<font style='{font-family: Arial,Verdana, Sans-Serif;font-size: 10pt;}'>
Hello all,<br>
<br>
I have been trying for more than 2 weeks to configure openswan, but so far without any success. I hope you can help me.<br>
Linux ="Ubuntu 9.10" (openswan 2.6.25) <---> internet <----> Mac OS 10.6.3<br>
<br>
I am trying to set up the connection with PSK.<br>
<br>
I have tried different configs, but this is the last one I am using:<br>
<br>
ipsec.conf:<br>
<br>
version 2.0 # conforms to second version of ipsec.conf specification<br>
<br>
# basic configuration<br>
config setup<br>
plutoopts="--perpeerlog"<br>
nat_traversal=yes<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br>
nhelpers=0<br>
uniqueids=yes<br>
oe=off<br>
protostack=netkey<br>
<br>
conn west-pual<br>
left=x.x.x.x<br>
leftprotoport=17/%any<br>
leftid=vpn-server<br>
right=%any<br>
rightid=@mac-pual<br>
rightprotoport=17/%any<br>
rightsubnet=vhost:%no,%priv<br>
authby=secret<br>
auto=add<br>
pfs=no<br>
type=transport<br>
<br>
ipsec.secrets config:<br>
x.x.x.x %any: PSK "1234"<br>
<br>
log:<br>
<br>
----log when restarting ipsec:<br>
<br>
==> /var/log/daemon.log <==<br>
Jun 4 16:27:13 vpn-server ipsec_setup: Stopping Openswan IPsec...<br>
<br>
==> /var/log/auth.log <==<br>
Jun 4 16:27:14 vpn-server ipsec__plutorun: Starting Pluto subsystem...<br>
Jun 4 16:27:14 vpn-server pluto[2973]: Starting Pluto (Openswan Version 2.6.25; Vendor ID OEC`nT{wo^XH) pid:2973<br>
Jun 4 16:27:14 vpn-server pluto[2973]: Setting NAT-Traversal port-4500 floating to on<br>
Jun 4 16:27:14 vpn-server pluto[2973]: port floating activation criteria nat_t=1/port_float=1<br>
Jun 4 16:27:14 vpn-server pluto[2973]: NAT-Traversal support [enabled]<br>
Jun 4 16:27:14 vpn-server pluto[2973]: fixup for bad virtual_private entry '%4:91.200.17.23/24', please fix your virtual_private line!<br>
Jun 4 16:27:14 vpn-server pluto[2973]: fixup for bad virtual_private entry '%4:91.200.17.23/24', please fix your virtual_private line!<br>
Jun 4 16:27:14 vpn-server pluto[2973]: using /dev/urandom as source of random entropy<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: no helpers will be started, all cryptographic operations will be done inline<br>
Jun 4 16:27:14 vpn-server pluto[2973]: Using Linux 2.6 IPsec interface code on 2.6.31-21-server (experimental code)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names <br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names <br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_add(): ERROR: Algorithm already exists<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names <br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_add(): ERROR: Algorithm already exists<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names <br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_add(): ERROR: Algorithm already exists<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names <br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_add(): ERROR: Algorithm already exists<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names <br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_add(): ERROR: Algorithm already exists<br>
Jun 4 16:27:14 vpn-server pluto[2973]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: Changed path to directory '/etc/ipsec.d/cacerts'<br>
Jun 4 16:27:14 vpn-server pluto[2973]: Changed path to directory '/etc/ipsec.d/aacerts'<br>
Jun 4 16:27:14 vpn-server pluto[2973]: Changed path to directory '/etc/ipsec.d/ocspcerts'<br>
Jun 4 16:27:14 vpn-server pluto[2973]: Changing to directory '/etc/ipsec.d/crls'<br>
Jun 4 16:27:14 vpn-server pluto[2973]: Warning: empty directory<br>
Jun 4 16:27:14 vpn-server pluto[2973]: added connection description "west-pual"<br>
Jun 4 16:27:14 vpn-server pluto[2973]: listening for IKE messages<br>
Jun 4 16:27:14 vpn-server pluto[2973]: NAT-Traversal: Trying new style NAT-T<br>
Jun 4 16:27:14 vpn-server pluto[2973]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)<br>
Jun 4 16:27:14 vpn-server pluto[2973]: NAT-Traversal: Trying old style NAT-T<br>
Jun 4 16:27:14 vpn-server pluto[2973]: adding interface eth0/eth0 x.x.x.x:500<br>
Jun 4 16:27:14 vpn-server pluto[2973]: adding interface eth0/eth0 x.x.x.x:4500<br>
Jun 4 16:27:14 vpn-server pluto[2973]: adding interface lo/lo 127.0.0.1:500<br>
Jun 4 16:27:14 vpn-server pluto[2973]: adding interface lo/lo 127.0.0.1:4500<br>
Jun 4 16:27:14 vpn-server pluto[2973]: adding interface lo/lo ::1:500<br>
Jun 4 16:27:14 vpn-server pluto[2973]: loading secrets from "/etc/ipsec.secrets"<br>
<br>
==> /var/log/daemon.log <==<br>
Jun 4 16:27:14 vpn-server ipsec_setup: ...Openswan IPsec stopped<br>
Jun 4 16:27:14 vpn-server ipsec_setup: Starting Openswan IPsec U2.6.25/K2.6.31-21-server...<br>
Jun 4 16:27:14 vpn-server ipsec_setup: Using NETKEY(XFRM) stack<br>
Jun 4 16:27:14 vpn-server ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d<br>
Jun 4 16:27:14 vpn-server ipsec_setup: ...Openswan IPsec started<br>
Jun 4 16:27:14 vpn-server ipsec__plutorun: 002 added connection description "west-pual"<br>
Jun 4 16:27:14 vpn-server ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T<br>
Jun 4 16:27:14 vpn-server ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)<br>
Jun 4 16:27:14 vpn-server ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T<br>
<br>
==> /var/log/kern.log <==<br>
Jun 4 16:27:14 vpn-server kernel: [ 2341.330663] NET: Unregistered protocol family 15<br>
Jun 4 16:27:14 vpn-server kernel: [ 2341.350129] NET: Registered protocol family 15<br>
Jun 4 16:27:14 vpn-server kernel: [ 2341.494255] Initializing XFRM netlink socket<br>
Jun 4 16:27:14 vpn-server kernel: [ 2341.497440] padlock: VIA PadLock not detected.<br>
Jun 4 16:27:14 vpn-server kernel: [ 2341.523342] padlock: VIA PadLock Hash Engine not detected.<br>
Jun 4 16:27:14 vpn-server kernel: [ 2341.575592] Intel AES-NI instructions are not detected.<br>
Jun 4 16:27:14 vpn-server kernel: [ 2341.602313] padlock: VIA PadLock not detected.<br>
<br>
==> /var/log/auth.log <==<br>
Jun 4 16:28:50 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #1: max number of retransmissions (2) reached STATE_MAIN_R1<br>
Jun 4 16:28:53 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #2: max number of retransmissions (2) reached STATE_MAIN_R1<br>
Jun 4 16:28:56 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #3: max number of retransmissions (2) reached STATE_MAIN_R1<br>
Jun 4 16:28:59 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #4: max number of retransmissions (2) reached STATE_MAIN_R1<br>
Jun 4 16:28:59 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y: deleting connection "west-pual" instance with peer y.y.y.y {isakmp=#0/ipsec=#0}<br>
Jun 4 16:30:01 vpn-server CRON[3017]: pam_unix(cron:session): session opened for user root by (uid=0)<br>
Jun 4 16:30:45 vpn-server CRON[3017]: pam_unix(cron:session): session closed for user root<br>
<br>
==> /var/log/ntpdate.log <==<br>
4 Jun 16:30:45 ntpdate[3020]: step time server x.x.x.x offset -0.004801 sec<br>
<br>
<br>
==========================<br>
<br>
<br>
Log on Linux when trying to bring the connection up from Mac OS:<br>
<br>
==> /var/log/auth.log <==<br>
Jun 4 16:27:40 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [RFC 3947] method set to=109 <br>
Jun 4 16:27:40 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 <br>
Jun 4 16:27:40 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]<br>
Jun 4 16:27:40 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]<br>
Jun 4 16:27:40 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]<br>
Jun 4 16:27:40 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]<br>
Jun 4 16:27:40 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]<br>
Jun 4 16:27:40 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110<br>
Jun 4 16:27:40 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110<br>
Jun 4 16:27:40 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<br>
Jun 4 16:27:40 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [Dead Peer Detection]<br>
Jun 4 16:27:40 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #1: responding to Main Mode from unknown peer y.y.y.y<br>
Jun 4 16:27:40 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Jun 4 16:27:40 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #1: <span style="font-weight: bold;">STATE_MAIN_R1: sent MR1, expecting MI2</span><br>
Jun 4 16:27:43 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [RFC 3947] method set to=109 <br>
Jun 4 16:27:43 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 <br>
Jun 4 16:27:43 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]<br>
Jun 4 16:27:43 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]<br>
Jun 4 16:27:43 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]<br>
Jun 4 16:27:43 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]<br>
Jun 4 16:27:43 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]<br>
Jun 4 16:27:43 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110<br>
Jun 4 16:27:43 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110<br>
Jun 4 16:27:43 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<br>
Jun 4 16:27:43 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [Dead Peer Detection]<br>
Jun 4 16:27:43 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #2: responding to Main Mode from unknown peer y.y.y.y<br>
Jun 4 16:27:43 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
<span style="font-weight: bold;">Jun 4 16:27:43 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #2: STATE_MAIN_R1: sent MR1, expecting MI2</span><br>
Jun 4 16:27:46 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [RFC 3947] method set to=109 <br>
Jun 4 16:27:46 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 <br>
Jun 4 16:27:46 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]<br>
Jun 4 16:27:46 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]<br>
Jun 4 16:27:46 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]<br>
Jun 4 16:27:46 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]<br>
Jun 4 16:27:46 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]<br>
Jun 4 16:27:46 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110<br>
Jun 4 16:27:46 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110<br>
Jun 4 16:27:46 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<br>
Jun 4 16:27:46 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [Dead Peer Detection]<br>
Jun 4 16:27:46 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #3: responding to Main Mode from unknown peer y.y.y.y<br>
Jun 4 16:27:46 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
<span style="font-weight: bold;">Jun 4 16:27:46 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #3: STATE_MAIN_R1: sent MR1, expecting MI2</span><br>
Jun 4 16:27:49 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [RFC 3947] method set to=109 <br>
Jun 4 16:27:49 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 <br>
Jun 4 16:27:49 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]<br>
Jun 4 16:27:49 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]<br>
Jun 4 16:27:49 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]<br>
Jun 4 16:27:49 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]<br>
Jun 4 16:27:49 vpn-server pluto[2973]: packet from y.y.y.y:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]<br>
Jun 4 16:27:49 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110<br>
Jun 4 16:27:49 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110<br>
Jun 4 16:27:49 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<br>
Jun 4 16:27:49 vpn-server pluto[2973]: packet from y.y.y.y:500: received Vendor ID payload [Dead Peer Detection]<br>
Jun 4 16:27:49 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #4: responding to Main Mode from unknown peer y.y.y.y<br>
Jun 4 16:27:49 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
<span style="font-weight: bold;">Jun 4 16:27:49 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #4: STATE_MAIN_R1: sent MR1, expecting MI2</span><br>
<br>
==> /var/log/user.log <==<br>
Jun 4 16:27:14 vpn-server pluto: adjusting ipsec.d to /etc/ipsec.d<br>
<br>
As you can see, it is hanging on: STATE_MAIN_R1: sent MR1, expecting MI2.<br>
<br>
Please let me know what I am doing wrong, so I can bring <br>
<br>
Many thanks for your help.<br>
Cheers, Pual<br>
</font>
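
Added example, not part of the original post and not Openswan code: a small triage script that reads pluto lines like the ones above and reports which IKE Main Mode handshakes timed out, in which state, and which startup configuration complaints were logged. The sample log is constructed from the line formats shown in the post; the z.z.z.z peer and its handshake are invented for contrast, and the function name `analyse` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto lines in the post; y.y.y.y and
# z.z.z.z are placeholder peers, and the z.z.z.z handshake is invented for contrast.
SAMPLE_LOG = """\
Jun 4 16:27:14 vpn-server pluto[2973]: fixup for bad virtual_private entry '%4:91.200.17.23/24', please fix your virtual_private line!
Jun 4 16:27:14 vpn-server pluto[2973]: fixup for bad virtual_private entry '%4:91.200.17.23/24', please fix your virtual_private line!
Jun 4 16:27:40 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 4 16:27:43 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 4 16:27:50 vpn-server pluto[2973]: "west-pual"[2] z.z.z.z #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 4 16:27:51 vpn-server pluto[2973]: "west-pual"[2] z.z.z.z #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 4 16:28:50 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #1: max number of retransmissions (2) reached STATE_MAIN_R1
Jun 4 16:28:53 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #2: max number of retransmissions (2) reached STATE_MAIN_R1
"""

# Per-SA pluto line: "conn"[instance] peer #sa: message
SA_LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r"transition from state \S+ to state (\S+)")
TIMEOUT = re.compile(r"max number of retransmissions \(\d+\) reached (\S+)")
FIXUP = re.compile(r"pluto\[\d+\]: (fixup for bad \S+ entry .*)$")

def analyse(log_text):
    """Return (stalled, furthest, warnings) for a pluto auth.log excerpt."""
    stalled = defaultdict(list)   # (conn, peer, state) -> SA numbers that timed out there
    furthest = {}                 # (conn, peer, sa) -> last state the SA transitioned to
    warnings = []                 # de-duplicated startup config complaints
    for line in log_text.splitlines():
        fix = FIXUP.search(line)
        if fix:
            if fix.group(1) not in warnings:
                warnings.append(fix.group(1))
            continue
        m = SA_LINE.search(line)
        if not m:
            continue
        conn, peer, sa = m["conn"], m["peer"], int(m["sa"])
        step = TRANSITION.search(m["msg"])
        if step:
            furthest[(conn, peer, sa)] = step.group(1)
        timeout = TIMEOUT.search(m["msg"])
        if timeout:
            # Timing out in STATE_MAIN_R1 means MR1 went out and MI2 never came back.
            stalled[(conn, peer, timeout.group(1))].append(sa)
    return dict(stalled), furthest, warnings

if __name__ == "__main__":
    stalled, furthest, warnings = analyse(SAMPLE_LOG)
    for (conn, peer, state), sas in stalled.items():
        print(f"{conn} {peer}: {len(sas)} handshake(s) timed out in {state}: SAs {sas}")
    for w in warnings:
        print("config:", w)
```

Run against a real `/var/log/auth.log`, the `stalled` result separates peers that never get past the first exchange from peers that progress further, which narrows the search to the path or proposal for that peer.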