[Openswan Users] Problems between Openswan 2.1.2 and VPN Tracker

Brian Daniels bdaniels at fpoint.com
Wed Jun 2 18:20:02 CEST 2004


We have an Openswan 2.1.2 server that is supporting a mix of users.  We have 
been trying to add a Mac user with the VPN Tracker client.
We have followed their interop guide and added the connection to ipsec.conf:

conn vpntracker-keys
	auto=add
	authby=rsasig
	keyingtries=0
	leftid=@freeswan
	leftrsasigkey=0x03...
	left=207.203.252.2
	# next hop to reach right
	leftnexthop=207.203.252.1
	# subnet behind left (omit if there is no subnet)
	leftsubnet=10.0.0.0/8
	rightid=@vpntracker
	rightrsasigkey=0x03...
	right=%any
	rightsubnet=
	rightnexthop=

and we have added the RSA key info to ipsec.secrets.

When we try to bring the connection up, the VPN Tracker client fails with 
the following error:

2004-06-02 16:49:28: ERROR: oakley.c:1258:oakley_validate_auth(): no peer's CERT payload found

The Openswan log seems happy enough:

Jun  2 16:20:41 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: responding to Main Mode from unknown peer 207.203.252.5
Jun  2 16:20:41 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: transition from state (null) to state STATE_MAIN_R1
Jun  2 16:20:42 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: ignoring Vendor ID payload [KAME/racoon]
Jun  2 16:20:42 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun  2 16:20:43 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: Peer ID is ID_FQDN: '@vpntracker'
Jun  2 16:20:43 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Jun  2 16:20:43 gate last message repeated 3 times
Jun  2 16:20:43 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun  2 16:20:43 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: sent MR3, ISAKMP SA established

This setup used to work with Freeswan.  We have tried creating a new 
connection from the ground up, a different client machine, the leftsendcert 
directive and upgrading Openswan from 2.1.0 to 2.1.2 without success.  Any 
suggestions appreciated!

--Brian
Brian Daniels
Network Administrator

------------------------------------------------------
FarPoint Technologies
808 Aviation Pkwy, Suite 1300
Morrisville, NC 27560
Phones:
Tech Support - 919-460-1887
Sales - 800-645-5913            Main - 919-460-4551
FTP - ftp.fpoint.com  /fpoint.com
WEB - www.fpoint.com
Sales email: fpsales at fpoint.com
Technical support: fpsupport at fpoint.com
-------------------------------------------------------
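Added example, not part of Brian's post or of Openswan: a small parser for pluto log lines of the shape quoted above, used to summarise each ISAKMP SA (state transitions, peer ID, whether Phase 1 completed and whether an IPsec SA followed) and to flag the two things a reviewer would want to notice in this log: the "multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used" warning, which means pluto picked a key by position rather than by an unambiguous match (a configuration worth tightening when `right=%any` is in play), and a Phase 1 that completes without any "IPsec SA established" line. The sample log is constructed from the post's lines with the wrapping removed; the regexes assume the pluto message format shown there and nothing else.

```python
import re

# Constructed sample, modelled on the log quoted in the post (wrapped lines
# rejoined). It is not a capture from any real host.
SAMPLE_LOG = """\
Jun  2 16:20:41 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: responding to Main Mode from unknown peer 207.203.252.5
Jun  2 16:20:41 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: transition from state (null) to state STATE_MAIN_R1
Jun  2 16:20:42 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: ignoring Vendor ID payload [KAME/racoon]
Jun  2 16:20:42 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun  2 16:20:43 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: Peer ID is ID_FQDN: '@vpntracker'
Jun  2 16:20:43 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Jun  2 16:20:43 gate last message repeated 3 times
Jun  2 16:20:43 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun  2 16:20:43 gate pluto[8762]: "vpntracker-keys"[1] 207.203.252.5 #178: sent MR3, ISAKMP SA established
"""

# syslog prefix, then pluto's "conn"[instance] peer #sa: message
# (assumed from the lines in the post; syslog "last message repeated" lines
# deliberately do not match and are skipped)
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
STATE_RE = re.compile(r'transition from state (\S+) to state (\S+)')
PEER_ID_RE = re.compile(r"Peer ID is (\S+): '([^']*)'")


def parse_pluto(log_text):
    """Return one dict per pluto line; non-pluto syslog lines are dropped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := PLUTO_RE.match(line))]


def summarize(events):
    """Group events per (conn, SA number) and record what each SA achieved."""
    sas = {}
    for ev in events:
        s = sas.setdefault((ev['conn'], ev['sa']), {
            'peer': ev['peer'], 'states': [], 'peer_id': None,
            'warnings': [], 'isakmp_sa': False, 'ipsec_sa': False})
        msg = ev['msg']
        if (st := STATE_RE.search(msg)):
            s['states'].append(st.group(2))          # state entered
        if (pid := PEER_ID_RE.search(msg)):
            s['peer_id'] = (pid.group(1), pid.group(2))
        if 'multiple ipsec.secrets entries' in msg:
            s['warnings'].append('ambiguous-secrets')
        if 'ISAKMP SA established' in msg:         # Phase 1 done
            s['isakmp_sa'] = True
        if 'IPsec SA established' in msg:          # Phase 2 done
            s['ipsec_sa'] = True
    return sas


def findings(sas):
    """Return (conn, sa, code) tuples for conditions worth a second look."""
    out = []
    for (conn, sa), s in sas.items():
        if 'ambiguous-secrets' in s['warnings']:
            # pluto chose a secret by order, not by a unique match: verify
            # that the entry it picked is really the one meant for this peer
            out.append((conn, sa, 'ambiguous-secrets'))
        if s['isakmp_sa'] and not s['ipsec_sa']:
            # Phase 1 completed but no Phase 2 followed in this log
            out.append((conn, sa, 'phase1-only'))
    return out


if __name__ == '__main__':
    sas = summarize(parse_pluto(SAMPLE_LOG))
    for (conn, sa), s in sas.items():
        print(f'{conn} #{sa} peer={s["peer"]} id={s["peer_id"]} '
              f'states={"->".join(s["states"])} phase1={s["isakmp_sa"]} '
              f'phase2={s["ipsec_sa"]}')
    for conn, sa, code in findings(sas):
        print(f'FINDING {code}: {conn} #{sa}')
```

Run it over a real pluto log with `summarize(parse_pluto(open('/var/log/auth.log').read()))`; the `ambiguous-secrets` finding is the one to resolve first, since two distinct secrets matching the same endpoints means the responder is not authenticating the peer with a key chosen by identity.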