[Openswan Users] OpenSwan with SafeNet/SoftRemote LT

O-Zone liste at zerozone.it
Tue May 25 16:04:06 CEST 2004


Hi all,
I'm looking to create a VPN between a SoftRemote LT roadwarrior and an intranet 
with OpenSwan 1.0.4.

Here's the net topology:

[10.0.q.x/16]--+
			[10.0.0.1-217.222.f.s]----{Internet}----[151.8.y.t-10.0.0.1]--[10.0.0.150]
[10.0.q.y/16]--+

I'm the 10.0.0.150 with SoftRemote LT installed. Both VPNs support NAT-T, 
but I'm unable to connect. With SSH Sentinel everything works well.

Here's the config of 217.222.f.s:
[/etc/ipsec.conf]
config setup
          interfaces="ipsec0=eth0"
          klipsdebug=none
          plutodebug=control
          plutoload=%search
          plutostart=%search
          nat_traversal=yes
          uniqueids=yes

conn %default
          keyingtries=0
          disablearrivalcheck=yes

conn roadwarrior
          ikelifetime=3h
          keylife=1h
          leftsubnet=0.0.0.0/0
          leftupdown=/usr/local/lib/ipsec/_updown.x509
          left=217.222.f.s
          leftnexthop=217's router
          right=%any
          rightsubnetwithin=10.1.0.0/24
          esp=aes128,3des
          auth=esp
          dpddelay=30
          dpdtimeout=160
          dpdaction=clear
          authby=secret
          auto=add

...and this is the log when I try to connect:

May 25 15:34:45 linproxy pluto[11245]: | _natd_hash: ip=  c0 a8 01 03
May 25 15:34:45 linproxy pluto[11245]: | _natd_hash: port=62465
May 25 15:34:45 linproxy pluto[11245]: | _natd_hash: hash=  b9 d8 fb 52  8f cd 41 46  c8 38 dd c7  d7 74 91 9f
May 25 15:34:45 linproxy pluto[11245]: | NAT_TRAVERSAL_NAT_BHND_ME
May 25 15:34:45 linproxy pluto[11245]: | expected NAT-D:  b9 d8 fb 52  8f cd 41 46  c8 38 dd c7  d7 74 91 9f
May 25 15:34:45 linproxy pluto[11245]: | received NAT-D:  61 3d 6e 99  e7 b0 cc 0e  24 6e 71 2e  71 85 81 03
May 25 15:34:45 linproxy pluto[11245]: | _natd_hash: hasher=0x80d6fa0(16)
May 25 15:34:45 linproxy pluto[11245]: | _natd_hash: icookie=
May 25 15:34:45 linproxy pluto[11245]: |   04 e2 2e ee  f8 af f0 7f
May 25 15:34:45 linproxy pluto[11245]: | _natd_hash: rcookie=
May 25 15:34:45 linproxy pluto[11245]: |   48 d6 89 03  9f 02 4e 3e
May 25 15:34:45 linproxy pluto[11245]: | _natd_hash: ip=  97 08 2f 52
May 25 15:34:45 linproxy pluto[11245]: | _natd_hash: port=3840
May 25 15:34:45 linproxy pluto[11245]: | _natd_hash: hash=  5d a7 92 a4  a9 b8 ff 8a  5c b2 9e 54  a7 fd 72 36
May 25 15:34:45 linproxy pluto[11245]: | NAT_TRAVERSAL_NAT_BHND_PEER
....
May 25 15:34:46 linproxy pluto[11245]: | ***emit ISAKMP NAT-D Payload:
May 25 15:34:46 linproxy pluto[11245]: |    next payload type: ISAKMP_NEXT_NAT-D
May 25 15:34:46 linproxy pluto[11245]: | emitting 16 raw bytes of NAT-D into ISAKMP NAT-D Payload
May 25 15:34:46 linproxy pluto[11245]: | NAT-D  5d a7 92 a4  a9 b8 ff 8a  5c b2 9e 54  a7 fd 72 36
May 25 15:34:46 linproxy pluto[11245]: | emitting length of ISAKMP NAT-D Payload: 20
May 25 15:34:46 linproxy pluto[11245]: | _natd_hash: hasher=0x80d6fa0(16)
May 25 15:34:46 linproxy pluto[11245]: | _natd_hash: icookie=
May 25 15:34:46 linproxy pluto[11245]: |   04 e2 2e ee  f8 af f0 7f
May 25 15:34:46 linproxy pluto[11245]: | _natd_hash: rcookie=
May 25 15:34:46 linproxy pluto[11245]: |   48 d6 89 03  9f 02 4e 3e
May 25 15:34:46 linproxy pluto[11245]: | _natd_hash: ip=  c0 a8 01 03
May 25 15:34:46 linproxy pluto[11245]: | _natd_hash: port=62465
May 25 15:34:46 linproxy pluto[11245]: | _natd_hash: hash=  b9 d8 fb 52  8f cd 41 46  c8 38 dd c7  d7 74 91 9f
May 25 15:34:46 linproxy pluto[11245]: | ***emit ISAKMP NAT-D Payload:
May 25 15:34:46 linproxy pluto[11245]: |    next payload type: ISAKMP_NEXT_NONE
May 25 15:34:46 linproxy pluto[11245]: | emitting 16 raw bytes of NAT-D into ISAKMP NAT-D Payload
May 25 15:34:46 linproxy pluto[11245]: | NAT-D  b9 d8 fb 52  8f cd 41 46  c8 38 dd c7  d7 74 91 9f
May 25 15:34:46 linproxy pluto[11245]: | emitting length of ISAKMP NAT-D Payload: 20
May 25 15:34:46 linproxy pluto[11245]: | emitting length of ISAKMP Message: 220
May 25 15:34:47 linproxy pluto[11245]: | compute_dh_shared(): time elapsed (OAKLEY_GROUP_MODP1024): 18299 usec
....
...and the connection dies. In the SafeNet logs there is:
 5-25: 14:57:10.033  
 5-25: 14:57:10.314 My Connections\IMER - Initiating IKE Phase 1 (IP ADDR=217.222.94.98)
 5-25: 14:57:10.324 My Connections\IMER - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 5-25: 14:57:13.859 My Connections\IMER - RECEIVED<<< ISAKMP OAK MM (SA, VID 2x)
 5-25: 14:57:15.631 My Connections\IMER - Peer is NAT-T draft-02 capable
 5-25: 14:57:15.812 My Connections\IMER - SENDING>>>> ISAKMP OAK MM (KE, NON, NAT-D 2x, VID 3x)
 5-25: 14:57:20.378 My Connections\IMER - RECEIVED<<< ISAKMP OAK MM (KE, NON, NAT-D 2x)
 5-25: 14:57:20.378 My Connections\IMER - NAT is detected for Client and Peer
 5-25: 14:57:20.378 My Connections\IMER - Floating to IKE non-500 port
 5-25: 14:57:21.079 My Connections\IMER - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
 5-25: 14:57:30.963 My Connections\IMER - RECEIVED<<< ISAKMP OAK MM (Retransmission)
 5-25: 14:57:30.963 My Connections\IMER - SENDING>>>> ISAKMP OAK MM *(Retransmission)
 5-25: 14:57:36.101 My Connections\IMER - message not received! Retransmitting!
 5-25: 14:57:36.101 My Connections\IMER - SENDING>>>> ISAKMP OAK MM *(Retransmission)
 5-25: 14:57:51.122 My Connections\IMER - message not received! Retransmitting!
 5-25: 14:57:51.122 My Connections\IMER - SENDING>>>> ISAKMP OAK MM *(Retransmission)
 5-25: 14:57:51.122 My Connections\IMER - RECEIVED<<< ISAKMP OAK MM (Retransmission)
 5-25: 14:57:51.122 My Connections\IMER - SENDING>>>> ISAKMP OAK MM *(Retransmission)
 5-25: 14:58:06.184 My Connections\IMER - message not received! Retransmitting!
 5-25: 14:58:06.184 My Connections\IMER - SENDING>>>> ISAKMP OAK MM *(Retransmission)
 5-25: 14:58:21.206 My Connections\IMER - message not received! Retransmitting!
 5-25: 14:58:21.206 My Connections\IMER - SENDING>>>> ISAKMP OAK MM *(Retransmission)
 5-25: 14:58:36.227 My Connections\IMER - message not received! Retransmitting!
 5-25: 14:58:36.227 My Connections\IMER - SENDING>>>> ISAKMP OAK MM *(Retransmission)
 5-25: 14:58:51.259 My Connections\IMER - message not received! Retransmitting!
 5-25: 14:58:51.259 My Connections\IMER - SENDING>>>> ISAKMP OAK MM *(Retransmission)
 5-25: 14:59:06.280 My Connections\IMER - message not received! Retransmitting!
 5-25: 14:59:06.280 My Connections\IMER - SENDING>>>> ISAKMP OAK MM *(Retransmission)
 5-25: 14:59:21.302 My Connections\IMER - message not received! Retransmitting!
 5-25: 14:59:21.302 My Connections\IMER - SENDING>>>> ISAKMP OAK MM *(Retransmission)

Does anyone have an idea what is happening?

Oz
- -- 
Abstract:
	This study examined the incidence of neckwear tightness among a group
of 94 white-collar working men and the effect of a tight business-shirt collar
and tie on the visual performance of 22 male subjects.  Of the white-collar
men measured, 67% were found to be wearing neckwear that was tighter than
their neck circumference.  The visual discrimination of the 22 subjects was
evaluated using a critical flicker frequency (CFF) test.  Results of the CFF
test indicated that tight neckwear significantly decreased the visual
performance of the subjects and that visual performance did not improve
immediately when tight neckwear was removed.
		-- Langan, L.M. and Watkins, S.M. "Pressure of Menswear on the
		   Neck in Relation to Visual Performance."  Human Factors 29,
		   #1 (Feb. 1987), pp. 67-71.
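
The `_natd_hash` / `expected NAT-D` / `received NAT-D` lines in the pluto log are the NAT-T detection step: each NAT-D payload is HASH(CKY-I | CKY-R | IP | Port), and a mismatch against the locally computed value is what produces `NAT_TRAVERSAL_NAT_BHND_ME` and `NAT_TRAVERSAL_NAT_BHND_PEER`. The following is an added example, not part of the original post and not Openswan's code. It uses the cookies from the log; the IP addresses are constructed, and MD5 is assumed from the 16-byte hasher size shown in the log.

```python
import hashlib
import ipaddress

# Cookies as printed in the pluto log above.
ICOOKIE = bytes.fromhex("04e22eeef8aff07f")
RCOOKIE = bytes.fromhex("48d689039f024e3e")

def natd_hash(ip, port, algo="md5"):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), port big-endian."""
    data = ICOOKIE + RCOOKIE + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.new(algo, data).digest()

def emit_natd(dst, src):
    """Sender side: first payload covers the remote end, second its own address."""
    return [natd_hash(*dst), natd_hash(*src)]

def check_natd(received, my_addr, peer_seen):
    """Receiver side: recompute both hashes from what it sees on the wire."""
    return {
        "nat_behind_me": received[0] != natd_hash(*my_addr),
        "nat_behind_peer": natd_hash(*peer_seen) not in received[1:],
    }

def demo():
    # Constructed addresses (RFC 5737 ranges stand in for the public IPs).
    client_private = ("10.0.0.150", 500)
    client_natted = ("198.51.100.7", 3840)   # source as rewritten by the client's NAT
    client_direct = ("198.51.100.7", 500)    # same client with no NAT in the path
    gw_private = ("192.168.1.3", 500)
    gw_public = ("203.0.113.9", 500)         # address the client dials

    # Gateway's view when both ends sit behind NAT (the situation in the logs).
    natted = check_natd(emit_natd(gw_public, client_private), gw_private, client_natted)
    # Control case: both ends on public addresses, nothing rewritten in transit.
    direct = check_natd(emit_natd(gw_public, client_direct), gw_public, client_direct)
    return natted, direct

if __name__ == "__main__":
    for label, result in zip(("both NATed", "no NAT"), demo()):
        print(label, result)
```

When both flags are set, as in the SafeNet line "NAT is detected for Client and Peer", the remaining Main Mode messages move to the floated port, so both NAT devices must forward that UDP port as well as port 500.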