[Openswan Users] aggressive mode to Cisco 3000

Harald Hoyer harald at redhat.com
Fri Apr 22 13:58:45 CEST 2005


Ken Bantoft wrote:

>On Tue, 2004-12-14 at 00:30 +0000, David Edmondson wrote:
>  
>
>>Using "ipsec whack --name vpngw --initiate" to start the connection, I
>>first had a problem with the failure:
>>
>>003 "vpngw" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
>>    
>>
>
>Yes, we ran into this when the Cisco 3000 has NAT-Traversal support
>explicitly turned on.  The Cisco proposal changes to something else
>entirely.
>  
>
>>003 "vpngw" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
>>003 "vpngw" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
>>002 "vpngw" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '1.2.3.4'
>>003 "vpngw" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
>>....
>>    
>>
>
>I suspect the phase 2 proposals don't match, since the Cisco is
>proposing something odd (17/0) and we aren't doing that.
>
>Perhaps adding leftprotoport=17/0 and/or rightprotoport=17/0 might make
>it happier.
>
>Ken
>  
>
If NAT-T is turned on on the Cisco 3000, even nat_traversal=no does not 
work anymore.
With the attached patch, nat_traversal=no works again. Seems like the 
Cisco is using 17/0 before any NAT-T handshake, and the code checks if 
st->...nat_traversal is set.
For nat_traversal=yes and the patch applied, I get these error messages:

"rh-stuttgart" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
| sending reply packet to xxx.xxx.xxx.xxx:4500 (from port=4500)
| NAT-T: new mapping xxx.xxx.xxx.xxx:4500/500)
| processing connection rh-stuttgart
"rh-stuttgart" #2: ERROR: netlink response for Add SA esp.1f3f0759@192.168.10.1 included errno 22: Invalid argument
| processing connection rh-stuttgart
| NAT-T: updating local port to 500
| NAT-T connection has wrong interface definition 192.168.10.1:500 vs 192.168.10.1:4500
| NAT-T: using interface eth0:500

xxx.xxx.xxx.xxx is the Cisco 3000 and 192.168.10.1 my private local 
client IP.
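As an added illustration, not code from this thread or from Openswan: a small parser for the Phase 1 ISAKMP Identification payload that the quoted log lines complain about, with the protocol/port check in its strict form (0/0 or 17/500, as the error message states) and a tolerant form that also accepts the 17/0 the Cisco 3000 sends before any NAT-T exchange. The tolerant rule is an assumed workaround modelled on the thread, not the attached patch, and the payload bytes are constructed.

```python
import struct
import ipaddress

# ISAKMP Identification payload (RFC 2408 section 3.8, RFC 2407 section 4.6.2).
# Layout: next payload (1), reserved (1), length (2), ID type (1),
# protocol ID (1), port (2), identification data.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
PROTO_UDP = 17


def parse_id_payload(data: bytes) -> dict:
    """Parse a Phase 1 ID payload into type, protocol, port and identity."""
    if len(data) < 8:
        raise ValueError("ID payload shorter than its fixed 8-byte header")
    next_payload, _reserved, length = struct.unpack("!BBH", data[:4])
    id_type, proto, port = struct.unpack("!BBH", data[4:8])
    if length != len(data):
        raise ValueError(f"length field {length} != payload size {len(data)}")
    ident = data[8:]
    if id_type == ID_IPV4_ADDR:
        if len(ident) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        identity = str(ipaddress.IPv4Address(ident))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        identity = ident.decode("ascii")
    else:
        identity = ident.hex()
    return {"next_payload": next_payload, "id_type": id_type,
            "proto": proto, "port": port, "id": identity}


def phase1_protoport_ok(proto: int, port: int, tolerate_cisco: bool = False) -> bool:
    """Strict rule: only 0/0 or 17/500 are acceptable in a Phase 1 ID.

    tolerate_cisco additionally accepts 17/0, which the thread reports the
    Cisco 3000 sending before NAT-T is negotiated (assumed workaround).
    """
    if (proto, port) in ((0, 0), (PROTO_UDP, 500)):
        return True
    return tolerate_cisco and (proto, port) == (PROTO_UDP, 0)


# Constructed sample: ID_IPV4_ADDR 1.2.3.4 with protocol 17 and port 0,
# the combination that triggers the quoted error message.
SAMPLE_ID_PAYLOAD = (struct.pack("!BBHBBH", 0, 0, 12, ID_IPV4_ADDR, PROTO_UDP, 0)
                     + bytes([1, 2, 3, 4]))

if __name__ == "__main__":
    p = parse_id_payload(SAMPLE_ID_PAYLOAD)
    print(p, phase1_protoport_ok(p["proto"], p["port"]),
          phase1_protoport_ok(p["proto"], p["port"], tolerate_cisco=True))
```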
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openswan-2.3.1-cisco.patch
Type: text/x-patch
Size: 794 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20050422/8f408a17/openswan-2.3.1-cisco.bin

