<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
Hello List,<br>
<br>
we have a serious problem here and I have been trying to get hold of it for more
than one week now. I can't solve it, although many users on the web have
a similar but not identical problem:<br>
<br>
A connection has to be established from an OpenSuse-10.3 server to a
CISCO router (876w).<br>
- Openswan IPsec U2.6.19/K2.6.27.5<br>
- Kernel as above<br>
<br>
<br>
The problem is that it simply does not work! Nearly 10000
configuration steps have been done so far.<br>
My question is: What the hell does the "Message ID of 0" mean, and how the
hell do I get a valid Message ID!<br>
<br>
I can provide more information if you want it.<br>
<br>
<br>
Need HELP!<br>
Thanks a lot.<br>
Markus<br>
<br>
<br>
<br>
<br>
---- Protocol of connection attempt --------------<br>
<small><font color="#990000">s15318887:~ # ipsec auto --verbose --up
L2TPPSKCLIENT &<br>
[1] 14575<br>
s15318887:~ # 002 "L2TPPSKCLIENT" #1: initiating Main Mode<br>
104 "L2TPPSKCLIENT" #1: STATE_MAIN_I1: initiate<br>
003 "L2TPPSKCLIENT" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108<br>
002 "L2TPPSKCLIENT" #1: enabling possible NAT-traversal with method
draft-ietf-ipsec-nat-t-ike-05<br>
002 "L2TPPSKCLIENT" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2<br>
106 "L2TPPSKCLIENT" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>
003 "L2TPPSKCLIENT" #1: received Vendor ID payload [Cisco-Unity]<br>
003 "L2TPPSKCLIENT" #1: received Vendor ID payload [Dead Peer Detection]<br>
003 "L2TPPSKCLIENT" #1: ignoring unknown Vendor ID payload
[4d20822d6c6dba9a8b29fed3780e4bb4]<br>
003 "L2TPPSKCLIENT" #1: received Vendor ID payload [XAUTH]<br>
003 "L2TPPSKCLIENT" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected<br>
002 "L2TPPSKCLIENT" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3<br>
108 "L2TPPSKCLIENT" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
003 "L2TPPSKCLIENT" #1: <b>Informational Exchange message is invalid
because it has a Message ID of 0</b></font></small><br>
---------------------------------------------------<br>
<br>
<br>
--- LOG FROM openswan /var/log/warn ---------<br>
<font color="#3333ff"><small> Dec 11 14:12:09 s15318887 ipsec_setup:
Starting Openswan IPsec U2.6.19/K2.6.27.5-askmodified...<br>
Dec 11 14:12:09 s15318887 ipsec_setup: Using NETKEY(XFRM) stack<br>
Dec 11 14:12:09 s15318887 ipsec__plutorun: Starting Pluto subsystem...<br>
Dec 11 14:12:09 s15318887 pluto: adjusting ipsec.d to /etc/ipsec.d<br>
Dec 11 14:12:09 s15318887 ipsec__plutorun: adjusting ipsec.d to
/etc/ipsec.d<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Starting Pluto (Openswan
Version 2.6.19; Vendor ID OEkqHLBPOfMD) pid:14040<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Setting NAT-Traversal port-4500
floating to on<br>
Dec 11 14:12:09 s15318887 pluto[14040]: port floating activation
criteria nat_t=1/port_float=1<br>
Dec 11 14:12:09 s15318887 pluto[14040]: including NAT-Traversal
patch (Version 0.6c)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: using /dev/urandom as source of
random entropy<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: starting up 1 cryptographic
helpers<br>
Dec 11 14:12:09 s15318887 pluto[14040]: started helper pid=14047 (fd:7)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Using Linux 2.6 IPsec interface
code on 2.6.27.5-askmodified (experimental code)<br>
Dec 11 14:12:09 s15318887 pluto[14047]: using /dev/urandom as source of
random entropy<br>
Dec 11 14:12:09 s15318887 ipsec_setup: ...Openswan IPsec started<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating <NULL>: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_add(): ERROR: Algorithm
already exists<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_add(): ERROR: Algorithm
already exists<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_add(): ERROR: Algorithm
already exists<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_add(): ERROR: Algorithm
already exists<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_add(): ERROR: Algorithm
already exists<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Changed path to directory
'/etc/ipsec.d/cacerts'<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Changed path to directory
'/etc/ipsec.d/aacerts'<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Changed path to directory
'/etc/ipsec.d/ocspcerts'<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Changing to directory
'/etc/ipsec.d/crls'<br>
Dec 11 14:12:10 s15318887 pluto[14040]: Warning: empty directory<br>
Dec 11 14:12:10 s15318887 pluto[14040]: Changing back to directory
'/root' failed - (2 No such file or directory)<br>
Dec 11 14:12:10 s15318887 pluto[14040]: Changing back to directory
'/root' failed - (2 No such file or directory)<br>
Dec 11 14:12:10 s15318887 pluto[14040]: added connection description
"L2TPPSKCLIENT"<br>
Dec 11 14:12:10 s15318887 ipsec__plutorun: 002 added connection
description "L2TPPSKCLIENT"<br>
Dec 11 14:12:10 s15318887 pluto[14040]: listening for IKE messages<br>
Dec 11 14:12:10 s15318887 pluto[14040]: adding interface eth0/eth0
87.106.244.79:500<br>
Dec 11 14:12:10 s15318887 pluto[14040]: adding interface eth0/eth0
87.106.244.79:4500<br>
Dec 11 14:12:10 s15318887 pluto[14040]: adding interface lo/lo
127.0.0.1:500<br>
Dec 11 14:12:10 s15318887 pluto[14040]: adding interface lo/lo
127.0.0.1:4500<br>
Dec 11 14:12:10 s15318887 pluto[14040]: adding interface lo/lo ::1:500<br>
Dec 11 14:12:10 s15318887 pluto[14040]: loading secrets from
"/etc/ipsec.secrets"<br>
Dec 11 14:12:10 s15318887 pluto[14040]: loaded private key for keyid:
PPK_RSA:AQN+MvCwh<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: initiating
Main Mode<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: enabling
possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: transition
from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1:
STATE_MAIN_I2: sent MI2, expecting MR2<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: received
Vendor ID payload [Cisco-Unity]<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: received
Vendor ID payload [Dead Peer Detection]<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: ignoring
unknown Vendor ID payload [4d20822de819cb570efd8b53ae2c0fe9]<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: received
Vendor ID payload [XAUTH]<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: transition
from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1:
STATE_MAIN_I3: sent MI3, expecting MR3<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1:
Informational Exchange message is invalid because it has a Message ID
of 0<br>
Dec 11 14:12:16 s15318887 ipsec_setup: Stopping Openswan IPsec...<br>
Dec 11 14:12:16 s15318887 pluto[14040]: shutting down<br>
Dec 11 14:12:16 s15318887 pluto[14040]: forgetting secrets<br>
Dec 11 14:12:16 s15318887 pluto[14040]: "L2TPPSKCLIENT": deleting
connection<br>
Dec 11 14:12:16 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: deleting
state (STATE_MAIN_I3)<br>
Dec 11 14:12:17 s15318887 pluto[14040]: shutting down interface lo/lo
::1:500<br>
Dec 11 14:12:17 s15318887 pluto[14040]: shutting down interface lo/lo
127.0.0.1:4500<br>
Dec 11 14:12:17 s15318887 pluto[14040]: shutting down interface lo/lo
127.0.0.1:500<br>
Dec 11 14:12:17 s15318887 pluto[14040]: shutting down interface
eth0/eth0 87.106.244.79:4500<br>
Dec 11 14:12:17 s15318887 pluto[14040]: shutting down interface
eth0/eth0 87.106.244.79:500<br>
Dec 11 14:12:19 s15318887 ipsec_setup: ...Openswan IPsec stopped</small></font><br>
---------end log openswan <br>
<br>
--CISCO --- CONFIG -faked!---------------<br>
<font color="#3333ff"><small>...<br>
vpdn enable<br>
!<br>
vpdn-group L2TP<br>
! Default L2TP VPDN group<br>
accept-dialin<br>
protocol l2tp<br>
virtual-template 1<br>
no l2tp tunnel authentication<br>
!<br>
!<br>
...<br>
!<br>
crypto keyring L2TP<br>
pre-shared-key address 0.0.0.0 0.0.0.0 key mykey<br>
!<br>
crypto isakmp policy 1<br>
encr 3des<br>
authentication pre-share<br>
group 2<br>
lifetime 3600<br>
crypto isakmp key # address </small></font>192.199.19.91<br>
<font color="#3333ff"><small>crypto isakmp keepalive 3600<br>
!<br>
crypto ipsec security-association lifetime seconds 600<br>
!<br>
crypto ipsec transform-set L2TP-SET esp-3des esp-sha-hmac<br>
mode transport<br>
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac<br>
!<br>
crypto dynamic-map DYN_MAP 10<br>
set nat demux<br>
set transform-set L2TP-SET<br>
!<br>
!<br>
crypto map CRYP_MAP 6000 ipsec-isakmp dynamic DYN_MAP<br>
!<br>
bridge irb<br>
!</small></font><br>
...<br>
<br>
----------------end cisco config<br>
<br>
--- OPENSWAN --- /etc/ipsec.conf<br>
<font color="#3333ff"><small>version 2.0 # conforms to second
version of ipsec.conf specification<br>
<br>
# basic configuration<br>
config setup<br>
# Do not set debug= options to debug configuration issues!<br>
# plutodebug / klipsdebug = "all", "none" or a combation from
below:<br>
# "raw crypt parsing emitting control klips pfkey natt x509 dpd
private"<br>
# eg:<br>
plutodebug="control parsing"<br>
#<br>
# enable to get logs per-peer<br>
# plutoopts="--perpeerlog"<br>
#<br>
# Only enable *debug=all if you are a developer<br>
#<br>
# NAT-TRAVERSAL support, see README.NAT-Traversal<br>
nat_traversal=yes<br>
# exclude networks used on server side by adding %v4:!a.b.c.0/24<br>
#virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/24<br>
# OE is now off by default. Uncomment and change to on, to
enable.<br>
OE=off<br>
# which IPsec stack to use. netkey,klips,mast,auto or none<br>
#protostack=netkey<br>
protostack=auto<br>
<br>
<br>
# Add connections here<br>
<br>
conn L2TPPSKCLIENT<br>
#<br>
# ----------------------------------------------------------<br>
# Use a Preshared Key. Disable Perfect Forward Secrecy.<br>
# Initiate rekeying.<br>
# Connection type _must_ be Transport Mode.<br>
#<br>
authby=secret<br>
pfs=yes<br>
#rekey=yes<br>
keyingtries=3<br>
type=transport<br>
#<br>
# Specify type of encryption for ISAKAMP SA (IPsec Phase 1)<br>
# Cipher= 3des, Hash = sha, DH-Group = 2<br>
ike=3des-sha1-modp1024<br>
# Specify type of encryption for IPSEC SA (IPsec Phase 2)<br>
esp=3des-sha1<br>
#<br>
# Keep connection alive through DPD (Dead Peer Detection)<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=clear<br>
#<br>
#<br>
# Try XAUTH authentication<br>
#leftxauthclient=yes<br>
# ----------------------------------------------------------<br>
# The local Linux machine that connects as a client.<br>
#<br>
# The external network interface is used to connect to the
server.<br>
# If you want to use a different interface or if there is no<br>
# defaultroute, you can use: left=your.ip.addr.ess<br>
left=</small></font>192.199.19.91<br>
<font color="#3333ff"><small> leftid=</small></font>192.199.19.91<br>
<font color="#3333ff"><small> leftprotoport=17/1701<br>
#<br>
# ----------------------------------------------------------<br>
# The remote server.<br>
#<br>
# Connect to the server at this IP address.<br>
right=</small></font>223.31.46.223<br>
<font color="#3333ff"><small> rightid=</small></font>223.31.46.223<br>
<font color="#3333ff"><small> rightsubnet=192.168.0.0/24<br>
rightprotoport=17/1701<br>
# ----------------------------------------------------------<br>
#<br>
# Change 'ignore' to 'add' to enable this configuration.<br>
#<br>
auto=add</small></font><br>
<br>
<br>
----------end ipsec.conf<br>
<br>
<br>
--- OPENSWAN --- /etc/ipsec.secrets -faked!---------------<br>
<br>
192.199.19.91 223.31.46.223: PSK 'mykey'<br>
<br>
----------end ipsec.secrets<br>
<br>
<br>
<br>
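The "Message ID" in the Pluto line above is the 4-byte field of the fixed ISAKMP header (RFC 2408, section 3.1). During Phase 1 (Main Mode, the STATE_MAIN_* states in the log) it must be 0; an Informational exchange, which is how a peer sends notifications and deletes, carries its own Message ID, and Pluto discards an Informational whose Message ID is 0, which is exactly what the log reports after MI3 was sent. The following is an added example for this thread, not code from the poster, from Openswan or from Cisco: it parses the ISAKMP header and applies that validity rule to a few constructed sample headers (cookies, lengths and Message IDs below are made up), so that a reader can see which header field the error refers to and which combinations of exchange type and Message ID a receiver accepts.<br>

```python
import struct

# ISAKMP header layout (RFC 2408, section 3.1): 28 bytes, network byte order.
#   initiator cookie (8) | responder cookie (8) | next payload (1) | version (1)
#   exchange type (1)    | flags (1)            | Message ID (4)   | length (4)
ISAKMP_HDR_FMT = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR_FMT)  # 28

# IKEv1 exchange types (RFC 2408 section 3.1, RFC 2409 appendix A).
XCHG_IDPROT = 2   # Identity Protection, i.e. Main Mode (the log's STATE_MAIN_*)
XCHG_AGGR = 4     # Aggressive Mode
XCHG_INFO = 5     # Informational (notifications, deletes)
XCHG_QUICK = 32   # Quick Mode, Phase 2

PAYLOAD_SA = 1
PAYLOAD_NOTIFY = 11
FLAG_ENCRYPTION = 0x01
IKEV1_VERSION = 0x10  # major 1, minor 0


def build_isakmp_header(icookie, rcookie, next_payload, xchg, flags, msgid, length):
    """Pack a header; used below only to construct sample packets."""
    return struct.pack(ISAKMP_HDR_FMT, icookie, rcookie, next_payload,
                       IKEV1_VERSION, xchg, flags, msgid, length)


def parse_isakmp_header(pkt):
    """Unpack the fixed header of an ISAKMP datagram into a dict."""
    if ISAKMP_HDR_LEN > len(pkt):
        raise ValueError("truncated ISAKMP header (%d bytes)" % len(pkt))
    fields = struct.unpack(ISAKMP_HDR_FMT, pkt[:ISAKMP_HDR_LEN])
    icookie, rcookie, next_payload, version, xchg, flags, msgid, length = fields
    if version != IKEV1_VERSION:
        raise ValueError("not an IKEv1 header, version byte 0x%02x" % version)
    return {
        "icookie": icookie, "rcookie": rcookie, "next_payload": next_payload,
        "exchange": xchg, "flags": flags, "msgid": msgid, "length": length,
    }


def check_message_id(hdr):
    """Return None if the Message ID is acceptable for this exchange type,
    otherwise a string naming the violation (the same condition Pluto logs)."""
    xchg, msgid = hdr["exchange"], hdr["msgid"]
    if xchg in (XCHG_IDPROT, XCHG_AGGR) and msgid != 0:
        # RFC 2408 3.1: during Phase 1 the Message ID MUST be 0.
        return "Phase 1 exchange must carry Message ID 0, got 0x%08x" % msgid
    if xchg == XCHG_INFO and msgid == 0:
        # An Informational exchange carries its own unique Message ID; with 0
        # there is no exchange state it could belong to, so Pluto rejects it.
        return "Informational Exchange message is invalid because it has a Message ID of 0"
    if xchg == XCHG_QUICK and msgid == 0:
        return "Quick Mode must carry a non-zero Message ID"
    return None


# Constructed sample datagrams (headers only; cookies and lengths are made up).
IC = bytes.fromhex("0102030405060708")
RC = bytes.fromhex("1112131415161718")
SAMPLES = [
    ("main mode MI1",        build_isakmp_header(IC, bytes(8), PAYLOAD_SA, XCHG_IDPROT, 0, 0, 200)),
    ("main mode with msgid", build_isakmp_header(IC, RC, PAYLOAD_SA, XCHG_IDPROT, 0, 0x1234, 200)),
    ("info msgid 0",         build_isakmp_header(IC, RC, PAYLOAD_NOTIFY, XCHG_INFO, 0, 0, 60)),
    ("info msgid set",       build_isakmp_header(IC, RC, PAYLOAD_NOTIFY, XCHG_INFO, FLAG_ENCRYPTION, 0x7a3b9c01, 76)),
    ("quick mode",           build_isakmp_header(IC, RC, PAYLOAD_SA, XCHG_QUICK, FLAG_ENCRYPTION, 0x0badcafe, 300)),
]


def classify_samples(samples=SAMPLES):
    """Apply the check to every sample; returns (name, verdict) pairs where
    verdict is None for acceptable headers."""
    return [(name, check_message_id(parse_isakmp_header(pkt))) for name, pkt in samples]


if __name__ == "__main__":
    for name, verdict in classify_samples():
        print("%-22s %s" % (name, verdict or "ok"))
```

Running the block prints one verdict per sample; the "info msgid 0" sample reproduces the condition in the log. The design point for a receiver is that a Main Mode peer has not yet authenticated anything when MR3 is outstanding, so an Informational with Message ID 0 arriving at that moment is an unauthenticated datagram that cannot be matched to any exchange, and discarding it with a log line (as Pluto does) is the safe handling; the actual reason the peer sent it has to be read from the router's own debug output rather than from this message.<br>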
</body>
</html>