<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content=text/html;charset=iso-8859-1>
<META content="MSHTML 6.00.6001.18294" name=GENERATOR></HEAD>
<BODY id=MailContainerBody
style="PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-TOP: 15px" leftMargin=0
topMargin=0 CanvasTabStop="true" name="Compose message area">
<DIV>To all:<BR><BR>I have researched all the material that in the
archives.<BR><BR>I configured V-IPSecure for Ike VPN with certificates. After
following the instructions for generating certificates (to include a key) I
attempted to start connection to a Openswan VPN gateway. We reach the 2nd stage
of the Ike negotiations when I get these messages:<BR><BR>ep 1 17:58:13 wizbang8
pluto[31132]: "ait-to-home"[1] 22.45.6 #1: transition from state STATE_MAIN_R0
to state STATE_MAIN_R1<BR>Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1]
22.45. #1: STATE_MAIN_R1: sent MR1, expecting MI2<BR>Sep 1 17:58:13 wizbang8
pluto[31132]: "ait-to-home"[1] 22.45. #1: ignoring Vendor ID payload
[KAME/racoon]<BR>Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45.
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<BR>Sep 1 17:58:13
wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: STATE_MAIN_R2: sent MR2,
expecting MI3<BR>Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45.
#1: Main mode peer ID is ID_IPV4_ADDR: '22.45.'<BR>Sep 1 17:58:14 wizbang8
pluto[31132]: "ait-to-home"[1] 22.45. #1: no suitable connection for peer
'22.45.'<BR>Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1:
sending encrypted notification INVALID_ID_INFORMATION to 22.45. :500<BR><BR>On
the router here is what the VPN log reads (wished it was more
verbose)<BR><BR>2009 Sep 1 18:47:31 [SRXN3205] [IKE] Ignore information because
ISAKMP-SA has not been established yet._<BR>2009 Sep 1 18:47:40 [SRXN3205] [IKE]
The packet is retransmitted by 16.16.[500]._<BR>2009 Sep 1 18:47:40 [SRXN3205]
[IKE] Ignore information because ISAKMP-SA has not been established yet._<BR>-
Last output repeated twice -<BR>2009 Sep 1 18:47:46 [SRXN3205] [IKE] an undead
schedule has been deleted: 'isakmp_chkph1there'._<BR>2009 Sep 1 18:47:46
[SRXN3205] [IKE] IPSec configuration with identifer "ait_torden" deleted
sucessfully_<BR>2009 Sep 1 18:47:46 [SRXN3205] [IKE] no phase2 bounded._<BR>2009
Sep 1 18:47:46 [SRXN3205] [IKE] Purged ISAKMP-SA with
spi=f3a834564cf15bf4:a5645e2c7414e4fd._<BR>2009 Sep 1 18:47:46 [SRXN3205] [IKE]
an undead schedule has been deleted: 'purge_remote'._<BR>2009 Sep 1 18:47:46
[SRXN3205] [IKE] an undead schedule has been deleted:
'isakmp_ph1resend'._<BR>2009 Sep 1 18:47:46 [SRXN3205] [IKE] IKE configuration
with identifier "wizbang8" deleted sucessfully_<BR>2009 Sep 1 18:48:00
[SRXN3205] [IKE] The packet is retransmitted by 209.198.[500]._<BR><BR>I
followed the certs instructions to a T.... Where am I going wrong? Is there some
way I can see what is being transmitted to the Openswan server and what it is
sending back?</DIV>
<DIV>Here is what I am trying to do... I am trying to get my SRXN3207 to connect
to a Openswan VPN server using certificates.... The vender ID of the Ike
negotiations identify V-IPSecure as a vendor racoon.<BR><BR>I guess I could look
up racoon to openswan VPN gateway to gateway connections.<BR><BR>PSK is rather
insecure and at times doesnt work.<BR><FONT face=Arial size=2></FONT><BR></DIV>
<DIV><FONT face=Arial size=2>JT Edwards<BR>Senior Solutions Architect
(Automation and Service Management)<BR>IBM Tivoli Certified<BR>Direct:
281-226-0284<BR>Direct: 512-772-3266<BR>Follow Me: 1866-866-4391 ext 1<BR>AIM
tstrike34<BR>GoogleTalk <A
href="mailto:tstrike34@gmail.com">tstrike34@gmail.com</A></FONT></DIV></BODY></HTML>