[lug] This is a very irritating problem
Dan Ferris
dan at usrsbin.com
Tue Jan 4 21:50:13 MST 2005
Howdy,
I just got done setting up L2TP over IPSec for my wireless network.
The box is a SuSE Linux 9.2 box with OpenSwan. Before anyone asks, I
picked OpenSWAN because
a) I've used it before
b) I found a really good l2tp/ipsec tutorial that used it.
Anyway, this is an extremely irritating problem.
Here's the ipsec status. Notice that there is an active SA: #1 is the ISAKMP SA (STATE_MAIN_R3) and #2 is the IPsec SA (STATE_QUICK_R2) with peer 10.10.10.253, negotiated as 3DES/SHA1/MODP1024 with PSK for IKE and AES-128/HMAC-SHA1 for ESP. (Note the proposals are `flags=-strict` -- AES-128 was accepted although only 3DES appears in the "wanted" list -- and the loaded ESP list includes ESP_DES and ESP_NULL; if you want to be sure a weak initiator proposal cannot be accepted, pin `ike=` and `esp=` explicitly in the conn rather than relying on the defaults.)
an:~ # ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.10.10.1
000 interface eth1/eth1 192.168.253.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "ipsec-l2tp": 10.10.10.1:17/1701...%any:17/%any; unrouted; eroute
owner: #0
000 "ipsec-l2tp": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "ipsec-l2tp": policy: PSK+ENCRYPT+TUNNEL; prio: 32,32; interface:
eth0;
000 "ipsec-l2tp": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ipsec-l2tp": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
5_000-2-5, 5_000-2-2, flags=-strict
000 "ipsec-l2tp": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2,
5_192-2_160-5, 5_192-2_160-2,
000 "ipsec-l2tp": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "ipsec-l2tp": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "ipsec-l2tp"[1]: 10.10.10.1:17/1701...10.10.10.253:17/49633;
erouted; eroute owner: #2
000 "ipsec-l2tp"[1]: ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "ipsec-l2tp"[1]: policy: PSK+ENCRYPT+TUNNEL; prio: 32,32;
interface: eth0;
000 "ipsec-l2tp"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "ipsec-l2tp"[1]: IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
5_000-2-5, 5_000-2-2, flags=-strict
000 "ipsec-l2tp"[1]: IKE algorithms found: 5_192-1_128-5,
5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "ipsec-l2tp"[1]: IKE algorithm newest: 3DES_CBC_192-SHA-MODP1024
000 "ipsec-l2tp"[1]: ESP algorithms wanted: 3_000-1, 3_000-2,
flags=-strict
000 "ipsec-l2tp"[1]: ESP algorithms loaded: 3_000-1, 3_000-2,
flags=-strict
000 "ipsec-l2tp"[1]: ESP algorithm newest: AES_128-HMAC_SHA1;
pfsgroup=<N/A>
000
000 #2: "ipsec-l2tp"[1] 10.10.10.253 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 2941s; newest IPSEC; eroute owner
000 #2: "ipsec-l2tp"[1] 10.10.10.253 esp.af9431 at 10.10.10.253
esp.59c8a2f at 10.10.10.1
000 #1: "ipsec-l2tp"[1] 10.10.10.253 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 2940s; newest ISAKMP
000
Now the best part, and this is where I may be going nuts, but I must be
missing something really stupid:
dan:~ # ifconfig
eth0 Link encap:Ethernet HWaddr 00:01:03:67:FF:49
inet addr:10.10.10.1 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: fe80::201:3ff:fe67:ff49/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:167398 errors:0 dropped:0 overruns:1 frame:0
TX packets:298929 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22551386 (21.5 Mb) TX bytes:159344883 (151.9 Mb)
Interrupt:9 Base address:0xec80
eth1 Link encap:Ethernet HWaddr 00:B0:D0:7C:92:80
inet addr:192.168.253.2 Bcast:192.168.253.255 Mask:255.255.255.0
inet6 addr: fe80::2b0:d0ff:fe7c:9280/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:198493 errors:0 dropped:0 overruns:0 frame:0
TX packets:151272 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:180426138 (172.0 Mb) TX bytes:18204111 (17.3 Mb)
Interrupt:10 Base address:0xe880
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1878 errors:0 dropped:0 overruns:0 frame:0
TX packets:1878 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:254119 (248.1 Kb) TX bytes:254119 (248.1 Kb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:10.10.10.4 P-t-P:10.10.10.10 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1410 Metric:1
RX packets:558 errors:0 dropped:0 overruns:0 frame:0
TX packets:634 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:48460 (47.3 Kb) TX bytes:461801 (450.9 Kb)
Notice something missing? I do..... There is NO ipsec0 interface. WTF? Is this something new with OpenSWAN? I admit I haven't used it in a few years.
