[Openswan Users] Roadwarrior Help

Kyle Hultman khultman at sch-farmville.org
Fri Aug 6 10:13:16 CEST 2004


I'm having trouble getting a road warrior vpn setup correctly. Here is
the topology that we're trying to implement.

                                                         DHCP Assigned
                                                         Private IP
+--------------+   +-----------+   +--------+   +---+   +-----+
|128.1.0.0/16  |<->|Firewall   |   |internet|   |DSL|<->|Host |
|Private subnet|   |207.27.3.58|<->+--------+<->|RTR|   |XP PC|
+--------------+   +-----------+                +---+   +-----+
                                         DHCP Assigned
                                             Public IP

What I'm seeing in the logs are unknown peer messages and duplicate
packet messages. I can't get the XP machine to connect to the firewall in
any way, shape or form using any combination of configs.

I've got several other connections terminating into the firewall,
including a PIX, Firebox, SonicWall, and several ZyWALLs. None use a
road-warrior type setup; these are all remote offices. They work with no
problems, and one is set up much like the topology above, where the
remote end is behind a NATed interface. Any advice would be helpful;
I'll keep trying different configs, and post a fix if I come across it.

Logs and configs below:



<Firewall Log>

<snip>
Aug 6 08:21:18 forculus pluto[30381]: packet from 65.41.104.3:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Aug 6 08:21:18 forculus pluto[30381]: "roadwarrior"[3] 65.41.104.3
#231: responding to Main Mode from unknown peer 65.41.104.3
Aug 6 08:21:18 forculus pluto[30381]: "roadwarrior"[3] 65.41.104.3
#231: transition from state (null) to state STATE_MAIN_R1
Aug 6 08:21:18 forculus pluto[30381]: "roadwarrior"[3] 65.41.104.3
#231: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 6 08:21:19 forculus pluto[30381]: "roadwarrior"[3] 65.41.104.3
#231: Peer ID is ID_IPV4_ADDR: '10.0.0.99'
Aug 6 08:21:19 forculus pluto[30381]: "roadwarrior"[4] 65.41.104.3
#231: deleting connection "roadwarrior" instance with peer 65.41.104.3
{isakmp=#0/ipsec=#0}
Aug 6 08:21:19 forculus pluto[30381]: "roadwarrior"[4] 65.41.104.3
#231: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 6 08:21:19 forculus pluto[30381]: "roadwarrior"[4] 65.41.104.3
#231: sent MR3, ISAKMP SA established
Aug 6 08:21:19 forculus pluto[30381]: "roadwarrior"[4] 65.41.104.3
#231: cannot respond to IPsec SA request because no connection is known
for
128.1.0.0/16===208.27.3.58[S=C]...65.41.104.3[10.0.0.99,S=C]===10.0.0.99/32
Aug 6 08:21:20 forculus pluto[30381]: "roadwarrior"[4] 65.41.104.3
#231: Quick Mode I1 message is unacceptable because it uses a previously
used Message ID 0x8ee43163 (perhaps this is a duplicated packet)
Aug 6 08:21:22 forculus pluto[30381]: "roadwarrior"[4] 65.41.104.3
#231: Quick Mode I1 message is unacceptable because it uses a previously
used Message ID 0x8ee43163 (perhaps this is a duplicated packet)
Aug 6 08:21:26 forculus pluto[30381]: "roadwarrior"[4] 65.41.104.3
#231: Quick Mode I1 message is unacceptable because it uses a previously
used Message ID 0x8ee43163 (perhaps this is a duplicated packet)
Aug 6 08:21:34 forculus pluto[30381]: "roadwarrior"[4] 65.41.104.3
#231: Quick Mode I1 message is unacceptable because it uses a previously
used Message ID 0x8ee43163 (perhaps this is a duplicated packet)




<Firewall ipsec.conf>

<snip>
conn roadwarrior
     type=tunnel
     auth=esp
     esp=3des-md5-96
     authby=secret
     keyexchange=ike
     keyingtries=0
     keylife=9600s
     left=208.27.3.58
     leftsubnet=128.1.0.0/16
     leftnexthop=208.27.3.57
     right=%any
     auto=start
     pfs=yes




<Firewall ipsec.secrets>

<snip>
208.27.3.58 0.0.0.0 : PSK "***hidden***"
208.27.3.58 %any : PSK "***hidden***"

<IP Sec Status>

<snip>
000 "roadwarrior":
128.1.0.0/16===208.27.3.58[S=C]---208.27.3.57...%any[S=C]; unrouted;
eroute owner: #0
000 "roadwarrior":   ike_life: 3600s; ipsec_life: 9600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 16,32;
interface: eth0;
000 "roadwarrior":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior"[2]:
128.1.0.0/16===208.27.3.58[S=C]---208.27.3.57...65.41.104.3[10.0.0.99,S=C];
unrouted; eroute owner: #0
000 "roadwarrior"[2]:   ike_life: 3600s; ipsec_life: 9600s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior"[2]:   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 16,32;
interface: eth0;
000 "roadwarrior"[2]:   newest ISAKMP SA: #237; newest IPsec SA: #0;



<Client ipsec.conf>

conn sch
	type=tunnel
	left=%any
	right=208.27.3.58
	rightsubnet=128.1.0.0/16
	auth=esp
	esp=3des-md5-96
	authby=secret
	keyexchange=ike
	keyingtries=0
	keylife=9600s
	auto=start
	pfs=yes
	presharedkey=***hidden***






- --
Kyle Hultman
Security Analyst
Southside Community Hospital
Farmville Virginia
(434) 315 - 2656
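An added example (my own, not from Kyle's post or from Openswan): a small Python analyser for the pluto log above. It pulls out the three things a responder would want from those lines: the peer identifying itself as the private address 10.0.0.99 while arriving from 65.41.104.3 (a NAT indicator), the remote subnet in the policy string that pluto could not match against any conn, and how often the same Quick Mode Message ID was retransmitted. The sample lines are the ones from the post, re-joined where the mail wrapped them.

```python
import re
from collections import Counter
# Regexes for the pluto log prefix '"conn"[instance] peer #sa: message'
LINE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #\d+: (?P<msg>.*)')
PEER_ID_RE = re.compile(r"Peer ID is ID_IPV4_ADDR: '(?P<pid>[\d.]+)'")
NO_CONN_RE = re.compile(r"no connection is known for (?P<policy>\S+)")
DUP_MID_RE = re.compile(r"previously used Message ID (?P<mid>0x[0-9a-fA-F]+)")

def proposed_remote_subnet(policy):
    """Right-most '===' segment of a pluto policy string, e.g. '10.0.0.99/32'."""
    return policy.rsplit("===", 1)[-1]

def analyze(lines):
    """Per-peer findings: NAT indicator, subnet pluto could not match, duplicate MIDs."""
    findings = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # no connection prefix (e.g. the Vendor ID line): skip
        peer, msg = m.group("peer"), m.group("msg")
        f = findings.setdefault(peer, {"conn": m.group("conn"), "nat_id": None,
                                       "unmatched_subnet": None, "dup_mids": Counter()})
        pid = PEER_ID_RE.search(msg)
        if pid and pid.group("pid") != peer:
            f["nat_id"] = pid.group("pid")  # ID differs from source address: peer is NATed
        nc = NO_CONN_RE.search(msg)
        if nc:
            f["unmatched_subnet"] = proposed_remote_subnet(nc.group("policy"))
        d = DUP_MID_RE.search(msg)
        if d:
            f["dup_mids"][d.group("mid")] += 1  # Quick Mode retransmits after the failure
    return findings

def summarize(findings):
    return [f"{f['conn']} peer {p}: id={f['nat_id']} subnet={f['unmatched_subnet']} "
            f"retransmits={sum(f['dup_mids'].values())}" for p, f in findings.items()]

# Lines from the post above, re-joined where the mail client wrapped them.
P = 'Aug 6 08:21:19 forculus pluto[30381]: "roadwarrior"[4] 65.41.104.3 #231: '
SAMPLE = [
    "Aug 6 08:21:18 forculus pluto[30381]: packet from 65.41.104.3:500: ignoring Vendor ID payload",
    P + "Peer ID is ID_IPV4_ADDR: '10.0.0.99'",
    P + "cannot respond to IPsec SA request because no connection is known for "
        "128.1.0.0/16===208.27.3.58[S=C]...65.41.104.3[10.0.0.99,S=C]===10.0.0.99/32",
] + [P + "Quick Mode I1 message is unacceptable because it uses a previously used "
         "Message ID 0x8ee43163 (perhaps this is a duplicated packet)"] * 4

if __name__ == "__main__":
    print("\n".join(summarize(analyze(SAMPLE))))
```

The summary line makes the mismatch explicit: the client arrives from a public address but proposes its private /32 as the remote subnet, which no conn on the firewall side covers.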

