[Openswan Users] unsupported ID type ID_FQDN and W2k-Client

Dennis Leist dl at byteeffect.de
Fri Apr 2 03:07:44 CEST 2004


Hi all helpers,

After getting freeswan-1.99.09 running with nat_traversal, I still
encounter some trouble while connecting
with W2k SP4 (incl. NAT-T Update).

Any help is highly appreciated!

<snip>
Apr  2 01:55:50 linuxserver pluto[18381]: packet from 213.39.182.63:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Apr  2 01:55:50 linuxserver pluto[18381]: packet from 213.39.182.63:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr  2 01:55:50 linuxserver pluto[18381]: packet from 213.39.182.63:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Apr  2 01:55:50 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63 #1: responding to Main Mode from unknown peer 213.39.182.63
Apr  2 01:55:50 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Apr  2 01:55:51 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Apr  2 01:55:51 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63 #1: Peer ID is ID_DER_ASN1_DN: '<Users CN>'
Apr  2 01:55:51 linuxserver pluto[18381]: | NAT-T: new mapping 213.39.182.63:500/4500)
Apr  2 01:55:51 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: sent MR3, ISAKMP SA established
Apr  2 01:55:51 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: unsupported ID type ID_FQDN
Apr  2 01:55:51 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 213.39.182.63:4500
Apr  2 01:55:52 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9a4c3a (perhaps this is a duplicated packet)
Apr  2 01:55:52 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.39.182.63:4500
Apr  2 01:55:54 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9a4c3a (perhaps this is a duplicated packet)
Apr  2 01:55:54 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.39.182.63:4500
Apr  2 01:55:58 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9a4c3a (perhaps this is a duplicated packet)
Apr  2 01:55:58 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.39.182.63:4500
Apr  2 01:56:06 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9a4c3a (perhaps this is a duplicated packet)
Apr  2 01:56:06 linuxserver pluto[18381]: "w2k-client"[1] 213.39.182.63:4500 #1: sending encrypted notification INVALID_MESSAGE_ID
<snap>

My ipsec.conf....
<snip>
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand

conn w2k-client
        left=%left
        leftrsasigkey=%cert
        leftcert=freeswan-cert.pem
        right=%any
        rightrsasigkey=%cert
        pfs=no
        rightsubnetwithin=192.168.1.99/24
        rightcert=client-cert.pem
        rightid=<Users CN>
        disablearrivalcheck=no
        auto=add
<snap>
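
A triage sketch for a pluto log like the one in this post, added here as an example and not part of the original message or of FreeS/WAN: it rejoins hard-wrapped syslog entries, reports the message logged just before the first notification on each connection state, and counts the notifications and reused Message IDs that follow. The function names are this example's own, and the patterns are written only against the log lines shown in the post.

```python
import re
from collections import Counter

# Sample lines taken from the log in the post, hard-wrapped as a mail client would.
SAMPLE_LOG = """\
Apr  2 01:55:51 linuxserver pluto[18381]: "w2k-client"[1]
213.39.182.63:4500 #1: unsupported ID type ID_FQDN
Apr  2 01:55:51 linuxserver pluto[18381]: "w2k-client"[1]
213.39.182.63:4500 #1: sending encrypted notification INVALID_ID_INFORMA
TION to 213.39.182.63:4500
Apr  2 01:55:52 linuxserver pluto[18381]: "w2k-client"[1]
213.39.182.63:4500 #1: Quick Mode I1 message is unacceptable because it
uses a previously used Message ID 0xcf9a4c3a (perhaps this is a
duplicated packet)
Apr  2 01:55:52 linuxserver pluto[18381]: "w2k-client"[1]
213.39.182.63:4500 #1: sending encrypted notification INVALID_MESSAGE_ID
 to 213.39.182.63:4500
Apr  2 01:55:54 linuxserver pluto[18381]: "w2k-client"[1]
213.39.182.63:4500 #1: Quick Mode I1 message is unacceptable because it
uses a previously used Message ID 0xcf9a4c3a (perhaps this is a
duplicated packet)
"""

ENTRY_START = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ pluto\[\d+\]:")
STATE = re.compile(r'"([^"]+)"\[\d+\]\s*\S+ #(\d+): (.*)')
NOTIFY = re.compile(r"sending encrypted notification ([A-Z0-9_]+)")
REPLAY = re.compile(r"previously used Message ID (0x[0-9a-f]+)")

def unwrap(text):
    """Rejoin hard-wrapped entries; only a syslog timestamp starts a new one."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line  # wraps can fall mid-word: join with no space
    return entries

def triage(text):
    """First rejected message per (conn, state), plus counts of follow-on noise."""
    cause, notes, replays, prev = {}, Counter(), Counter(), {}
    for conn, state, msg in (m.groups() for m in map(STATE.search, unwrap(text)) if m):
        key, n, r = (conn, state), NOTIFY.search(msg), REPLAY.search(msg)
        if n:
            notes[n.group(1)] += 1
            cause.setdefault(key, prev.get(key, "(cause not in excerpt)"))
        elif r:
            replays[r.group(1)] += 1
        prev[key] = msg  # remembered so the next notification can be attributed
    return cause, notes, replays
```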


