[Openswan Users] XAUTH client problem

nils toedtmann openswan-users at nils.toedtmann.net
Mon Oct 4 18:43:05 CEST 2004


Hi,

I try to connect to a Cisco VPN using XAUTH. I get this:

  [root at crusher etc]# ipsec whack --name unibi --xauthname ntoedtma --xauthpass XXXXXXXX --initiate
  002 "unibi" #1: initiating Main Mode
  104 "unibi" #1: STATE_MAIN_I1: initiate
  003 "unibi" #1: ignoring Vendor ID payload [4048b7d56ebce885...]
  002 "unibi" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
  106 "unibi" #1: STATE_MAIN_I2: sent MI2, expecting MR2
  010 "unibi" #1: STATE_MAIN_I2: retransmission; will wait 20s for response
  003 "unibi" #1: ignoring informational payload, type INVALID_COOKIE
  [...]

So the Cisco ignores our first STATE_MAIN_I2 packet and rejects our second with
"INVALID_COOKIE". WTF?

vpnc works with this analogous setting (but does not know NAT-T, so I want openswan).

Any hints? If needed, I may ask the admin of the peer (probably a Cisco VPN
3000 concentrator) about version numbers or configuration details.

/nils.


###############

Setup: FC2, kernel 2.6.8-1.521, openswan-2.1.4-7 from FC-devel,
/etc/ipsec.conf:

  conn  unibi
        left=%defaultroute
        leftid=@vpnuni
        leftxauthclient=yes
        right=vpn-gate-1.uni-bielefeld.de
        rightsubnet=129.70.0.0/16
        rightxauthserver=yes
        authby=secret
        auto=add

/etc/ipsec.secrets

  @vpnuni 129.70.182.34 : PSK "XXXXXXXX"
  

I found nothing interesting in the pluto debug log (plutodebug="all").
Config seems to be OK:

  Oct  4 16:48:18 crusher pluto[6266]: added connection description "unibi"
  Oct  4 16:48:18 crusher pluto[6266]: | 172.30.30.10[@vpnuni,XC+S=C]---172.30.30.1...129.70.182.34[XS+S=C]===129.70.0.0/16
  Oct  4 16:48:18 crusher pluto[6266]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS

If needed, I can supply the complete pluto debug log.

-- 
there is no sig.
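A small diagnostic over the whack output quoted in the post, added here as an example that is not from the original message or from Openswan itself: it parses the pluto status lines, tracks the ISAKMP state per connection and state object, and flags a negotiation that stalls with retransmissions while the peer answers only with an informational notification. SAMPLE is a constructed copy of the lines shown in the post; the regular expressions assume pluto's `NNN "conn" #N: message` line format.

```python
import re
from collections import defaultdict

# Constructed sample: the whack output quoted in the post (Vendor ID truncated as in the post).
SAMPLE = """\
002 "unibi" #1: initiating Main Mode
104 "unibi" #1: STATE_MAIN_I1: initiate
003 "unibi" #1: ignoring Vendor ID payload [4048b7d56ebce885...]
002 "unibi" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "unibi" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "unibi" #1: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "unibi" #1: ignoring informational payload, type INVALID_COOKIE
"""

# Assumed pluto line layout: three-digit code, quoted connection name, "#<state object>", message.
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
STATE_PREFIX_RE = re.compile(r'^(STATE_\w+):')
NOTIFY_RE = re.compile(r'ignoring informational payload, type (\w+)')


def summarize(text):
    """Per (connection, state object): last known state, retransmission count, notifications seen."""
    summary = defaultdict(lambda: {"state": None, "retransmissions": 0, "notifications": []})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a pluto status line
        _code, conn, num, msg = m.groups()
        entry = summary[(conn, int(num))]
        if (t := TRANSITION_RE.search(msg)):
            entry["state"] = t.group(2)
        elif (p := STATE_PREFIX_RE.match(msg)):
            entry["state"] = p.group(1)
            if "retransmission" in msg:
                entry["retransmissions"] += 1
        if (n := NOTIFY_RE.search(msg)):
            entry["notifications"].append(n.group(1))
    return dict(summary)


def diagnose(text):
    """Report negotiations that retransmitted and got only an informational notification back."""
    findings = []
    for (conn, num), e in summarize(text).items():
        if e["retransmissions"] and e["notifications"]:
            findings.append(f'{conn} #{num}: stuck in {e["state"]} after {e["retransmissions"]} '
                            f'retransmission(s); peer sent {", ".join(e["notifications"])}')
    return findings
```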
