<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
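Editorial note, placed ahead of the thread because the rest of this page is the two mail messages themselves: the script below is an added example, not Openswan code and not something either participant posted. It runs over pluto log lines of the kind Marcos quotes further down (the log excerpts embedded in it are copied from his two transcripts, trimmed to the lines that matter), reports whether Phase 1 (ISAKMP SA) and Phase 2 (IPsec SA) completed, and flags the exact pattern of his failure case: ISAKMP SA established, Quick Mode proposed with COMPRESS in the policy, and only NO_PROPOSAL_CHOSEN notifications back until retransmissions run out. The compress=no hint it prints is an inference from Marcos's finding about the IPcomp-proposal change in spdb_v1_struct.c, not something the thread confirms, and the regexes are written against the log format shown in the thread only.

```python
"""Triage of Openswan/pluto IKEv1 logs (added editorial example, not Openswan code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Log lines excerpted from the two transcripts quoted in the thread (2.6.22dr2 fails,
# 2.6.19 succeeds); only the lines relevant to Phase 1 / Phase 2 outcome are kept.
FAIL_LOG_2622 = """\
pluto[225]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
pluto[225]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:9b1ff4bf proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[225]: "vpn_tunnel" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""
OK_LOG_2619 = """\
pluto[268]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
pluto[268]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:2ecb3fed proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
pluto[268]: "vpn_tunnel" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[268]: "vpn_tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x066958a9 <0xa21036f0 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
"""

# Patterns match the pluto message formats visible in the thread; other versions may differ.
RE_ISAKMP = re.compile(r'"(?P<conn>[^"]+)" #\d+: STATE_MAIN_I4: ISAKMP SA established \{(?P<params>[^}]*)\}')
RE_QM = re.compile(r'#\d+: initiating Quick Mode (?P<policy>[A-Z0-9+]+) \{using isakmp#\d+ '
                   r'msgid:(?P<msgid>[0-9a-f]+) proposal=(?P<proposal>\S+) pfsgroup=(?P<pfs>\S+)\}')
RE_NOTIFY = re.compile(r'ignoring informational payload, type (?P<ntype>[A-Z_]+) msgid=(?P<msgid>[0-9a-f]+)')
RE_IPSEC = re.compile(r'IPsec SA established (?P<mode>\w+) mode \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<inn>0x[0-9a-f]+) xfrm=(?P<xfrm>\S+)')
RE_RETRANS = re.compile(r'max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)')


@dataclass
class Triage:
    conn: Optional[str] = None
    phase1: Optional[str] = None                        # ISAKMP SA parameters once Phase 1 is up
    policy: List[str] = field(default_factory=list)     # Quick Mode policy flags we proposed
    proposal: Optional[str] = None
    notifies: List[str] = field(default_factory=list)   # informational notify types received
    esp_spis: Optional[Tuple[str, str]] = None          # (outbound, inbound) SPI once Phase 2 is up
    xfrm: Optional[str] = None
    retransmit_timeout: Optional[str] = None            # state in which retransmissions ran out

    @property
    def phase1_ok(self) -> bool:
        return self.phase1 is not None

    @property
    def phase2_ok(self) -> bool:
        return self.esp_spis is not None

    def verdict(self) -> str:
        if not self.phase1_ok:
            return "phase1-incomplete"
        if self.phase2_ok:
            return "established"
        if "NO_PROPOSAL_CHOSEN" in self.notifies:
            return "phase2-rejected-by-peer"
        if self.retransmit_timeout:
            return "phase2-timeout"
        return "phase2-incomplete"

    def hints(self) -> List[str]:
        out = []
        if self.verdict() == "phase2-rejected-by-peer":
            # pluto logs the notification as ignored, so state #2 only dies on retransmit timeout.
            out.append("peer answered the Quick Mode proposal with NO_PROPOSAL_CHOSEN; pluto ignored it "
                       "and kept retransmitting until the Phase 2 state timed out")
            if "COMPRESS" in self.policy:
                # Assumption drawn from the thread, not confirmed by it: with COMPRESS in the
                # policy, newer pluto adds an IPcomp proposal that this peer rejects.
                out.append("policy carries COMPRESS: retry with compress=no to test whether the "
                           "added IPcomp proposal is what the peer rejects")
        return out


def triage(log_text: str) -> Triage:
    """Scan pluto log lines and fill in a Triage record."""
    t = Triage()
    for line in log_text.splitlines():
        if (m := RE_ISAKMP.search(line)):
            t.conn, t.phase1 = m["conn"], m["params"]
        elif (m := RE_QM.search(line)):
            t.policy, t.proposal = m["policy"].split("+"), m["proposal"]
        elif (m := RE_NOTIFY.search(line)):
            t.notifies.append(m["ntype"])
        elif (m := RE_IPSEC.search(line)):
            t.esp_spis, t.xfrm = (m["out"], m["inn"]), m["xfrm"]
        elif (m := RE_RETRANS.search(line)):
            t.retransmit_timeout = m["state"]
    return t


def summarize(t: Triage) -> str:
    lines = [f"connection {t.conn}: {t.verdict()}",
             f"  phase1: {'ok' if t.phase1_ok else 'no'} {t.phase1 or ''}",
             f"  phase2: policy={'+'.join(t.policy)} proposal={t.proposal} notifies={t.notifies}"]
    if t.phase2_ok:
        lines.append(f"  ESP out/in={t.esp_spis} xfrm={t.xfrm}")
    lines += [f"  hint: {h}" for h in t.hints()]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, log in (("openswan-2.6.22dr2", FAIL_LOG_2622), ("openswan-2.6.19", OK_LOG_2619)):
        print(name)
        print(summarize(triage(log)))
```

Running it prints "phase2-rejected-by-peer" with the COMPRESS hint for the 2.6.22dr2 excerpt and "established" with the ESP SPIs and 3DES/HMAC-MD5 transform for the 2.6.19 excerpt. The point worth keeping in mind when reading the raw logs: pluto reports each NO_PROPOSAL_CHOSEN as an ignored informational on the ISAKMP SA (#1), so the Phase 2 state (#2) never fails outright and the tunnel attempt only ends when Quick Mode retransmissions are exhausted, which is why a peer-side proposal rejection presents as a timeout.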
<br>Hi Paul,<br><br>I have more information on the difference between connecting with OpenSWAN 2.6.19 and 2.6.22dr2 to our Netgear FVS338.<br><br>To recap, using certificates, phase 2 connects with OpenSWAN 2.6.19 but does not with 2.6.22dr2.<br><br>The code change that seems to break the phase 2 portion of the connection is in /programs/pluto/spdb_v1_struct.c. If I remove this change (/* add IPcomp proposal if policy asks for it */), both 2.6.20 &amp; 2.6.22dr2 complete the IPsec SA.<br><br>marcos<br><br><br><br><hr id="stopSpelling">From: mfhacker@hotmail.com<br>To: paul@xelerance.com<br>Date: Tue, 19 May 2009 10:35:32 -0400<br>CC: users@openswan.org<br>Subject: Re: [Openswan Users] trying to connect OpenSWAN 2.6.19 to a Netgear FVS338<br><br>
<br>> Date: Mon, 18 May 2009 21:20:29 -0400<br>> From: paul@xelerance.com<br>> To: mfhacker@hotmail.com<br>> CC: users@openswan.org<br>> Subject: Re: [Openswan Users] trying to connect OpenSWAN 2.6.19 to a Netgear FVS338<br>> <br>> On Mon, 18 May 2009, Marcos Hacker wrote:<br>> <br>> > Does it make a difference if we use the whack command line or ipsec.conf?<br>> > I'm not sure why using the whack command line was chosen. It was probably<br>> > the easier route at the time.<br>> <br>> No, it does not make a difference, though the config file seems much<br>> easier to use according to me. Also, if the whack syntax changes, the<br>> config file syntax will remain the same.<br>> <br>> > If the right/Netgear certificate is not loaded on the left/Linux device<br>> > manually, then it is not sent over (after checking ipsec auto --listall).<br>> <br>> Not even with leftsendcert=always?<br>> <br>The certificate is not being sent even with leftsendcert=always, or --to --sendcert always in our case.<br><br>> > After reading about the 3/30/09 security release, I upgraded from<br>> > OpenSWAN 2.6.19 to 2.6.21 and can no longer get the IPSec SA established.<br>> > If I revert back to 2.6.19, the connection establishes as expected.<br>> > Again, in both cases, we have the public certificate from the right<br>> > manually loaded on the left.<br>> <br>> Odd. Can you try openswan-2.6.22dr2, and if it fails, give me the output<br>> with full pluto debug?<br>> <br>I tried openswan-2.6.22dr2. It fails to complete phase 2 as well. Below are the debug outputs from both openswan-2.6.19 (successfully connects) and openswan-2.6.22dr2. 
The failure case for openswan-2.6.21 looks the same as openswan-2.6.22dr2.<br><br>> > pluto[177]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established<br>> > {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5<br>> > group=modp1024}<br>> > pluto[177]: "vpn_tunnel" #2: initiating Quick Mode<br>> > RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:8499abd4<br>> > proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}<br>> > pluto[177]: "vpn_tunnel" #1: ignoring informational payload, type<br>> > NO_PROPOSAL_CHOSEN msgid=00000000<br>> <br>> Odd, the proposal is the same, the phase1 is the same, yet the remote<br>> rejected it. It would definitely help to get both pluto debug logs<br>> (2.6.21 and 2.6.22dr2)<br>> <br>> Paul<br><br>OpenSWAN 2.6.22dr2 output<br><br>sh-2.05b# ipsec whack --initiate --asynchronous --name vpn_tunnel --debug-x509<br>pluto[225]: "vpn_tunnel": extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: none<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: none<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: initiating Main Mode<br>002 "vpn_tunnel": extra debugging enabled for connection: x509<br>002 "vpn_tunnel" #1: extra debugging enabled for connection: none<br>002 "vpn_tunnel" #1: extra debugging enabled for connection: none<br>002 "vpn_tunnel" #1: initiating Main Mode<br>104 "vpn_tunnel" #1: STATE_MAIN_I1: initiate<br>sh-2.05b# pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]<br>pluto[225]: "vpn_tunnel" #1: ignoring Vendor ID payload [KAME/racoon]<br>pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[225]: | 
processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>pluto[225]: "vpn_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: ignoring Vendor ID payload [KAME/racoon]<br>pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: I am sending my cert<br>pluto[225]: "vpn_tunnel" #1: I am sending a certificate request<br>pluto[225]: "vpn_tunnel" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>pluto[225]: "vpn_tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '130.168.1.2'<br>pluto[225]: | subject: 'C=US, ST=Florida, O=Corp, OU=Group, CN=Device'<br>pluto[225]: | issuer: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'<br>pluto[225]: | not before : May 15 13:19:17 UTC 2009<br>pluto[225]: | current time: May 19 14:53:31 UTC 2009<br>pluto[225]: | not after : May 15 13:19:17 UTC 2010<br>pluto[225]: | valid certificate for "C=US, ST=Florida, O=Corp, OU=Group, CN=Device"<br>pluto[225]: | issuer cacert "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found<br>pluto[225]: | signature algorithm: 'sha-1WithRSAEncryption'<br>pluto[225]: | valid certificate signature (C=US, ST=Florida, O=Corporation, OU=Group, CN=Device -> C=US, ST=Florida, O=Corp, OU=Group, CN=Device)<br>pluto[225]: "vpn_tunnel" #1: no crl from issuer "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found (strict=no)<br>pluto[225]: | subject: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'<br>pluto[225]: | issuer: 'C=US, ST=Florida, O=Corporation, OU=Group, 
CN=Device'<br>pluto[225]: | authkey: d3:6b:70:0c:93:8b:60:d0:78:54:24:b2:d3:7e:5e:ff:af:13:8d:0f<br>pluto[225]: | not before : Jan 01 00:00:00 UTC 2000<br>pluto[225]: | current time: May 19 14:53:31 UTC 2009<br>pluto[225]: | not after : Dec 31 23:59:59 UTC 2037<br>pluto[225]: | valid certificate for "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device"<br>pluto[225]: | issuer cacert "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found<br>pluto[225]: | signature algorithm: 'sha-1WithRSAEncryption'<br>pluto[225]: | valid certificate signature (C=US, ST=Florida, O=Corporation, OU=Group, CN=Device -> C=US, ST=Florida, O=Corporation, OU=Group, CN=Device)<br>pluto[225]: | Public key validated<br>pluto[225]: | trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device<br>pluto[225]: "vpn_tunnel" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<br>pluto[225]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}<br>pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: none<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:9b1ff4bf proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}<br>pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<br>pluto[225]: "vpn_tunnel" #1: received and ignored informational message<br>pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: ignoring 
informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000<br>pluto[225]: "vpn_tunnel" #1: received and ignored informational message<br>pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000<br>pluto[225]: "vpn_tunnel" #1: received and ignored informational message<br>pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000<br>pluto[225]: "vpn_tunnel" #1: received and ignored informational message<br>pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: x509<br>pluto[225]: | processing connection vpn_tunnel<br>pluto[225]: "vpn_tunnel" #2: max number of retransmissions (2) reached STATE_QUICK_I1. 
No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<br><br>OpenSWAN 2.6.19 output <br><br>sh-2.05b# ipsec whack --initiate --asynchronous --name vpn_tunnel --debug-x509<br>pluto[268]: "vpn_tunnel": extra debugging enabled for connection: x509<br>pluto[268]: | processing connection vpn_tunnel<br>pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: none<br>pluto[268]: | processing connection vpn_tunnel<br>pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: none<br>pluto[268]: | processing connection vpn_tunnel<br>pluto[268]: "vpn_tunnel" #1: initiating Main Mode<br>002 "vpn_tunnel": extra debugging enabled for connection: x509<br>002 "vpn_tunnel" #1: extra debugging enabled for connection: none<br>002 "vpn_tunnel" #1: extra debugging enabled for connection: none<br>002 "vpn_tunnel" #1: initiating Main Mode<br>104 "vpn_tunnel" #1: STATE_MAIN_I1: initiate<br>sh-2.05b# pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[268]: | processing connection vpn_tunnel<br>pluto[268]: "vpn_tunnel" #1: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]<br>pluto[268]: "vpn_tunnel" #1: ignoring Vendor ID payload [KAME/racoon]<br>pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[268]: | processing connection vpn_tunnel<br>pluto[268]: "vpn_tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>pluto[268]: "vpn_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[268]: | processing connection vpn_tunnel<br>pluto[268]: "vpn_tunnel" #1: ignoring Vendor ID payload [KAME/racoon]<br>pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[268]: | processing connection vpn_tunnel<br>pluto[268]: "vpn_tunnel" #1: I am sending my cert<br>pluto[268]: "vpn_tunnel" #1: I am sending a certificate request<br>pluto[268]: 
"vpn_tunnel" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>pluto[268]: "vpn_tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[268]: | processing connection vpn_tunnel<br>pluto[268]: "vpn_tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '130.168.1.2'<br>pluto[268]: | subject: 'C=US, ST=Florida, O=Corp, OU=Group, CN=Device'<br>pluto[268]: | issuer: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'<br>pluto[268]: | not before : May 15 13:19:17 UTC 2009<br>pluto[268]: | current time: May 19 14:54:48 UTC 2009<br>pluto[268]: | not after : May 15 13:19:17 UTC 2010<br>pluto[268]: | valid certificate for "C=US, ST=Florida, O=Corp, OU=Group, CN=Device"<br>pluto[268]: | issuer cacert "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found<br>pluto[268]: | signature algorithm: 'sha-1WithRSAEncryption'<br>pluto[268]: | valid certificate signature (C=US, ST=Florida, O=Corporation, OU=Group, CN=Device -> C=US, ST=Florida, O=Corp, OU=Group, CN=Device)<br>pluto[268]: "vpn_tunnel" #1: no crl from issuer "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found (strict=no)<br>pluto[268]: | subject: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'<br>pluto[268]: | issuer: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'<br>pluto[268]: | authkey: d3:6b:70:0c:93:8b:60:d0:78:54:24:b2:d3:7e:5e:ff:af:13:8d:0f<br>pluto[268]: | not before : Jan 01 00:00:00 UTC 2000<br>pluto[268]: | current time: May 19 14:54:48 UTC 2009<br>pluto[268]: | not after : Dec 31 23:59:59 UTC 2037<br>pluto[268]: | valid certificate for "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device"<br>pluto[268]: | issuer cacert "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found<br>pluto[268]: | signature algorithm: 'sha-1WithRSAEncryption'<br>pluto[268]: | valid certificate signature (C=US, ST=Florida, O=Corporation, OU=Group, CN=Device -> C=US, ST=Florida, O=Corporation, OU=Group, 
CN=Device)<br>pluto[268]: | Public key validated<br>pluto[268]: | trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device<br>pluto[268]: "vpn_tunnel" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<br>pluto[268]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}<br>pluto[268]: "vpn_tunnel" #2: extra debugging enabled for connection: none<br>pluto[268]: | processing connection vpn_tunnel<br>pluto[268]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:2ecb3fed proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}<br>pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509<br>pluto[268]: | processing connection vpn_tunnel<br>pluto[268]: "vpn_tunnel" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<br>pluto[268]: "vpn_tunnel" #1: received and ignored informational message<br>pluto[268]: "vpn_tunnel" #2: extra debugging enabled for connection: x509<br>pluto[268]: | processing connection vpn_tunnel<br>pluto[268]: "vpn_tunnel" #2: extra debugging enabled for connection: x509<br>pluto[268]: | processing connection vpn_tunnel<br>pluto[268]: | trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device<br>pluto[268]: | trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device<br>pluto[268]: | trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device<br>pluto[268]: "vpn_tunnel" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<br>pluto[268]: "vpn_tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x066958a9 <0xa21036f0 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none 
DPD=none}<br><br>marcos<br><br></body>
</html>