[Openswan Users] Almost connected from WinXP...
José Julio Hernández Fernández
jhernandez at sgi.es
Fri May 28 17:20:59 CEST 2004
Hi all,
Thanks to Paul Wouters and Ken Bantoft, I'm running Openswan 2.1.2 on SuSE
9.0 (kernel 2.6.6):
-----------
May 28 15:51:34 localhost pluto[14320]: Starting Pluto (Openswan Version
2.1.2 X.509-1.4.8 PLUTO_USES_KEYRR)
May 28 15:51:34 localhost pluto[14320]: including NAT-Traversal patch
(Version 0.6c)
May 28 15:51:34 localhost pluto[14320]: Using Linux 2.6 IPsec interface
code
May 28 15:51:34 localhost ipsec_setup: ...Openswan IPsec started
-----------
With NAT-T 0.6c I no longer get the "unsupported ID type ID_FQDN" error
when trying to connect from the Windows XP VPN client. But now I've got
this:
-----------
May 28 15:52:23 localhost pluto[14320]: packet from a.b.c.d:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 28 15:52:23 localhost pluto[14320]: packet from a.b.c.d:500:
ignoring Vendor ID payload [FRAGMENTATION]
May 28 15:52:23 localhost pluto[14320]: packet from a.b.c.d:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 28 15:52:23 localhost pluto[14320]: packet from a.b.c.d:500:
ignoring Vendor ID payload [26244d38eddb61b3...]
May 28 15:52:23 localhost pluto[14320]: "test"[1] a.b.c.d #1: responding
to Main Mode from unknown peer a.b.c.d
May 28 15:52:23 localhost pluto[14320]: "test"[1] a.b.c.d #1: only
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute
OAKLEY_GROUP_DESCRIPTION
May 28 15:52:23 localhost pluto[14320]: "test"[1] a.b.c.d #1: transition
from state (null) to state STATE_MAIN_R1
May 28 15:52:24 localhost pluto[14320]: "test"[1] a.b.c.d #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed
May 28 15:52:24 localhost pluto[14320]: "test"[1] a.b.c.d #1: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 28 15:52:24 localhost pluto[14320]: "test"[1] a.b.c.d #1: Peer ID is
ID_DER_ASN1_DN: 'C=US, ST=xxx, L=xxx, O=yyy, OU=yyy, CN=test04 at none.com,
E=test04 at none.com'
May 28 15:52:24 localhost pluto[14320]: "test"[1] a.b.c.d #1: issuer crl
not found
May 28 15:52:24 localhost pluto[14320]: "test"[1] a.b.c.d #1: issuer crl
not found
May 28 15:52:24 localhost pluto[14320]: "test4"[1] a.b.c.d #1: deleting
connection "test" instance with peer a.b.c.d {isakmp=#0/ipsec=#0}
May 28 15:52:24 localhost pluto[14320]: "test4"[1] a.b.c.d #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 28 15:52:24 localhost pluto[14320]: | NAT-T: new mapping
a.b.c.d:500/45017)
May 28 15:52:24 localhost pluto[14320]: "test4"[1] a.b.c.d:45017 #1:
sent MR3, ISAKMP SA established
May 28 15:52:24 localhost pluto[14320]: "test4"[1] a.b.c.d:45017 #1:
received Delete SA payload: deleting ISAKMP State #1
May 28 15:52:24 localhost pluto[14320]: "test4"[1] a.b.c.d:45017:
deleting connection "test4" instance with peer a.b.c.d
{isakmp=#0/ipsec=#0}
-----------
...and on the Windows side I got "error 800" with no connection, and pluto
makes no attempt to raise "test4_NAT". Any ideas what I'm doing
wrong?
Here's my ipsec.conf:
-----------
version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    keyingtries=1
    disablearrivalcheck=no
    authby=rsasig
    auth=esp
    keyexchange=ike
    ikelifetime=240m
    keylife=20m
    rekey=yes
    pfs=yes
    compress=no
    right=%any
    rightrsasigkey=%cert
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=pulpo.pem
    auto=add

conn block
    auto=ignore

conn clear
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn packetdefault
    auto=ignore

#conn OEself
#    auto=ignore

conn test4
    type=tunnel
    rightid="C=US, ST=xxx, L=xxx, O=yyy, OU=yyy, CN=test04 at none.com, E=test04 at none.com"
    leftsubnet=192.168.50.0/24

conn test4_NAT
    type=tunnel
    rightid="C=US, ST=xxx, L=xxx, O=yyy, OU=yyy, CN=test04 at none.com, E=test04 at none.com"
    rightsubnet=vnet:%priv
    leftsubnet=192.168.50.0/24
-----------
Thanks in advance, JJ.