[Openswan dev] trying to configure XAUTH as replacement for working Cisco VPN Client

Paul Wouters paul at xelerance.com
Mon Mar 26 23:27:18 EDT 2007

On Mon, 26 Mar 2007, David Lawless wrote:

> I'm trying to configure Openswan v2.4.6-1 running under OpenWrt

It's unfortunately a little bit dated.

> v0.9 on a Linksys WRT54GS v2.1 as a substitute for a working
> Cisco VPN v4.6.03.0021 Windows client.  It seems from what I
> can tell that XAUTH is how this type of client operates.

You'd make life much easier if you 'ipkg install l2tpd' and use l2tp
with openswan. Additional benefit is that it does not require you
to install any software on Windows or OSX.

> If I select main mode, Openswan fails immediately with
> pluto[24068]: "Connection" #1: initiating Main Mode
> pluto[24068]: packet from R.R.R.R:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> pluto[24068]: packet from R.R.R.R:500: received and ignored informational message

Did you configure with leftxauthserver=yes and rightxauthclient=yes?
Or download openswan on a desktop, and check openswan-2.x.y/testing/pluto/xauth*

> If I select aggressive mode, I can't seem to figure out which
> algorithms to select.  Openswan says
> pluto[22863]: "Connection" #1: multiple transforms were set in aggressive mode. Only first one used.
> pluto[22863]: "Connection" #1: transform (7,2,5,128) ignored.
> pluto[22863]: "Connection" #1: transform (7,1,2,128) ignored.
> pluto[22863]: "Connection" #1: transform (7,2,2,128) ignored.
> pluto[22863]: "Connection" #1: ASSERTION FAILED at spdb_struct.c:1233: trans->attr_cnt == 4

As listed in CHANGES:

* Fix for Aggressive Mode and NAT-T port floating, based on RedHat patch [paul]
* Fix for Aggressive Mode and NAT-T (#491) by Delta Yeh
* bugtracker bugs fixed:
  #git c2e23a6e16a55632d618740518d419f3fad3323d: AggressiveMode with nhelpers=0
                                                 fix from Marin Hincks

* bugtracker bugs fixed:
  #474 ASSERTION FAILED at spdb_struct.c:1233: trans->attr_cnt == 4

> config setup
>         interfaces=%defaultroute
>         nat_traversal=yes
>         klipsdebug=none
>         plutodebug=none
> conn Connection
>         left=             %defaultroute
>         leftid=           @GroupName
>         leftxauthclient=  yes
>         right=            R.R.R.R
>         rightsubnet=      R.R.R.H/32
>         rightxauthserver= yes

I assume you want the openwrt to be the xauthserver, not the client?
You've swapped the two. Also, using a rightsubnet with /32 is almost
always a sign of NAT traversal failing to work, e.g. due to a missing
virtual_private= in config setup in this case.
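
For illustration, the quoted ipsec.conf reworked along the lines of the reply above (this is an added example, not the original poster's file and not something Paul supplied): the OpenWrt box on the left becomes the XAUTH server, the road-warrior client on the right becomes the XAUTH client, and the virtual_private= line the reply says is missing is added to config setup. The address ranges, right=%any, rightsubnet=vhost:%priv,%no, authby=secret and auto=add are assumptions added here; @GroupName is kept as it appears in the original posting.

```conf
# Added example, not the original poster's configuration.
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        # Private ranges a NATed client may use as its inner address.
        # Needed for rightsubnet=vhost:%priv below; without it pluto
        # cannot accept a client behind NAT. (Assumed ranges.)
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        klipsdebug=none
        plutodebug=none

conn Connection
        left=%defaultroute
        leftid=@GroupName               # kept from the original posting
        leftxauthserver=yes             # the OpenWrt box verifies the user credentials
        right=%any                      # road warrior: address not known in advance (assumption)
        rightsubnet=vhost:%priv,%no     # accept a private inner address behind NAT, or none
        rightxauthclient=yes            # the remote client supplies XAUTH credentials
        authby=secret                   # group PSK in ipsec.secrets (assumption)
        auto=add                        # load the conn, let the client initiate (assumption)
```

Note that the roles are now the opposite of the quoted file: leftxauthserver/rightxauthclient instead of leftxauthclient/rightxauthserver. With a fixed rightsubnet=R.R.R.H/32 left in place, a client whose inner address differs would still fail; vhost:%priv together with virtual_private is what lets pluto accept the address the NATed client actually presents.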


More information about the Dev mailing list