[Openswan Users] XAUTH client problem
nils toedtmann
openswan-users at nils.toedtmann.net
Mon Oct 4 18:43:05 CEST 2004
Hi,
I am trying to connect to a Cisco VPN using XAUTH. I get this:
[root at crusher etc]# ipsec whack --name unibi --xauthname ntoedtma --xauthpass XXXXXXXX --initiate
002 "unibi" #1: initiating Main Mode
104 "unibi" #1: STATE_MAIN_I1: initiate
003 "unibi" #1: ignoring Vendor ID payload [4048b7d56ebce885...]
002 "unibi" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "unibi" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "unibi" #1: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "unibi" #1: ignoring informational payload, type INVALID_COOKIE
[...]
So the Cisco ignores our first STATE_MAIN_I2 packet and rejects our second with
"INVALID_COOKIE". WTF?
vpnc works with this analogous setting (but does not know NAT-T, so I want Openswan).
Any hints? If needed, I may ask the admin of the peer (probably a Cisco VPN
3000 concentrator) about version numbers or configuration details.
/nils.
###############
Setup: FC2, kernel 2.6.8-1.521, openswan-2.1.4-7 from FC-devel,
/etc/ipsec.conf:
conn unibi
	left=%defaultroute
	leftid=@vpnuni
	leftxauthclient=yes
	right=vpn-gate-1.uni-bielefeld.de
	rightsubnet=129.70.0.0/16
	rightxauthserver=yes
	authby=secret
	auto=add
/etc/ipsec.secrets
@vpnuni 129.70.182.34 : PSK "XXXXXXXX"
I found nothing interesting in the pluto debug log (plutodebug="all").
Config seems to be ok:
Oct 4 16:48:18 crusher pluto[6266]: added connection description "unibi"
Oct 4 16:48:18 crusher pluto[6266]: | 172.30.30.10[@vpnuni,XC+S=C]---172.30.30.1...129.70.182.34[XS+S=C]===129.70.0.0/16
Oct 4 16:48:18 crusher pluto[6266]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS
If needed i can supply the complete pluto debug log.
--
there is no sig.
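The log above shows the responder answering the retransmitted MI2 with an INVALID_COOKIE notification. The following Python is an added example, not part of the original post and not Openswan or Cisco code: it decodes the fixed ISAKMP header (RFC 2408 section 3.1) and models the cookie bookkeeping a responder performs in phase 1 main mode, so that the difference between a message that opens a negotiation (zero responder cookie), one that continues a known negotiation, and one that carries a cookie pair the responder never issued (answered with INVALID-COOKIE, notify type 4) can be traced on constructed datagrams. All cookie values and the `Responder` class are assumptions made for this example; no real traffic is used.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Fixed 28-byte ISAKMP header, RFC 2408 section 3.1:
# initiator cookie (8), responder cookie (8), next payload (1), version (1),
# exchange type (1), flags (1), message ID (4), total length (4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_IDENTITY_PROTECTION = 2   # the exchange Openswan's log calls "Main Mode"
NOTIFY_INVALID_COOKIE = 4          # RFC 2408 section 3.14.1 notify message type
NEXT_PAYLOAD_SA = 1                # first payload of MI1
NEXT_PAYLOAD_KE = 4                # first payload of MI2
ZERO_COOKIE = b"\x00" * 8


@dataclass(frozen=True)
class IsakmpHeader:
    icookie: bytes
    rcookie: bytes
    next_payload: int
    major: int
    minor: int
    exchange: int
    flags: int
    message_id: int
    length: int


def parse_header(data: bytes) -> IsakmpHeader:
    """Decode the ISAKMP header and check the length field against the datagram."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the ISAKMP header")
    ic, rc, nxt, ver, xchg, flags, mid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"length field {length} != datagram length {len(data)}")
    return IsakmpHeader(ic, rc, nxt, ver >> 4, ver & 0x0F, xchg, flags, mid, length)


def build(icookie: bytes, rcookie: bytes, next_payload: int, body: bytes = b"") -> bytes:
    """Assemble a main-mode datagram: header (version 1.0, flags 0, msgid 0) + body."""
    hdr = ISAKMP_HDR.pack(icookie, rcookie, next_payload, 0x10,
                          EXCHANGE_IDENTITY_PROTECTION, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


class Responder:
    """Assumed model of a responder's cookie handling in phase 1 main mode.

    Rule modelled (RFC 2408 sections 3.1 and 5.1): the first message of a
    negotiation carries a zero responder cookie; every later message must carry
    the cookie pair of a negotiation this side created, otherwise the message
    is answered with an INVALID-COOKIE notification instead of being processed.
    """

    def __init__(self, cookie_source):
        self._next_cookie = cookie_source   # callable returning 8 fresh bytes
        self.negotiations: Dict[Tuple[bytes, bytes], str] = {}

    def handle(self, datagram: bytes) -> Tuple[Optional[int], Optional[bytes]]:
        """Return (notify type or None, responder cookie in effect or None)."""
        hdr = parse_header(datagram)
        if hdr.exchange != EXCHANGE_IDENTITY_PROTECTION:
            return None, None                  # other exchanges are not modelled here
        if hdr.icookie == ZERO_COOKIE:
            return NOTIFY_INVALID_COOKIE, None # initiator cookie must never be zero
        if hdr.rcookie == ZERO_COOKIE:
            # MI1: allocate our cookie and remember the pair (we would now send MR1)
            rc = self._next_cookie()
            self.negotiations[(hdr.icookie, rc)] = "MR1-sent"
            return None, rc
        key = (hdr.icookie, hdr.rcookie)
        if key not in self.negotiations:
            return NOTIFY_INVALID_COOKIE, None # MI2/MI3 with a pair we never issued
        self.negotiations[key] = "MI2-received"
        return None, hdr.rcookie


def walkthrough() -> Dict[str, object]:
    """Constructed exchange: a valid MI1/MI2 pair, then an MI2 with a stale cookie."""
    cookies = iter([b"\x11" * 8, b"\x22" * 8])       # constructed responder cookies
    resp = Responder(lambda: next(cookies))
    ic = b"\xa1\xb2\xc3\xd4\xe5\xf6\x07\x18"         # constructed initiator cookie
    notify_mi1, rc = resp.handle(build(ic, ZERO_COOKIE, NEXT_PAYLOAD_SA))
    notify_mi2, _ = resp.handle(build(ic, rc, NEXT_PAYLOAD_KE))
    stale = bytes.fromhex("deadbeefdeadbeef")        # cookie the responder never issued
    notify_stale, _ = resp.handle(build(ic, stale, NEXT_PAYLOAD_KE))
    return {"mi1": notify_mi1, "mi2": notify_mi2, "mi2_stale": notify_stale, "rcookie": rc}


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value!r}")
```

The practical reading for a log like the one above: an INVALID_COOKIE reply to MI2 means the responder could not map the cookie pair in that datagram to a negotiation it still holds, so the things worth comparing on both ends are the responder cookie carried in MR1 versus the one echoed in MI2, and whether the peer discarded its half-open state (for example after the first MI2 went unanswered) before the retransmission arrived.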