[Openswan dev] trying to configure XAUTH as replacement for working Cisco VPN Client
David Lawless
lawless at spamcop.net
Mon Mar 26 21:59:26 EDT 2007
Hello,
I'm trying to configure Openswan v2.4.6-1 running under OpenWrt
v0.9 on a Linksys WRT54GS v2.1 as a substitute for a working
Cisco VPN v4.6.03.0021 Windows client. It seems from what I
can tell that XAUTH is how this type of client operates.
If I select main mode, Openswan fails immediately with
pluto[24068]: "Connection" #1: initiating Main Mode
pluto[24068]: packet from R.R.R.R:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
pluto[24068]: packet from R.R.R.R:500: received and ignored informational message
If I select aggressive mode, I can't seem to figure out which
algorithms to select. Openswan says
pluto[22863]: "Connection" #1: multiple transforms were set in aggressive mode. Only first one used.
pluto[22863]: "Connection" #1: transform (7,2,5,128) ignored.
pluto[22863]: "Connection" #1: transform (7,1,2,128) ignored.
pluto[22863]: "Connection" #1: transform (7,2,2,128) ignored.
pluto[22863]: "Connection" #1: ASSERTION FAILED at spdb_struct.c:1233: trans->attr_cnt == 4
pluto[22863]: "Connection" #1: interface ipsec0/vlan1 L.L.L.L
pluto[22863]: "Connection" #1: interface ipsec0/vlan1 L.L.L.L
pluto[22863]: "Connection" #1: %myid = (none)
pluto[22863]: "Connection" #1: debug none
And then lists the available algorithms.
Here's the config. I've been using the commented lines in the
second case above.
version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none
conn Connection
        left=%defaultroute
        leftid=@GroupName
        leftxauthclient=yes
        right=R.R.R.R
        rightsubnet=R.R.R.H/32
        rightxauthserver=yes
        #aggrmode=yes
        #ike=aes128
        #esp=3des-sha1-96
        authby=secret
        xauth=yes
        auto=add
Below is the verbose output from the Cisco VPN client for a
successful session setup. This session passes through the exact
same WRT54GS that I'm attempting to configure. Private network
is 172.29.87.0/24 and the Windows client runs on 172.29.87.12.
Router is 172.29.87.1.
I'm posting this to the dev group as well as the users group
because I saw a similar error that was an issue in Openswan.
I'd like to figure out if this is the same one, though I'm
not using certificates as was the earlier case.
Thanks for your help!
David
Cisco Systems VPN Client Version 4.6.03.0021
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client
1 15:23:04.355 03/26/07 Sev=Info/4 CM/0x63100002
Begin connection process
2 15:23:04.371 03/26/07 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
3 15:23:04.371 03/26/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "R.R.R.R"
4 15:23:04.386 03/26/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with R.R.R.R.
5 15:23:04.402 03/26/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to R.R.R.R
6 15:23:04.433 03/26/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = R.R.R.R
7 15:23:04.433 03/26/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from R.R.R.R
8 15:23:04.433 03/26/07 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
9 15:23:04.433 03/26/07 Sev=Info/5 IKE/0x63000001
Peer supports DPD
10 15:23:04.433 03/26/07 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
11 15:23:04.433 03/26/07 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025
12 15:23:04.464 03/26/07 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
13 15:23:04.464 03/26/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to R.R.R.R
14 15:23:04.464 03/26/07 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4
15 15:23:04.464 03/26/07 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
16 15:23:04.464 03/26/07 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
17 15:23:04.496 03/26/07 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
18 15:23:04.496 03/26/07 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).
19 15:23:04.496 03/26/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to R.R.R.R
20 15:23:04.496 03/26/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = R.R.R.R
21 15:23:04.496 03/26/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from R.R.R.R
22 15:23:04.511 03/26/07 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
23 15:23:04.511 03/26/07 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
24 15:23:04.511 03/26/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = R.R.R.R
25 15:23:04.511 03/26/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from R.R.R.R
26 15:23:04.511 03/26/07 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.70.10.50
27 15:23:04.511 03/26/07 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
28 15:23:04.511 03/26/07 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = R.R.R.H
mask = 255.255.255.255
protocol = 0
src port = 0
dest port=0
29 15:23:04.527 03/26/07 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
30 15:23:04.527 03/26/07 Sev=Info/4 CM/0x63100019
Mode Config data received
31 15:23:04.527 03/26/07 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.70.10.50, GW IP = R.R.R.R, Remote IP = 0.0.0.0
32 15:23:04.527 03/26/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to R.R.R.R
33 15:23:04.542 03/26/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = R.R.R.R
34 15:23:04.558 03/26/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from R.R.R.R
35 15:23:04.558 03/26/07 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
36 15:23:04.558 03/26/07 Sev=Info/5 IKE/0x63000046
RESPONDER-LIFETIME notify has value of 4608000 kb
37 15:23:04.558 03/26/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to R.R.R.R
38 15:23:04.558 03/26/07 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=EFEAEFC5 OUTBOUND SPI = 0x91C6935C INBOUND SPI = 0x3D88560E)
39 15:23:04.558 03/26/07 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x91C6935C
40 15:23:04.558 03/26/07 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x3D88560E
41 15:23:04.667 03/26/07 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.29.87.1 172.29.87.12 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.29.87.0 255.255.255.0 172.29.87.12 172.29.87.12 10
172.29.87.12 255.255.255.255 127.0.0.1 127.0.0.1 10
172.29.255.255 255.255.255.255 172.29.87.12 172.29.87.12 10
224.0.0.0 240.0.0.0 172.29.87.12 172.29.87.12 10
255.255.255.255 255.255.255.255 172.29.87.12 172.29.87.12 1
42 15:23:05.449 03/26/07 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=10.70.10.50/255.0.0.0
DNS=0.0.0.0,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=
Split DNS Names=
43 15:23:05.449 03/26/07 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.29.87.1 172.29.87.12 10
10.0.0.0 255.0.0.0 10.70.10.50 10.70.10.50 10
10.70.10.50 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.70.10.50 10.70.10.50 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.29.87.0 255.255.255.0 172.29.87.12 172.29.87.12 10
172.29.87.12 255.255.255.255 127.0.0.1 127.0.0.1 10
172.29.255.255 255.255.255.255 172.29.87.12 172.29.87.12 10
224.0.0.0 240.0.0.0 10.70.10.50 10.70.10.50 10
224.0.0.0 240.0.0.0 172.29.87.12 172.29.87.12 10
255.255.255.255 255.255.255.255 10.70.10.50 10.70.10.50 1
255.255.255.255 255.255.255.255 172.29.87.12 172.29.87.12 1
44 15:23:05.464 03/26/07 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
45 15:23:05.464 03/26/07 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.29.87.1 172.29.87.12 10
10.0.0.0 255.0.0.0 10.70.10.50 10.70.10.50 10
10.70.10.50 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.70.10.50 10.70.10.50 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.29.87.0 255.255.255.0 172.29.87.12 172.29.87.12 10
172.29.87.1 255.255.255.255 172.29.87.12 172.29.87.12 1
172.29.87.12 255.255.255.255 127.0.0.1 127.0.0.1 10
172.29.255.255 255.255.255.255 172.29.87.12 172.29.87.12 10
R.R.R.R 255.255.255.255 172.29.87.1 172.29.87.12 1
R.R.R.H 255.255.255.255 10.70.10.50 10.70.10.50 1
224.0.0.0 240.0.0.0 10.70.10.50 10.70.10.50 10
224.0.0.0 240.0.0.0 172.29.87.12 172.29.87.12 10
255.255.255.255 255.255.255.255 10.70.10.50 10.70.10.50 1
255.255.255.255 255.255.255.255 172.29.87.12 172.29.87.12 1
46 15:23:05.464 03/26/07 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
47 15:23:05.496 03/26/07 Sev=Info/4 CM/0x6310001A
One secure connection established
48 15:23:05.574 03/26/07 Sev=Info/4 CM/0x6310003B
Address watch added for 172.29.87.12. Current hostname: geileis, Current address(es): 10.70.10.50, 172.29.87.12.
49 15:23:05.605 03/26/07 Sev=Info/4 CM/0x6310003B
Address watch added for 10.70.10.50. Current hostname: geileis, Current address(es): 10.70.10.50, 172.29.87.12.
50 15:23:05.605 03/26/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
51 15:23:05.605 03/26/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
52 15:23:05.605 03/26/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
53 15:23:05.605 03/26/07 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
54 15:23:05.605 03/26/07 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x5c93c691 into key list
55 15:23:05.621 03/26/07 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
56 15:23:05.621 03/26/07 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x0e56883d into key list
57 15:23:05.621 03/26/07 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.70.10.50
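As an added example (not part of David's post and not Openswan or Cisco code), here is a small Python parser for the Cisco VPN Client log format shown above. It groups each header line with its message, reconstructs the ISAKMP exchanges (the "OAK AG" messages are the aggressive-mode phase 1 the post refers to; main mode would show as "OAK MM"), and pulls out the mode-config address and ESP SPIs. The embedded log excerpt is constructed after the lines in the post.

```python
import re

# Constructed excerpt in the Cisco VPN Client log format from the post:
# a header line (seq, time, date, Sev=level, subsystem/code), then the message.
SAMPLE_LOG = """\
5 15:23:04.402 03/26/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to R.R.R.R
7 15:23:04.433 03/26/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from R.R.R.R
13 15:23:04.464 03/26/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to R.R.R.R
26 15:23:04.511 03/26/07 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.70.10.50
38 15:23:04.558 03/26/07 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=EFEAEFC5 OUTBOUND SPI = 0x91C6935C INBOUND SPI = 0x3D88560E)
"""

HEADER = re.compile(r"^(\d+) (\S+) (\S+) Sev=(\w+)/(\d) (\w+)/(0x[0-9A-F]+)$")
EXCHANGE = re.compile(r"^(SENDING|RECEIVING) [<>]+ ISAKMP OAK (\w+) \*?\((.*)\) (?:to|from) ")

def parse_records(text):
    """Group each header line with the message line(s) that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"seq": int(m.group(1)), "sub": m.group(6), "msg": []})
        elif records:
            records[-1]["msg"].append(line)
    return records

def exchanges(records):
    """(direction, exchange type, payload list) for every ISAKMP message logged."""
    hits = (EXCHANGE.match(r["msg"][0]) for r in records if r["msg"])
    return [(m.group(1), m.group(2), [p.strip() for p in m.group(3).split(",")])
            for m in hits if m]

def phase1_mode(records):
    """The client logs aggressive mode as 'OAK AG' and main mode as 'OAK MM'."""
    kinds = {ex for _, ex, _ in exchanges(records)}
    return "aggressive" if "AG" in kinds else "main" if "MM" in kinds else "unknown"

def negotiated(records):
    """Pull the mode-config address and the ESP SPIs out of the log."""
    text = "\n".join(" ".join(r["msg"]) for r in records)
    addr = re.search(r"INTERNAL_IPV4_ADDRESS: , value = (\S+)", text)
    spi = re.search(r"OUTBOUND SPI = (0x[0-9A-F]+) INBOUND SPI = (0x[0-9A-F]+)", text)
    return {"address": addr.group(1) if addr else None,
            "spi": {"out": spi.group(1), "in": spi.group(2)} if spi else {}}
```

Running it over the full log from the post lists the three aggressive-mode messages, the TRANS (XAUTH/mode-config) exchanges and the QM exchange in order, which is the sequence an Openswan configuration for this client has to reproduce.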