[Openswan Users] Problems connecting to OpenSwan setup using x509 Certs

Daniel Bartlett dbartlett at pmsi-consulting.com
Thu Oct 14 15:56:35 CEST 2004


Hi there,
I have been battling for the last few days to get this to work.
 
If anyone could shed any light on this I'd be most grateful.
 
The errors I am receiving are:
 
Oct 14 14:47:25 fedora-1 pluto[8279]: packet from 192.168.42.29:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 14 14:47:25 fedora-1 pluto[8279]: packet from 192.168.42.29:500:
ignoring Vendor ID payload [FRAGMENTATION]
Oct 14 14:47:25 fedora-1 pluto[8279]: packet from 192.168.42.29:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 0
Oct 14 14:47:25 fedora-1 pluto[8279]: packet from 192.168.42.29:500:
ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Oct 14 14:47:25 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29
#1: responding to Main Mode from unknown peer 192.168.42.29
Oct 14 14:47:25 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29
#1: transition from state (null) to state STATE_MAIN_R1
Oct 14 14:47:25 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 14 14:47:25 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29
#1: Peer ID is ID_DER_ASN1_DN: 'C=GB, L=London, O=PMSI Ltd,
OU=PMSI-IT-DB, CN=PMSI0044, E=dbartlett at pmsi-consulting.com'
Oct 14 14:47:25 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29
#1: I am sending my cert
Oct 14 14:47:25 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 14 14:47:25 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29
#1: sent MR3, ISAKMP SA established
Oct 14 14:47:25 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29
#1: cannot respond to IPsec SA request because no connection is known
for 192.168.42.250[C=GB, L=London, O=PMSI Ltd, OU=PMSI-IT-VPN,
CN=vpn.pmsi-consulting.com]:17/1701...192.168.42.29[C=GB, L=London,
O=PMSI Ltd, OU=PMSI-IT-DB, CN=PMSI0044,
E=dbartlett at pmsi-consulting.com]:17/1701
Oct 14 14:47:25 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29
#1: sending encrypted notification INVALID_ID_INFORMATION to
192.168.42.29:500
Oct 14 14:47:27 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29
#1: Quick Mode I1 message is unacceptable because it uses a previously
used Message ID 0x4f9ce486 (perhaps this is a duplicated packet)
Oct 14 14:47:27 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29
#1: sending encrypted notification INVALID_MESSAGE_ID to
192.168.42.29:500
Oct 14 14:47:27 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29
#1: received Delete SA payload: deleting ISAKMP State #1
Oct 14 14:47:27 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29:
deleting connection "roadwarriorB" instance with peer 192.168.42.29
{isakmp=#0/ipsec=#0}
Oct 14 14:47:27 fedora-1 pluto[8279]: packet from 192.168.42.29:500:
received and ignored informational message

Here is my current ipsec.conf:
 
version 2.0
 
config setup
        interfaces="ipsec0=eth0 ipsec2=eth2"
        virtual_private=%v4:192.168.42.0/24
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=1
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        keyexchange=ike
        leftid="C=GB, L=London, O=PMSI Ltd, OU=PMSI-IT-VPN, CN=vpn.pmsi-consulting.com"
        leftcert=vpn.pmsi-consulting.com.pem
        leftsubnetwithin=192.168.42.0/24
        right=%any
        auto=add
        pfs=yes
        auth=esp
 
conn roadwarrior
        disablearrivalcheck=no
        rightsubnet=vhost:%no,%priv,%all
        left=%any
        forceencaps=yes
 
conn roadwarriorB
        disablearrivalcheck=no
        rightid="C=GB, L=London, O=PMSI Ltd, OU=PMSI-IT-DB, CN=PMSI0044, E=dbartlett at pmsi-consulting.com"
        right=%any
        left=192.168.42.250
        forceencaps=yes
        leftprotoport=0/0
        rightprotoport=0/0
 
I am testing the VPN from a Windows XP box. While I am testing it I am
actually sitting on the same subnet so I have enabled the eth2=ipsec2
and am using the roadwarriorB connection.
 
Kind regards,
Daniel.
 
PS. HELP - I'm beginning to pull my hair out!
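Added example (not part of the post above, and not Openswan code): a small Python triage script for exactly this kind of pluto log. It re-joins the wrapped "cannot respond to IPsec SA request because no connection is known for ..." line, pulls out the proto/port selectors the peer proposed on each end (17/1701 in the log above), and compares them with the leftprotoport/rightprotoport of every conn in the posted ipsec.conf (0/0 on roadwarriorB, unset on roadwarrior). The sample log and config strings are constructed from the post; the coverage rule used here (exact match, or proto/%any for the same protocol, with an unset value treated as 0/0) is a simplified assumption made for the example rather than a restatement of pluto's own matching code.

```python
import re
from collections import OrderedDict

# Constructed sample: the "cannot respond" line from the post, re-joined onto
# one line (the mail client wrapped it), plus one unrelated line to skip.
PLUTO_LOG = (
    'Oct 14 14:47:25 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29 '
    '#1: cannot respond to IPsec SA request because no connection is known '
    'for 192.168.42.250[C=GB, L=London, O=PMSI Ltd, OU=PMSI-IT-VPN, '
    'CN=vpn.pmsi-consulting.com]:17/1701...192.168.42.29[C=GB, L=London, '
    'O=PMSI Ltd, OU=PMSI-IT-DB, CN=PMSI0044, E=dbartlett at '
    'pmsi-consulting.com]:17/1701\n'
    'Oct 14 14:47:25 fedora-1 pluto[8279]: "roadwarriorB"[1] 192.168.42.29 '
    '#1: sending encrypted notification INVALID_ID_INFORMATION to '
    '192.168.42.29:500\n'
)

# Constructed sample: the conn-relevant part of the posted ipsec.conf.
IPSEC_CONF = """\
version 2.0

conn %default
        authby=rsasig
        right=%any

conn roadwarrior
        left=%any

conn roadwarriorB
        rightid="C=GB, L=London, O=PMSI Ltd, OU=PMSI-IT-DB, CN=PMSI0044, E=dbartlett at pmsi-consulting.com"
        left=192.168.42.250
        leftprotoport=0/0
        rightprotoport=0/0
"""

# left[leftid]:proto/port...right[rightid]:proto/port, as pluto prints it.
NO_CONN_RE = re.compile(
    r'no connection is known for '
    r'(?P<left>[^\[\s]+)\[(?P<leftid>[^\]]*)\]:(?P<lproto>\d+)/(?P<lport>\d+)'
    r'\.\.\.'
    r'(?P<right>[^\[\s]+)\[(?P<rightid>[^\]]*)\]:(?P<rproto>\d+)/(?P<rport>\d+)'
)


def parse_rejected_requests(log_text):
    """Return one dict per 'no connection is known for' line in the log."""
    out = []
    for line in log_text.splitlines():
        m = NO_CONN_RE.search(line)
        if m:
            d = m.groupdict()
            d['leftprotoport'] = f"{d['lproto']}/{d['lport']}"
            d['rightprotoport'] = f"{d['rproto']}/{d['rport']}"
            out.append(d)
    return out


def parse_ipsec_conf(text):
    """Minimal ipsec.conf parser: {conn_name: {key: value}}, with the
    'conn %default' values folded into every other conn."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if not line[0].isspace():            # section header line
            parts = line.split(None, 1)
            if parts[0] == 'conn' and len(parts) == 2:
                current = parts[1].strip()
                sections.setdefault(current, {})
            else:
                current = None               # 'version', 'config setup', ...
            continue
        if current is None or '=' not in line:
            continue
        key, value = line.strip().split('=', 1)
        sections[current][key.strip()] = value.strip().strip('"')
    defaults = sections.pop('%default', {})
    return {name: {**defaults, **vals} for name, vals in sections.items()}


def protoport_covers(configured, requested):
    """Assumed simplified rule: the configured proto/port covers the request
    when identical, or when it is proto/%any for the same protocol.
    An unset value is treated as 0/0."""
    configured = configured or '0/0'
    if configured == requested:
        return True
    cproto, cport = configured.split('/', 1)
    rproto, _ = requested.split('/', 1)
    return cproto == rproto and cport == '%any'


def find_mismatches(log_text, conf_text):
    """{conn_name: [(side, configured, requested), ...]} for every conn
    whose protoport does not cover a rejected request."""
    conns = parse_ipsec_conf(conf_text)
    report = {}
    for req in parse_rejected_requests(log_text):
        for name, conn in conns.items():
            for side in ('left', 'right'):
                cfg = conn.get(f'{side}protoport', '0/0')
                want = req[f'{side}protoport']
                if not protoport_covers(cfg, want):
                    report.setdefault(name, []).append((side, cfg, want))
    return report


if __name__ == '__main__':
    for name, problems in find_mismatches(PLUTO_LOG, IPSEC_CONF).items():
        for side, cfg, want in problems:
            print(f'conn {name}: {side}protoport={cfg} does not cover '
                  f'peer request {want}')
```

Run against the strings above it reports, for both roadwarrior and roadwarriorB, that a 0/0 protoport on each side does not cover the peer's 17/1701 request, which is the selector the log line shows the client asking for. Pointing the script at a real /var/log/secure and ipsec.conf only needs the two constants replaced by file reads.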