This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Evaluation of Astaro 4.010

I am trying to connect two ASL boxes using IPSec.One is a full registered version, the other still an evaluation version Despite numerous efforts, and following the PSK and RSA guides I cant get it working. Before I post any logs, I was just wondering if there is any restrictions int he evaluation version which may be preventing this from working

This thread was automatically locked due to age.

Parents

0 Andreas Steffen over 22 years ago

If you want someone to help you, you must post some details why your setup doesn't workl

Andreas
Cancel
Vote Up 0 Vote Down

Cancel
0 hits over 22 years ago in reply to Andreas Steffen

I have IPSec VPN set using RSA and 3DES. but cant get the VPNS to connect.
Here is the info from the set up
In Connections

000 "DaxtenIE__VPN_1": 192.168.35.0/24===193.95.aaa.bbb...217.110.ccc.ddd===192.168.49.0/24
000 "DaxtenIE__VPN_1":   ike_life: 7800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "DaxtenIE__VPN_1":   policy: RSASIG+ENCRYPT+TUNNEL; interface: eth1; unrouted
000 "DaxtenIE__VPN_1":   newest ISAKMP SA: #43; newest IPsec SA: #0; eroute owner: #0
000 "DaxtenIE__VPN_1":   IKE algorithms wanted: 5_000-1-5, flags=-strict
000 "DaxtenIE__VPN_1":   IKE algorithms found:  5_192-1_128-5,
000 "DaxtenIE__VPN_1":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536 (extension)
000 "DaxtenIE__VPN_1":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "DaxtenIE__VPN_1":   ESP algorithms loaded: 3_168-1_128,
000
000 #46: "DaxtenIE__VPN_1" STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 2s
000 #41: "DaxtenIE__VPN_1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 6607s
000 #47: "DaxtenIE__VPN_1" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s
000 #43: "DaxtenIE__VPN_1" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7393s; newest ISAKMP

