<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hello Paul,<br>
<br>
Thanks for the quick answer. I have a big "uuuuuuuh" for you when I hear
the words "firmware update", because getting the firmware from Cisco is a
big deal for us: the router was installed by an external company
and they don't support this old machine any more, so Cisco also won't
support anything without getting a certain amount of money.<br>
The second thing is that a number of Windows XP clients can connect to
this router with absolutely minimal configuration (Vista can't connect,
b.t.w.). Is Linux not able to connect while Windooos can?<br>
<br>
The external server is one from a provider (1&1) and the
connection is not really straight, but the provider says that we have "a
direct connection to the internet". The traceroute ends with stars at hop
30 (first IP faked):<br>
<pre><font color="#3333ff">traceroute to </font>223.31.46.223<font color="#3333ff"> (</font>223.31.46.223<font color="#3333ff">), 30 hops max, 40 byte packets
 1  10.255.255.253 (10.255.255.253)  0.429 ms  0.281 ms  0.262 ms
 2  vl-1980.gw-distp-a.fs.kae.de.oneandone.net (195.20.247.194)  150.229 ms  150.230 ms  131.468 ms
 3  ae-2.bb-d.bs.kae.de.oneandone.net (212.227.121.196)  0.947 ms  0.938 ms  1.083 ms
 4  vl-390.bb-d.sps.str.de.oneandone.net (212.227.120.138)  2.498 ms  2.447 ms  2.315 ms
 5  217.243.217.17 (217.243.217.17)  4.684 ms  4.603 ms  4.620 ms
 6  h-eb2.H.DE.net.DTAG.DE (62.154.49.90)  12.888 ms h-eb2.H.DE.net.DTAG.DE (62.154.49.110)  11.802 ms  11.767 ms
 7  217.5.100.221 (217.5.100.221)  13.674 ms  13.489 ms  13.569 ms
 8  * * *
 9  * * *
...
30  * * *
</font></pre>
Pings are discarded by the router. <br>
<br>
I'm not even sure about this line in the router configuration:<br>
<font color="#3333ff"><small>crypto isakmp key # address 192.199.19.91</small></font><br>
I don't know how this got into the router config; maybe this is the problem?<br>
<br>
By the way, the Cisco log says the following:<br>
----------- CISCO SYSLOG ----------------<br>
<font color="#006600"><small>.Dec 12 10:13:42.312 MEZ: ISAKMP (0:0):
received packet from </small></font><font color="#3333ff"><small>192.199.19.91</small></font><font
color="#006600"><small> dport 500 sport 500 Global (N) NEW SA<br>
.Dec 12 10:13:42.312 MEZ: ISAKMP: Created a peer struct for</small></font><font
color="#3333ff"><small> 192.199.19.91</small></font><font
color="#006600"><small>, peer port 500<br>
.Dec 12 10:13:42.312 MEZ: ISAKMP: New peer created peer = 0x8303D0A4
peer_handle = 0x80000112<br>
.Dec 12 10:13:42.312 MEZ: ISAKMP: Locking peer struct 0x8303D0A4,
refcount 1 for crypto_isakmp_process_block<br>
.Dec 12 10:13:42.312 MEZ: ISAKMP: local port 500, remote port 500<br>
.Dec 12 10:13:42.312 MEZ: insert sa successfully sa = 84209680<br>
.Dec 12 10:13:42.312 MEZ: ISAKMP:(0):Input = IKE_MESG_FROM_PEER,
IKE_MM_EXCH<br>
.Dec 12 10:13:42.312 MEZ: ISAKMP:(0):Old State = IKE_READY New State =
IKE_R_MM1<br>
<br>
.Dec 12 10:13:42.312 MEZ: ISAKMP:(0): processing SA payload. message ID
= 0<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): processing vendor id payload<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): vendor ID seems Unity/DPD but
major 0 mismatch<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): processing vendor id payload<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): vendor ID is DPD<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): processing vendor id payload<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): vendor ID seems Unity/DPD but
major 69 mismatch<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): processing vendor id payload<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): vendor ID seems Unity/DPD but
major 157 mismatch<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): vendor ID is NAT-T v3<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): processing vendor id payload<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): vendor ID seems Unity/DPD but
major 123 mismatch<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): vendor ID is NAT-T v2<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): processing vendor id payload<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): vendor ID seems Unity/DPD but
major 164 mismatch<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0):found peer pre-shared key matching
87.106.244.79<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0): local preshared key found<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP : Scanning profiles for xauth ...<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP:(0):Checking ISAKMP transform 0
against priority 1 policy<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP: life type in seconds<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP: life duration (basic) of 3600<br>
.Dec 12 10:13:42.316 MEZ: ISAKMP: encryption 3DES-CBC<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP: hash SHA<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP: auth pre-share<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP: default group 2<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0):atts are acceptable. Next payload
is 0<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): processing vendor id payload<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): vendor ID seems Unity/DPD but
major 0 mismatch<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): processing vendor id payload<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): vendor ID is DPD<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): processing vendor id payload<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): vendor ID seems Unity/DPD but
major 69 mismatch<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): processing vendor id payload<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): vendor ID seems Unity/DPD but
major 157 mismatch<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): vendor ID is NAT-T v3<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): processing vendor id payload<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): vendor ID seems Unity/DPD but
major 123 mismatch<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): vendor ID is NAT-T v2<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): processing vendor id payload<br>
.Dec 12 10:13:42.320 MEZ: ISAKMP:(0): vendor ID seems Unity/DPD but
major 164 mismatch<br>
.Dec 12 10:13:42.324 MEZ: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE<br>
.Dec 12 10:13:42.324 MEZ: ISAKMP:(0):Old State = IKE_R_MM1 New State =
IKE_R_MM1<br>
<br>
.Dec 12 10:13:42.324 MEZ: ISAKMP:(0): constructed NAT-T vendor-03 ID<br>
.Dec 12 10:13:42.324 MEZ: ISAKMP:(0): sending packet to </small></font><font
color="#3333ff"><small>192.199.19.91 </small></font><font
color="#006600"><small>my_port 500 peer_port 500 (R) MM_SA_SETUP<br>
.Dec 12 10:13:42.324 MEZ: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE<br>
.Dec 12 10:13:42.324 MEZ: ISAKMP:(0):Old State = IKE_R_MM1 New State =
IKE_R_MM2<br>
<br>
.Dec 12 10:13:42.468 MEZ: ISAKMP (0:0): received packet from </small></font><font
color="#3333ff"><small>192.199.19.91</small></font><font
color="#006600"><small> dport 500 sport 500 Global (R) MM_SA_SETUP<br>
.Dec 12 10:13:42.468 MEZ: ISAKMP:(0):Input = IKE_MESG_FROM_PEER,
IKE_MM_EXCH<br>
.Dec 12 10:13:42.468 MEZ: ISAKMP:(0):Old State = IKE_R_MM2 New State =
IKE_R_MM3<br>
<br>
.Dec 12 10:13:42.472 MEZ: ISAKMP:(0): processing KE payload. message ID
= 0<br>
.Dec 12 10:13:42.476 MEZ: ISAKMP:(0): processing NONCE payload. message
ID = 0<br>
.Dec 12 10:13:42.476 MEZ: ISAKMP:(0):found peer pre-shared key matching
87.106.244.79<br>
.Dec 12 10:13:42.476 MEZ: ISAKMP:received payload type 20<br>
.Dec 12 10:13:42.480 MEZ: ISAKMP:received payload type 20<br>
.Dec 12 10:13:42.480 MEZ: ISAKMP:(2107):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE<br>
.Dec 12 10:13:42.480 MEZ: ISAKMP:(2107):Old State = IKE_R_MM3 New
State = IKE_R_MM3<br>
<br>
.Dec 12 10:13:42.480 MEZ: ISAKMP:(2107): sending packet to </small></font><font
color="#3333ff"><small>192.199.19.91</small></font><font
color="#006600"><small> my_port 500 peer_port 500 (R) MM_KEY_EXCH<br>
.Dec 12 10:13:42.480 MEZ: ISAKMP:(2107):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE<br>
.Dec 12 10:13:42.480 MEZ: ISAKMP:(2107):Old State = IKE_R_MM3 New
State = IKE_R_MM4<br>
<br>
.Dec 12 10:13:42.624 MEZ: ISAKMP (0:2107): received packet from </small></font><font
color="#3333ff"><small>192.199.19.91</small></font><font
color="#006600"><small> dport 500 sport 500 Global (R) MM_KEY_EXCH<br>
.Dec 12 10:13:42.628 MEZ: ISAKMP: reserved not zero on ID payload!<br>
.Dec 12 10:13:42.628 MEZ: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from </small></font><font
color="#3333ff"><small>192.199.19.91</small></font><font
color="#006600"><small> failed its sanity check or is malformed<br>
.Dec 12 10:13:42.628 MEZ: ISAKMP (0:2107): incrementing error counter
on sa, attempt 1 of 5: PAYLOAD_MALFORMED<br>
.Dec 12 10:13:42.628 MEZ: ISAKMP:(2107): sending packet to </small></font><font
color="#3333ff"><small>192.199.19.91</small></font><font
color="#006600"><small> my_port 500 peer_port 500 (R) MM_KEY_EXCH<br>
.Dec 12 10:13:42.628 MEZ: ISAKMP (0:2107): incrementing error counter
on sa, attempt 2 of 5: reset_retransmission<br>
.Dec 12 10:13:43.627 MEZ: ISAKMP:(2107): no outgoing phase 1 packet to
retransmit. MM_KEY_EXCH4.79 my_port 500 peer_port 500 (R) MM_SA_SETUP</small></font><br>
--------end cisco syslog ----------------------<br>
<br>
Thanks Markus<br>
<br>
Paul Wouters wrote:
<blockquote cite="mid:4942229D.9000403@as-support.com" type="cite"><br>
<hr size="4" width="90%"><br>
<table class="header-part1" border="0" cellpadding="0" cellspacing="0"
width="100%">
<tbody>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">Subject:
</div>
Re: [Openswan Users] Message ID is 0 with openswan as client to cisco
876W</td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">From: </div>
Paul Wouters <a class="moz-txt-link-rfc2396E" href="mailto:paul@xelerance.com"><paul@xelerance.com></a></td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">Date: </div>
Thu, 11 Dec 2008 14:44:45 -0500 (EST)</td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">To: </div>
Markus Locher <a class="moz-txt-link-rfc2396E" href="mailto:ml@as-support.com"><ml@as-support.com></a></td>
</tr>
</tbody>
</table>
<table class="header-part2" border="0" cellpadding="0" cellspacing="0"
width="100%">
<tbody>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">To: </div>
Markus Locher <a class="moz-txt-link-rfc2396E" href="mailto:ml@as-support.com"><ml@as-support.com></a></td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">CC: </div>
<a class="moz-txt-link-abbreviated" href="mailto:users@openswan.org">users@openswan.org</a></td>
</tr>
</tbody>
</table>
<br>
On Thu, 11 Dec 2008, Markus Locher wrote:
<br>
<br>
<blockquote type="cite">A connection has to be established from an
OpenSuse 10.3 server to a Cisco router (876W).
<br>
- Openswan IPsec U2.6.19/K2.6.27.5
<br>
- Kernel as above
<br>
<br>
<br>
The problem is that it simply does not work! Nearly 10000
configuration steps have been done so far.
<br>
My question is: what the hell does "Message ID of 0" mean, and how the
hell do I get a valid Message ID!
<br>
</blockquote>
<br>
<blockquote type="cite">002 "L2TPPSKCLIENT" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
<br>
108 "L2TPPSKCLIENT" #1: STATE_MAIN_I3: sent MI3, expecting MR3
<br>
003 "L2TPPSKCLIENT" #1: Informational Exchange message is invalid
because it has a Message ID of 0
<br>
</blockquote>
<br>
That looks like a broken implementation or something messing with the
packets. Try upgrading the firmware of the Cisco, and check if there is
any NAT router on the path with "ipsec passthrough" enabled.
<br>
<br>
Paul
<br>
<br>
</blockquote>
<br>
On Thu, 11 Dec 2008, Markus Locher wrote:
<br>
<blockquote cite="mid:4942229D.9000403@as-support.com" type="cite">
<div class="moz-text-html" lang="x-western">Hello list,<br>
<br>
we have a serious problem here and I have been trying to get hold of it
for more than one week now. I can't solve it, although many users on the
web have a similar but not identical problem:<br>
<br>
A connection has to be established from an OpenSuse 10.3 server to a
Cisco router (876W).<br>
- Openswan IPsec U2.6.19/K2.6.27.5<br>
- Kernel as above<br>
<br>
<br>
The problem is that it simply does not work! Nearly 10000
configuration steps have been done so far.<br>
My question is: what the hell does "Message ID of 0" mean, and how the
hell do I get a valid Message ID!<br>
<br>
I can provide more information if you want it.<br>
<br>
<br>
Need HELP!<br>
Thanks a lot.<br>
Markus<br>
<br>
<br>
<br>
<br>
---- Protocol of connection attempt --------------<br>
<small><font color="#990000">s15318887:~ # ipsec auto --verbose --up
L2TPPSKCLIENT &<br>
[1] 14575<br>
s15318887:~ # 002 "L2TPPSKCLIENT" #1: initiating Main Mode<br>
104 "L2TPPSKCLIENT" #1: STATE_MAIN_I1: initiate<br>
003 "L2TPPSKCLIENT" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108<br>
002 "L2TPPSKCLIENT" #1: enabling possible NAT-traversal with method
draft-ietf-ipsec-nat-t-ike-05<br>
002 "L2TPPSKCLIENT" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2<br>
106 "L2TPPSKCLIENT" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>
003 "L2TPPSKCLIENT" #1: received Vendor ID payload [Cisco-Unity]<br>
003 "L2TPPSKCLIENT" #1: received Vendor ID payload [Dead Peer Detection]<br>
003 "L2TPPSKCLIENT" #1: ignoring unknown Vendor ID payload
[4d20822d6c6dba9a8b29fed3780e4bb4]<br>
003 "L2TPPSKCLIENT" #1: received Vendor ID payload [XAUTH]<br>
003 "L2TPPSKCLIENT" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected<br>
002 "L2TPPSKCLIENT" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3<br>
108 "L2TPPSKCLIENT" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
003 "L2TPPSKCLIENT" #1: <b>Informational Exchange message is invalid
because it has a Message ID of 0</b></font></small><br>
---------------------------------------------------<br>
<br>
<br>
--- LOG FROM openswan /var/log/warn ---------<br>
<font color="#3333ff"><small> Dec 11 14:12:09 s15318887 ipsec_setup:
Starting Openswan IPsec U2.6.19/K2.6.27.5-askmodified...<br>
Dec 11 14:12:09 s15318887 ipsec_setup: Using NETKEY(XFRM) stack<br>
Dec 11 14:12:09 s15318887 ipsec__plutorun: Starting Pluto subsystem...<br>
Dec 11 14:12:09 s15318887 pluto: adjusting ipsec.d to /etc/ipsec.d<br>
Dec 11 14:12:09 s15318887 ipsec__plutorun: adjusting ipsec.d to
/etc/ipsec.d<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Starting Pluto (Openswan
Version 2.6.19; Vendor ID OEkqHLBPOfMD) pid:14040<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Setting NAT-Traversal port-4500
floating to on<br>
Dec 11 14:12:09 s15318887 pluto[14040]: port floating activation
criteria nat_t=1/port_float=1<br>
Dec 11 14:12:09 s15318887 pluto[14040]: including NAT-Traversal
patch (Version 0.6c)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: using /dev/urandom as source of
random entropy<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: starting up 1 cryptographic
helpers<br>
Dec 11 14:12:09 s15318887 pluto[14040]: started helper pid=14047 (fd:7)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Using Linux 2.6 IPsec interface
code on 2.6.27.5-askmodified (experimental code)<br>
Dec 11 14:12:09 s15318887 pluto[14047]: using /dev/urandom as source of
random entropy<br>
Dec 11 14:12:09 s15318887 ipsec_setup: ...Openswan IPsec started<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating <NULL>: Ok (ret=0)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_add(): ERROR: Algorithm
already exists<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_add(): ERROR: Algorithm
already exists<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_add(): ERROR: Algorithm
already exists<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_add(): ERROR: Algorithm
already exists<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_add(): ERROR: Algorithm
already exists<br>
Dec 11 14:12:09 s15318887 pluto[14040]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Changed path to directory
'/etc/ipsec.d/cacerts'<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Changed path to directory
'/etc/ipsec.d/aacerts'<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Changed path to directory
'/etc/ipsec.d/ocspcerts'<br>
Dec 11 14:12:09 s15318887 pluto[14040]: Changing to directory
'/etc/ipsec.d/crls'<br>
Dec 11 14:12:10 s15318887 pluto[14040]: Warning: empty directory<br>
Dec 11 14:12:10 s15318887 pluto[14040]: Changing back to directory
'/root' failed - (2 No such file or directory)<br>
Dec 11 14:12:10 s15318887 pluto[14040]: Changing back to directory
'/root' failed - (2 No such file or directory)<br>
Dec 11 14:12:10 s15318887 pluto[14040]: added connection description
"L2TPPSKCLIENT"<br>
Dec 11 14:12:10 s15318887 ipsec__plutorun: 002 added connection
description "L2TPPSKCLIENT"<br>
Dec 11 14:12:10 s15318887 pluto[14040]: listening for IKE messages<br>
Dec 11 14:12:10 s15318887 pluto[14040]: adding interface eth0/eth0 </small></font><font
color="#3333ff"><small>192.199.19.91</small></font><font
color="#3333ff"><small>:500<br>
Dec 11 14:12:10 s15318887 pluto[14040]: adding interface eth0/eth0 </small></font><font
color="#3333ff"><small>192.199.19.91</small></font><font
color="#3333ff"><small>:4500<br>
Dec 11 14:12:10 s15318887 pluto[14040]: adding interface lo/lo
127.0.0.1:500<br>
Dec 11 14:12:10 s15318887 pluto[14040]: adding interface lo/lo
127.0.0.1:4500<br>
Dec 11 14:12:10 s15318887 pluto[14040]: adding interface lo/lo ::1:500<br>
Dec 11 14:12:10 s15318887 pluto[14040]: loading secrets from
"/etc/ipsec.secrets"<br>
Dec 11 14:12:10 s15318887 pluto[14040]: loaded private key for keyid:
PPK_RSA:AQN+MvCwh<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: initiating
Main Mode<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: enabling
possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: transition
from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1:
STATE_MAIN_I2: sent MI2, expecting MR2<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: received
Vendor ID payload [Cisco-Unity]<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: received
Vendor ID payload [Dead Peer Detection]<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: ignoring
unknown Vendor ID payload [4d20822de819cb570efd8b53ae2c0fe9]<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: received
Vendor ID payload [XAUTH]<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: transition
from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1:
STATE_MAIN_I3: sent MI3, expecting MR3<br>
Dec 11 14:12:11 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1:
Informational Exchange message is invalid because it has a Message ID
of 0<br>
Dec 11 14:12:16 s15318887 ipsec_setup: Stopping Openswan IPsec...<br>
Dec 11 14:12:16 s15318887 pluto[14040]: shutting down<br>
Dec 11 14:12:16 s15318887 pluto[14040]: forgetting secrets<br>
Dec 11 14:12:16 s15318887 pluto[14040]: "L2TPPSKCLIENT": deleting
connection<br>
Dec 11 14:12:16 s15318887 pluto[14040]: "L2TPPSKCLIENT" #1: deleting
state (STATE_MAIN_I3)<br>
Dec 11 14:12:17 s15318887 pluto[14040]: shutting down interface lo/lo
::1:500<br>
Dec 11 14:12:17 s15318887 pluto[14040]: shutting down interface lo/lo
127.0.0.1:4500<br>
Dec 11 14:12:17 s15318887 pluto[14040]: shutting down interface lo/lo
127.0.0.1:500<br>
Dec 11 14:12:17 s15318887 pluto[14040]: shutting down interface
eth0/eth0 </small></font><font color="#3333ff"><small>192.199.19.91</small></font><font
color="#3333ff"><small>:4500<br>
Dec 11 14:12:17 s15318887 pluto[14040]: shutting down interface
eth0/eth0 </small></font><font color="#3333ff"><small>192.199.19.91</small></font><font
color="#3333ff"><small>:500<br>
Dec 11 14:12:19 s15318887 ipsec_setup: ...Openswan IPsec stopped</small></font><br>
---------end log openswan <br>
<br>
--CISCO --- CONFIG -faked!---------------<br>
<pre><font color="#3333ff"><small>...
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
...
!
crypto keyring L2TP
  pre-shared-key address 0.0.0.0 0.0.0.0 key mykey
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key # address </small></font>192.199.19.91<font color="#3333ff"><small>
crypto isakmp keepalive 3600
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set L2TP-SET esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYN_MAP 10
 set nat demux
 set transform-set L2TP-SET
!
!
crypto map CRYP_MAP 6000 ipsec-isakmp dynamic DYN_MAP
!
bridge irb
!</small></font></pre>
...<br>
<br>
----------------end cisco config<br>
<br>
--- OPENSWAN --- /etc/ipsec.conf<br>
<pre><font color="#3333ff"><small>version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug= options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Only enable *debug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/24
        # OE is now off by default. Uncomment and change to on, to enable.
        OE=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        #protostack=netkey
        protostack=auto


# Add connections here

conn L2TPPSKCLIENT
        #
        # ----------------------------------------------------------
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        # Initiate rekeying.
        # Connection type _must_ be Transport Mode.
        #
        authby=secret
        pfs=yes
        #rekey=yes
        keyingtries=3
        type=transport
        #
        # Specify type of encryption for ISAKMP SA (IPsec Phase 1)
        # Cipher= 3des, Hash = sha, DH-Group = 2
        ike=3des-sha1-modp1024
        # Specify type of encryption for IPSEC SA (IPsec Phase 2)
        esp=3des-sha1
        #
        # Keep connection alive through DPD (Dead Peer Detection)
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        #
        #
        # Try XAUTH authentication
        #leftxauthclient=yes
        # ----------------------------------------------------------
        # The local Linux machine that connects as a client.
        #
        # The external network interface is used to connect to the server.
        # If you want to use a different interface or if there is no
        # defaultroute, you can use: left=your.ip.addr.ess
        left=</small></font>192.199.19.91<font color="#3333ff"><small>
        leftid=</small></font>192.199.19.91<font color="#3333ff"><small>
        leftprotoport=17/1701
        #
        # ----------------------------------------------------------
        # The remote server.
        #
        # Connect to the server at this IP address.
        right=</small></font>223.31.46.223<font color="#3333ff"><small>
        rightid=</small></font>223.31.46.223<font color="#3333ff"><small>
        rightsubnet=192.168.0.0/24
        rightprotoport=17/1701
        # ----------------------------------------------------------
        #
        # Change 'ignore' to 'add' to enable this configuration.
        #
        auto=add</small></font></pre>
<br>
<br>
----------end ipsec.conf<br>
<br>
<br>
--- OPENSWAN --- /etc/ipsec.secrets -faked!---------------<br>
<br>
192.199.19.91 223.31.46.223: PSK 'mykey'<br>
<br>
----------end ipsec.secrets<br>
<br>
<br>
<br>
</div>
<br>
<pre wrap=""><hr size="4" width="90%">
Incoming e-mail is virus-free.
Checked by AVG - <a class="moz-txt-link-freetext" href="http://www.grisoft.de">http://www.grisoft.de</a>
Version: 8.0.176 / Virus database: 270.9.16/1843 - Release date: 11.12.2008 08:36
</pre>
</blockquote>
<br>
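The two complaints that meet in this thread, Openswan's "Informational Exchange message is invalid because it has a Message ID of 0" and the Cisco side's "reserved not zero on ID payload!", are both sanity checks on the ISAKMP wire format. The Python below is an added example, not code from Openswan, from IOS or from either poster: it parses a cleartext ISAKMP (IKEv1) packet and applies those two checks, plus the RFC 2409 rule that a Phase 1 ID payload carries protocol/port 0 or UDP/500 (4500 with NAT-T). The sample packets, the dummy cookies and the 192.0.2.1 address are constructed for the example; the thread does not show the bytes either box actually sent, so this illustrates the rules, not a confirmed cause of the failure above.

```python
"""Minimal ISAKMP (IKEv1) parser with the sanity checks seen in the thread's logs.
All packets below are constructed for the example; none were captured from the hosts."""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # icookie, rcookie, next, version, exchange, flags, msgid, length
GEN_HDR = struct.Struct("!BBH")            # generic payload header: next payload, RESERVED, length
ID_FIXED = struct.Struct("!BBH")           # ID payload fixed part: ID type, protocol ID, port (RFC 2407 4.6.2)
NOTIFY_FIXED = struct.Struct("!IBBH")      # notification fixed part: DOI, protocol ID, SPI size, notify type

XCHG_MAIN_MODE = 2                 # Identity Protection exchange (Phase 1)
XCHG_INFORMATIONAL = 5
PAYLOAD_ID, PAYLOAD_NOTIFY = 5, 11
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID", 20: "NAT-D"}
NOTIFY_PAYLOAD_MALFORMED = 16      # RFC 2408 3.14.1
FLAG_ENCRYPTION = 0x01
ID_IPV4_ADDR, PROTO_UDP = 1, 17


def parse_isakmp(pkt):
    """Split an ISAKMP packet into a header dict and a list of (type, reserved, body) payloads."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icky, rcky, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("length field %d != packet size %d" % (length, len(pkt)))
    hdr = dict(icookie=icky, rcookie=rcky, version=ver, exchange=xchg, flags=flags, msgid=msgid)
    payloads = []
    if flags & FLAG_ENCRYPTION:   # payloads are ciphertext without the SKEYID_e; header checks still apply
        return hdr, payloads
    off = ISAKMP_HDR.size
    while nxt != 0:
        if off + GEN_HDR.size > len(pkt):
            raise ValueError("truncated payload header")
        p_next, reserved, p_len = GEN_HDR.unpack_from(pkt, off)
        if p_len < GEN_HDR.size or off + p_len > len(pkt):
            raise ValueError("bad payload length %d" % p_len)
        payloads.append((nxt, reserved, pkt[off + GEN_HDR.size:off + p_len]))
        off, nxt = off + p_len, p_next
    return hdr, payloads


def sanity_check(pkt):
    """Return a list of complaints; an empty list means the packet passed every check."""
    hdr, payloads = parse_isakmp(pkt)
    problems = []
    # Openswan's rule (wording taken from its log): an Informational exchange needs a non-zero Message ID.
    if hdr["exchange"] == XCHG_INFORMATIONAL and hdr["msgid"] == 0:
        problems.append("Informational Exchange message is invalid because it has a Message ID of 0")
    # RFC 2408 3.1: Phase 1 messages carry Message ID 0.
    if hdr["exchange"] == XCHG_MAIN_MODE and hdr["msgid"] != 0:
        problems.append("Main Mode message has non-zero Message ID 0x%08x" % hdr["msgid"])
    for ptype, reserved, body in payloads:
        name = PAYLOAD_NAMES.get(ptype, "type %d" % ptype)
        # The Cisco-style check: RESERVED in the generic payload header must be zero.
        if reserved != 0:
            problems.append("reserved not zero on %s payload" % name)
        if ptype == PAYLOAD_ID and hdr["exchange"] == XCHG_MAIN_MODE and len(body) >= ID_FIXED.size:
            _id_type, proto, port = ID_FIXED.unpack_from(body)
            # RFC 2409 5: Phase 1 ID port/protocol are zero or UDP/500; RFC 3947 allows 4500 as well.
            if (proto, port) != (0, 0) and not (proto == PROTO_UDP and port in (500, 4500)):
                problems.append("Phase 1 ID payload carries protocol %d port %d" % (proto, port))
    return problems


def notify_type(body):
    """Notify Message Type of a Notification payload body (16 = PAYLOAD-MALFORMED)."""
    return NOTIFY_FIXED.unpack_from(body)[3]


def build(exchange, msgid, payloads, flags=0):
    """Assemble a constructed ISAKMP packet from (type, reserved, body) tuples; dummy cookies."""
    body = b""
    for i, (ptype, reserved, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GEN_HDR.pack(nxt, reserved, GEN_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, exchange, flags,
                           msgid, ISAKMP_HDR.size + len(body)) + body


# Constructed samples (TEST-NET-1 address, DOI 1 = IPsec, protocol 1 = ISAKMP); not from the thread's hosts.
_ID_DATA = bytes([192, 0, 2, 1])
_MALFORMED = NOTIFY_FIXED.pack(1, 1, 0, NOTIFY_PAYLOAD_MALFORMED)
INFO_MSGID_ZERO = build(XCHG_INFORMATIONAL, 0, [(PAYLOAD_NOTIFY, 0, _MALFORMED)])
INFO_MSGID_OK = build(XCHG_INFORMATIONAL, 0x1A2B3C4D, [(PAYLOAD_NOTIFY, 0, _MALFORMED)])
ID_RESERVED_SET = build(XCHG_MAIN_MODE, 0,
                        [(PAYLOAD_ID, 0x01, ID_FIXED.pack(ID_IPV4_ADDR, PROTO_UDP, 1701) + _ID_DATA)])
ID_CLEAN = build(XCHG_MAIN_MODE, 0,
                 [(PAYLOAD_ID, 0, ID_FIXED.pack(ID_IPV4_ADDR, PROTO_UDP, 500) + _ID_DATA)])

if __name__ == "__main__":
    for label, pkt in [("info/msgid=0", INFO_MSGID_ZERO), ("info/msgid!=0", INFO_MSGID_OK),
                       ("id/reserved=1", ID_RESERVED_SET), ("id/clean", ID_CLEAN)]:
        print(label, sanity_check(pkt) or ["ok"])
```

Running it prints one line per sample packet: the first sample reproduces the Openswan complaint word for word, the third the Cisco-style one together with the RFC 2409 port rule. The checker only inspects payloads of messages whose encryption flag is clear; once that flag is set, only the header checks (exchange type and Message ID) apply, which is exactly the information a peer still has when it rejects an encrypted notification it cannot decrypt.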
</body>
</html>