I1. No acceptable response to > our first IKE message > Nov 15 13:28:55 glasgow pluto[21461]: "test" #4: starting keying > attempt 3 of at most 5 > Nov 15 13:28:55 glasgow pluto[21461]: "test" #5: initiating Main Mode > to replace #4 > > ipsec.conf is as follows: > config setup > interfaces="ipsec0=eth0:1" > klipsdebug=none > plutodebug=all > plutoload=%search > plutostart=%search > uniqueids=yes > conn test > type=transport > right=192.168.2.1 > rightid=192.168.2.1 > left=192.168.2.2 > leftid=192.168.2.2 > leftnexthop=%direct > keyexchange=ike > keylife=8h > keyingtries=5 > pfs=yes > rekeymargin=20m > rekeyfuzz=30% > auth=esp > authby=secret > auto=start > ---------- > I've not setup anything specific in DNS (my understanding is that this > is not needed for PSK). > Both machines have the following at the end of /etc/ipsec.secrets > (after unique RSA stuff): > 192.168.2.2 192.168.2.1: PSK "MyTestSecret" > Both ends are running SuSE with Freeswan 1.99_0.9.34-93 Enabling only 500/UDP is not enough. You must also let protocol ESP pass in your firewall. That would be the first thing to check. Are there NAT boxes in between? They _will_ break the ipsec tunnel. EJ -- Remove the obvious part (including the dot) for my email address. http://www.vanwesten.net for examples of ipf and pf.
|
|
11-15-2004
|
|||
|
|||
|
Re: Help! ipsec not talking IKE
Colin McKinnon wrote:
> Hi All, > > I'm trying to get ipsec working (TOTAL ipsec newbie). > > I've tried switching off the firewall at both ends to no avail, both > machines are listening on port 500. > > Anybody any ideas? > Protocols involved in IPSec tunnel setup and connection are three (3). 1) 500/UDP = initiation 2) IP type 50 (ESP) = used during session 3) IP type 51 (AH) = used during session the first should be straight forward enough the second and third may be elusive for the less robust firewall and/or natting devices out there - these are under the IP protocol, which has types not ports, per se -- "Never have so many understood so little about so much." -- James Burke
|
|
11-16-2004
|
|||
|
|||
|
Re: Help! ipsec not talking IKE
Gregory W Zill wrote:
> Colin McKinnon wrote: >> >> I've tried switching off the firewall at both ends to no avail, both >> machines are listening on port 500. >> >> Anybody any ideas? >> > > Protocols involved in IPSec tunnel setup and connection are three (3). > > 1) 500/UDP = initiation > 2) IP type 50 (ESP) = used during session > 3) IP type 51 (AH) = used during session > > the first should be straight forward enough > > the second and third may be elusive for the less robust firewall and/or > natting devices out there - these are under the IP protocol, which has > types not ports, per se > Might be the answer - neither machine is listening on port 50/51 (both machines on same ethernet segment, and both had firewalls off during testing). I guess it may be a config issue - off to experiment. Ta, C.
|
|
11-16-2004
|
|||
|
|||
|
Re: Help! ipsec not talking IKE
Colin McKinnon wrote:
> Gregory W Zill wrote: > >> Protocols involved in IPSec tunnel setup and connection are three (3). >> >> 1) 500/UDP = initiation >> 2) IP type 50 (ESP) = used during session >> 3) IP type 51 (AH) = used during session >> > > Might be the answer - neither machine is listening on port 50/51 (both > machines on same ethernet segment, and both had firewalls off during > testing). I guess it may be a config issue - off to experiment. > Nope - can't het the machines to start listening on ports 50 or 51. I already had auth=esp in the config, tried sepcifically adding the algorithms, but to no avail. Any other ideas? TIA, C.
|
|
11-16-2004
|
|||
|
|||
|
Re: Help! ipsec not talking IKE
<snip>
>>> Protocols involved in IPSec tunnel setup and connection are three (3). >>> >>> 1) 500/UDP = initiation >>> 2) IP type 50 (ESP) = used during session >>> 3) IP type 51 (AH) = used during session <snip> > Nope - can't het the machines to start listening on ports 50 or 51. I > already had auth=esp in the config, tried sepcifically adding the > algorithms, but to no avail. 50 (ESP) and 51 (AH) are no port numbers, but protocol numbers (6=tcp, 17=udp). If you have a firewall, you have to allow this traffic... these protocols CAN NOT be NAT-ted. prompt
|
Linear Mode