Livelog

Aug 12 15:06:11 (none) pluto[16644]: "DaxtenIE__VPN_1" #326: responding to Main Mode
Aug 12 15:06:11 (none) pluto[16644]: "DaxtenIE__VPN_1" #326: Main mode peer ID is ID_IPV4_ADDR: '193.95.aaa.bbb'
Aug 12 15:06:11 (none) pluto[16644]: "DaxtenIE__VPN_1" #326: sent MR3, ISAKMP SA established
Aug 12 15:06:12 (none) pluto[16644]: "DaxtenIE__VPN_1" #327: responding to Quick Mode
Aug 12 15:06:15 (none) pluto[16644]: "DaxtenIE__VPN_1" #325: Main mode peer ID is ID_IPV4_ADDR: '193.95.aaa.bbb
Aug 12 15:06:15 (none) pluto[16644]: "DaxtenIE__VPN_1" #325: ISAKMP SA established
Aug 12 15:06:15 (none) pluto[16644]: "DaxtenIE__VPN_1" #328: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL
Aug 12 15:06:16 (none) pluto[16644]: "DaxtenIE__VPN_1" #328: route-client command exited with status 7
Aug 12 15:06:22 (none) pluto[16644]: "DaxtenIE__VPN_1" #327: discarding duplicate packet; already STATE_QUICK_R1
Aug 12 15:06:26 (none) pluto[16644]: "DaxtenIE__VPN_1" #328: route-client command exited with status 7
Aug 12 15:06:42 (none) pluto[16644]: "DaxtenIE__VPN_1" #327: discarding duplicate packet; already STATE_QUICK_R1
Aug 12 15:06:46 (none) pluto[16644]: "DaxtenIE__VPN_1" #328: route-client command exited with status 7
Aug 12 15:07:22 (none) pluto[16644]: "DaxtenIE__VPN_1" #329: responding to Quick Mode
Aug 12 15:07:22 (none) pluto[16644]: "DaxtenIE__VPN_1" #327: max number of retransmissions (2) reached STATE_QUICK_R1
Aug 12 15:07:25 (none) pluto[16644]: "DaxtenIE__VPN_1" #328: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 12 15:07:25 (none) pluto[16644]: "DaxtenIE__VPN_1" #328: starting keying attempt 2 of an unlimited number
Aug 12 15:07:25 (none) pluto[16644]: "DaxtenIE__VPN_1" #330: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL to replace #328
Aug 12 15:07:25 (none) pluto[16644]: "DaxtenIE__VPN_1" #330: route-client command exited with status 7
Aug 12 15:07:32 (none) pluto[16644]: "DaxtenIE__VPN_1" #329: discarding duplicate packet; already STATE_QUICK_R1
Aug 12 15:07:36 (none) pluto[16644]: "DaxtenIE__VPN_1" #330: route-client command exited with status 7
Aug 12 15:07:52 (none) pluto[16644]: "DaxtenIE__VPN_1" #329: discarding duplicate packet; already STATE_QUICK_R1
Aug 12 15:07:55 (none) pluto[16644]: "DaxtenIE__VPN_1" #330: route-client command exited with status 7
Aug 12 15:08:32 (none) pluto[16644]: "DaxtenIE__VPN_1" #331: responding to Quick Mode
Aug 12 15:08:32 (none) pluto[16644]: "DaxtenIE__VPN_1" #329: max number of retransmissions (2) reached STATE_QUICK_R1
Aug 12 15:08:35 (none) pluto[16644]: "DaxtenIE__VPN_1" #330: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 12 15:08:35 (none) pluto[16644]: "DaxtenIE__VPN_1" #330: starting keying attempt 3 of an unlimited number
Aug 12 15:08:35 (none) pluto[16644]: "DaxtenIE__VPN_1" #332: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL to replace #330
Aug 12 15:08:35 (none) pluto[16644]: "DaxtenIE__VPN_1" #332: route-client command exited with status 7
Aug 12 15:08:42 (none) pluto[16644]: "DaxtenIE__VPN_1" #331: discarding duplicate packet; already STATE_QUICK_R1
Aug 12 15:08:45 (none) pluto[16644]: "DaxtenIE__VPN_1" #332: route-client command exited with status 7
Aug 12 15:09:02 (none) pluto[16644]: "DaxtenIE__VPN_1" #331: discarding duplicate packet; already STATE_QUICK_R1
Aug 12 15:09:05 (none) pluto[16644]: "DaxtenIE__VPN_1" #332: route-client command exited with status 7
Aug 12 15:09:42 (none) pluto[16644]: "DaxtenIE__VPN_1" #333: responding to Quick Mode
Aug 12 15:09:42 (none) pluto[16644]: "DaxtenIE__VPN_1" #331: max number of retransmissions (2) reached STATE_QUICK_R1
Aug 12 15:09:45 (none) pluto[16644]: "DaxtenIE__VPN_1" #332: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 12 15:09:45 (none) pluto[16644]: "DaxtenIE__VPN_1" #332: starting keying attempt 4 of an unlimited number
Aug 12 15:09:45 (none) pluto[16644]: "DaxtenIE__VPN_1" #334: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL to replace #332
Aug 12 15:09:46 (none) pluto[16644]: "DaxtenIE__VPN_1" #334: route-client command exited with status 7
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 hits over 22 years ago in reply to Andreas Steffen

I have IPSec VPN set using RSA and 3DES. but cant get the VPNS to connect.
Here is the info from the set up
In Connections

000 "DaxtenIE__VPN_1": 192.168.35.0/24===193.95.aaa.bbb...217.110.ccc.ddd===192.168.49.0/24
000 "DaxtenIE__VPN_1":   ike_life: 7800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "DaxtenIE__VPN_1":   policy: RSASIG+ENCRYPT+TUNNEL; interface: eth1; unrouted
000 "DaxtenIE__VPN_1":   newest ISAKMP SA: #43; newest IPsec SA: #0; eroute owner: #0
000 "DaxtenIE__VPN_1":   IKE algorithms wanted: 5_000-1-5, flags=-strict
000 "DaxtenIE__VPN_1":   IKE algorithms found:  5_192-1_128-5,
000 "DaxtenIE__VPN_1":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536 (extension)
000 "DaxtenIE__VPN_1":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "DaxtenIE__VPN_1":   ESP algorithms loaded: 3_168-1_128,
000
000 #46: "DaxtenIE__VPN_1" STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 2s
000 #41: "DaxtenIE__VPN_1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 6607s
000 #47: "DaxtenIE__VPN_1" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s
000 #43: "DaxtenIE__VPN_1" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7393s; newest ISAKMP

