[Openswan Users] tunnel using XAUTH client mode to Cisco 3000 series

David Edmondson dme at dme.org
Wed Jul 7 18:33:43 CEST 2004


Running Openswan 2.1.4 on Linux 2.6.5 smp (Debian kernel).  The
2.1.4 is built from source.

I'm trying to get a tunnel to a Cisco 3000 series 'VPN Concentrator'
working, including using XAUTH client mode.

The configuration is based on that described in
docs/README.XAUTHclient, with only the IP addresses, authentication
tokens, etc. changed.  No RSA signatures are involved, only a
pre-shared password.

The quickest expression of my problem is this:

: tarte-tatin#; ipsec auto --up vpngw       
104 "vpngw" #3: STATE_MAIN_I1: initiate
010 "vpngw" #3: STATE_MAIN_I1: retransmission; will wait 20s for response
003 "vpngw" #3: ignoring Vendor ID payload [4048b7d56ebce885...]
106 "vpngw" #3: STATE_MAIN_I2: sent MI2, expecting MR2
010 "vpngw" #3: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "vpngw" #3: ignoring informational payload, type INVALID_COOKIE
...

Looking at the pluto logs it seems that Openswan makes various IKE
proposals, one of which is accepted by the Cisco.  Openswan then sends
some keying material, but the Cisco never responds.  Ten seconds later
Openswan resends the same keying material and receives the
'INVALID_COOKIE' notice.  The "timeout, resend, INVALID_COOKIE" loop
then continues with increasing time between attempts.

I noticed in a tcpdump of the IKE traffic that Openswan is using 'main
mode' where vpnc (which works okay, apart from not supporting
re-keying) uses 'aggressive mode'.  [ I've read why Openswan doesn't
currently support aggressive mode and I'm not complaining, just
providing this as additional information. ]

I'm looking for suggestions as to how I might debug this problem
further - rebuilding the code, learning how it works, etc. are all
perfectly feasible for me - I'm really looking for pointers on how I
might start.

Ken on IRC indicated that 2.1.4 was the right release to try, as XAUTH
doesn't work correctly in 2.2.0dr1, which is what I tried first.

I have no access to the remote Cisco 3000 machine (though I can ask
the people responsible questions).

Thanks for any help, pointers or suggestions.

dme.
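As one concrete starting point for the debugging the post asks about, here is an added Python example (not part of the original message, and not Openswan code) that decodes the ISAKMP header of each UDP/500 payload from a capture: it reports which exchange type is on the wire (main vs. aggressive), whether the cookie pair stays consistent after MR1, and where retransmissions and INVALID_COOKIE replies occur. The trace it runs over is constructed to mirror the symptoms described, not taken from the poster's tcpdump.

```python
import struct
# ISAKMP fixed header (RFC 2408 s3.1): initiator cookie, responder cookie, next
# payload, version, exchange type, flags, message id, total length (28 bytes).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {1: "base", 2: "main", 3: "auth-only", 4: "aggressive", 5: "informational"}
SA_PAYLOAD, KE_PAYLOAD, NOTIFY_PAYLOAD = 1, 4, 11   # next-payload type codes
INVALID_COOKIE = 4                                  # notify message type
ZERO_COOKIE = "00" * 8                              # responder cookie before MR1

def parse_isakmp(pkt: bytes) -> dict:
    """Decode one ISAKMP header; if the first payload is a Notification, read
    its type (generic hdr 4 + DOI 4 + proto 1 + SPI size 1 = offset 10)."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    ic, rc, nxt, ver, xchg, _flags, msgid, length = ISAKMP_HDR.unpack_from(pkt)
    notify = None
    if nxt == NOTIFY_PAYLOAD and len(pkt) >= ISAKMP_HDR.size + 12:
        notify = struct.unpack_from("!H", pkt, ISAKMP_HDR.size + 10)[0]
    return {"icookie": ic.hex(), "rcookie": rc.hex(), "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE.get(xchg, f"unknown({xchg})"), "msgid": msgid,
            "length": length, "notify": notify}

def audit_phase1(packets: list) -> dict:
    """Walk UDP/500 payloads in capture order: report exchange modes seen,
    retransmitted messages and INVALID_COOKIE rejections (the loop in the post)."""
    pair, seen, findings, modes = None, set(), [], set()
    for i, pkt in enumerate(packets):
        h = parse_isakmp(pkt)
        modes.add(h["exchange"])
        cookies = (h["icookie"], h["rcookie"])
        if h["exchange"] == "informational" and h["notify"] == INVALID_COOKIE:
            findings.append(f"#{i}: peer answered INVALID_COOKIE for {cookies}")
        elif pkt in seen:
            findings.append(f"#{i}: retransmission of an earlier {h['exchange']}-mode message")
        elif pair is None and h["rcookie"] != ZERO_COOKIE:
            pair = cookies                  # responder assigned its cookie in MR1
        elif pair is not None and cookies != pair:
            findings.append(f"#{i}: cookie pair changed from {pair} to {cookies}")
        seen.add(pkt)
    return {"exchanges": sorted(modes), "findings": findings}
def build(ic: bytes, rc: bytes, xchg: int, nxt: int = 0, body: bytes = b"") -> bytes:
    """Constructed test message: header (IKEv1 = version 1.0) plus optional first payload."""
    return ISAKMP_HDR.pack(ic, rc, nxt, 0x10, xchg, 0, 0, ISAKMP_HDR.size + len(body)) + body

# Constructed trace mirroring the post: MI1, MR1, MI2, MI2 retransmitted, INVALID_COOKIE.
IC, RC = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
NOTIFY_BODY = struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, INVALID_COOKIE)  # DOI 1, proto ISAKMP
TRACE = [build(IC, bytes(8), 2, SA_PAYLOAD), build(IC, RC, 2, SA_PAYLOAD), build(IC, RC, 2, KE_PAYLOAD),
         build(IC, RC, 2, KE_PAYLOAD), build(IC, RC, 5, NOTIFY_PAYLOAD, NOTIFY_BODY)]
```

To use it on a real capture, feed `audit_phase1` the UDP payloads of port 500 packets in order (for example extracted with a pcap reader); a cookie pair that changes, or an INVALID_COOKIE arriving for a pair the responder itself issued, points at state being dropped on the far side rather than at a proposal mismatch.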
