[Openswan dev] trying to configure XAUTH as replacement for working Cisco VPN Client
David Lawless
lawless at spamcop.net
Mon Mar 26 23:43:48 EDT 2007
Paul,
Thank you for your reply.
Have no control over the Cisco server side, so can't
switch to L2TP.
It seems probable I want to be the xauth client. Would
it help to attempt to be the server? The other end is
a hardware Cisco VPN firewall.
I can look into building the latest Openswan version for OpenWrt
on a MIPS CPU, but it could be a lot of work. Perhaps could
convince the OpenWrt developers to try it or pull a release from
their current development build. Is this the best approach?
Regards,
David
At 05:27 AM 3/27/2007 +0200, Paul Wouters wrote:
>On Mon, 26 Mar 2007, David Lawless wrote:
>
>> I'm trying to configure Openswan v2.4.6-1 running under
>OpenWrt
>
>It's unfortunately a little bit dated.
>
>> v0.9 on a Linksys WRT54GS v2.1 as a substitute for a working
>> Cisco VPN v4.6.03.0021 Windows client. It seems from what I
>> can tell that XAUTH is how this type of client operates.
>
>You'd make life much easier if you 'ipkg install l2tpd' and use
>l2tp
>with openswan. Additional benefit is that it does not require
>you
>to install any software on Windows or OSX.
>
>> If I select main mode, Openswan fails immediately with
>>
>> pluto[24068]: "Connection" #1: initiating Main Mode
>> pluto[24068]: packet from R.R.R.R:500: ignoring informational
>payload, type NO_PROPOSAL_CHOSEN
>> pluto[24068]: packet from R.R.R.R:500: received and ignored
>informational message
>
>Did you configure with leftxauthserver=yes and
>rightxauthclient=yes?
>Or download openswan on a desktop, and check
>openswan-2.x.y/testing/pluto/xauth*
>
>> If I select aggressive mode, I can't seem to figure out which
>> algorithms to select. Openswan says
>>
>> pluto[22863]: "Connection" #1: multiple transforms were set in
>aggressive mode. Only first one used.
>> pluto[22863]: "Connection" #1: transform (7,2,5,128) ignored.
>> pluto[22863]: "Connection" #1: transform (7,1,2,128) ignored.
>> pluto[22863]: "Connection" #1: transform (7,2,2,128) ignored.
>> pluto[22863]: "Connection" #1: ASSERTION FAILED at
>spdb_struct.c:1233: trans->attr_cnt == 4
>
>As listed in CHANGES:
>
>v2.4.8
>* Fix for Aggressive Mode and NAT-T port floating, based on
>RedHat patch [paul]
>* Fix for Aggressive Mode and NAT-T (#491) by Delta Yeh
>* bugtracker bugs fixed:
> #git c2e23a6e16a55632d618740518d419f3fad3323d: AggressiveMode
>with nhelpers=0
> fix from Marin
>Hincks
>
>v2.4.7
>* bugtracker bugs fixed:
> #474 ASSERTION FAILED at spdb_struct.c:1233: trans->attr_cnt >
>== 4"
>
>> config setup
>> interfaces=%defaultroute
>> nat_traversal=yes
>> klipsdebug=none
>> plutodebug=none
>>
>> conn Connection
>> left= %defaultroute
>> leftid= @GroupName
>> leftxauthclient= yes
>> right= R.R.R.R
>> rightsubnet= R.R.R.H/32
>> rightxauthserver= yes
>
>I assume you want the openwrt to be the xauthserver, not the
>client?
>You've swapped the two. Also, using a rightsubnet with /32 is
>almost
>always a sign of NAT traversal failing to work, eg due to a
>missing
>virtual_private= in config setup in this case.
>
>Paul
More information about the Dev
mailing list