Livelog

Aug 12 15:06:11 (none) pluto[16644]: "DaxtenIE__VPN_1" #326: responding to Main Mode
Aug 12 15:06:11 (none) pluto[16644]: "DaxtenIE__VPN_1" #326: Main mode peer ID is ID_IPV4_ADDR: '193.95.aaa.bbb'
Aug 12 15:06:11 (none) pluto[16644]: "DaxtenIE__VPN_1" #326: sent MR3, ISAKMP SA established
Aug 12 15:06:12 (none) pluto[16644]: "DaxtenIE__VPN_1" #327: responding to Quick Mode
Aug 12 15:06:15 (none) pluto[16644]: "DaxtenIE__VPN_1" #325: Main mode peer ID is ID_IPV4_ADDR: '193.95.aaa.bbb
Aug 12 15:06:15 (none) pluto[16644]: "DaxtenIE__VPN_1" #325: ISAKMP SA established
Aug 12 15:06:15 (none) pluto[16644]: "DaxtenIE__VPN_1" #328: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL
Aug 12 15:06:16 (none) pluto[16644]: "DaxtenIE__VPN_1" #328: route-client command exited with status 7
Aug 12 15:06:22 (none) pluto[16644]: "DaxtenIE__VPN_1" #327: discarding duplicate packet; already STATE_QUICK_R1
Aug 12 15:06:26 (none) pluto[16644]: "DaxtenIE__VPN_1" #328: route-client command exited with status 7
Aug 12 15:06:42 (none) pluto[16644]: "DaxtenIE__VPN_1" #327: discarding duplicate packet; already STATE_QUICK_R1
Aug 12 15:06:46 (none) pluto[16644]: "DaxtenIE__VPN_1" #328: route-client command exited with status 7
Aug 12 15:07:22 (none) pluto[16644]: "DaxtenIE__VPN_1" #329: responding to Quick Mode
Aug 12 15:07:22 (none) pluto[16644]: "DaxtenIE__VPN_1" #327: max number of retransmissions (2) reached STATE_QUICK_R1
Aug 12 15:07:25 (none) pluto[16644]: "DaxtenIE__VPN_1" #328: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 12 15:07:25 (none) pluto[16644]: "DaxtenIE__VPN_1" #328: starting keying attempt 2 of an unlimited number
Aug 12 15:07:25 (none) pluto[16644]: "DaxtenIE__VPN_1" #330: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL to replace #328
Aug 12 15:07:25 (none) pluto[16644]: "DaxtenIE__VPN_1" #330: route-client command exited with status 7
Aug 12 15:07:32 (none) pluto[16644]: "DaxtenIE__VPN_1" #329: discarding duplicate packet; already STATE_QUICK_R1
Aug 12 15:07:36 (none) pluto[16644]: "DaxtenIE__VPN_1" #330: route-client command exited with status 7
Aug 12 15:07:52 (none) pluto[16644]: "DaxtenIE__VPN_1" #329: discarding duplicate packet; already STATE_QUICK_R1
Aug 12 15:07:55 (none) pluto[16644]: "DaxtenIE__VPN_1" #330: route-client command exited with status 7
Aug 12 15:08:32 (none) pluto[16644]: "DaxtenIE__VPN_1" #331: responding to Quick Mode
Aug 12 15:08:32 (none) pluto[16644]: "DaxtenIE__VPN_1" #329: max number of retransmissions (2) reached STATE_QUICK_R1
Aug 12 15:08:35 (none) pluto[16644]: "DaxtenIE__VPN_1" #330: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 12 15:08:35 (none) pluto[16644]: "DaxtenIE__VPN_1" #330: starting keying attempt 3 of an unlimited number
Aug 12 15:08:35 (none) pluto[16644]: "DaxtenIE__VPN_1" #332: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL to replace #330
Aug 12 15:08:35 (none) pluto[16644]: "DaxtenIE__VPN_1" #332: route-client command exited with status 7
Aug 12 15:08:42 (none) pluto[16644]: "DaxtenIE__VPN_1" #331: discarding duplicate packet; already STATE_QUICK_R1
Aug 12 15:08:45 (none) pluto[16644]: "DaxtenIE__VPN_1" #332: route-client command exited with status 7
Aug 12 15:09:02 (none) pluto[16644]: "DaxtenIE__VPN_1" #331: discarding duplicate packet; already STATE_QUICK_R1
Aug 12 15:09:05 (none) pluto[16644]: "DaxtenIE__VPN_1" #332: route-client command exited with status 7
Aug 12 15:09:42 (none) pluto[16644]: "DaxtenIE__VPN_1" #333: responding to Quick Mode
Aug 12 15:09:42 (none) pluto[16644]: "DaxtenIE__VPN_1" #331: max number of retransmissions (2) reached STATE_QUICK_R1
Aug 12 15:09:45 (none) pluto[16644]: "DaxtenIE__VPN_1" #332: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 12 15:09:45 (none) pluto[16644]: "DaxtenIE__VPN_1" #332: starting keying attempt 4 of an unlimited number
Aug 12 15:09:45 (none) pluto[16644]: "DaxtenIE__VPN_1" #334: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL to replace #332
Aug 12 15:09:46 (none) pluto[16644]: "DaxtenIE__VPN_1" #334: route-client command exited with status 7
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Andreas Steffen over 22 years ago in reply to hits

