<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: [Openswan Users] Getting there....</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<STYLE>@font-face {
        font-family: Cambria Math;
}
@font-face {
        font-family: Calibri;
}
@font-face {
        font-family: Tahoma;
}
@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.0in 1.0in 1.0in; }
P.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"
}
LI.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"
}
DIV.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"
}
A:link {
        COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
        COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
        COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
        COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
P {
        FONT-SIZE: 12pt; MARGIN-LEFT: 0in; MARGIN-RIGHT: 0in; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto
}
SPAN.EmailStyle18 {
        COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal-reply
}
.MsoChpDefault {
        FONT-SIZE: 10pt; mso-style-type: export-only
}
DIV.Section1 {
        page: Section1
}
</STYLE>
</HEAD>
<BODY lang=EN-US vLink=purple link=blue>
<DIV dir=ltr align=left><SPAN class=794104815-17032008><FONT face=Arial
color=#0000ff size=2>I suggest doing a new ipsec barf and seeing if someone else
can figure out</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=794104815-17032008><FONT face=Arial
color=#0000ff size=2>the problem; maybe Paul or one of the developers can see
what I'm not.</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
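<P>The thread below chases an IKEv1 Main Mode failure by reading logs from both ends. The Openswan responder reports "STATE_MAIN_R1: sent MR1, expecting MI2" and then "max number of retransmissions (2) reached STATE_MAIN_R1", while the Linksys initiator reports "max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message". Read together, those two lines say that MI1 is arriving at Ubuntu but MR1 never makes it back, which is why the discussion turns to the default route, leftnexthop and the return path. The script that follows is an added example, not code from this thread or from Openswan: it parses pluto-style SA state lines and the Linksys "[VPN Log]" lines, records the furthest Main Mode state each ISAKMP SA reached on each side, and names the direction in which the exchange is being lost. The sample log lines are constructed to follow the formats quoted below, with the peer address masked as in the original posts; the verdict strings and the function names (summarise, observations, diagnose) are this example's own, and it assumes Python 3.6 or later. It also covers the cases the same logic implies but the thread does not show (no responder activity at all, or both sides getting past the first exchange), so it goes slightly beyond the specific failure discussed.</P>

```python
"""Correlate IKEv1 Main Mode logs from both ends of a tunnel.

Added example, not code from the mailing-list thread or from Openswan. It parses
pluto-style SA state lines ("conn" #N: ...) from the Openswan responder and the
Linksys "[VPN Log]" lines from the initiator, records the furthest Main Mode
state each ISAKMP SA reached, and reports which direction of the exchange is lost.
"""
import re

# Sample logs, constructed to follow the formats quoted in the thread
# (peer address masked as in the original posts).
RESPONDER_LOG = """\
Mar 14 16:19:13 gatekeeper pluto[4146]: packet from 66.225.x.x:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off
Mar 14 16:19:13 gatekeeper pluto[4146]: "pax_square"[1] 66.225.x.x #1: responding to Main Mode from unknown peer 66.225.x.x
Mar 14 16:19:13 gatekeeper pluto[4146]: "pax_square"[1] 66.225.x.x #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 14 16:19:13 gatekeeper pluto[4146]: "pax_square"[1] 66.225.x.x #1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 14 16:20:23 gatekeeper pluto[4146]: "pax_square"[1] 66.225.x.x #1: max number of retransmissions (2) reached STATE_MAIN_R1
"""

INITIATOR_LOG = """\
Mar 14 09:33:34 - [VPN Log]: "pax_square" #2: initiating Main Mode
Mar 14 09:34:44 - [VPN Log]: "pax_square" #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
"""

# "conn"[instance] peer #sa: message -- instance and peer are optional, so the
# same pattern also matches the Linksys lines (same Openswan-derived format).
SA_LINE = re.compile(r'"(?P<conn>[^"]+)"(?:\[\d+\]\s+\S+)?\s+#(?P<sa>\d+):\s+(?P<msg>.*)$')
MAIN_STATE = re.compile(r'STATE_MAIN_(?P<role>[IR])(?P<n>\d)')


def summarise(log_text):
    """Return {sa_number: {'conn', 'role', 'furthest', 'timed_out'}}.

    'furthest' is the highest Main Mode exchange number seen for the SA:
    R1 = received MI1 and sent MR1; I1 = sent MI1, still waiting for MR1.
    """
    sas = {}
    for line in log_text.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue
        rec = sas.setdefault(int(m['sa']), {'conn': m['conn'], 'role': None,
                                            'furthest': 0, 'timed_out': False})
        if 'initiating Main Mode' in m['msg']:
            rec['role'] = 'I'
        elif 'responding to Main Mode' in m['msg']:
            rec['role'] = 'R'
        for s in MAIN_STATE.finditer(m['msg']):
            rec['role'] = rec['role'] or s['role']
            rec['furthest'] = max(rec['furthest'], int(s['n']))
        if 'max number of retransmissions' in m['msg']:
            rec['timed_out'] = True
    return sas


def observations(log_text):
    """Side findings worth reporting that are not by themselves a verdict."""
    notes = []
    if 'port floating is off' in log_text:
        notes.append('peer advertises NAT-T but this side has nat_traversal '
                     'disabled; only matters if a NAT sits between the peers')
    if 'deleting connection' in log_text:
        notes.append('responder gave up and deleted the connection instance')
    return notes


def diagnose(responder_log, initiator_log):
    """Classify where Main Mode stalls from the furthest state on each side."""
    resp = [r for r in summarise(responder_log).values() if r['role'] == 'R']
    init = [r for r in summarise(initiator_log).values() if r['role'] == 'I']
    r_max = max((r['furthest'] for r in resp), default=None)
    i_max = max((r['furthest'] for r in init), default=None)
    if r_max is None and i_max is None:
        verdict, detail = 'no-ike-activity', 'neither side logged a Main Mode attempt'
    elif r_max is None:
        verdict = 'request-path-broken'
        detail = ('initiator sent MI1 but the responder never logged it: check '
                  'udp/500 inbound at the responder and routing toward it')
    elif r_max <= 1 and (i_max is None or i_max <= 1):
        if any(r['timed_out'] for r in resp):
            verdict = 'reply-path-broken'
            detail = ('responder received MI1 and sent MR1 but the initiator never '
                      'saw it: check the responder default route / leftnexthop and '
                      'any filtering or NAT on the return path')
        else:
            verdict, detail = 'in-progress', 'responder is at R1, still waiting for MI2'
    else:
        verdict = 'first-exchange-ok'
        detail = ('both sides got past the first exchange; look for proposal, '
                  'DH group, PSK or ID mismatches in the later states')
    return {'verdict': verdict, 'detail': detail,
            'responder_state': r_max, 'initiator_state': i_max,
            'notes': observations(responder_log) + observations(initiator_log)}


if __name__ == '__main__':
    result = diagnose(RESPONDER_LOG, INITIATOR_LOG)
    print(result['verdict'], '-', result['detail'])
    for note in result['notes']:
        print('note:', note)
```

<P>Run as-is, it prints the verdict for the embedded samples (reply-path-broken, plus a note that the peer offers NAT-T while this side has port floating off, which is harmless when both ends hold public addresses). On a live system, feed it the responder's pluto syslog output and the router's VPN log export in place of the two strings. A packet capture on the responder's external interface, such as <CODE>tcpdump -ni eth0 udp port 500</CODE> (the interface name is an assumption), then shows whether MR1 is leaving the box at all, which is what separates a local routing or nexthop problem from filtering on the path back to the initiator.</P>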
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Chris Thomas
[mailto:cthomas@harkinsbuilders.com] <BR><B>Sent:</B> March 17, 2008 11:44
AM<BR><B>To:</B> petermcgill@goco.net; users@openswan.org<BR><B>Subject:</B>
RE: [Openswan Users] Getting there....<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=Section1>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Wow,
talk about going above and beyond. I really appreciate you taking the
time to put together those step by step directions for me. The install
seemed to go fine and when I run IPSEC verify, it shows that I am now on
U2.4.11/K2.6.22-14-server. Unfortunately, my logs are still showing the
same errors as before.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">One
thing I thought of was that, when I started this project a month or so ago, I
had a Linksys WRVS4400N at the remote site, same as I do now, and a Linksys
WRV54G VPN router at the HQ side. I was using all the same IPs that I am
now and I was able to create the tunnel no problem. I decided to do away
with the WRV54G because it wouldn’t keep the tunnel up for more than an hour
or so and also I knew it would not handle the throughput of the 20 or 30 sites
I would eventually (hopefully) have up on the VPN. If I am correct, this
means that the IP configuration of all devices involved should be OK. As
you said though, it seems that the packets never get back to the
Linksys. This is very strange.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Thanks
again for your help.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">-Chris<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> Peter McGill
[mailto:petermcgill@goco.net] <BR><B>Sent:</B> Monday, March 17, 2008 10:55
AM<BR><B>To:</B> Chris Thomas; users@openswan.org<BR><B>Subject:</B> RE:
[Openswan Users] Getting there....<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">It's
often the case that distribution package maintainers do not keep up with the
source package maintainers' releases. This is generally not a problem unless
you need a newer bugfix or feature. If you want to keep up yourself, you'll
need to manage that package locally yourself, either creating a local updated
distribution package or simply installing directly from the source
package.</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">It's
simpler to install directly from the source package; however, this is done
separately from your distribution's package management system, and so the
package will not be tracked, upgraded or anything with your package management
system (apt).</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">First
download the compiler, build tools, etc... needed to build the
package...</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">sudo
apt-get build-dep openswan</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Second
download the openswan source...</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">wget
-nH -nd -N <A
href="http://openswan.org/download/openswan-2.4.11.tar.gz">http://openswan.org/download/openswan-2.4.11.tar.gz</A></SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Third
extract the source...</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">tar
-xvzf openswan-2.4.11.tar.gz</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">cd
openswan-2.4.11</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Fourth
compile the program...</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">make
programs</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Fifth
install the program (Note you should uninstall your old copy using apt
first.)</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">sudo
make install</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">The
following howto further explains the basics of installing source
packages.</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'"><A
href="http://www.linux.org/docs/ldp/howto/Software-Building-HOWTO.html">http://www.linux.org/docs/ldp/howto/Software-Building-HOWTO.html</A></SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Peter
McGill</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<BLOCKQUOTE
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: blue 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal><o:p> </o:p></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center>
<HR align=center width="100%" SIZE=2>
</DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> Chris Thomas
[mailto:cthomas@harkinsbuilders.com] <BR><B>Sent:</B> March 16, 2008 4:09
PM<BR><B>To:</B> petermcgill@goco.net; users@openswan.org<BR><B>Subject:</B>
RE: [Openswan Users] Getting there....</SPAN><o:p></o:p></P>
<DIV id=idOWAReplyText46315>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Arial','sans-serif'">I
don't want to sound like a completely clueless noob, but I've only ever
installed/updated stuff in Linux with apt. It appears that I am
running OpenSwan 1:2.4.6+dfsg.2-1.1build2 but when I attempt to
update/upgrade, I am told that there is nothing to update. I have the
universe and multiverse repositories enabled but I'm guessing they don't
contain the most up to date version of OpenSwan. Does anyone know a
repository I could add to get it to work, or an alternative way to update my
OpenSwan install?</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Thanks</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">-Chris</SPAN><o:p></o:p></P></DIV></DIV>
<DIV>
<P class=MsoNormal><o:p> </o:p></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center>
<HR align=center width="100%" SIZE=2>
</DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> Peter McGill
[mailto:petermcgill@goco.net]<BR><B>Sent:</B> Fri 3/14/2008 5:00
PM<BR><B>To:</B> Chris Thomas; users@openswan.org<BR><B>Subject:</B> RE:
[Openswan Users] Getting there....</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="MARGIN-BOTTOM: 12pt"><SPAN style="FONT-SIZE: 10pt">It seems like
your packets never get from Ubuntu back to<BR>linksys. Try upgrading to the
latest stable version,<BR>2.4.11 I believe at <A
href="http://openswan.org/code/">http://openswan.org/code/</A><BR><BR>And
since it didn't help, I suggest removing the leftnexthop line.<BR><BR>Peter
McGill<BR><BR><BR>> -----Original Message-----<BR>> From: Chris Thomas
[<A
href="mailto:cthomas@harkinsbuilders.com">mailto:cthomas@harkinsbuilders.com</A>]<BR>>
Sent: March 14, 2008 4:28 PM<BR>> To: petermcgill@goco.net;
users@openswan.org<BR>> Subject: RE: [Openswan Users] Getting
there....<BR>><BR>> Dang. I made the change, restarted the
server and tried to<BR>> establish the tunnel from the Linksys device
again. I got<BR>> this in my logs, which appears to be the same as
before:<BR>><BR>> Mar 14 16:19:13 gatekeeper pluto[4146]: packet
from<BR>> 66.225.x.x:500: ignoring unknown Vendor ID payload<BR>>
[4f4540454371496d7a684644]<BR>> Mar 14 16:19:13 gatekeeper pluto[4146]:
packet from<BR>> 66.225.x.x:500: received Vendor ID payload [Dead Peer
Detection]<BR>> Mar 14 16:19:13 gatekeeper pluto[4146]: packet
from<BR>> 66.225.x.x:500: received Vendor ID payload [RFC 3947]<BR>>
meth=110, but port floating is off<BR>> Mar 14 16:19:13 gatekeeper
pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID
payload<BR>> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating
is off<BR>> Mar 14 16:19:13 gatekeeper pluto[4146]: packet from<BR>>
66.225.x.x:500: received Vendor ID payload<BR>>
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off<BR>>
Mar 14 16:19:13 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500:
ignoring Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-00]<BR>>
Mar 14 16:19:13 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x
#1: responding to Main Mode from unknown peer 66.225.x.x<BR>> Mar 14
16:19:13 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #1:
transition from state STATE_MAIN_R0 to state<BR>> STATE_MAIN_R1<BR>>
Mar 14 16:19:13 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x
#1: STATE_MAIN_R1: sent MR1, expecting MI2<BR>> Mar 14 16:19:23
gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: ignoring unknown
Vendor ID payload<BR>> [4f4540454371496d7a684644]<BR>> Mar 14 16:19:23
gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor
ID payload [Dead Peer Detection]<BR>> Mar 14 16:19:23 gatekeeper
pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload
[RFC 3947]<BR>> meth=110, but port floating is off<BR>> Mar 14
16:19:23 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500:
received Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-03] meth=108,
but port floating is off<BR>> Mar 14 16:19:23 gatekeeper pluto[4146]:
packet from<BR>> 66.225.x.x:500: received Vendor ID payload<BR>>
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off<BR>>
Mar 14 16:19:23 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500:
ignoring Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-00]<BR>>
Mar 14 16:19:23 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x
#2: responding to Main Mode from unknown peer 66.225.x.x<BR>> Mar 14
16:19:23 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #2:
transition from state STATE_MAIN_R0 to state<BR>> STATE_MAIN_R1<BR>>
Mar 14 16:19:23 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x
#2: STATE_MAIN_R1: sent MR1, expecting MI2<BR>> Mar 14 16:19:43
gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: ignoring unknown
Vendor ID payload<BR>> [4f4540454371496d7a684644]<BR>> Mar 14 16:19:43
gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor
ID payload [Dead Peer Detection]<BR>> Mar 14 16:19:43 gatekeeper
pluto[4146]: packet from<BR>> 66.225.x.x:500: received Vendor ID payload
[RFC 3947]<BR>> meth=110, but port floating is off<BR>> Mar 14
16:19:43 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500:
received Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-03] meth=108,
but port floating is off<BR>> Mar 14 16:19:43 gatekeeper pluto[4146]:
packet from<BR>> 66.225.x.x:500: received Vendor ID payload<BR>>
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off<BR>>
Mar 14 16:19:43 gatekeeper pluto[4146]: packet from<BR>> 66.225.x.x:500:
ignoring Vendor ID payload<BR>> [draft-ietf-ipsec-nat-t-ike-00]<BR>>
Mar 14 16:19:43 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x
#3: responding to Main Mode from unknown peer 66.225.x.x<BR>> Mar 14
16:19:43 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #3:
transition from state STATE_MAIN_R0 to state<BR>> STATE_MAIN_R1<BR>>
Mar 14 16:19:43 gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x
#3: STATE_MAIN_R1: sent MR1, expecting MI2<BR>> Mar 14 16:20:23
gatekeeper pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #1: max number of
retransmissions (2) reached STATE_MAIN_R1<BR>> Mar 14 16:20:33 gatekeeper
pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #2: max number of
retransmissions (2) reached STATE_MAIN_R1<BR>> Mar 14 16:20:53 gatekeeper
pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x #3: max number of
retransmissions (2) reached STATE_MAIN_R1<BR>> Mar 14 16:20:53 gatekeeper
pluto[4146]: "pax_square"[1]<BR>> 66.225.x.x: deleting connection
"pax_square" instance with<BR>> peer 66.225.x.x
{isakmp=#0/ipsec=#0}<BR>><BR>><BR>> Thanks<BR>>
-Chris<BR>><BR>> -----Original Message-----<BR>> From: Peter McGill
[<A
href="mailto:petermcgill@goco.net">mailto:petermcgill@goco.net</A>]<BR>>
Sent: Friday, March 14, 2008 3:54 PM<BR>> To: Chris Thomas;
users@openswan.org<BR>> Subject: RE: [Openswan Users] Getting
there....<BR>><BR>> Hmm, I see that your lan (10.5..), not your wan
(66.225..)<BR>> is your default route. Since leftnexthop defaults to
your<BR>> default route, this might be your problem.<BR>> I suggest
setting the following in ipsec.conf<BR>> conn central-site<BR>>
left=66.225.Ubuntu<BR>>
+
leftnexthop=66.225.Cisco2950<BR>>
leftsubnet=192.168.0.0/24<BR>>
leftsourceip=192.168.0.20<BR>><BR>><BR>> Peter
McGill<BR>> <BR>><BR>> > -----Original Message-----<BR>>
> From: Chris Thomas [<A
href="mailto:cthomas@harkinsbuilders.com">mailto:cthomas@harkinsbuilders.com</A>]<BR>>
> Sent: March 14, 2008 3:43 PM<BR>> > To: petermcgill@goco.net;
users@openswan.org<BR>> > Subject: RE: [Openswan Users] Getting
there....<BR>> ><BR>> > Good to hear my configs are OK, although
I guess it would<BR>> > have been better if there was something wrong,
so it would be<BR>> > easier to diagnose this. <BR>>
><BR>> > Yeah, my key is specified in that format and no, my
Cisco<BR>> > router isn't NAT'ing or filtering any traffic. I'm
stumped.<BR>> ><BR>> > My ipsec barf is attached, if anyone out
there wants to<BR>> > really help me out. I really do appreciate
the assistance<BR>> > here. Hopefully I (we) can get this up and
running soon.<BR>> ><BR>> > Thanks very much, and have a great
weekend.<BR>> > -Chris<BR>> ><BR>> > From: Peter McGill
[<A
href="mailto:petermcgill@goco.net">mailto:petermcgill@goco.net</A>]<BR>>
> Sent: Friday, March 14, 2008 3:17 PM<BR>> > To: Chris Thomas;
users@openswan.org<BR>> > Subject: RE: [Openswan Users] Getting
there....<BR>> ><BR>> > I cannot find anything wrong with your
setup.<BR>> > <BR>> > Yes, you're correct, the Ubuntu firewall
is blocking/altering nothing.<BR>> > (This is as it should be if you
turned it off.)<BR>> > When you get things working you should be able
to turn the firewall<BR>> > back on, so long as it allows -p 50 and -p
17 -d 500<BR>> inbound/outbound,<BR>> > and excludes your remote
subnet from NAT MASQUERADE/SNAT.<BR>> > iptables -t nat -I POSTROUTING
-d 192.168.36.0/24 -j ACCEPT<BR>> > <BR>> > The pictures
cleared a few questions up.<BR>> > Your linksys configs look just fine
to me.<BR>> > <BR>> > You put your key in the Ubuntu in
/etc/ipsec.secrets, like<BR>> this right?<BR>> > 66.225.UbuntuIP :
PSK "my secret text key"<BR>> > <BR>> > Your Cisco 2950
Series isn't by any chance firewall filtering or<BR>> > network
address translating the IPSec traffic, or trying to<BR>> > intercept
it?<BR>> > <BR>> > My only other suggestion is to do an
ipsec barf and post its output<BR>> > to the list, in an
attachment.<BR>> > Maybe someone else can see what your problem
is.<BR>> > Best to post in plain text, not everyone can read html
mail, and<BR>> > the list digests strip out html mail to links...
which I<BR>> never used to<BR>> > bother to read, others might do
the same.<BR>> > <BR>> > Peter McGill<BR>> >
<BR>> ><BR>> >
________________________________________<BR>> > From: Chris Thomas [<A
href="mailto:cthomas@harkinsbuilders.com">mailto:cthomas@harkinsbuilders.com</A>]<BR>>
> Sent: March 14, 2008 2:19 PM<BR>> > To: users@openswan.org;
petermcgill@goco.net<BR>> > Subject: RE: [Openswan Users] Getting
there....<BR>> > Sorry about that. Here's the info:<BR>>
><BR>> > When I run the command you gave me below, I get
this:<BR>> ><BR>> > root@gatekeeper:/home/administrator# iptables -t filter -L -n -v<BR>> >
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<BR>> >
pkts bytes target prot opt in out source destination<BR>> ><BR>> >
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<BR>> >
pkts bytes target prot opt in out source destination<BR>> ><BR>> >
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<BR>> >
pkts bytes target prot opt in out source destination<BR>> >
root@gatekeeper:/home/administrator# iptables -t nat -L -n -v<BR>> >
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)<BR>> >
pkts bytes target prot opt in out source destination<BR>> ><BR>> >
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<BR>> >
pkts bytes target prot opt in out source destination<BR>> ><BR>> >
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<BR>> >
pkts bytes target prot opt in out source destination<BR>> >
root@gatekeeper:/home/administrator# iptables -t mangle -L -n -v<BR>> >
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)<BR>> >
pkts bytes target prot opt in out source destination<BR>> ><BR>> >
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<BR>> >
pkts bytes target prot opt in out source destination<BR>> ><BR>> >
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<BR>> >
pkts bytes target prot opt in out source destination<BR>> ><BR>> >
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<BR>> >
pkts bytes target prot opt in out source destination<BR>> ><BR>> >
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<BR>> >
pkts bytes target prot opt in out source destination<BR>> >
root@gatekeeper:/home/administrator#<BR>> ><BR>> > I guess this
is telling me that nothing is blocked and there<BR>> > are no
rules?<BR>> ><BR>> > I am connecting through the internet.
My company is actually<BR>> > the ISP for other companies in our
building and the building<BR>> > next to us, so I am using a separate
IP space outside of our<BR>> > network to put the Linksys box and set
up my test remote<BR>> > site. My Linux server is using an IP in
the same subnet as<BR>> > my Check Point firewall, but it is going
"around" the<BR>> > firewall. To help explain all of this, I
have thrown<BR>> > together a quick diagram of everything. You
can access it<BR>> > here: <BR>> > <A
href="http://www.imagehosting.com/show.php/1630007_OpenSwanDiagram.jpg.html">http://www.imagehosting.com/show.php/1630007_OpenSwanDiagram.jpg.html</A><BR>>
> If I have left something out, please let me
know.<BR>> ><BR>> > The Ubuntu server and the Linksys router do
indeed have their<BR>> > own external IP addresses. Here is my
Linksys config: <BR>> > <A
href="http://www.imagehosting.com/show.php/1630052_linksyscfgPage1.jpg.html">http://www.imagehosting.com/show.php/1630052_linksyscfgPage1.jpg.html</A><BR>>
> and<BR>> > <A
href="http://www.imagehosting.com/show.php/1630053_linksyscfgPage2.jpg.html">http://www.imagehosting.com/show.php/1630053_linksyscfgPage2.jpg.html</A><BR>>
> <BR>> ><BR>> > I am hoping these pics look
OK. If you need me to provide<BR>> > additional information,
please let me know.<BR>> ><BR>> > Thanks again for all of your
help.<BR>> > -Chris<BR>> ><BR>> > From: Peter McGill [<A
href="mailto:petermcgill@goco.net">mailto:petermcgill@goco.net</A>]<BR>>
> Sent: Friday, March 14, 2008 12:50 PM<BR>> > To: Chris Thomas;
users@openswan.org<BR>> > Subject: RE: [Openswan Users] Getting
there....<BR>> ><BR>> > Firewall was merely a place to check,
not guaranteed to be<BR>> > the problem.<BR>> > If you can get a
console on your Ubuntu, you can check<BR>> > firewall with...<BR>>
> iptables -t filter -L -n -v<BR>> > iptables -t nat -L -n
-v<BR>> > iptables -t mangle -L -n -v<BR>> > <BR>> >
Are you connecting through the internet, or are you testing<BR>> >
internally?<BR>> > Do both the Ubuntu server and linksys router have
public<BR>> > internet ip addresses?<BR>> > (Not
172.16...172.32... or 10... or 192.168..., etc...)<BR>> > I cannot
tell as you completely edited them from your posts.<BR>> > Next time
try just masking the end like: 66.11.x.x<BR>> > Testing internally
sometimes needs different settings than<BR>> > production
internet.<BR>> > <BR>> > Is linksys using DES or 3DES?
Should be 3DES & MD5 matching<BR>> > your openswan.<BR>> >
Can you show us your linksys ipsec configuration?<BR>> >
<BR>> > Peter McGill<BR>> > <BR>> ><BR>>
> ________________________________________<BR>> > From:
users-bounces@openswan.org<BR>> > [<A
href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</A>]
On Behalf Of Chris Thomas<BR>> > Sent: March 14, 2008 12:19 PM<BR>>
> To: users@openswan.org<BR>> > Subject: Re: [Openswan Users]
Getting there....<BR>> > OK, I have hit a brick wall here and it's
getting a bit<BR>> > frustrating. I have disabled the Linux
firewall and the<BR>> > Shoreline firewall on my server and I'm still
getting the<BR>> > same error below when I attempt to establish the
tunnel. Is<BR>> > this absolutely positively due to a firewall
issue or is it<BR>> > possible that I've got something else
incorrectly configured<BR>> > somewhere? I am fairly new to
Linux so I am administering my<BR>> > Ubuntu server with Webmin.
That is what I am using to verify<BR>> > that the firewall(s) are
turned off. <BR>> ><BR>> > I have also disabled the
firewall on the Linksys box and have<BR>> > examined its logs.
This is what shows up after I hit<BR>> > "connect" to initiate the
tunnel:<BR>> ><BR>> > Mar 14 09:33:34 - [VPN Log]: "pax_square"
#2: initiating Main Mode<BR>> > Mar 14 09:33:43 - [VPN Log]: initiate
on demand from<BR>> > 192.168.36.100:0 to 192.168.0.30:0 proto=0
state: fos_start<BR>> > because: acquire<BR>> > Mar 14 09:34:44
- [VPN Log]: "pax_square" #2: max number of<BR>> > retransmissions (2)
reached STATE_MAIN_I1. No response (or no<BR>> > acceptable response)
to our first IKE message<BR>> > Mar 14 10:08:54 - [VPN Log]:
"pax_square" #3: initiating Main Mode<BR>> > Mar 14 10:10:04 - [VPN
Log]: "pax_square" #3: max number of<BR>> > retransmissions (2)
reached STATE_MAIN_I1. No response (or no<BR>> > acceptable response)
to our first IKE message<BR>> > Mar 14 10:53:58 - [VPN Log]:
"pax_square" #4: initiating Main Mode<BR>> > Mar 14 10:55:08 - [VPN
Log]: "pax_square" #4: max number of<BR>> > retransmissions (2)
reached STATE_MAIN_I1. No response (or no<BR>> > acceptable response)
to our first IKE message<BR>> ><BR>> > If it helps, this is my
ipsec.conf file on the Ubuntu server<BR>> > running OpenSwan:<BR>>
><BR>> > version 2.0 # conforms to second version of ipsec.conf specification<BR>> ><BR>>
> config setup<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;interfaces=%defaultroute<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;uniqueids=yes<BR>> >
<BR>> > include /etc/ipsec.d/examples/no_oe.conf<BR>> >
<BR>> > conn pax_square<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;also=central-site<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;right=%any<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;rightid=@pax_square<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;rightsubnet=192.168.36.0/24<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;also=linksys-policy<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;auto=add<BR>> >
<BR>> > conn central-site<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;left=(external IP of Linux server)<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;leftsubnet=192.168.0.0/24<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;leftsourceip=192.168.0.20<BR>>
><BR>> > conn linksys-policy<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;ike=3des-md5-modp1024<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;esp=3des-md5<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;compress=no<BR>> >
&nbsp;&nbsp;&nbsp;&nbsp;authby=secret<BR>>
><BR>> ><BR>> > If it's definitely the firewall, I'll go back
to the drawing<BR>> > board and see what I can see.<BR>>
><BR>> > As before, I appreciate the help and patience.<BR>>
> Thanks<BR>> > -Chris<BR>> ><BR>> ><BR>>
><BR>> ><BR>> > From: Peter McGill [<A
href="mailto:petermcgill@goco.net">mailto:petermcgill@goco.net</A>]<BR>>
> Sent: Thursday, March 13, 2008 4:14 PM<BR>> > To: Chris Thomas;
users@openswan.org<BR>> > Subject: RE: [Openswan Users] Getting
there....<BR>> ><BR>> > Check your firewall(s) on both ends, and
check the linksys logs.<BR>> > You must allow ipsec (and ipsec
encapsulated traffic) in your<BR>> > firewalls.<BR>> >
protocol port description<BR>> >
17
500 udp:isakmp<BR>> >
50 esp<BR>>
> You must allow the above inbound and outbound on your<BR>> >
internet interfaces.<BR>> > You must also allow the subnet-to-subnet
traffic.<BR>> > <BR>> > Peter McGill<BR>> >
<BR>> ><BR>> >
________________________________________<BR>> > From:
users-bounces@openswan.org<BR>> > [<A
href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</A>]
On Behalf Of Chris Thomas<BR>> > Sent: March 13, 2008 4:06 PM<BR>>
> To: users@openswan.org<BR>> > Subject: Re: [Openswan Users]
Getting there....<BR>> > OK, I changed my Linksys box to 1024 bit and
I now have this:<BR>> ><BR>> > Mar 13 16:01:48 gatekeeper
pluto[11850]: packet from (remote<BR>> > site IP):500: ignoring
unknown Vendor ID payload<BR>> > [4f4540454371496d7a684644]<BR>>
> Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote<BR>>
> site IP):500: received Vendor ID payload [Dead Peer Detection]<BR>>
> Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote<BR>>
> site IP):500: received Vendor ID payload [RFC 3947] meth=110,<BR>>
> but port floating is off<BR>> > Mar 13 16:01:48 gatekeeper
pluto[11850]: packet from (remote<BR>> > site IP):500: received Vendor
ID payload<BR>> > [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port
floating is off<BR>> > Mar 13 16:01:48 gatekeeper pluto[11850]: packet
from (remote<BR>> > site IP):500: received Vendor ID payload<BR>>
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is
off<BR>> > Mar 13 16:01:48 gatekeeper pluto[11850]: packet from
(remote<BR>> > site IP):500: ignoring Vendor ID payload<BR>> >
[draft-ietf-ipsec-nat-t-ike-00]<BR>> > Mar 13 16:01:48 gatekeeper
pluto[11850]: "pax_square"[5]<BR>> > (remote site IP) #9: responding
to Main Mode from unknown<BR>> > peer (remote site IP)<BR>> >
Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5]<BR>> >
(remote site IP) #9: transition from state STATE_MAIN_R0 to<BR>> >
state STATE_MAIN_R1<BR>> > Mar 13 16:01:48 gatekeeper pluto[11850]:
"pax_square"[5]<BR>> > (remote site IP) #9: STATE_MAIN_R1: sent MR1,
expecting MI2<BR>> > Mar 13 16:02:28 gatekeeper pluto[11850]:
"pax_square"[5]<BR>> > (remote site IP) #7: max number of
retransmissions (2)<BR>> > reached STATE_MAIN_R1<BR>> ><BR>>
> Thanks<BR>> > -Chris<BR>> ><BR>> ><BR>> > From:
Peter McGill [<A
href="mailto:petermcgill@goco.net">mailto:petermcgill@goco.net</A>]<BR>>
> Sent: Thursday, March 13, 2008 3:50 PM<BR>> > To: Chris Thomas;
users@openswan.org<BR>> > Subject: RE: [Openswan Users] Getting
there....<BR>> ><BR>> > There is a mismatch in your options,
specifically your<BR>> > DH/modp Group.<BR>> > Diffie-Hellman (DH)
Group needs to match openswan's ike=*-modp????<BR>> > I'm guessing
that your linksys is sending Diffie-Hellman (DH)<BR>> > Group 1
(768-bit).<BR>> > Openswan will not allow this because its security is
too weak.<BR>> > If you have ike=3des-md5-modp1024 or
ike=aes-sha1-modp1024 as<BR>> > I suggested,<BR>> > then change
your linksys to use Group 2 (1024-bit) to match it.<BR>> >
<BR>> > Peter McGill<BR>> > <BR>> ><BR>>
> ________________________________________<BR>> > From:
users-bounces@openswan.org<BR>> > [<A
href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</A>]
On Behalf Of Chris Thomas<BR>> > Sent: March 13, 2008 3:40 PM<BR>>
> To: users@openswan.org<BR>> > Subject: [Openswan Users] Getting
there....<BR>> > Hello again, everyone. I have configured my
Linksys box to<BR>> > connect to my Ubuntu server running OpenSwan,
but when I<BR>> > attempt to initiate the connection, my logs on the
server at<BR>> > HQ get full of this stuff:<BR>> ><BR>>
><BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: packet from
(remote<BR>> > site external IP):500: ignoring unknown Vendor ID
payload<BR>> > [4f4540454371496d7a684644]<BR>> > Mar 13 15:31:54
gatekeeper pluto[11850]: packet from (remote<BR>> > site external
IP):500: received Vendor ID payload [Dead Peer<BR>> >
Detection]<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]: packet from
(remote<BR>> > site external IP):500: received Vendor ID payload [RFC
3947]<BR>> > meth=110, but port floating is off<BR>> > Mar 13
15:31:54 gatekeeper pluto[11850]: packet from (remote<BR>> > site
external IP):500: received Vendor ID payload<BR>> >
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off<BR>>
> Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote<BR>>
> site external IP):500: received Vendor ID payload<BR>> >
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off<BR>>
> Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote<BR>>
> site external IP):500: ignoring Vendor ID payload<BR>> >
[draft-ietf-ipsec-nat-t-ike-00]<BR>> > Mar 13 15:31:54 gatekeeper
pluto[11850]: "pax_square"[1]<BR>> > (remote site external IP) #1:
responding to Main Mode from<BR>> > unknown peer (remote site external
IP)<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]:
"pax_square"[1]<BR>> > (remote site external IP) #1: only
OAKLEY_GROUP_MODP1024 and<BR>> > OAKLEY_GROUP_MODP1536
supported. Attribute OAKLEY_GROUP_DESCRIPTION<BR>> > Mar 13
15:31:54 gatekeeper pluto[11850]: "pax_square"[1]<BR>> > (remote site
external IP) #1: no acceptable Oakley Transform<BR>> > Mar 13 15:31:54
gatekeeper pluto[11850]: "pax_square"[1]<BR>> > (remote site external
IP) #1: sending notification<BR>> > NO_PROPOSAL_CHOSEN to (remote site
external IP):500<BR>> > Mar 13 15:31:54 gatekeeper pluto[11850]:
"pax_square"[1]<BR>> > (remote site external IP): deleting connection
"pax_square"<BR>> > instance with peer (remote site external IP)
{isakmp=#0/ipsec=#0}<BR>> ><BR>> > I am assuming that it has
something to do with the Preshared<BR>> > key that I am using, but I
am not too sure how to go about<BR>> > fixing it. I do not want
to be a nuisance, but can anyone<BR>> > give me a (another) push in
the right direction? <BR>> ><BR>> > I appreciate your
patience.<BR>> > -Chris<BR>>
><BR>></SPAN><o:p></o:p></P></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></BODY></HTML>