[Openswan Users] Quick Mode I1 message is unacceptable
Sergio Simone
s.simone at consulenti.kataweb.it
Fri Mar 26 16:01:14 CET 2004
Hi,
I've just set up Openswan 2.1.1.
I need it to do l2tp over ipsec for win2k/XP roadwarriors.
This is what I'm seeing in the log when I attempt a connection from the
win2k client:

Mar 26 16:44:32 luciphero pluto[9223]: packet from 10.10.10.214:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Mar 26 16:44:32 luciphero pluto[9223]: packet from 10.10.10.214:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 26 16:44:32 luciphero pluto[9223]: packet from 10.10.10.214:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 26 16:44:32 luciphero pluto[9223]: "roadwarrior-l2tp"[1] 10.10.10.214 #1: responding to Main Mode from unknown peer 10.10.10.214
Mar 26 16:44:32 luciphero pluto[9223]: "roadwarrior-l2tp"[1] 10.10.10.214 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Mar 26 16:44:32 luciphero pluto[9223]: "roadwarrior-l2tp"[1] 10.10.10.214 #1: transition from state (null) to state STATE_MAIN_R1
Mar 26 16:44:32 luciphero pluto[9223]: "roadwarrior-l2tp"[1] 10.10.10.214 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 26 16:44:32 luciphero pluto[9223]: "roadwarrior-l2tp"[1] 10.10.10.214 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 26 16:44:33 luciphero pluto[9223]: "roadwarrior-l2tp"[1] 10.10.10.214 #1: Peer ID is ID_DER_ASN1_DN: 'C=IT, ST=RM, L=Roma, O=Kataweb S.p.A., OU=Direzione Tecnica, CN=w2k-test, E=s.simone at consulenti.kataweb.it'
Mar 26 16:44:33 luciphero pluto[9223]: "roadwarrior-l2tp"[2] 10.10.10.214 #1: deleting connection "roadwarrior-l2tp" instance with peer 10.10.10.214 {isakmp=#0/ipsec=#0}
Mar 26 16:44:33 luciphero pluto[9223]: "roadwarrior-l2tp"[2] 10.10.10.214 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 26 16:44:33 luciphero pluto[9223]: | NAT-T: new mapping 10.10.10.214:500/4500)
Mar 26 16:44:33 luciphero pluto[9223]: "roadwarrior-l2tp"[2] 10.10.10.214:4500 #1: sent MR3, ISAKMP SA established
Mar 26 16:44:33 luciphero pluto[9223]: "roadwarrior-l2tp"[2] 10.10.10.214:4500 #2: NAT-Traversal: Transport mode disabled due to security concerns
Mar 26 16:44:34 luciphero pluto[9223]: "roadwarrior-l2tp"[2] 10.10.10.214:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2b6b8cf6 (perhaps this is a duplicated packet)
Mar 26 16:44:40 luciphero last message repeated 2 times
Mar 26 16:44:41 luciphero pluto[9223]: "roadwarrior-l2tp"[2] 10.10.10.214:4500 #1: received Delete SA payload: deleting ISAKMP State #1
Mar 26 16:44:41 luciphero pluto[9223]: "roadwarrior-l2tp"[2] 10.10.10.214:4500: deleting connection "roadwarrior-l2tp" instance with peer 10.10.10.214 {isakmp=#0/ipsec=#0}

This is my ipsec.conf:

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=all
    # plutodebug="control"
    nat_traversal=yes
    virtual_private=%v4:192.168.204.0/22

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=yes
    authby=rsasig
    left=192.168.45.30
    leftrsasigkey=%cert
    leftcert=luciphero.kataweb.it.pem
    rightrsasigkey=%cert
    pfs=no
    auto=add

conn roadwarrior-l2tp
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv

conn block
    auto=ignore

[...]

Any clue?
Bye,
sergio