<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content=text/html;charset=iso-8859-1>
<META content="MSHTML 6.00.6001.18294" name=GENERATOR></HEAD>
<BODY id=MailContainerBody
style="PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-TOP: 15px" leftMargin=0
topMargin=0 CanvasTabStop="true" name="Compose message area">
<DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2>I think I almost got this thing licked.... I built
certs and applied them to the cacerts and certs directories... My ipsec.conf looks
like this (IPs hidden to protect the innocent):</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>##################### openswan config
##########################<BR># file: /etc/ipsec.conf<BR>#<BR># openswan config
for connecting openswan <-> netgear srxn3250</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>version 2.0 # conforms to
version 2.0 and newer</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>config setup<BR>
plutodebug="none"</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>conn srxn3250<BR>
type=tunnel<BR> authby=secret<BR>
keyexchange=ike<BR> auto=start<BR>
pfs=no<BR> aggrmode=yes<BR>
ike=3des-sha1-modp1024<BR> esp=3des-sha1<BR>
# LOCAL<BR> left=%defaultroute<BR>
leftsubnet=192.168.22.0/24<BR> leftid=me@test1.me.org<BR>
# REMOTE<BR> right=nextwave.org<BR>
rightsubnet=192.168.0.0/24<BR>
rightnexthop=%defaultroute # might be not
necessary<BR> rightid=tstrike29@tordenlyn.org<BR>###############################################################</FONT></DIV>
<DIV> </DIV><FONT face=Arial size=2>
<DIV><BR>################# openswan preshared key ######################<BR>#
file: /etc/ipsec.secrets<BR>#<BR>: PSK "yuckmiestersblahblah"</DIV>
<DIV> </DIV>
<DIV>###############################################################</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Ok I have the cert loaded into the Netgear router... I configured its mode
as aggressive and lined it up to match the settings from Openswan... when I make
the VPN connection I get these in my secure log:</DIV>
<DIV> </DIV>
<DIV>transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<BR>Aug 22
12:06:08 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3:
STATE_MAIN_I2: sent MI2, expecting MR2<BR>Aug 22 12:06:09 whiskers8
pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: ignoring Vendor ID
payload [KAME/racoon]<BR>Aug 22 12:06:09 whiskers8 pluto[18642]:
"openswan-whiskers8-whiskerslyn-netgear" #3: I am sending my cert<BR>Aug 22
12:06:09 whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: I
am sending a certificate request<BR>Aug 22 12:06:09 whiskers8 pluto[18642]:
"openswan-whiskers8-whiskerslyn-netgear" #3: transition from state STATE_MAIN_I2
to state STATE_MAIN_I3<BR>Aug 22 12:06:09 whiskers8 pluto[18642]:
"openswan-whiskers8-whiskerslyn-netgear" #3: STATE_MAIN_I3: sent MI3, expecting
MR3<BR>Aug 22 12:06:09 whiskers8 pluto[18642]:
"openswan-whiskers8-whiskerslyn-netgear" #3: next payload type of ISAKMP Hash
Payload has an unknown value: 61<BR>Aug 22 12:06:09 whiskers8 pluto[18642]:
"openswan-whiskers8-whiskerslyn-netgear" #3: malformed payload in packet<BR>Aug
22 12:06:09 whiskers8 pluto[18642]: | payload malformed after IV<BR>Aug 22
12:06:09 whiskers8 pluto[18642]: | 31 8a 4a f0 bd 04 24
f0<BR>Aug 22 12:06:09 whiskers8 pluto[18642]:
"openswan-whiskers8-whiskerslyn-netgear" #3: sending notification
PAYLOAD_MALFORMED to 12.234.22.224:500<BR>Aug 22 12:06:19 whiskers8
pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear" #3: discarding duplicate
packet; already STATE_MAIN_I3<BR>Aug 22 12:06:59 whiskers8 last message repeated
4 times<BR>Aug 22 12:07:19 whiskers8 pluto[18642]:
"openswan-whiskers8-whiskerslyn-netgear" #3: max number of retransmissions (2)
reached STATE_MAIN_I3. Possible authentication failure: no acceptable
response to our first encrypted message<BR>Aug 22 13:31:29 whiskers8
pluto[18642]: shutting down<BR>Aug 22 13:31:29 whiskers8 pluto[18642]:
forgetting secrets<BR>Aug 22 13:31:29 whiskers8 pluto[18642]:
"openswan-whiskers8-whiskerslyn-netgear": deleting connection<BR>Aug 22 13:31:29
whiskers8 pluto[18642]: "openswan-whiskers8-whiskerslyn-netgear": request to
delete a unrouted policy with netkey kernel --- experimental<BR>Aug 22 13:31:29
whiskers8 pluto[18642]: shutting down interface lo/lo ::1:500<BR>Aug 22 13:31:29
whiskers8 pluto[18642]: shutting down interface lo/lo 127.0.0.1:4500<BR>Aug 22
13:31:29 whiskers8 pluto[18642]: shutting down interface lo/lo
127.0.0.1:500<BR>Aug 22 13:31:29 whiskers8 pluto[18642]: shutting down interface
virbr0/virbr0 192.168.122.1:4500<BR>Aug 22 13:31:29 whiskers8 pluto[18642]:
shutting down interface virbr0/virbr0 192.168.122.1:500<BR>Aug 22 13:31:29
whiskers8 pluto[18642]: shutting down interface eth0/eth0
22.123.34.56:4500<BR>Aug 22 13:31:29 whiskers8 pluto[18642]: shutting down
interface eth0/eth0 22.123.34.56:500<BR>Aug 22 13:32:08 whiskers8 sshd[1899]:
Accepted password for root from 12.234.22.224 port 55104 ssh2<BR>Aug 22 13:32:08
whiskers8 sshd[1899]: pam_unix(sshd:session): session opened for user root by
(uid=0)<BR>Aug 22 13:32:53 whiskers8 sshd[2776]: Accepted password for root from
12.234.22.224 port 55124 ssh2<BR>Aug 22 13:32:53 whiskers8 sshd[2776]:
pam_unix(sshd:session): session opened for user root by (uid=0)<BR>Aug 22
13:39:50 whiskers8 ipsec__plutorun: Starting Pluto subsystem...<BR>Aug 22
13:39:50 whiskers8 pluto[9419]: Starting Pluto (Openswan Version 2.6.14; Vendor
ID OEoSJUweaqAX) pid:9419<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: Setting
NAT-Traversal port-4500 floating to on<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: port floating activation criteria
nat_t=1/port_float=1<BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
including NAT-Traversal patch (Version 0.6c)<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: using /dev/urandom as source of random entropy<BR>Aug 22 13:39:50
whiskers8 pluto[9419]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<BR>Aug 22
13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)<BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<BR>Aug 22 13:39:50
whiskers8 pluto[9419]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC:
Ok (ret=0)<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)<BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)<BR>Aug 22
13:39:50 whiskers8 pluto[9419]: starting up 3 cryptographic helpers<BR>Aug 22
13:39:50 whiskers8 pluto[9425]: using /dev/urandom as source of random
entropy<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: started helper pid=9425
(fd:7)<BR>Aug 22 13:39:50 whiskers8 pluto[9427]: using /dev/urandom as source of
random entropy<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: started helper pid=9427
(fd:8)<BR>Aug 22 13:39:50 whiskers8 pluto[9433]: using /dev/urandom as source of
random entropy<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: started helper pid=9433
(fd:9)<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: Using Linux 2.6 IPsec interface
code on 2.6.18-128.2.1.el5xen (experimental code)<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names <BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)<BR>Aug 22 13:39:50
whiskers8 pluto[9419]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names <BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
ike_alg_add(): ERROR: Algorithm already exists<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: ike_alg_register_enc(): Activating <NULL>: FAILED
(ret=-17)<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names <BR>Aug 22
13:39:50 whiskers8 pluto[9419]: ike_alg_add(): ERROR: Algorithm already
exists<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names <BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
ike_alg_add(): ERROR: Algorithm already exists<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: ike_alg_register_enc(): Activating <NULL>: FAILED
(ret=-17)<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names <BR>Aug 22
13:39:50 whiskers8 pluto[9419]: ike_alg_add(): ERROR: Algorithm already
exists<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names <BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
ike_alg_add(): ERROR: Algorithm already exists<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: ike_alg_register_enc(): Activating <NULL>: FAILED
(ret=-17)<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: Changed path to directory
'/etc/ipsec.d/cacerts'<BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
loaded CA cert file 'ca-cert.pem' (1114 bytes)<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: no passphrase available<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: Could not change to directory '/etc/ipsec.d/aacerts': /<BR>Aug 22
13:39:50 whiskers8 pluto[9419]: Could not change to directory
'/etc/ipsec.d/ocspcerts': /<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: Could not
change to directory '/etc/ipsec.d/crls'<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: Changing back to directory '/' failed - (2 No such file or
directory)<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: Changing back to directory
'/' failed - (2 No such file or directory)<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: loading certificate from ca-crl.pem <BR>Aug 22 13:39:50 whiskers8
pluto[9419]: loaded host cert file '/etc/ipsec.d/certs/ca-crl.pem'
(2476 bytes)<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: added connection
description "openswan-whiskers8-whiskerslyn-netgear"<BR>Aug 22 13:39:50
whiskers8 pluto[9419]: listening for IKE messages<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: adding interface eth0/eth0 22.123.34.56:500<BR>Aug 22 13:39:50
whiskers8 pluto[9419]: adding interface eth0/eth0 22.123.34.56:4500<BR>Aug 22
13:39:50 whiskers8 pluto[9419]: adding interface virbr0/virbr0
192.168.122.1:500<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: adding interface
virbr0/virbr0 192.168.122.1:4500<BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
adding interface lo/lo 127.0.0.1:500<BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
adding interface lo/lo 127.0.0.1:4500<BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
adding interface lo/lo ::1:500<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: loading
secrets from "/etc/ipsec.secrets"<BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
loading secrets from "/etc/ipsec.d/ipsec.secrets"<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: loaded private key file '/etc/ipsec.d/openswan.pem'
(887 bytes)<BR>Aug 22 13:39:50 whiskers8 pluto[9419]: loaded private key for
keyid: PPK_RSA:AwEAAejdU<BR>Aug 22 13:39:50 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear": request to add a prospective erouted
policy with netkey kernel --- experimental<BR>Aug 22 13:39:50 whiskers8
pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: initiating Main
Mode<BR>Aug 22 13:39:51 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: ignoring unknown Vendor ID payload
[3b9031dce4fcf88b489a923963dd0c49]<BR>Aug 22 13:39:51 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: ignoring Vendor ID payload
[KAME/racoon]<BR>Aug 22 13:39:51 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: transition from state STATE_MAIN_I1
to state STATE_MAIN_I2<BR>Aug 22 13:39:51 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: STATE_MAIN_I2: sent MI2, expecting
MR2<BR>Aug 22 13:39:51 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: ignoring Vendor ID payload
[KAME/racoon]<BR>Aug 22 13:39:51 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: I am sending my cert<BR>Aug 22
13:39:51 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: I
am sending a certificate request<BR>Aug 22 13:39:51 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: transition from state STATE_MAIN_I2
to state STATE_MAIN_I3<BR>Aug 22 13:39:51 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: STATE_MAIN_I3: sent MI3, expecting
MR3<BR>Aug 22 13:39:51 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: next payload type of ISAKMP Hash
Payload has an unknown value: 67<BR>Aug 22 13:39:51 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: malformed payload in packet<BR>Aug
22 13:39:51 whiskers8 pluto[9419]: | payload malformed after IV<BR>Aug 22
13:39:51 whiskers8 pluto[9419]: | 6b c1 3c 13 9b 4f 55
03<BR>Aug 22 13:39:51 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: sending notification
PAYLOAD_MALFORMED to 12.234.22.224:500<BR>Aug 22 13:40:01 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: discarding duplicate packet;
already STATE_MAIN_I3<BR>Aug 22 13:40:41 whiskers8 last message repeated 4
times<BR>Aug 22 13:41:01 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #1: max number of retransmissions (2)
reached STATE_MAIN_I3. Possible authentication failure: no acceptable
response to our first encrypted message<BR>Aug 22 13:41:01 whiskers8
pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #1: starting keying
attempt 2 of at most 3<BR>Aug 22 13:41:01 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: initiating Main Mode to replace
#1<BR>Aug 22 13:41:01 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: ignoring unknown Vendor ID payload
[3b9031dce4fcf88b489a923963dd0c49]<BR>Aug 22 13:41:01 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: ignoring Vendor ID payload
[KAME/racoon]<BR>Aug 22 13:41:01 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: transition from state STATE_MAIN_I1
to state STATE_MAIN_I2<BR>Aug 22 13:41:01 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: STATE_MAIN_I2: sent MI2, expecting
MR2<BR>Aug 22 13:41:02 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: ignoring Vendor ID payload
[KAME/racoon]<BR>Aug 22 13:41:02 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: I am sending my cert<BR>Aug 22
13:41:02 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: I
am sending a certificate request<BR>Aug 22 13:41:02 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: transition from state STATE_MAIN_I2
to state STATE_MAIN_I3<BR>Aug 22 13:41:02 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: STATE_MAIN_I3: sent MI3, expecting
MR3<BR>Aug 22 13:41:02 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: next payload type of ISAKMP Hash
Payload has an unknown value: 65<BR>Aug 22 13:41:02 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: malformed payload in packet<BR>Aug
22 13:41:02 whiskers8 pluto[9419]: | payload malformed after IV<BR>Aug 22
13:41:02 whiskers8 pluto[9419]: | e7 c7 a5 28 42 12 59
b4<BR>Aug 22 13:41:02 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: sending notification
PAYLOAD_MALFORMED to 12.234.22.224:500</DIV>
<DIV>Aug 22 13:41:12 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: discarding duplicate packet;
already STATE_MAIN_I3<BR>Aug 22 13:41:52 whiskers8 last message repeated 4
times<BR>Aug 22 13:42:12 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #2: max number of retransmissions (2)
reached STATE_MAIN_I3. Possible authentication failure: no acceptable
response to our first encrypted message<BR>Aug 22 13:42:12 whiskers8
pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #2: starting keying
attempt 3 of at most 3<BR>Aug 22 13:42:12 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #3: initiating Main Mode to replace
#2<BR>Aug 22 13:42:12 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #3: ignoring unknown Vendor ID payload
[3b9031dce4fcf88b489a923963dd0c49]<BR>Aug 22 13:42:12 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #3: ignoring Vendor ID payload
[KAME/racoon]<BR>Aug 22 13:42:12 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #3: transition from state STATE_MAIN_I1
to state STATE_MAIN_I2<BR>Aug 22 13:42:12 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #3: STATE_MAIN_I2: sent MI2, expecting
MR2<BR>Aug 22 13:42:13 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #3: ignoring Vendor ID payload
[KAME/racoon]<BR>Aug 22 13:42:13 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #3: I am sending my cert<BR>Aug 22
13:42:13 whiskers8 pluto[9419]: "openswan-whiskers8-whiskerslyn-netgear" #3: I
am sending a certificate request<BR>Aug 22 13:42:13 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #3: transition from state STATE_MAIN_I2
to state STATE_MAIN_I3<BR>Aug 22 13:42:13 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #3: STATE_MAIN_I3: sent MI3, expecting
MR3<BR>Aug 22 13:42:13 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #3: byte 2 of ISAKMP Hash Payload must
be zero, but is not<BR>Aug 22 13:42:13 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #3: malformed payload in packet<BR>Aug
22 13:42:13 whiskers8 pluto[9419]: | payload malformed after IV<BR>Aug 22
13:42:13 whiskers8 pluto[9419]: | 94 39 d3 e8 8f b2 15
46<BR>Aug 22 13:42:13 whiskers8 pluto[9419]:
"openswan-whiskers8-whiskerslyn-netgear" #3: sending notification
PAYLOAD_MALFORMED to 12.234.22.224:500</DIV>
<DIV> </DIV>
<DIV>Ok this is what I get from Netgear:</DIV>
<DIV> </DIV>
<DIV>2009 Aug 22 13:39:50 [SRXN3205] [IKE] Configuration found for 22.123.34.56[500].<BR>
2009 Aug 22 13:39:50 [SRXN3205] [IKE] Received request for new phase 1 negotiation: 12.234.22.224[500]<=>22.123.34.56[500]<BR>
2009 Aug 22 13:39:50 [SRXN3205] [IKE] Beginning Identity Protection mode.<BR>
2009 Aug 22 13:39:50 [SRXN3205] [IKE] Received unknown Vendor ID<BR>
- Last output repeated 3 times -<BR>
2009 Aug 22 13:39:50 [SRXN3205] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02<BR>
2009 Aug 22 13:39:50 [SRXN3205] [IKE] Received unknown Vendor ID<BR>
2009 Aug 22 13:39:51 [SRXN3205] [IKE] <BR>
2009 Aug 22 13:39:51 [SRXN3205] [IKE] failed to get subjectAltName<BR>
2009 Aug 22 13:39:51 [SRXN3205] [IKE] Sending Informational Exchange: notify payload[INVALID-CERTIFICATE]<BR>
2009 Aug 22 13:39:51 [SRXN3205] [IKE] Ignore information because the message has no hash payload.<BR>
2009 Aug 22 13:40:01 [SRXN3205] [IKE] Received Malformed packet of payload length 47129 and total length 896.<BR>
- Last output repeated twice -<BR>
2009 Aug 22 13:40:51 [SRXN3205] [IKE] Phase 1 negotiation failed due to time up for 22.123.34.56[500]. 68d87053cd47ca7d:f63c79f3ab9eb9f0<BR>
2009 Aug 22 13:41:01 [SRXN3205] [IKE] Configuration found for 22.123.34.56[500].<BR>
2009 Aug 22 13:41:01 [SRXN3205] [IKE] Received request for new phase 1 negotiation: 12.234.22.224[500]<=>22.123.34.56[500]<BR>
2009 Aug 22 13:41:01 [SRXN3205] [IKE] Beginning Identity Protection mode.<BR>
2009 Aug 22 13:41:01 [SRXN3205] [IKE] Received unknown Vendor ID<BR>
- Last output repeated 3 times -<BR>
2009 Aug 22 13:41:01 [SRXN3205] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02<BR>
2009 Aug 22 13:41:01 [SRXN3205] [IKE] Received unknown Vendor ID<BR>
2009 Aug 22 13:41:02 [SRXN3205] [IKE] <BR>
2009 Aug 22 13:41:02 [SRXN3205] [IKE] failed to get subjectAltName<BR>
2009 Aug 22 13:41:02 [SRXN3205] [IKE] Sending Informational Exchange: notify payload[INVALID-CERTIFICATE]<BR>
2009 Aug 22 13:41:02 [SRXN3205] [IKE] Ignore information because the message has no hash payload.<BR>
2009 Aug 22 13:41:12 [SRXN3205] [IKE] Received Malformed packet of payload length 3943 and total length 896.<BR>
- Last output repeated twice -<BR>
2009 Aug 22 13:42:02 [SRXN3205] [IKE] Phase 1 negotiation failed due to time up for 22.123.34.56[500]. e402c68e7572d7ff:8b4106bf8a772257<BR>
2009 Aug 22 13:42:12 [SRXN3205] [IKE] Configuration found for 22.123.34.56[500].<BR>
2009 Aug 22 13:42:12 [SRXN3205] [IKE] Received request for new phase 1 negotiation: 12.234.22.224[500]<=>22.123.34.56[500]<BR>
2009 Aug 22 13:42:12 [SRXN3205] [IKE] Beginning Identity Protection mode.<BR>
2009 Aug 22 13:42:12 [SRXN3205] [IKE] Received unknown Vendor ID<BR>
- Last output repeated 3 times -<BR>
2009 Aug 22 13:42:12 [SRXN3205] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02<BR>
2009 Aug 22 13:42:12 [SRXN3205] [IKE] Received unknown Vendor ID<BR>
2009 Aug 22 13:42:13 [SRXN3205] [IKE] <BR>
2009 Aug 22 13:42:13 [SRXN3205] [IKE] failed to get subjectAltName<BR>
2009 Aug 22 13:42:13 [SRXN3205] [IKE] Sending Informational Exchange: notify payload[INVALID-CERTIFICATE]<BR>
2009 Aug 22 13:42:13 [SRXN3205] [IKE] Ignore information because the message has no hash payload.<BR>
2009 Aug 22 13:42:23 [SRXN3205] [IKE] Received Malformed packet of payload length 10579 and total length 896.<BR>
- Last output repeated twice -<BR>
2009 Aug 22 13:43:13 [SRXN3205] [IKE] Phase 1 negotiation failed due to time up for 22.123.34.56[500]. 4534cc75d0e8c5f5:5d9a4bd2419acb90<BR></DIV>
<DIV> </DIV>
<DIV>Did I completely screw something up in my config?</DIV>
<DIV> </DIV>
<DIV>Wait, there is more: ipsec verify</DIV>
<DIV> </DIV>
<DIV><SPAN lang=EN>
<P>Checking your system to see if IPsec got installed and started correctly:</P>
<P>Version check and ipsec on-path [OK]</P>
<P>Linux Openswan U2.6.14/K2.6.18-128.2.1.el5xen (netkey)</P>
<P>Checking for IPsec support in kernel [OK]</P>
<P>NETKEY detected, testing for disabled ICMP send_redirects [FAILED]</P>
<P>Please disable /proc/sys/net/ipv4/conf/*/send_redirects</P>
<P>or NETKEY will cause the sending of bogus ICMP redirects!</P>
<P>NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]</P>
<P>Please disable /proc/sys/net/ipv4/conf/*/accept_redirects</P>
<P>or NETKEY will accept bogus ICMP redirects!</P>
<P>Checking for RSA private key (/etc/ipsec.secrets) [OK]</P>
<P>Checking that pluto is running [OK]</P>
<P>Two or more interfaces found, checking IP forwarding [OK]</P>
<P>Checking NAT and MASQUERADEing </P>
<P>Checking for 'ip' command [OK]</P>
<P>Checking for 'iptables' command [OK]</P>
<P>Opportunistic Encryption DNS checks:</P>
<P>Looking for TXT in forward dns zone: whiskers8.me.org [MISSING]</P>
<P>Does the machine have at least one non-private address? [OK]</P>
<P>Looking for TXT in reverse dns zone: 6.137.198.209.in-addr.arpa. [MISSING]</P></SPAN></DIV>
<DIV> </DIV>
<DIV>Did I screw this up?</DIV>
<DIV> </DIV>
<DIV>JT</DIV>
<DIV> </DIV>
<DIV> </DIV>
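<DIV>An added check, not part of JT's post and not Openswan or Netgear code: the router log above reports "failed to get subjectAltName" and then sends INVALID-CERTIFICATE. The SRXN3205's IKE daemon announces itself as KAME/racoon, and racoon validates a peer identity of the form user@fqdn or fqdn by looking for it in the subjectAltName of the certificate the peer sent, so a host certificate that only carries a subject DN is rejected even when it chains to the installed CA. The script below tests whether a certificate contains a given leftid/rightid as an rfc822Name (email:) or dNSName (DNS:) entry, and can mint a throw-away self-signed certificate to exercise the check. The file names, the identities and the test certificate are illustrative assumptions; it needs the openssl command on PATH.</DIV>
<PRE>
```sh
#!/bin/sh
# Added example (not from the original post): does an IKE host certificate
# carry the identity we claim as leftid/rightid in its subjectAltName?
# A racoon-based responder matches a USER_FQDN or FQDN identity against the
# peer certificate's SAN; when the name is absent it logs
# "failed to get subjectAltName" and answers with INVALID-CERTIFICATE.
# Requires the openssl command line tool. File names and identities used
# below are illustrative assumptions.

# cert_san_list CERT.pem
# Prints the certificate's SAN entries as one comma-separated line with
# spaces removed, e.g. "email:me@test1.me.org,DNS:whiskers8.me.org".
# Parses the -text output so it works on OpenSSL releases without -ext.
cert_san_list() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr -d ' '
}

# cert_has_san_id CERT.pem ID
# An ID of the form user@fqdn must appear as an rfc822Name (email:), any
# other ID as a dNSName (DNS:). Returns 0 when present, 1 otherwise.
# Comparison is exact and case-sensitive, like the peer's will be.
cert_has_san_id() {
    cert=$1
    id=$2
    case $id in
        *@*) needle="email:$id" ;;
        *)   needle="DNS:$id" ;;
    esac
    case ",$(cert_san_list "$cert")," in
        *",$needle,"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# make_test_cert DIR SAN
# Generates a throw-away self-signed certificate with the given SAN string
# (OpenSSL syntax, e.g. "email:me@test1.me.org, DNS:whiskers8.me.org") so
# the check can be exercised without touching /etc/ipsec.d. A config file
# is used instead of -addext so it also works before OpenSSL 1.1.1.
make_test_cert() {
    dir=$1
    san=$2
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3\nprompt = no\n[dn]\nCN = whiskers8.me.org\n[v3]\nsubjectAltName = %s\n' "$san" > "$dir/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/san.cnf" >/dev/null 2>&1
}

# Run directly: ./cert_san_check.sh /etc/ipsec.d/certs/host.pem me@test1.me.org
if [ $# -eq 2 ]; then
    if cert_has_san_id "$1" "$2"; then
        echo "OK: $2 is in subjectAltName of $1 ($(cert_san_list "$1"))"
    else
        echo "MISSING: $2 is not in subjectAltName of $1 (found: $(cert_san_list "$1"))"
        exit 1
    fi
fi
```
</PRE>
<DIV>Run it against the certificate named by leftcert with the exact string used as leftid; if it prints MISSING, the certificate has to be reissued with that name in its subjectAltName (or leftid changed to a name the certificate does carry) before the Netgear will accept it.</DIV>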
<DIV> </DIV>
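<DIV>An added example for the two FAILED lines in the ipsec verify output above; it is not from the original post or from Openswan. With the NETKEY stack the kernel both tunnels and routes, so it will emit ICMP redirects for traffic it is about to encrypt and will honour redirects from the wire, which is why ipsec verify wants send_redirects and accept_redirects off on every interface. The script reports which knobs are still enabled, turns them off, and records the change in sysctl.conf. The conf directory is a parameter so the functions can be exercised on a copy; on a real host it is /proc/sys/net/ipv4/conf and the write needs root. That /etc/sysctl.conf is the file the distribution reads at boot is an assumption.</DIV>
<PRE>
```sh
#!/bin/sh
# Added example (not from the original post): the two checks that
# "ipsec verify" reported FAILED, with the fix it asks for.
# Linux ORs conf/all/send_redirects with the per-interface value, so every
# file under the conf directory is written, not only all/ and default/.
# Assumptions: the conf directory layout of /proc/sys/net/ipv4/conf, and
# /etc/sysctl.conf as the persistent settings file.

IPV4_CONF=${IPV4_CONF:-/proc/sys/net/ipv4/conf}

# redirects_status [confdir]
# Prints every send_redirects/accept_redirects file that is still enabled.
# Returns 0 when all are disabled, 1 when at least one is not.
redirects_status() {
    confdir=${1:-$IPV4_CONF}
    bad=0
    for knob in send_redirects accept_redirects; do
        for f in "$confdir"/*/"$knob"; do
            [ -f "$f" ] || continue
            if [ "$(cat "$f")" != "0" ]; then
                echo "ENABLED: $f"
                bad=1
            fi
        done
    done
    return $bad
}

# disable_redirects [confdir]
# Writes 0 to every send_redirects and accept_redirects file under confdir
# (all, default and each interface), which is the runtime fix.
disable_redirects() {
    confdir=${1:-$IPV4_CONF}
    for knob in send_redirects accept_redirects; do
        for f in "$confdir"/*/"$knob"; do
            [ -f "$f" ] || continue
            echo 0 > "$f"
        done
    done
}

# persist_redirects [sysctl.conf]
# Appends the all/default entries so the setting survives a reboot; skips
# keys the file already has so repeated runs do not duplicate lines.
persist_redirects() {
    conf=${1:-/etc/sysctl.conf}
    for knob in send_redirects accept_redirects; do
        for scope in all default; do
            key="net.ipv4.conf.$scope.$knob"
            if ! grep -q "^$key[[:space:]]*=" "$conf" 2>/dev/null; then
                echo "$key = 0" >> "$conf"
            fi
        done
    done
}

# Run directly: ./redirects.sh status   (report only)
#               ./redirects.sh fix      (disable at runtime and persist; as root)
case ${1:-} in
    status) redirects_status ;;
    fix)    disable_redirects; persist_redirects; redirects_status ;;
esac
```
</PRE>
<DIV>After "fix", rerun ipsec verify: both NETKEY redirect checks should now read OK, and the remaining MISSING lines (the Opportunistic Encryption TXT records) are unrelated to a configured site-to-site tunnel.</DIV>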
<DIV></FONT><FONT face="Times New Roman"
size=3></FONT> </DIV></FONT></DIV></BODY></HTML>