# Stuck with OpenSWAN

## randal1

Hi!

I am having trouble setting up an ipsec tunnel.

Here is my spec:

Gentoo Ver 3.3.6

Kernel Ver 2.6.12.5

OpenSWAN Ver 2.3.1

My OpenSWAN config is as follows (I have obviously removed IP addresses  :Smile:  )

```
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# Manual:     ipsec.conf.5

version   2.0   # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    klipsdebug=all
    plutodebug="control parsing"

# Add connections here
conn packetpatcheddefault
      # Left security gateway, subnet behind it, next hop toward right.
      authby=secret
      pfs=no
      left=xxx.xxx.xxx.xxx
      leftsubnet=xxx.xxx.xxx.xxx/xx
      #leftid=
      leftnexthop=xxx.xxx.xxx.xxx
      # Right security gateway, subnet behind it, next hop toward left.
      right=xxx.xxx.xxx.xxx
      rightsubnet=xxx.xxx.xxx.xxx
      #rightid=
      rightnexthop=xxx.xxx.xxx.xxx
      # To authorize this connection, but not actually start it, at startup,
      # uncomment this.
      #auto=start

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

...and my secrets file:

```
"/etc/ipsec/ipsec.secrets"
# PSK
xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx: PSK "mypskkeygoeshere"
```

When I start IPsec (/etc/init.d/ipsec start), and monitor /var/log/messages, I get...

```
Oct  6 09:17:46 MyOffice ipsec_setup: ...Openswan IPsec stopped
Oct  6 09:17:48 MyOffice ipsec_setup: Starting Openswan IPsec 2.3.1...
Oct  6 09:17:48 MyOffice ipsec_setup: insmod /lib/modules/2.6.12.5/kernel/net/key/af_key.ko
Oct  6 09:17:48 MyOffice NET: Registered protocol family 15
Oct  6 09:17:49 MyOffice ipsec_setup: insmod /lib/modules/2.6.12.5/kernel/net/ipv4/xfrm4_tunnel.ko
Oct  6 09:17:49 MyOffice ipsec_setup: insmod /lib/modules/2.6.12.5/kernel/net/xfrm/xfrm_user.ko
Oct  6 09:17:49 MyOffice Initializing IPsec netlink socket
Oct  6 09:17:49 MyOffice ipsec_setup: KLIPS ipsec0 on eth0 xxx.xxx.xxx.xxx/255.255.255.0 broadcast xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice ipsec__plutorun: Starting Pluto subsystem...
Oct  6 09:17:49 MyOffice pluto[2189]: Starting Pluto (Openswan Version 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEExalF{_o`m)
Oct  6 09:17:49 MyOffice pluto[2189]: Setting port floating to off
Oct  6 09:17:49 MyOffice pluto[2189]: port floating activate 0/1
Oct  6 09:17:49 MyOffice pluto[2189]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Oct  6 09:17:49 MyOffice pluto[2189]: | opening /dev/urandom
Oct  6 09:17:49 MyOffice pluto[2189]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Oct  6 09:17:49 MyOffice pluto[2189]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
Oct  6 09:17:49 MyOffice ipsec_setup: ...Openswan IPsec started
Oct  6 09:17:49 MyOffice pluto[2189]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Oct  6 09:17:49 MyOffice pluto[2189]: starting up 3 cryptographic helpers
Oct  6 09:17:49 MyOffice pluto[2189]: started helper pid=2194 (fd:6)
Oct  6 09:17:49 MyOffice pluto[2194]: | opening /dev/urandom
Oct  6 09:17:49 MyOffice pluto[2194]: ! helper 0 waiting on fd: 7
Oct  6 09:17:49 MyOffice pluto[2197]: | opening /dev/urandom
Oct  6 09:17:49 MyOffice pluto[2189]: started helper pid=2197 (fd:7)
Oct  6 09:17:49 MyOffice pluto[2197]: ! helper 1 waiting on fd: 8
Oct  6 09:17:49 MyOffice pluto[2189]: started helper pid=2198 (fd:8)
Oct  6 09:17:49 MyOffice pluto[2189]: Using Linux 2.6 IPsec interface code
Oct  6 09:17:49 MyOffice pluto[2198]: | opening /dev/urandom
Oct  6 09:17:49 MyOffice pluto[2198]: ! helper 2 waiting on fd: 9
Oct  6 09:17:49 MyOffice pluto[2189]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Oct  6 09:17:49 MyOffice pluto[2189]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Oct  6 09:17:49 MyOffice pluto[2189]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Oct  6 09:17:49 MyOffice pluto[2189]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Oct  6 09:17:49 MyOffice pluto[2189]:   Warning: empty directory
Oct  6 09:17:49 MyOffice pluto[2189]: | inserting event EVENT_LOG_DAILY, timeout in 52931 seconds
Oct  6 09:17:49 MyOffice pluto[2189]: | next event EVENT_PENDING_PHASE2 in 120 seconds
Oct  6 09:17:49 MyOffice pluto[2189]: |
Oct  6 09:17:49 MyOffice pluto[2189]: | *received whack message
Oct  6 09:17:49 MyOffice pluto[2189]: listening for IKE messages
Oct  6 09:17:49 MyOffice pluto[2189]: | found lo with address 127.0.0.1
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:0 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:11 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:12 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:13 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:1 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:2 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:3 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:4 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:5 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:6 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:7 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:8 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:9 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found bond0:10 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found eth0 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: | found eth0:0 with address xxx.xxx.xxx.xxx
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface eth0:0/eth0:0 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface eth0/eth0 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:10/bond0: xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:9/bond0:9 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:8/bond0:8 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:7/bond0:7 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:6/bond0:6 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:5/bond0:5 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:4/bond0:4 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:3/bond0:3 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:2/bond0:2 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:1/bond0:1 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:13/bond0:13 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:12/bond0:12 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:11/bond0:11 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0:0/bond0:0 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface bond0/bond0 xxx.xxx.xxx.xxx:500
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface lo/lo 127.0.0.1:500
Oct  6 09:17:49 MyOffice pluto[2189]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Oct  6 09:17:49 MyOffice pluto[2189]: adding interface lo/lo ::1:500
Oct  6 09:17:49 MyOffice pluto[2189]: loading secrets from "/etc/ipsec/ipsec.secrets"
Oct  6 09:17:49 MyOffice pluto[2189]: | next event EVENT_PENDING_PHASE2 in 120 seconds
```

Also, please find attached my "ipsec verify":

```
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.3.1/K2.6.12.5 (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets)         [FAILED]
hostname: No address associated with name
ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
grep: /etc/ipsec.conf: No such file or directory
cat: /etc/ipsec.conf: No such file or directory
Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: MyOffice                [MISSING]
   Does the machine have at least one non-private address?      [FAILED]
```

At the moment I am stuck at a point and can't find any documentation to help me.

Any advice/help gratefully received!

Many thanks in advance   :Very Happy: 

----------

## jpl888

Yes, I have some advice: use OpenVPN instead.

It's easier to configure, the documentation is better and it is stable (I know someone with quite a few remote laptops that has been using it for 6 months without trouble).

----------

## randal1

I really wish I could, unfortunately I am tied to OpenSWAN for corporate reasons   :Sad: 

Any ideas with the above config?

----------

## jpl888

Well a good place to start would be the RSA private key that is missing.

Looking at the openswan website there is no indication that you have to create the RSA key, it just kind of says you should do the usual install stuff (configure and make, etc.), start the service and hey presto. That would say to me there is something wrong with the basic install. 

It says type "ipsec verify" to verify your installation, so try that and see what happens.

Please also refer to this site http://wiki.openswan.org/index.php/Troubleshooting that says type "service ipsec start" to create the RSA key.

----------

## randal1

thanks for the reply   :Very Happy: 

I am not using RSA keys for this connection...it is using Pre Shared Key instead.  I have defined my PSK key in the ipsec.secrets file (shown in the first post).

----------

## jpl888

It is expecting to find an RSA key so that may be one reason why it's not starting, also it doesn't seem to find the ipsec.conf, I would say that is a fairly major error too.

----------

## jpl888

How did you define your PSK?

----------

## pava_rulez

*jpl888 wrote:*

> It is expecting to find an RSA key so that may be one reason why it's not starting, also it doesn't seem to find the ipsec.conf, I would say that is a fairly major error too.

No, that's not the reason...here's ipsec verify output from my running Openswan:

```
Orione ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.0dr9/K2.6.11-gentoo-r11 (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]
```

----------

## pava_rulez

*jpl888 wrote:*

> You've been doing some fiddling since your first post then eh?
> 
> That output is different to the original one, looks like you now have a ipsec.conf and you've disabled opportunistic encryption.
> 
> I would like to know how you created your PSK.

Ahem, I'm not Randal1...   :Laughing: 

----------

## jpl888

*Quote:*

> No, that's not the reason...here's ipsec verify output from my running Openswan:

I did say maybe the key is causing a problem, but randal1 definitely needs an ipsec.conf and he should probably disable OE unless the other end of the tunnel is OPENSWAN or FREESWAN

----------

## jpl888

*Quote:*

> Ahem, I'm not Randal1...

whoops yeah I know deleted that post   :Wink: 

----------

## pava_rulez

*jpl888 wrote:*

> *Quote:* No, that's not the reason...here's ipsec verify output from my running Openswan:
> 
> I did say maybe the key is causing a problem, but randal1 definitely needs an ipsec.conf and he should probably disable OE unless the other end of the tunnel is OPENSWAN or FREESWAN

```
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        virtual_private=%v4:172.16.0.0/12,%v4:!192.168.0.0/24

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel

conn Home-Openswan
        pfs=no
        left=%defaultroute
        leftprotoport=17/1701
        rightprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
```

Hope it can be useful...   :Very Happy: 

----------

## randal1

I'm pretty confused...!!! Who is this new person - pava_rulez?!

Anyway, I have defined my PSK in the ipsec.secrets file (this is where I think it should be put)

I thought that OE was disabled in my ipsec.conf file (at the bottom) -

```
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

(have I missed something?...I have already previously posted my ipsec.conf, ipsec.secrets files, and I am using PSK, not RSA)

Thanks for the ongoing help

----------

## pava_rulez

Hi, I'm the new one, Pava_rulez!   :Very Happy: 

Just a question, is your tunnel between an Openswan server and a windows client, more than one client, or whatever? It'd be important to have more information to help you (I can tell you I had to try some weeks before having my system work...)

----------

## jpl888

Ok going back to the first post, your "ipsec verify" says it can't find /etc/ipsec.conf, which would be why it isn't starting.

I think this is the fundamental problem at the moment. So either the file isn't in that location or there is a permissions problem.

Other than that pava_rulez is probably more qualified to help as I don't have a working Openswan server and I have a lot more experience with Openvpn.

----------

## randal1

Hi Pava_rulez!!

It doesn't say that it can't find the file /etc/ipsec/ipsec.conf...it says that it can't find the RSA key...because I'm not using one, I'm using a PSK.  Is that the case?? Or does it actually mean that it can't find the file full stop?

Ownership of the file is as follows:

```
MyBox ~ # ls -la /etc/ipsec/ipsec.conf
-rwxr-xr-x  1 root root 1619 Oct  6 08:17 /etc/ipsec/ipsec.conf
```

Also, the extra info you want - It is one Gentoo Box Running OpenSWAN connected to a Cisco ADSL (827/837) router on the other side.  Does this help?

Thanks!   :Very Happy: 

----------

## pava_rulez

Hi randal1,

this is my ipsec.secrets:

```
VPN_Server_Extern_IP  %any: PSK "dsfjn33sdibfa6sdhfdsfb8sdhffcd8475dri0q64vr"
```

I suppose you can try with an ipsec.conf looking like mine. Use my values for right, rightsubnet and left. Make sure all of your firewall ports are wide open (if you're trying to set up an IPsec-L2TP tunnel you need to open ports 500, 4500 and 1701 and accept packets belonging to protocols 50 and 51).  I suggest you read this great howto (thanks again my great master Dashnu for your help!!!    :Cool:  ).

----------

## jpl888

*Quote:*

> grep: /etc/ipsec.conf: No such file or directory
> 
> cat: /etc/ipsec.conf: No such file or directory

The above is from your original ipsec verify randal1, "grep" and "cat" are core utilities so when it says "No such file or directory" it is referring to "ipsec.conf", or am I completely mad?

You seem to have your ipsec.conf in /etc/ipsec and it should just be in /etc.

----------
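The three things the posts above keep returning to are mechanical enough to check offline: where `ipsec.conf` and `ipsec.secrets` actually live versus the `/etc/ipsec.conf` path that `ipsec verify` greps for, whether a `conn` carries an `auto=` line at all (the first post's config has `#auto=start` commented out, while pava_rulez's uses `auto=add`), and whether the `authby=secret` endpoints are covered by a `PSK` line in the secrets file. The following is an added example written for this thread, not Openswan's own tooling. It is a small linter that parses the two file formats shown in the thread and reports those findings, plus a permissions check on the secrets file since it holds the shared key. The secrets matching is a deliberate simplification (`%any` matches any address, otherwise an exact string match) rather than Openswan's full ID-selection rules, and the sample config is constructed from the first post with documentation-range addresses standing in for the `xxx` placeholders.

```python
"""Offline lint for an Openswan-style ipsec.conf / ipsec.secrets pair (example code)."""
import re
from typing import Dict, List, Tuple

# Paths Openswan 2.x reads by default; the box in this thread kept both under /etc/ipsec/.
EXPECTED_CONF = "/etc/ipsec.conf"
EXPECTED_SECRETS = "/etc/ipsec.secrets"


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"config setup": {...}, "conn NAME": {...}}; commented keys are dropped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments, so "#auto=start" vanishes
        if not line.strip():
            continue
        if not line[0].isspace():              # top-level keyword: config/conn/version/include
            parts = line.split()
            current = f"{parts[0]} {parts[1]}" if parts[0] in ("config", "conn") and len(parts) > 1 else None
            if current is not None:
                sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip().strip('"')
    return sections


def parse_secrets(text: str) -> List[Tuple[List[str], str]]:
    """Return [(selectors, psk)] for 'A B: PSK "key"' lines; anything else is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^(.*?):\s*PSK\s+"([^"]*)"\s*$', line)
        if m:
            # An empty selector list means "applies to anyone", treated here as %any.
            entries.append((m.group(1).split() or ["%any"], m.group(2)))
    return entries


def psk_covers(selectors: List[str], *ends: str) -> bool:
    """Simplified selector match (assumption): %any matches anything, else exact address."""
    return all("%any" in selectors or end in selectors for end in ends)


def lint(conf_text: str, secrets_text: str, conf_path: str, secrets_path: str, secrets_mode: int) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    if conf_path != EXPECTED_CONF:
        findings.append(f"ipsec.conf found at {conf_path}, but Openswan reads {EXPECTED_CONF}")
    if secrets_path != EXPECTED_SECRETS:
        findings.append(f"ipsec.secrets found at {secrets_path}, but Openswan reads {EXPECTED_SECRETS}")
    if secrets_mode & 0o077:               # group/other bits set: the PSK is readable by non-root
        findings.append(f"ipsec.secrets mode {secrets_mode:04o} lets non-root users read the PSK")
    sections = parse_ipsec_conf(conf_text)
    defaults = sections.get("conn %default", {})
    secrets = parse_secrets(secrets_text)
    for name, kv in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        eff = {**defaults, **kv}           # conn values override conn %default
        if eff.get("auto", "ignore") == "ignore":
            findings.append(f"{name}: no auto=add/start, so pluto never loads this conn")
        if eff.get("authby") == "secret":
            ends = [eff.get("left", ""), eff.get("right", "")]
            if not any(psk_covers(sel, *ends) for sel, _ in secrets):
                findings.append(f"{name}: authby=secret but no PSK entry covers {ends[0]} <-> {ends[1]}")
    return findings


# Constructed sample modelled on the first post; 192.0.2.x / 198.51.100.x stand in for the xxx's.
THREAD_CONF = """\
version 2.0
config setup
    klipsdebug=all
    plutodebug="control parsing"
conn packetpatcheddefault
      authby=secret
      pfs=no
      left=192.0.2.1
      leftsubnet=192.0.2.0/24
      right=198.51.100.1
      rightsubnet=198.51.100.0/24
      #auto=start
include /etc/ipsec/ipsec.d/examples/no_oe.conf
"""
THREAD_SECRETS = '# PSK\n192.0.2.1 198.51.100.1: PSK "mypskkeygoeshere"\n'
# Same conn with auto= uncommented (constructed), to show a clean run.
FIXED_CONF = THREAD_CONF.replace("#auto=start", "auto=start")

if __name__ == "__main__":
    for f in lint(THREAD_CONF, THREAD_SECRETS, "/etc/ipsec/ipsec.conf", "/etc/ipsec/ipsec.secrets", 0o600):
        print("FINDING:", f)
    print("fixed config:", lint(FIXED_CONF, THREAD_SECRETS, EXPECTED_CONF, EXPECTED_SECRETS, 0o600) or "clean")
```

Run as written, the thread-style scenario reports the two file locations and the unloaded conn; moving the files to `/etc` and uncommenting `auto=` produces an empty list. The mode check is there because the first post shows `ipsec.conf` at 0755; the same habit applied to `ipsec.secrets` would expose the PSK to every local user, so the linter flags anything wider than 0600.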