There is some problem with the routability of your subnets. Setting up a route for 192.168.49.0/24 fails ( route-client command exited with status 7). Is the subnet on your side really 192.168.35.0/24 or does it encompass 192.168.49.0/24 ?
A listing of route -n might help.

Regards

Andreas
Cancel
Vote Up 0 Vote Down

Cancel
0 hits over 22 years ago in reply to Andreas Steffen

Here is a list of the route -n on one of the boxes. Is this how it is supposed to look
Destination Gateway GenMask Flags Metric Ref Use Int
10.0.0.1 0.0.0.0 UH 0 0 0 ETH1
10.0.0.1 0.0.0.0 UH 0 0 0 ETH1
10.0.0.1 0.0.0.0 UH 0 0 0 ETH1
10.0.0.1 0.0.0.0 UH 0 0 0 ETH1
10.0.0.1 0.0.0.0 UH 0 0 0 ETH1
193.95.165.96 0.0.0.0 U 0 0 0 ETH1
193.95.165.96 0.0.0.0 U 0 0 0 ETH1
193.95.165.96 0.0.0.0 U 0 0 0 ETH1
193.95.165.96 0.0.0.0 U 0 0 0 ETH1
193.95.165.96 0.0.0.0 U 0 0 0 ETH1
193.95.165.96 0.0.0.0 U 0 0 0 IPSEC0
127.0.0.0 0.0.0.0 U 0 0 0 LO
0.0.0.0 10.0.0.1 UG 0 0 0 ETH1
0.0.0.0 10.0.0.1 UG 0 0 0 ETH1
0.0.0.0 10.0.0.1 UG 0 0 0 ETH1
0.0.0.0 10.0.0.1 UG 0 0 0 ETH1
0.0.0.0 10.0.0.1 UG 0 0 0 ETH1
Cancel
Vote Up 0 Vote Down

Cancel
0 hits over 22 years ago in reply to Andreas Steffen

I forgot say I cant see anywhere where the two subnets are linked in any way.
Cancel
Vote Up 0 Vote Down

Cancel
0 cyclops over 22 years ago in reply to Andreas Steffen

[ QUOTE ]

route-client command exited with status 7

[/ QUOTE ]

also happens if the interface bitmask is set to 32 bit and pluto isn't able
to set the ipsec interface. While surfing through the directories I have
just found a debug file located in /var/chroot-ipsec/tmp , might be helpful

Greetings
cyclops
Cancel
Vote Up 0 Vote Down

Cancel
0 Andreas Steffen over 22 years ago in reply to hits

I don't see the netmasks in your listing. Where is your 192.168.35.0/24 network?

Andreas
Cancel
Vote Up 0 Vote Down

Cancel
0 hits over 22 years ago in reply to Andreas Steffen

I missed that line out somehow
the listing is from the route command is
192.168.35.0 0.0.0.0 255.255.255.0 U 0 0 0 ETH0
Cancel
Vote Up 0 Vote Down

Cancel