FreeS/WAN setup problems


Sebastian Haas
07-25-2004, 01:36 AM
Hello!

I'm setting up a VPN tunnel with FreeS/WAN 2.06 and Linux kernel 2.4.25.
But I'm a little bit in trouble with establishing the connection.

ipsec auto --up S2I:
104 "S2I" #1: STATE_MAIN_I1: initiate
106 "S2I" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "S2I" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "S2I" #1: STATE_MAIN_I4: ISAKMP SA established
112 "S2I" #2: STATE_QUICK_I1: initiate
003 "S2I" #2: prepare-client command exited with status 127
003 "S2I" #2: route-client command exited with status 127
032 "S2I" #2: STATE_QUICK_I1: internal error
010 "S2I" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
003 "S2I" #2: prepare-client command exited with status 127
003 "S2I" #2: route-client command exited with status 127
032 "S2I" #2: STATE_QUICK_I1: internal error
010 "S2I" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
003 "S2I" #2: prepare-client command exited with status 127
003 "S2I" #2: route-client command exited with status 127
032 "S2I" #2: STATE_QUICK_I1: internal error
031 "S2I" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "S2I" #2: starting keying attempt 2 of an unlimited number, but releasing whack

As you can see, it could exchange the keys (we're using RSA private
keys). The prepare-client/route-client command errors are caused by a
missing command (ip route, but I've only got route - is this the same?).

ipsec auto --status:
000 interface ipsec0/eth0 192.168.2.2
000 interface ipsec1/eth1 192.168.1.200
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore
000
000 "S2I": 192.168.1.0/24===192.168.2.2[@invoices.ems-wuensche.com]...192.168.2.1[@services.ems-wuensche.com]===192.168.0.0/24; unrouted; eroute owner: #0
000 "S2I": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "S2I": policy: RSASIG+ENCRYPT+COMPRESS+PFS+UP; prio: 24,24; interface: eth0;
000 "S2I": newest ISAKMP SA: #1; newest IPsec SA: #0;
000
000 #5: "S2I" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 33s
000 #1: "S2I" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2654s; newest ISAKMP
000

It hangs in the IPsec SA establishing phase.

Network setup:

Left net VPN gateway 1 VPN gateway 2 Right net
192.168.0.0 <--> 192.168.2.1 <--> 192.168.2.2 <--> 192.168.1.0

Settings gateway 1:
Interfaces:
eth0 - 192.168.2.1
eth1 - 192.168.0.200

route says:
192.168.0.0 eth1
192.168.2.0 eth0
default dev eth0

Settings gateway 2:
Interfaces:
eth0 - 192.168.2.2
eth1 - 192.168.1.200

and route says:
192.168.1.0 eth1
192.168.2.0 eth0
default dev eth0

ipsec.conf:
config setup
        interfaces="ipsec0=eth0 ipsec1=eth1"
        klipsdebug=all
        plutodebug=all
        pluto=yes
        rp_filter=0

conn %default
        keyingtries=0
        keylife=8h
        compress=yes

conn S2I
        # Left security gateway, subnet behind it, next hop toward right.
        left=192.168.2.1
        leftsubnet=192.168.0.0/24
        leftnexthop=
        leftid=@service.ems-wuensche.com
        leftrsasigkey=...
        # Right security gateway, subnet behind it, next hop toward left.
        right=192.168.2.2
        rightsubnet=192.168.1.0/24
        rightnexthop=
        rightid=@invoices.ems-wuensche.com
        rightrsasigkey=...
        auto=add

Any help would be very much appreciated.

--
With kind regards / Best Regards
Sebastian Haas
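The negotiation above gets through Phase 1 (ISAKMP SA established) and then loops in Quick Mode while the _updown script's prepare-client/route-client calls fail with exit status 127, which is the shell's "command not found". The following triage script is an added example, not code from the post or from FreeS/WAN: it parses whack-style status lines of the form `NNN "conn" #sa: message` (the format of the `ipsec auto --up` output quoted above), records which SA states were reached, collects updown exit statuses and retransmissions, and reports where the negotiation stalled. The FAILED_UP sample is the log from the post; HEALTHY_UP is a constructed, hypothetical contrast case, and the line format is assumed from the quoted output only.

```python
"""Triage pluto's `ipsec auto --up` output: where did the negotiation stall?"""
import re

# Constructed sample input: the lines quoted in the post above, in whack's
# "NNN \"conn\" #sa: message" format.
FAILED_UP = """\
104 "S2I" #1: STATE_MAIN_I1: initiate
106 "S2I" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "S2I" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "S2I" #1: STATE_MAIN_I4: ISAKMP SA established
112 "S2I" #2: STATE_QUICK_I1: initiate
003 "S2I" #2: prepare-client command exited with status 127
003 "S2I" #2: route-client command exited with status 127
032 "S2I" #2: STATE_QUICK_I1: internal error
010 "S2I" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
003 "S2I" #2: prepare-client command exited with status 127
003 "S2I" #2: route-client command exited with status 127
032 "S2I" #2: STATE_QUICK_I1: internal error
010 "S2I" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
003 "S2I" #2: prepare-client command exited with status 127
003 "S2I" #2: route-client command exited with status 127
032 "S2I" #2: STATE_QUICK_I1: internal error
031 "S2I" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "S2I" #2: starting keying attempt 2 of an unlimited number, but releasing whack
"""

# Constructed contrast case (hypothetical lines): a tunnel that comes up cleanly.
HEALTHY_UP = """\
104 "S2I" #1: STATE_MAIN_I1: initiate
004 "S2I" #1: STATE_MAIN_I4: ISAKMP SA established
112 "S2I" #2: STATE_QUICK_I1: initiate
004 "S2I" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
"""

LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
UPDOWN_RE = re.compile(r'^(?P<verb>[a-z]+-(?:host|client)) command exited with status (?P<status>\d+)$')
STATE_RE = re.compile(r'^(?P<state>STATE_[A-Z0-9_]+)')


def parse_line(line):
    """Split one whack status line into code, connection name, SA number and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["sa"] = int(rec["sa"])
    return rec


def triage(text):
    """Summarise an `ipsec auto --up` transcript and list findings in priority order."""
    r = {"conn": None, "isakmp_sa": False, "ipsec_sa": False, "internal_error": False,
         "last_state": None, "updown_failures": [], "retransmissions": 0, "findings": []}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a whack status line; ignore
        r["conn"] = rec["conn"]
        msg = rec["msg"]
        m = STATE_RE.match(msg)
        if m:
            r["last_state"] = m.group("state")
        if "ISAKMP SA established" in msg:
            r["isakmp_sa"] = True          # Phase 1 done
        if "IPsec SA established" in msg:
            r["ipsec_sa"] = True           # Phase 2 done: tunnel is up
        if msg.endswith("internal error"):
            r["internal_error"] = True
        m = UPDOWN_RE.match(msg)
        if m:
            r["updown_failures"].append((m.group("verb"), int(m.group("status"))))
        if "retransmission;" in msg:
            r["retransmissions"] += 1

    # Exit status 127 is the shell's "command not found": the updown script
    # invoked a program that is absent or not on pluto's PATH.
    if any(status == 127 for _, status in r["updown_failures"]):
        verbs = sorted({v for v, s in r["updown_failures"] if s == 127})
        r["findings"].append("updown script failed with exit 127 (command not found) for: "
                             + ", ".join(verbs) + "; install the missing program first")
    elif r["updown_failures"]:
        r["findings"].append("updown script exited non-zero: %r" % r["updown_failures"])
    if r["isakmp_sa"] and not r["ipsec_sa"]:
        suffix = " after %d retransmission(s)" % r["retransmissions"] if r["retransmissions"] else ""
        r["findings"].append("Phase 1 (ISAKMP SA) completed; Phase 2 (Quick Mode) never "
                             "produced an IPsec SA" + suffix)
        if r["updown_failures"] and r["internal_error"]:
            r["findings"].append("Quick Mode 'internal error' followed the updown failures; "
                                 "treat the 'perhaps peer likes no proposal' hint as secondary")
    elif not r["isakmp_sa"]:
        r["findings"].append("Phase 1 never completed: check IKE reachability, IDs and RSA keys")
    return r


if __name__ == "__main__":
    for name, sample in (("failed", FAILED_UP), ("healthy", HEALTHY_UP)):
        result = triage(sample)
        print(name, result["last_state"], result["findings"] or ["no problems found"])
```

Run it against a saved transcript (`ipsec auto --up S2I 2>&1 | tee up.log`) by passing the file contents to `triage`; the findings list is ordered so that the updown failure, which is the first thing to fix in the log above, comes before the Phase 2 stall and the proposal hint.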