<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
I'm trying to configure openswan on the client side. The VPN server
is a Cisco VPN 3000 Series, but I can't find out their
configuration. It works with vpnc (Cisco VPN client) with some
problems, so I'm trying openswan. The people running the VPN server
do not give any support on this, so I'm asking here.<br>
<br>
The configuration I'm trying:<br>
<br>
version 2.0<br>
<br>
config setup<br>
    plutodebug="all"<br>
    plutowait=yes<br>
    dumpdir=/var/run/pluto/<br>
    nat_traversal=yes<br>
    protostack=netkey<br>
    plutostderrlog=/dev/null<br>
    interfaces=%defaultroute<br>
<br>
# Left is server, right is this machine<br>
conn vpncon<br>
    auto=add<br>
    keyexchange=ike<br>
    authby=secret<br>
    aggrmode=yes<br>
    ike=3des-md5;modp1024<br>
    ikev2=no<br>
    #phase2alg=3des-md5;modp1024<br>
    phase2alg=aes128-md5;modp1024<br>
    ikelifetime=86400s<br>
    phase2=esp<br>
    rekey=no<br>
    forceencaps=yes<br>
    pfs=no<br>
    left=xx.xx.xx.xx (their public ip)<br>
    remote_peer_type=cisco<br>
    leftxauthserver=yes<br>
    leftmodecfgserver=yes<br>
    modecfgpull=yes<br>
    rightid=@groupname<br>
    right=%defaultroute<br>
    rightsourceip=xx.xx.xx.xx (our public ip)<br>
    rightmodecfgclient=yes<br>
    rightxauthusername=groupname<br>
<br>
Some things may be unnecessary, as I'm trying everything
(with/without ikev2, rekey, pfs, rightsourceip, modecfgpull and
plutowait, and also different phase2alg params).<br>
<br>
ipsec.secrets:<br>
@groupname : PSK "the-psk-key"<br>
@groupname : XAUTH "the-xauth-pass"<br>
<br>
They gave us an xauth username which is the same as the group name.<br>
<br>
Connection fails:<br>
root@ubuntu:/etc/ipsec.d# ipsec auto --up vpncon<br>
112 "cqg" #1: STATE_AGGR_I1: initiate<br>
003 "cqg" #1: received Vendor ID payload [Cisco-Unity]<br>
003 "cqg" #1: received Vendor ID payload [XAUTH]<br>
003 "cqg" #1: received Vendor ID payload [Dead Peer Detection]<br>
003 "cqg" #1: received Vendor ID payload [RFC 3947] method set
to=115 <br>
003 "cqg" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]<br>
003 "cqg" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]<br>
003 "cqg" #1: protocol/port in Phase 1 ID Payload MUST be 0/0 or
17/500 but are 17/0 (attempting to continue)<br>
003 "cqg" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike
(MacOS X): both are NATed<br>
004 "cqg" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1024}<br>
010 "cqg" #1: STATE_MODE_CFG_I1: retransmission; will wait 20s for
response<br>
010 "cqg" #1: STATE_MODE_CFG_I1: retransmission; will wait 40s for
response<br>
031 "cqg" #1: max number of retransmissions (2) reached
STATE_MODE_CFG_I1<br>
000 "cqg" #1: starting keying attempt 2 of an unlimited number, but
releasing whack<br>
<br>
Seeing the "oakley" lines I wonder if my cipher configuration is OK
(but I don't know what to test instead).<br>
<br>
I can connect correctly with vpnc (Cisco VPN client), so I traced
both cases with tcpdump (192.168.0.38 being my openswan machine's
local IP):<br>
<br>
VPNC (OK):<br>
root@ubuntu:~# tcpdump -i eth0 -n -p udp port 500 or udp port 4500<br>
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode<br>
listening on eth0, link-type EN10MB (Ethernet), capture size 65535
bytes<br>
12:28:25.671600 IP 192.168.0.38.500 > theirip.500: isakmp: phase
1 I agg<br>
12:28:25.815335 IP theirip.500 > 192.168.0.38.500: isakmp: phase
1 R agg<br>
12:28:25.852098 IP 192.168.0.38.4500 > theirip.4500:
NONESP-encap: isakmp: phase 1 I agg[E]<br>
12:28:26.012885 IP theirip.4500 > 192.168.0.38.4500:
NONESP-encap: isakmp: phase 2/others R #6[E]<br>
12:28:26.013193 IP 192.168.0.38.4500 > theirip.4500:
NONESP-encap: isakmp: phase 2/others I #6[E]<br>
12:28:26.163199 IP theirip.4500 > 192.168.0.38.4500:
NONESP-encap: isakmp: phase 2/others R #6[E]<br>
12:28:26.163657 IP 192.168.0.38.4500 > theirip.4500:
NONESP-encap: isakmp: phase 2/others I #6[E]<br>
12:28:26.164065 IP 192.168.0.38.4500 > theirip.4500:
NONESP-encap: isakmp: phase 2/others I #6[E]<br>
12:28:26.318767 IP 208.48.16.11.4500 > theirip.4500:
NONESP-encap: isakmp: phase 2/others R #6[E]<br>
12:28:26.333606 IP 192.168.0.38.4500 > theirip.4500:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]<br>
12:28:26.491409 IP theirip.4500 > 192.168.0.38.4500:
NONESP-encap: isakmp: phase 2/others R inf[E]<br>
12:28:26.493153 IP theirip.4500 > 192.168.0.38.4500:
NONESP-encap: isakmp: phase 2/others R oakley-quick[E]<br>
12:28:26.493344 IP 192.168.0.38.4500 > theirip.4500:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]<br>
12:28:36.004868 IP 192.168.0.38.4500 > theirip.4500:
NONESP-encap: [|isakmp]<br>
...<br>
<br>
OpenSwan (failing):<br>
root@ubuntu:~# tcpdump -i eth0 -n -p udp port 500 or udp port 4500<br>
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode<br>
listening on eth0, link-type EN10MB (Ethernet), capture size 65535
bytes<br>
12:26:26.980829 IP 192.168.0.38.500 > theirip.500: isakmp: phase
1 I agg<br>
12:26:27.125619 IP theirip.500 > 192.168.0.38.500: isakmp: phase
1 R agg<br>
12:26:27.131340 IP 192.168.0.38.4500 > theirip.4500:
NONESP-encap: isakmp: phase 1 I agg[E]<br>
12:26:27.131651 IP 192.168.0.38.4500 > theirip.4500:
NONESP-encap: isakmp: phase 2/others I #6[E]<br>
12:26:57.162505 IP 192.168.0.38.4500 > theirip.4500:
NONESP-encap: isakmp: phase 2/others I #6[E]<br>
12:27:17.183204 IP 192.168.0.38.4500 > theirip.4500:
NONESP-encap: isakmp: phase 2/others I #6[E]<br>
<br>
The difference I see here is that in the vpnc case their side is
the first to send a phase 2 packet, while in the openswan case it is
my side.<br>
<br>
I've tried everything I know about, which is not very much actually
(not an expert) :( Any ideas?<br>
<br>
Thank you,<br>
Roi Rodriguez<br>
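The comparison made by eye above (which side sends the first Transaction exchange after Phase 1, and whether the client's requests are ever answered) can be done mechanically. The following is an added example, not code from the original message or from the openswan project; it parses tcpdump's isakmp summary lines and the sample traces are condensed from the two captures above, keeping the post's "theirip" placeholder.<br>

```python
import re
# tcpdump summary line for IKE on UDP 500/4500, in the form shown in the captures
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.\d+ > \S+?\.\d+: "
    r"(?:NONESP-encap: )?isakmp: (?P<info>.+)$")
_secs = lambda ts: sum(float(x) * k for x, k in zip(ts.split(":"), (3600, 60, 1)))

def analyze(trace, client_ip, retransmit_gap=1.0):
    """Summarise an IKEv1 aggressive-mode + XAUTH/ModeCfg client negotiation.
    tcpdump shows ISAKMP exchange type 6 (Transaction: XAUTH and Mode Config
    payloads) as '#6'; record who sends it first, how often the client repeats
    it unanswered, and whether Quick Mode ('oakley-quick') is ever reached."""
    res = {"first_transaction_from": None, "client_tx_msgs": 0,
           "server_tx_msgs": 0, "client_retransmits": 0, "quick_mode_seen": False}
    prev = None  # (side, info, seconds) of the previous packet
    for m in filter(None, map(LINE_RE.match, trace.splitlines())):
        side = "client" if m["src"] == client_ip else "server"
        info, t = m["info"], _secs(m["ts"])
        if "#6" in info:
            res["first_transaction_from"] = res["first_transaction_from"] or side
            res[side + "_tx_msgs"] += 1
            # client repeating a Transaction message after a long silence, with
            # nothing from the peer in between, is an unanswered request
            if prev and prev[0] == side == "client" and "#6" in prev[1] \
                    and t - prev[2] >= retransmit_gap:
                res["client_retransmits"] += 1
        if "oakley-quick" in info:
            res["quick_mode_seen"] = True
        prev = (side, info, t)
    # stalled: the client is waiting for a Transaction reply that never comes
    res["stalled"] = res["client_tx_msgs"] > 0 and res["server_tx_msgs"] == 0
    return res

# Constructed samples, condensed from the two captures in the post above
# ('theirip' is the post's placeholder for the concentrator's address).
WORKING_TRACE = """\
12:28:25.671600 IP 192.168.0.38.500 > theirip.500: isakmp: phase 1 I agg
12:28:25.815335 IP theirip.500 > 192.168.0.38.500: isakmp: phase 1 R agg
12:28:26.012885 IP theirip.4500 > 192.168.0.38.4500: NONESP-encap: isakmp: phase 2/others R #6[E]
12:28:26.013193 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:28:26.333606 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
"""
FAILING_TRACE = """\
12:26:26.980829 IP 192.168.0.38.500 > theirip.500: isakmp: phase 1 I agg
12:26:27.125619 IP theirip.500 > 192.168.0.38.500: isakmp: phase 1 R agg
12:26:27.131651 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:26:57.162505 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:27:17.183204 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
"""
```

Running analyze() on both traces shows the concentrator opening the Transaction exchange in the vpnc capture, while in the openswan capture the client opens it and retransmits twice with no reply, matching the "max number of retransmissions (2) reached STATE_MODE_CFG_I1" line in the pluto log.<br>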
</body>
</html>