[Openswan dev] trying to configure XAUTH as replacement for working Cisco VPN Client

David Lawless lawless at spamcop.net
Mon Mar 26 23:43:48 EDT 2007


Thank you for your reply.

Have no control over the Cisco server side, so can't
switch to L2TP.

It seems probable I want to be the xauth client.  Would
it help to attempt to be the server?  The other end is
a hardware Cisco VPN firewall.

I can look into building the latest Openswan version for OpenWrt 
on a MIPS CPU, but it could be a lot of work.  Perhaps could 
convince the OpenWrt developers to try it or pull a release from 
their current development build.  Is this the best approach?



At 05:27 AM 3/27/2007 +0200, Paul Wouters wrote:
>On Mon, 26 Mar 2007, David Lawless wrote:
>> I'm trying to configure Openswan v2.4.6-1 running under 
>It's unfortunately a little bit dated.
>> v0.9 on a Linksys WRT54GS v2.1 as a substitute for a working
>> Cisco VPN v4.6.03.0021 Windows client.  It seems from what I
>> can tell that XAUTH is how this type of client operates.
>You'd make life much easier if you 'ipkg install l2tpd' and use 
>with openswan. Additional benefit is that it does not require 
>to install any software on Windows or OSX.
>> If I select main mode, Openswan fails immediately with
>> pluto[24068]: "Connection" #1: initiating Main Mode
>> pluto[24068]: packet from R.R.R.R:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
>> pluto[24068]: packet from R.R.R.R:500: received and ignored informational message
>Did you configure with leftxauthserver=yes and 
>Or download openswan on a desktop, and check 
>> If I select aggressive mode, I can't seem to figure out which
>> algorithms to select.  Openswan says
>> pluto[22863]: "Connection" #1: multiple transforms were set in aggressive mode. Only first one used.
>> pluto[22863]: "Connection" #1: transform (7,2,5,128) ignored.
>> pluto[22863]: "Connection" #1: transform (7,1,2,128) ignored.
>> pluto[22863]: "Connection" #1: transform (7,2,2,128) ignored.
>> pluto[22863]: "Connection" #1: ASSERTION FAILED at spdb_struct.c:1233: trans->attr_cnt == 4
>As listed in CHANGES:
>* Fix for Aggressive Mode and NAT-T port floating, based on RedHat patch [paul]
>* Fix for Aggressive Mode and NAT-T (#491) by Delta Yeh
>* bugtracker bugs fixed:
>  #git c2e23a6e16a55632d618740518d419f3fad3323d: AggressiveMode with nhelpers=0 fix from Marin
>* bugtracker bugs fixed:
>  #474 ASSERTION FAILED at spdb_struct.c:1233: trans->attr_cnt == 4"
>> config setup
>>         interfaces=%defaultroute
>>         nat_traversal=yes
>>         klipsdebug=none
>>         plutodebug=none
>> conn Connection
>>         left=             %defaultroute
>>         leftid=           @GroupName
>>         leftxauthclient=  yes
>>         right=            R.R.R.R
>>         rightsubnet=      R.R.R.H/32
>>         rightxauthserver= yes
>I assume you want the openwrt to be the xauthserver, not the 
>You've swapped the two. Also, using a rightsubnet with /32 is 
>always a sign of NAT traversal failing to work, eg due to a 
>virtual_private=  in config setup in this case.
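
Added example, not part of the original thread or of Openswan: a small decoder for the "transform (...) ignored" lines quoted above, showing which IKE phase 1 proposals were dropped in aggressive mode and therefore never offered to the Cisco peer. It assumes pluto prints the tuple as (encryption, hash, DH group, key bits); the numeric values are the IKEv1 attribute values from the IANA IPsec registry.

```python
import re

# IKEv1 phase 1 attribute values (IANA IPsec registry, RFC 2409 Appendix A).
ENCRYPTION = {1: "DES_CBC", 5: "3DES_CBC", 7: "AES_CBC"}
HASH = {1: "MD5", 2: "SHA1"}
DH_GROUP = {1: "MODP768", 2: "MODP1024", 5: "MODP1536"}

# Assumption: tuple order is (encryption, hash, DH group, key bits).
IGNORED = re.compile(
    r'pluto\[\d+\]: "([^"]+)" #\d+: '
    r'transform \((\d+),(\d+),(\d+),(\d+)\) ignored'
)

# Log lines as quoted in the thread, with the mail quoting removed.
SAMPLE_LOG = '''\
pluto[22863]: "Connection" #1: multiple transforms were set in aggressive mode. Only first one used.
pluto[22863]: "Connection" #1: transform (7,2,5,128) ignored.
pluto[22863]: "Connection" #1: transform (7,1,2,128) ignored.
pluto[22863]: "Connection" #1: transform (7,2,2,128) ignored.
'''


def _name(table, value):
    """Map a numeric attribute value to its name, keeping unknown values visible."""
    return table.get(value, "UNKNOWN(%d)" % value)


def decode_ignored_transforms(log_text):
    """Return one dict per ignored transform, in log order."""
    results = []
    for conn, enc, hsh, grp, bits in IGNORED.findall(log_text):
        results.append({
            "conn": conn,
            "encryption": _name(ENCRYPTION, int(enc)),
            "hash": _name(HASH, int(hsh)),
            "group": _name(DH_GROUP, int(grp)),
            "key_bits": int(bits),
        })
    return results


if __name__ == "__main__":
    for t in decode_ignored_transforms(SAMPLE_LOG):
        print("%(conn)s: dropped %(encryption)s-%(key_bits)d / %(hash)s / %(group)s" % t)
```

Because only the first transform is sent in aggressive mode, the alternatives listed here are never offered, so that first proposal has to match what the remote gateway accepts.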
