<HTML dir=ltr><HEAD><TITLE>RE: [Openswan Users] Getting there....</TITLE>
<META http-equiv=Content-Type content="text/html; charset=unicode">
<META content="MSHTML 6.00.6000.16608" name=GENERATOR></HEAD>
<BODY>
<DIV id=idOWAReplyText46315 dir=ltr>
<DIV dir=ltr><FONT color=#000000><FONT face=Arial size=2>I don't want to sound like a completely clueless noob, but I've only ever installed/updated stuff in Linux with apt. It appears that I am running OpenSwan 1:2.4.6+dfsg.2-1.1build2 but when I attempt to update/upgrade, I am told that there is nothing to update. I have the universe and multiverse repositories enabled but I'm guessing they don't contain the most up to date version of OpenSwan. Does anyone know a repository I could add to get it to work, or an alternative way to update my OpenSwan install?</FONT></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Thanks</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>-Chris</FONT></DIV></DIV>
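<DIV dir=ltr><FONT face=Arial size=2>Added example, not code from this thread or from Openswan: a small Python triage script that runs over pluto log lines like those quoted below and separates the two phase 1 failure patterns the thread shows, the NO_PROPOSAL_CHOSEN rejection (DH group mismatch) from the later "sent MR1, expecting MI2" followed by max retransmissions in STATE_MAIN_R1 (the responder's reply never gets back to the peer). The sample log is constructed by reassembling lines quoted further down with the peer address masked as in the thread; the regular expression and the hint wording are assumptions of this example.</FONT></DIV>

```python
import re

# Matches the pluto log format quoted in this thread, for example:
#   Mar 14 16:19:13 gatekeeper pluto[4146]: "pax_square"[1] 66.225.x.x #1: STATE_MAIN_R1: sent MR1, expecting MI2
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): )?'
    r'(?P<msg>.*)$'
)

def parse(lines):
    """Return one dict per recognised pluto line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = PLUTO_RE.match(line.strip())
        if m:
            d = m.groupdict()
            # ISAKMP SA numbers restart with every pluto process, so key by (pid, sa).
            d['key'] = (d['pid'], int(d['sa'])) if d['sa'] else None
            events.append(d)
    return events

def triage(lines):
    """Classify the IKE phase 1 failures seen in a responder-side pluto log."""
    findings = {'proposal_mismatch': [], 'no_reply_to_mr1': [], 'nat_t_advertised': False}
    sent_mr1 = set()
    for e in parse(lines):
        msg, key = e['msg'], e['key']
        # Peer advertised NAT-T vendor IDs but port floating (nat_traversal) is off on this side.
        if 'port floating is off' in msg:
            findings['nat_t_advertised'] = True
        # Responder rejected the initiator's IKE proposal (the DH group in this thread).
        if key and ('no acceptable Oakley Transform' in msg or 'NO_PROPOSAL_CHOSEN' in msg):
            if key not in findings['proposal_mismatch']:
                findings['proposal_mismatch'].append(key)
        # Responder answered MI1 with MR1 ...
        if key and 'STATE_MAIN_R1: sent MR1' in msg:
            sent_mr1.add(key)
        # ... and then gave up waiting for MI2: our reply never reached the peer.
        if key in sent_mr1 and 'max number of retransmissions' in msg and 'STATE_MAIN_R1' in msg:
            if key not in findings['no_reply_to_mr1']:
                findings['no_reply_to_mr1'].append(key)
    return findings

def diagnose(findings):
    """Turn findings into the next checks a responder-side admin would make."""
    hints = []
    if findings['proposal_mismatch']:
        hints.append('IKE proposal rejected: match the peer DH group to ike=...-modp1024 (or modp1536)')
    if findings['no_reply_to_mr1']:
        hints.append('MR1 sent but no MI2: our reply is not reaching the peer; '
                     'check the default route / leftnexthop, udp/500 and proto 50 rules, '
                     'and exclude the remote subnet from NAT')
    if findings['nat_t_advertised']:
        hints.append('peer offers NAT-T while port floating is off here; matters only if a NAT is in the path')
    return hints

# Constructed sample, reassembled from the log lines quoted in this thread (addresses masked as there).
SAMPLE_LOG = """\
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 66.225.x.x #1: responding to Main Mode from unknown peer 66.225.x.x
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 66.225.x.x #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 66.225.x.x #1: no acceptable Oakley Transform
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 66.225.x.x #1: sending notification NO_PROPOSAL_CHOSEN to 66.225.x.x:500
Mar 14 16:19:13 gatekeeper pluto[4146]: packet from 66.225.x.x:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off
Mar 14 16:19:13 gatekeeper pluto[4146]: "pax_square"[1] 66.225.x.x #1: responding to Main Mode from unknown peer 66.225.x.x
Mar 14 16:19:13 gatekeeper pluto[4146]: "pax_square"[1] 66.225.x.x #1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 14 16:20:23 gatekeeper pluto[4146]: "pax_square"[1] 66.225.x.x #1: max number of retransmissions (2) reached STATE_MAIN_R1
"""

if __name__ == '__main__':
    for hint in diagnose(triage(SAMPLE_LOG.splitlines())):
        print(hint)
```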
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Peter McGill [mailto:petermcgill@goco.net]<BR><B>Sent:</B> Fri 3/14/2008 5:00 PM<BR><B>To:</B> Chris Thomas; users@openswan.org<BR><B>Subject:</B> RE: [Openswan Users] Getting there....<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>It seems like your packets never get from Ubuntu back to<BR>linksys. Try upgrading to the latest stable version,<BR>2.4.11 I believe at <A href="http://openswan.org/code/">http://openswan.org/code/</A><BR><BR>And since it didn't help, I suggest removing the leftnexthop line.<BR><BR>Peter McGill<BR><BR><BR>> -----Original Message-----<BR>> From: Chris Thomas [<A href="mailto:cthomas@harkinsbuilders.com">mailto:cthomas@harkinsbuilders.com</A>]<BR>> Sent: March 14, 2008 4:28 PM<BR>> To: petermcgill@goco.net; users@openswan.org<BR>> Subject: RE: [Openswan Users] Getting there....<BR>><BR>> Dang. I made the change, restarted the server and tried to<BR>> establish the tunnel from the Linksys device again. I got<BR>> this in my logs, which appears to be the same as before:<BR>><BR>> Mar 14 16:19:13 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: ignoring unknown Vendor ID payload<BR>> [4f4540454371496d7a684644]<BR>> Mar 14 16:19:13 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload [Dead Peer Detection]<BR>> Mar 14 16:19:13 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload [RFC 3947]<BR>> meth=110, but port floating is off<BR>> Mar 14 16:19:13 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off<BR>> Mar 14 16:19:13 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off<BR>> Mar 14 16:19:13 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: ignoring Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-00]<BR>> Mar 14 16:19:13 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #1: responding to Main Mode from unknown peer 66.225.x.x<BR>> Mar 14 16:19:13 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #1: transition from state STATE_MAIN_R0 to state<BR>> 
STATE_MAIN_R1<BR>> Mar 14 16:19:13 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #1: STATE_MAIN_R1: sent MR1, expecting MI2<BR>> Mar 14 16:19:23 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: ignoring unknown Vendor ID payload<BR>> [4f4540454371496d7a684644]<BR>> Mar 14 16:19:23 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload [Dead Peer Detection]<BR>> Mar 14 16:19:23 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload [RFC 3947]<BR>> meth=110, but port floating is off<BR>> Mar 14 16:19:23 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off<BR>> Mar 14 16:19:23 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off<BR>> Mar 14 16:19:23 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: ignoring Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-00]<BR>> Mar 14 16:19:23 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #2: responding to Main Mode from unknown peer 66.225.x.x<BR>> Mar 14 16:19:23 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #2: transition from state STATE_MAIN_R0 to state<BR>> STATE_MAIN_R1<BR>> Mar 14 16:19:23 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #2: STATE_MAIN_R1: sent MR1, expecting MI2<BR>> Mar 14 16:19:43 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: ignoring unknown Vendor ID payload<BR>> [4f4540454371496d7a684644]<BR>> Mar 14 16:19:43 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload [Dead Peer Detection]<BR>> Mar 14 16:19:43 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload [RFC 3947]<BR>> meth=110, but port floating is off<BR>> Mar 14 16:19:43 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload<BR>> 
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off<BR>> Mar 14 16:19:43 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off<BR>> Mar 14 16:19:43 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: ignoring Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-00]<BR>> Mar 14 16:19:43 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #3: responding to Main Mode from unknown peer 66.225.x.x<BR>> Mar 14 16:19:43 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #3: transition from state STATE_MAIN_R0 to state<BR>> STATE_MAIN_R1<BR>> Mar 14 16:19:43 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #3: STATE_MAIN_R1: sent MR1, expecting MI2<BR>> Mar 14 16:20:23 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #1: max number of retransmissions (2) reached STATE_MAIN_R1<BR>> Mar 14 16:20:33 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #2: max number of retransmissions (2) reached STATE_MAIN_R1<BR>> Mar 14 16:20:53 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #3: max number of retransmissions (2) reached STATE_MAIN_R1<BR>> Mar 14 16:20:53 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x: deleting connection "pax_square" instance with<BR>> peer 66.225.x.x {isakmp=#0/ipsec=#0}<BR>><BR>><BR>> Thanks<BR>> -Chris<BR>><BR>> -----Original Message-----<BR>> From: Peter McGill [<A href="mailto:petermcgill@goco.net">mailto:petermcgill@goco.net</A>]<BR>> Sent: Friday, March 14, 2008 3:54 PM<BR>> To: Chris Thomas; users@openswan.org<BR>> Subject: RE: [Openswan Users] Getting there....<BR>><BR>> Hmm, I see that your lan (10.5..), not your wan (66.225..)<BR>> is your default route. 
Since leftnexthop defaults to your<BR>> default route, this might be your problem.<BR>> I suggest setting the following in ipsec.conf<BR>> conn central-site<BR>> left=66.225.Ubuntu<BR>> + leftnexthop=66.225.Cisco2950<BR>> leftsubnet=192.168.0.0/24<BR>> leftsourceip=192.168.0.20<BR>><BR>><BR>> Peter McGill<BR>> <BR>><BR>> > -----Original Message-----<BR>> > From: Chris Thomas [<A href="mailto:cthomas@harkinsbuilders.com">mailto:cthomas@harkinsbuilders.com</A>]<BR>> > Sent: March 14, 2008 3:43 PM<BR>> > To: petermcgill@goco.net; users@openswan.org<BR>> > Subject: RE: [Openswan Users] Getting there....<BR>> ><BR>> > Good to hear my configs are OK, although I guess it would<BR>> > have been better if there was something wrong, so it would be<BR>> > easier to diagnose this. <BR>> ><BR>> > Yeah, my key is specified in that format and no, my Cisco<BR>> > router isn't NAT'ing or filtering any traffic. I'm stumped.<BR>> ><BR>> > My ipsec barf is attached, if anyone out there wants to<BR>> > really help me out. I really do appreciate the assistance<BR>> > here. 
Hopefully I (we) can get this up and running soon.<BR>> ><BR>> > Thanks very much, and have a great weekend.<BR>> > -Chris<BR>> ><BR>> > From: Peter McGill [<A href="mailto:petermcgill@goco.net">mailto:petermcgill@goco.net</A>]<BR>> > Sent: Friday, March 14, 2008 3:17 PM<BR>> > To: Chris Thomas; users@openswan.org<BR>> > Subject: RE: [Openswan Users] Getting there....<BR>> ><BR>> > I cannot find anything wrong with your setup.<BR>> > <BR>> > Yes, you're correct, the Ubuntu firewall is blocking/altering nothing.<BR>> > (This is as it should be if you turned it off.)<BR>> > When you get things working you should be able to turn the firewall<BR>> > back on, so long as it allows -p 50 and -p 17 -d 500<BR>> inbound/outbound,<BR>> > and excludes your remote subnet from NAT MASQUERADE/SNAT.<BR>> > iptables -t nat -I POSTROUTING -d 192.168.36.0/24 -j ACCEPT<BR>> > <BR>> > The pictures cleared a few questions up.<BR>> > Your linksys configs look just fine to me.<BR>> > <BR>> > You put your key in the Ubuntu in /etc/ipsec.secrets, like<BR>> this right?<BR>> > 66.225.UbuntuIP : PSK "my secret text key"<BR>> > <BR>> > Your Cisco 2950 Series isn't by any chance firewall filtering or<BR>> > network address translating the IPSec traffic, or trying to<BR>> > intercept it?<BR>> > <BR>> > My only other suggestion is to do an ipsec barf and post its output<BR>> > to the list, in an attachment.<BR>> > Maybe someone else can see what your problem is.<BR>> > Best to post in plain text, not everyone can read html mail, and<BR>> > the list digests strip out html mail to links... 
which I<BR>> never used to<BR>> > bother to read, others might do the same.<BR>> > <BR>> > Peter McGill<BR>> > <BR>> ><BR>> > ________________________________________<BR>> > From: Chris Thomas [<A href="mailto:cthomas@harkinsbuilders.com">mailto:cthomas@harkinsbuilders.com</A>]<BR>> > Sent: March 14, 2008 2:19 PM<BR>> > To: users@openswan.org; petermcgill@goco.net<BR>> > Subject: RE: [Openswan Users] Getting there....<BR>> > Sorry about that. Here's the info:<BR>> ><BR>> > When I run the command you gave me below, I get this:<BR>> ><BR>> > root@gatekeeper:/home/administrator# iptables -t filter -L -n -v<BR>> > Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<BR>> > pkts bytes target prot opt in out source <BR>> > destination<BR>> ><BR>> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<BR>> > pkts bytes target prot opt in out source <BR>> > destination<BR>> ><BR>> > Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<BR>> > pkts bytes target prot opt in out source <BR>> > destination<BR>> > root@gatekeeper:/home/administrator# iptables -t nat -L -n -v<BR>> > Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)<BR>> > pkts bytes target prot opt in out source <BR>> > destination<BR>> ><BR>> > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<BR>> > pkts bytes target prot opt in out source <BR>> > destination<BR>> ><BR>> > Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<BR>> > pkts bytes target prot opt in out source <BR>> > destination<BR>> > root@gatekeeper:/home/administrator# iptables -t mangle -L -n -v<BR>> > Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)<BR>> > pkts bytes target prot opt in out source <BR>> > destination<BR>> ><BR>> > Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<BR>> > pkts bytes target prot opt in out source <BR>> > destination<BR>> ><BR>> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<BR>> > pkts bytes target prot opt in out source <BR>> > destination<BR>> ><BR>> > Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<BR>> > pkts bytes 
target prot opt in out source <BR>> > destination<BR>> ><BR>> > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<BR>> > pkts bytes target prot opt in out source <BR>> > destination<BR>> > root@gatekeeper:/home/administrator#<BR>> ><BR>> > I guess this is telling me that nothing is blocked and there<BR>> > are no rules?<BR>> ><BR>> > I am connecting through the internet. My company is actually<BR>> > the ISP for other companies in our building and the building<BR>> > next to us, so I am using a separate IP space outside of our<BR>> > network to put the Linksys box and set up my test remote<BR>> > site. My Linux server is using an IP in the same subnet as<BR>> > my Check Point firewall, but it is going "around" the<BR>> > firewall. To help explain all of this, I have thrown<BR>> > together a quick diagram of everything. You can access it<BR>> > here: <BR>> > <A href="http://www.imagehosting.com/show.php/1630007_OpenSwanDiagram.j">http://www.imagehosting.com/show.php/1630007_OpenSwanDiagram.j</A><BR>> > pg.html. If I have left something out, please let me know.<BR>> ><BR>> > The Ubuntu server and the Linksys router do indeed have their<BR>> > own external IP addresses. Here is my Linksys config: <BR>> > <A href="http://www.imagehosting.com/show.php/1630052_linksyscfgPage1.j">http://www.imagehosting.com/show.php/1630052_linksyscfgPage1.j</A><BR>> > pg.html and<BR>> > <A href="http://www.imagehosting.com/show.php/1630053_linksyscfgPage2.j">http://www.imagehosting.com/show.php/1630053_linksyscfgPage2.j</A><BR>> > pg.html. <BR>> ><BR>> > I am hoping these pics look OK. 
If you need me to provide<BR>> > additional information, please let me know.<BR>> ><BR>> > Thanks again for all of your help.<BR>> > -Chris<BR>> ><BR>> > From: Peter McGill [<A href="mailto:petermcgill@goco.net">mailto:petermcgill@goco.net</A>]<BR>> > Sent: Friday, March 14, 2008 12:50 PM<BR>> > To: Chris Thomas; users@openswan.org<BR>> > Subject: RE: [Openswan Users] Getting there....<BR>> ><BR>> > Firewall was merely a place to check, not guaranteed to be<BR>> > the problem.<BR>> > If you can get a console on your Ubuntu, you can check<BR>> > firewall with...<BR>> > iptables -t filter -L -n -v<BR>> > iptables -t nat -L -n -v<BR>> > iptables -t mangle -L -n -v<BR>> > <BR>> > Are you connecting through the internet, or are you testing<BR>> > internally?<BR>> > Do both the Ubuntu server and linksys router have public<BR>> > internet ip addresses?<BR>> > (Not 172.16...172.32... or 10... or 192.168..., etc...)<BR>> > I cannot tell as you completely edited them from your posts.<BR>> > Next time try just masking the end like: 66.11.x.x<BR>> > Testing internally sometimes needs different settings than<BR>> > production internet.<BR>> > <BR>> > Is linksys using DES or 3DES? Should be 3DES & MD5 matching<BR>> > your openswan.<BR>> > Can you show us your linksys ipsec configuration?<BR>> > <BR>> > Peter McGill<BR>> > <BR>> ><BR>> > ________________________________________<BR>> > From: users-bounces@openswan.org<BR>> > [<A href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</A>] On Behalf Of Chris Thomas<BR>> > Sent: March 14, 2008 12:19 PM<BR>> > To: users@openswan.org<BR>> > Subject: Re: [Openswan Users] Getting there....<BR>> > OK, I have hit a brick wall here and it's getting a bit<BR>> > frustrating. I have disabled the Linux firewall and the<BR>> > Shoreline firewall on my server and I'm still getting the<BR>> > same error below when I attempt to establish the tunnel. 
Is<BR>> > this absolutely positively due to a firewall issue or is it<BR>> > possible that I've got something else incorrectly configured<BR>> > somewhere? I am fairly new to Linux so I am administering my<BR>> > Ubuntu server with Webmin. That is what I am using to verify<BR>> > that the firewall(s) are turned off. <BR>> ><BR>> > I have also disabled the firewall on the Linksys box and have<BR>> > examined its logs. This is what shows up after I hit<BR>> > "connect" to initiate the tunnel:<BR>> ><BR>> > Mar 14 09:33:34 - [VPN Log]: "pax_square" #2: initiating Main Mode<BR>> > Mar 14 09:33:43 - [VPN Log]: initiate on demand from<BR>> > 192.168.36.100:0 to 192.168.0.30:0 proto=0 state: fos_start<BR>> > because: acquire<BR>> > Mar 14 09:34:44 - [VPN Log]: "pax_square" #2: max number of<BR>> > retransmissions (2) reached STATE_MAIN_I1. No response (or no<BR>> > acceptable response) to our first IKE message<BR>> > Mar 14 10:08:54 - [VPN Log]: "pax_square" #3: initiating Main Mode<BR>> > Mar 14 10:10:04 - [VPN Log]: "pax_square" #3: max number of<BR>> > retransmissions (2) reached STATE_MAIN_I1. No response (or no<BR>> > acceptable response) to our first IKE message<BR>> > Mar 14 10:53:58 - [VPN Log]: "pax_square" #4: initiating Main Mode<BR>> > Mar 14 10:55:08 - [VPN Log]: "pax_square" #4: max number of<BR>> > retransmissions (2) reached STATE_MAIN_I1. 
No response (or no<BR>> > acceptable response) to our first IKE message<BR>> ><BR>> > If it helps, this is my ipsec.conf file on the Ubuntu server<BR>> > running OpenSwan:<BR>> ><BR>> > version 2.0 # conforms to second version of<BR>> > ipsec.conf specification<BR>> ><BR>> > config setup<BR>> > interfaces=%defaultroute<BR>> > uniqueids=yes<BR>> > <BR>> > include /etc/ipsec.d/examples/no_oe.conf<BR>> > <BR>> > conn pax_square<BR>> > also=central-site<BR>> > right=%any<BR>> > rightid=@pax_square<BR>> > rightsubnet=192.168.36.0/24<BR>> > also=linksys-policy<BR>> > auto=add<BR>> > <BR>> > conn central-site<BR>> > left=(external IP of Linux server)<BR>> > leftsubnet=192.168.0.0/24<BR>> > leftsourceip=192.168.0.20<BR>> ><BR>> > conn linksys-policy<BR>> > ike=3des-md5-modp1024<BR>> > esp=3des-md5 <BR>> > compress=no<BR>> > authby=secret<BR>> ><BR>> ><BR>> > If it's definitely the firewall, I'll go back to the drawing<BR>> > board and see what I can see.<BR>> ><BR>> > As before, I appreciate the help and patience.<BR>> > Thanks<BR>> > -Chris<BR>> ><BR>> ><BR>> ><BR>> ><BR>> > From: Peter McGill [<A href="mailto:petermcgill@goco.net">mailto:petermcgill@goco.net</A>]<BR>> > Sent: Thursday, March 13, 2008 4:14 PM<BR>> > To: Chris Thomas; users@openswan.org<BR>> > Subject: RE: [Openswan Users] Getting there....<BR>> ><BR>> > Check your firewall(s) on both ends, and check the linksys logs.<BR>> > You must allow ipsec (and ipsec encapsulated traffic) in your<BR>> > firewalls.<BR>> > protocol port description<BR>> > 17 500 udp:isakmp<BR>> > 50 esp<BR>> > You must allow the above inbound and outbound on your<BR>> > internet interfaces.<BR>> > You must also allow the subnet-to-subnet traffic.<BR>> > <BR>> > Peter McGill<BR>> > <BR>> ><BR>> > ________________________________________<BR>> > From: users-bounces@openswan.org<BR>> > [<A href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</A>] On Behalf Of Chris Thomas<BR>> > Sent: March 13, 2008 4:06 PM<BR>> > To: 
users@openswan.org<BR>> > Subject: Re: [Openswan Users] Getting there....<BR>> > OK, I changed my Linksys box to 1024 bit and I now have this:<BR>> ><BR>> > Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote<BR>> > site IP):500: ignoring unknown Vendor ID payload<BR>> > [4f4540454371496d7a684644]<BR>> > Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote<BR>> > site IP):500: received Vendor ID payload [Dead Peer Detection]<BR>> > Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote<BR>> > site IP):500: received Vendor ID payload [RFC 3947] meth=110,<BR>> > but port floating is off<BR>> > Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote<BR>> > site IP):500: received Vendor ID payload<BR>> > [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off<BR>> > Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote<BR>> > site IP):500: received Vendor ID payload<BR>> > [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off<BR>> > Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote<BR>> > site IP):500: ignoring Vendor ID payload<BR>> > [draft-ietf-ipsec-nat-t-ike-00]<BR>> > Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5]<BR>> > (remote site IP) #9: responding to Main Mode from unknown<BR>> > peer (remote site IP)<BR>> > Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5]<BR>> > (remote site IP) #9: transition from state STATE_MAIN_R0 to<BR>> > state STATE_MAIN_R1<BR>> > Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5]<BR>> > (remote site IP) #9: STATE_MAIN_R1: sent MR1, expecting MI2<BR>> > Mar 13 16:02:28 gatekeeper pluto[11850]: "pax_square"[5]<BR>> > (remote site IP) #7: max number of retransmissions (2)<BR>> > reached STATE_MAIN_R1<BR>> ><BR>> > Thanks<BR>> > -Chris<BR>> ><BR>> ><BR>> > From: Peter McGill [<A href="mailto:petermcgill@goco.net">mailto:petermcgill@goco.net</A>]<BR>> > Sent: Thursday, March 13, 2008 3:50 PM<BR>> > To: Chris Thomas; users@openswan.org<BR>> > 
Subject: RE: [Openswan Users] Getting there....<BR>> ><BR>> > There is a mismatch in your options, specifically your<BR>> DH/modp Group.<BR>> > Diffie-Hellman (DH) Group needs to match openswan's ike=*-modp????<BR>> > I'm guessing that your linksys is sending Diffie-Hellman (DH)<BR>> > Group 1 (768-bit).<BR>> > Openswan will not allow this because it's too weak of security.<BR>> > If you have ike=3des-md5-modp1024 or ike=aes-sha1-modp1024 as<BR>> > I suggested,<BR>> > then change your linksys to use Group 2 (1024-bit) to match it.<BR>> > <BR>> > Peter McGill<BR>> > <BR>> ><BR>> > ________________________________________<BR>> > From: users-bounces@openswan.org<BR>> > [<A href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</A>] On Behalf Of Chris Thomas<BR>> > Sent: March 13, 2008 3:40 PM<BR>> > To: users@openswan.org<BR>> > Subject: [Openswan Users] Getting there....<BR>> > Hello again, everyone. I have configured my Linksys box to<BR>> > connect to my Ubuntu server running OpenSwan, but when I<BR>> > attempt to initiate the connection, my logs on the server at<BR>> > HQ get full of this stuff:<BR>> ><BR>> ><BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote<BR>> > site external IP):500: ignoring unknown Vendor ID payload<BR>> > [4f4540454371496d7a684644]<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote<BR>> > site external IP):500: received Vendor ID payload [Dead Peer<BR>> > Detection]<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote<BR>> > site external IP):500: received Vendor ID payload [RFC 3947]<BR>> > meth=110, but port floating is off<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote<BR>> > site external IP):500: received Vendor ID payload<BR>> > [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote<BR>> > site external IP):500: received Vendor ID payload<BR>> > 
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote<BR>> > site external IP):500: ignoring Vendor ID payload<BR>> > [draft-ietf-ipsec-nat-t-ike-00]<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1]<BR>> > (remote site external IP) #1: responding to Main Mode from<BR>> > unknown peer (remote site external IP)<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1]<BR>> > (remote site external IP) #1: only OAKLEY_GROUP_MODP1024 and<BR>> > OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1]<BR>> > (remote site external IP) #1: no acceptable Oakley Transform<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1]<BR>> > (remote site external IP) #1: sending notification<BR>> > NO_PROPOSAL_CHOSEN to (remote site external IP):500<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1]<BR>> > (remote site external IP): deleting connection "pax_square"<BR>> > instance with peer (remote site external IP) {isakmp=#0/ipsec=#0}<BR>> ><BR>> > I am assuming that it has something to do with the Preshared<BR>> > key that I am using, but I am not too sure how to go about<BR>> > fixing it. I do not want to be a nuisance, but can anyone<BR>> > give me a (another) push in the right direction? <BR>> ><BR>> > I appreciate your patience.<BR>> > -Chris<BR>> ><BR>><BR><BR></FONT></P></DIV></BODY></HTML>