[Openswan Users] Problems connecting to office LAN

Torgeir Natvig togge at cklug.org
Thu Nov 25 09:32:20 CET 2004


I get that exact same error message.
Hope you find out anything useful to make it work :)

Cheers
Togge

On Wed, 2004-11-24 at 06:40 -0700, Cory S wrote:
> Thanks for the help. I'll get with my admins.
> 
> 
> On Tue, 23 Nov 2004 21:00:43 -0500, Ted Kaczmarek <tedkaz at optonline.net> wrote:
> > On Tue, 2004-11-23 at 11:19 -0700, Cory S wrote:
> > 
> > 
> > > Hi all,
> > >
> > > I've been working with this for weeks trying to get it to work but
> > > I've finally given up and decided to ask the experts. Here is my
> > > layout:
> > >
> > > home                 DSL modem/gateway                     Symantec firewall       work
> > > 192.168.1.2 -------- 192.168.1.1/xxx.xxx.xxx.xxx ====== xxx.xxx.xxx.xxx ----------- 192.168.169.149
> > >
> > > I can connect just fine from Windows with the Symantec client but I
> > > would like to connect with Linux using openswan (installed v. 2.2.0).
> > > And yes, I got my settings from Andreas' mail post.
> > >
> > > Here is the config from Symantec's client:
> > >
> > > Tunnel Summary
> > > Security gateway: xxx.xxx.xxx.xxx
> > > Tunnel name:
> > > IP address:          192.168.169.0
> > > Network Mask:      255.255.255.0
> > > Tunnel state:        Connected
> > > VPN policy:          Custom
> > >
> > > Tunnel Settings
> > > IPSec protocol:    ESP
> > > Data integrity:      MD5
> > > Data privacy:       DES
> > > Compression:       Any
> > > Encapsulation:     Tunnel
> > > Diffie-Hellman:      None
> > > Data volume limit: 2100000
> > > Lifetime timeout:    480
> > > Inactivity timeout:   0
> > >
> > > My ipsec.secrets
> > > @#ID_IN_HEX <firewall address> : PSK "SECRET_IN_DECIMAL"
> > >
> > > My ipsec.conf
> > >
> > > version 2.0     # conforms to second version of ipsec.conf specification
> > >
> > > # basic configuration
> > > config setup
> > >         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> > >         # klipsdebug=all
> > >         # plutodebug=dns
> > >         interfaces=%defaultroute
> > >         klipsdebug=all
> > >         plutodebug=all
> > >         nat_traversal=yes
> > >
> > > # Equis connection
> > > conn conn1
> > >         type=           tunnel
> > >         left=           192.168.1.2
> > >         leftsubnet=     192.168.1.0/0
> > >         leftnexthop=    192.168.1.1
> > >         leftid=@#637363686d696474
> > >         right=          204.246.137.26
> > >         rightsubnet=    192.168.169.0/0
> > >         keyexchange=    ike
> > >         authby=         secret
> > >         auth=           esp
> > >         auto=           add
> > >
> > > #Disable Opportunistic Encryption
> > > include /etc/ipsec.d/examples/no_oe.conf
> > >
> > > I start things up with the following commands:
> > > ipsec pluto
> > > ipsec auto --add conn1
> > > ipsec auto --ready
> > > ipsec auto --up conn1
> > >
> > > And get this in auth.log:
> > >
> > > Nov 22 18:42:37 kashmir pluto[2939]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
> > > Nov 22 18:42:37 kashmir pluto[2939]:   including NAT-Traversal patch (Version 0.6c) [disabled]
> > > Nov 22 18:42:37 kashmir pluto[2939]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> > > Nov 22 18:42:37 kashmir pluto[2939]: Using Linux 2.6 IPsec interface code
> > > Nov 22 18:42:37 kashmir pluto[2939]: Changing to directory '/etc/ipsec.d/cacerts'
> > > Nov 22 18:42:37 kashmir pluto[2939]: Could not change to directory '/etc/ipsec.d/aacerts'
> > > Nov 22 18:42:37 kashmir pluto[2939]: Changing to directory '/etc/ipsec.d/ocspcerts'
> > > Nov 22 18:42:37 kashmir pluto[2939]: Changing to directory '/etc/ipsec.d/crls'
> > > Nov 22 18:42:37 kashmir pluto[2939]:   Warning: empty directory
> > > Nov 22 18:42:50 kashmir pluto[2939]: added connection description "conn1"
> > > Nov 22 18:42:58 kashmir pluto[2939]: listening for IKE messages
> > > Nov 22 18:42:58 kashmir pluto[2939]: adding interface lo/lo 127.0.0.1
> > > Nov 22 18:42:58 kashmir pluto[2939]: adding interface eth0/eth0 192.168.1.2
> > > Nov 22 18:42:58 kashmir pluto[2939]: adding interface lo/lo ::1
> > > Nov 22 18:42:58 kashmir pluto[2939]: loading secrets from "/etc/ipsec.secrets"
> > > Nov 22 18:43:04 kashmir pluto[2939]: "conn1" #1: initiating Main Mode
> > > Nov 22 18:43:04 kashmir pluto[2939]: packet from xxx.xxx.xxx.xxx:500: ignoring informational payload, type PAYLOAD_MALFORMED
> > > Nov 22 18:43:04 kashmir pluto[2939]: packet from xxx.xxx.xxx.xxx:500: received and ignored informational message
> > >
> > > Can anyone help?
> > >
> > > Thanks!
> > 
> > Openswan does not support single DES, as it should. Make sure the
> > Symantec is doing 3DES.
> > 
> > If you do a tcpdump do you see it getting to phase 2?
> > 
> > I don't see any policy in your symantec config to correlate to
> > your Openswan as well. How does the symantec know to match
> > 192.168.1.0/24?
> > 
> > Have never defined leftid, does the Symantec require that?
> > 
> > What do the logs on the symantec tell you?
> > 
> > What does ipsec barf on the openswan tell you?
> > 
> > I would ask the Symantec admin to set you up with policies to match your
> > proposals.
> > 
> > Good Luck,
> > 
> > Ted
> > 
> >
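For the proposal mismatch Ted points at above, here is an added example (not the config of anyone in this thread) of the same conn block with the phase 1 and phase 2 proposals and both subnets spelled out explicitly, so that what Openswan offers can be compared line by line with the Symantec policy. The gateway address is a documentation placeholder, and the 3DES/MD5 and group 2 choice assumes the Symantec side is changed from single DES to 3DES as Ted suggests.

```conf
# Added example, not the original poster's ipsec.conf.
# Right side of the tunnel: 203.0.113.1 is an RFC 5737 placeholder for the gateway.
conn office
        type=tunnel
        left=192.168.1.2
        leftsubnet=192.168.1.0/24        # the original used /24 on the Symantec side; /0 would mean "every address"
        leftnexthop=192.168.1.1
        leftid=@#637363686d696474        # hex ID exactly as in the original post
        right=203.0.113.1                # placeholder for the Symantec firewall's public address
        rightsubnet=192.168.169.0/24     # the "IP address / Network Mask" pair from the Symantec tunnel summary
        keyexchange=ike
        authby=secret
        # Explicit proposals: Openswan will not negotiate single DES, so the
        # gateway policy must be set to 3DES (assumption: MD5 integrity and
        # DH group 2 are accepted for phase 1).
        ike=3des-md5-modp1024
        esp=3des-md5                     # Symantec "Data privacy: DES" must become 3DES, "Data integrity: MD5"
        pfs=no                           # Symantec "Diffie-Hellman: None" on the tunnel means no PFS in phase 2
        keylife=8h                       # assumption: Symantec "Lifetime timeout: 480" is in minutes
        auto=add
```

The log in the original post shows the NAT-Traversal patch as "[disabled]" even though nat_traversal=yes is set, so after the proposals match it is worth checking that the build actually has NAT-T enabled, since the client sits behind the DSL gateway's NAT.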