[Editor's note: this is expected rather than new. The ipsec0 virtual device belongs to KLIPS, the FreeS/WAN-era kernel stack; on a 2.6 kernel (which SuSE 9.2 ships) Openswan uses the kernel's native NETKEY/XFRM stack unless KLIPS was built and loaded, and NETKEY has no virtual device at all -- encryption and decryption happen inside the IP path, so the plaintext L2TP packets simply appear on eth0. The established SAs in the status output and the ESP seen in tcpdump are consistent with the tunnel working. The security-relevant consequence is that any firewall rule that matched `-i ipsec0` to force L2TP through IPsec now matches nothing; confirm from a client with IPsec disabled that plain UDP/1701 to eth0 is refused, since an L2TP daemon listening on 1701 will otherwise answer it.]
If I do a tcpdump on eth0 I see lots of nice little ESP-encrypted packets, so the SAs are actually being used. So, like, what am I missing here?
Here's ipsec.conf:
# basic configuration
# NOTE(review): the parameter lines below sit at column 0 because the paste
# lost its indentation; in a real ipsec.conf every parameter line must be
# indented, since an unindented line starts a new section.
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
#klipsdebug=all
#plutodebug="control parsing"
#plutodebug=all
# Certificate Revocation List handling (unused here: this setup
# authenticates with a PSK, not certificates)
#crlcheckinterval=600
#strictcrlpolicy=yes
# Change rp_filter setting, default = 0 (switch off)
# NOTE(review): presumably sets the kernel rp_filter sysctl, i.e. switches
# off reverse-path (anti-spoofing) filtering on the host. KLIPS needs that
# for its ipsec0 device, but it also means a spoofed-source packet arriving
# on the wireless side is no longer dropped by the kernel -- compensate with
# explicit firewall rules if you rely on that check.
rp_filter=0
# Switch on NAT-Traversal (if patch is installed)
nat_traversal=no
# KLIPS-style virtual device mapping. Only KLIPS creates ipsec0; with the
# native 2.6 NETKEY stack there is no ipsec0 and this line has no effect
# (the ifconfig output in this thread shows no such device) -- presumably
# why the interface appears to be "missing". Verify which stack the kernel
# is actually using before looking for a fault elsewhere.
interfaces="ipsec0=eth0"
# default settings for connections
# NOTE(review): `ipsec auto --status` above reports ike_life 3600s,
# ipsec_life 28800s and rekey_margin 540s for ipsec-l2tp, not the 20m/1h/8m
# configured here, so the running pluto is not using these values -- either
# the file was not reloaded or this section is not being applied. Confirm
# with `ipsec auto --status` after a restart.
conn %default
ikelifetime=20m
keylife=1h
rekeymargin=8m
conn ipsec-l2tp
#
# Use a Preshared Key. Disable Perfect Forward Secrecy.
# NOTE(review): right=%any plus authby=secret means one group PSK shared by
# every wireless client (ipsec.secrets needs a %any entry for it); anyone
# holding that key could impersonate the gateway to the other clients.
# pfs=no means the Quick Mode (ESP) keys are derived from the Phase 1 DH
# secret alone, so compromise of one IKE SA exposes every IPsec SA rekeyed
# under it. Both are the usual concessions for stock Windows L2TP clients;
# make the trade knowingly.
#
authby=secret
pfs=no
#
# Local (wireless-side) address of the gateway; matches eth0 above.
left=10.10.10.1
#
# Required for original (non-updated) Windows 2000/XP clients.
# Only UDP/1701 (L2TP) is covered by this policy; other traffic between the
# gateway and the wireless clients is not IPsec-protected by this conn.
leftprotoport=17/1701
#
# The remote user.
#
right=%any
rightprotoport=17/%any
#
# Authorize this connection, and wait for connection from user.
#
auto=add
keyingtries=3
Anyone know what I did wrong and how I can get my ipsec0 interface back :-)
Dan