<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16890" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009>It seems I cannot
make openswan work with clients as a MODECFG server. Is it supposed to
work?</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=684560801-09092009></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009>The client is an
openswan instance too. The client configuration is set to be both
xauthclient and modecfgclient, and the server side to be xauthserver and
modecfgserver. XAUTH passed successfully and both server and client happily
moved to the next phase. The client log file shows:</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=684560801-09092009></SPAN></FONT> </DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>"net-to-road-xauth" #1: XAUTH: Successfully
Authenticated</SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>! complete state transition with
STF_OK</SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009><SPAN class=684560801-09092009>"net-to-road-xauth"
#1: transition from state STATE_XAUTH_I0 to state
STATE_XAUTH_I1</SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009><SPAN
class=684560801-09092009>...</SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>"net-to-road-xauth" #1: STATE_XAUTH_I1: XAUTH client
- awaiting CFG_SET</SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009>modecfg pull:
noquirk policy: pull modecfg-client </SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009>modecfg client is
starting due to policy</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=684560801-09092009>"net-to-road-xauth" #1: modecfg: Sending IP request
(MODECFG_I1)</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=684560801-09092009>...</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009>state object #1
found, in STATE_MODE_CFG_I1</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009>processing
connection net-to-road-xauth</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>"net-to-road-xauth" #1: Mode Config message is
unacceptable because it is for an incomplete ISAKMP SA ( state
STATE_MODE_CFG_I1)</SPAN></SPAN></FONT></DIV></BLOCKQUOTE>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009></SPAN></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>And the server side log file
shows:</SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009></SPAN></SPAN></FONT> </DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>"road-warrior-host"[1] 192.168.2.66 #1: XAUTH: User test3: Authentication Successful<BR>
...<BR>
"road-warrior-host"[1] 192.168.2.66 #1: XAUTH: xauth_inR1(STF_OK)<BR>
| complete state transition with STF_OK<BR>
"road-warrior-host"[1] 192.168.2.66 #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3<BR>
| deleting event for #1<BR>
| inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1<BR>
| event added after event EVENT_REINIT_SECRET<BR>
"road-warrior-host"[1] 192.168.2.66 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established<BR>
| modecfg pull: noquirk policy:push not-client<BR>
| processing connection road-warrior-host[1] 192.168.2.66<BR>
"road-warrior-host"[1] 192.168.2.66 #1: Sending MODE CONFIG set<BR>
...<BR>
| ****emit ISAKMP ModeCfg attribute:<BR>
| ModeCfg attr type: INTERNAL_IP4_ADDRESS<BR>
| emitting 4 raw bytes of IP4_addr into ISAKMP ModeCfg attribute<BR>
| IP4_addr c0 a8 02 42<BR>
| emitting length of ISAKMP ModeCfg attribute: 4<BR>
| ****emit ISAKMP ModeCfg attribute:<BR>
| ModeCfg attr type: INTERNAL_IP4_SUBNET<BR>
| emitting 4 raw bytes of IP4_subnet into ISAKMP ModeCfg attribute<BR>
| IP4_subnet c0 a8 00 00<BR>
| emitting 4 raw bytes of IP4_submsk into ISAKMP ModeCfg attribute<BR>
| IP4_submsk ff ff ff 00<BR>
| emitting length of ISAKMP ModeCfg attribute: 8<BR>
| emitting length of ISAKMP Mode Attribute: 28<BR>
...<BR>
| state hash entry 25<BR>
| peer and cookies match on #1, provided msgid cd7e8fcd vs 00000000/7dfadb20<BR>
| p15 state object not found<BR>
| ICOOKIE: 56 be 47 76 79 60 bb d9<BR>
| RCOOKIE: 4b c8 b1 eb 91 3f 3a 12<BR>
| state hash entry 25<BR>
| peer and cookies match on #1, provided msgid 00000000 vs 00000000/7dfadb20<BR>
| p15 state object #1 found, in STATE_MODE_CFG_R1<BR>
| processing connection road-warrior-host[1] 192.168.2.66<BR>
| last Phase 1 IV: d8 3b 77 2d d6 49 fe 81<BR>
| current Phase 1 IV: e4 46 51 94 73 5e 2b 22<BR>
| computed Phase 2 IV:<BR>
| 13 5b bf cc e6 30 7a 93 a5 69 37 61 1c 1d 10 1b<BR>
"road-warrior-host"[1] 192.168.2.66 #1: received MODECFG message when in state STATE_MODE_CFG_R1, and we aren't xauth client<BR>
| * processed 0 messages from cryptographic helpers</SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009></SPAN></SPAN></FONT> </DIV></BLOCKQUOTE>
<DIV dir=ltr><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>A couple of questions:</SPAN></SPAN></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009></SPAN></SPAN></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>1. Why did the server try to push IP settings? Shouldn't
it wait for the client to pull? What if the client side does not have modecfg
set? How can I stop that from happening on the server
side?</SPAN></SPAN></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>2. Why is the internal IP4 address the server tried to
push the public IP address of the remote peer instead of an 'internal'
one?</SPAN></SPAN></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>3. Does openswan support the idea of a virtual adaptor? I
thought the remote must be in a different subnet, but modecfg seems to allow the
remote to join the local network.</SPAN></SPAN></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>4. I couldn't find anything in the documentation about how
to finely control what is pushed to the client. Can I push only DNS settings and
avoid passing IP settings?</SPAN></SPAN></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>5. What kind of changes do I need to make to get
modecfg to work with two openswan boxes?</SPAN></SPAN></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009></SPAN></SPAN></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>Thanks a lot</SPAN></SPAN></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2><SPAN class=684560801-09092009><SPAN
class=684560801-09092009>Freeman</SPAN></SPAN></FONT></DIV>
</BODY></HTML>