[Openswan Users] openswan - zyxel problem

Dominik Schmid dominik_schmid at gmx.ch
Thu Apr 21 22:08:40 CEST 2005


I have a little problem with my openswan-zyxel vpn connection.
Some tips would be great.

Thanks Dominik

Configuration
-------------

192.168.2.0/24===192.168.0.104[S=C]...192.168.0.187[S=C]===192.168.10.34/32
VPN-Subnet       VPN-Gateway          Zyxel-Router       Home-PC

The default route for the zyxel-router and the vpn-gateway is 192.168.0.1

ipsec.conf:

version 2.0
config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none
conn %default
        keyingtries=3
conn zywall
        left=192.168.0.104
        leftsubnet=192.168.2.0/24
        right=192.168.0.187
        rightsubnet=192.168.10.0/24
        auto=start
        pfs=yes
        authby=secret
conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore

ipsec.secrets:
192.168.0.104 192.168.0.187 : PSK  "xxxxxx"

Openswan-Init
-------------

Apr 21 22:07:53 gibraltar pluto[4254]: shutting down interface lo/lo ::1
Apr 21 22:07:53 gibraltar pluto[4254]: shutting down interface lo/lo 127.0.0.1
Apr 21 22:07:53 gibraltar pluto[4254]: shutting down interface eth0/eth0 192.168.0.104
Apr 21 22:07:53 gibraltar pluto[4254]: shutting down interface eth1/eth1 192.168.2.1
Apr 21 22:07:53 gibraltar pluto[4254]: shutting down interface eth1:1/eth1:1 192.168.2.5
Apr 21 22:07:55 gibraltar ipsec__plutorun: Starting Pluto subsystem...
Apr 21 22:07:55 gibraltar pluto[4584]: Starting Pluto (Openswan Version 2.1.3 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Apr 21 22:07:55 gibraltar pluto[4584]:   including NAT-Traversal patch (Version 0.6c)
Apr 21 22:07:55 gibraltar pluto[4584]: Using Linux 2.6 IPsec interface code
Apr 21 22:07:56 gibraltar pluto[4584]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 21 22:07:56 gibraltar pluto[4584]:   loaded cacert file 'cacert.pem' (1399 bytes)
Apr 21 22:07:56 gibraltar pluto[4584]: Changing to directory '/etc/ipsec.d/crls'
Apr 21 22:07:56 gibraltar pluto[4584]:   loaded crl file 'crl.pem' (556 bytes)
Apr 21 22:07:57 gibraltar pluto[4584]: listening for IKE messages
Apr 21 22:07:57 gibraltar pluto[4584]: adding interface eth1:1/eth1:1 192.168.2.5
Apr 21 22:07:57 gibraltar pluto[4584]: adding interface eth1:1/eth1:1 192.168.2.5:4500
Apr 21 22:07:57 gibraltar pluto[4584]: adding interface eth1/eth1 192.168.2.1
Apr 21 22:07:57 gibraltar pluto[4584]: adding interface eth1/eth1 192.168.2.1:4500
Apr 21 22:07:57 gibraltar pluto[4584]: adding interface eth0/eth0 192.168.0.104
Apr 21 22:07:57 gibraltar pluto[4584]: adding interface eth0/eth0 192.168.0.104:4500
Apr 21 22:07:57 gibraltar pluto[4584]: adding interface lo/lo 127.0.0.1
Apr 21 22:07:57 gibraltar pluto[4584]: adding interface lo/lo 127.0.0.1:4500
Apr 21 22:07:57 gibraltar pluto[4584]: loading secrets from "/etc/ipsec.secrets"


Connection
----------

Apr 21 23:02:41 gibraltar pluto[7739]: | ***parse ISAKMP Identification Payload (IPsec DOI):
Apr 21 23:02:41 gibraltar pluto[7739]: |    next payload type: ISAKMP_NEXT_NONE
Apr 21 23:02:41 gibraltar pluto[7739]: |    length: 16
Apr 21 23:02:41 gibraltar pluto[7739]: |    ID type: ID_IPV4_ADDR_SUBNET
Apr 21 23:02:41 gibraltar pluto[7739]: |    Protocol ID: 0
Apr 21 23:02:41 gibraltar pluto[7739]: |    port: 0
Apr 21 23:02:41 gibraltar pluto[7739]: | HASH(1) computed:
Apr 21 23:02:41 gibraltar pluto[7739]: |   ee 33 a1 27  55 11 35 89  e5 e9 a2 ed  ef c4 a5 4a
Apr 21 23:02:41 gibraltar pluto[7739]: |   5d 63 a7 2a
Apr 21 23:02:41 gibraltar pluto[7739]: | peer client is 192.168.10.34
Apr 21 23:02:41 gibraltar pluto[7739]: | peer client protocol/port is 0/0
Apr 21 23:02:41 gibraltar pluto[7739]: | our client is subnet 192.168.2.0/24
Apr 21 23:02:41 gibraltar pluto[7739]: | our client protocol/port is 0/0
Apr 21 23:02:41 gibraltar pluto[7739]: | find_client_connection starting with zywall
Apr 21 23:02:41 gibraltar pluto[7739]: |   looking for 192.168.2.0/24:0/0 -> 192.168.10.34/32:0/0
Apr 21 23:02:41 gibraltar pluto[7739]: |   concrete checking against sr#0 192.168.2.0/24 -> 192.168.10.0/24
Apr 21 23:02:41 gibraltar pluto[7739]: |   fc_try trying zywall:192.168.2.0/24:0/0 -> 192.168.10.34/32:0/0 vs zywall:192.168.2.0/24:0/0 -> 192.168.10.0/24:0/0
Apr 21 23:02:41 gibraltar pluto[7739]: |   fc_try concluding with none [0]
Apr 21 23:02:41 gibraltar pluto[7739]: |   fc_try zywall gives none
Apr 21 23:02:41 gibraltar pluto[7739]: |   checking hostpair 192.168.2.0/24 -> 192.168.10.0/24 is not found
Apr 21 23:02:41 gibraltar pluto[7739]: |   concluding with d = none
Apr 21 23:02:41 gibraltar pluto[7739]: "zywall" #3: cannot respond to IPsec SA request because no connection is known for 192.168.2.0/24===192.168.0.104[S=C]...192.168.0.187[S=C]===192.168.10.34/32
Apr 21 23:02:41 gibraltar pluto[7739]: | state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
Apr 21 23:02:41 gibraltar pluto[7739]: | next event EVENT_RETRANSMIT in 38 seconds for #2

Zyxel-Router
-------------

                     Menu 27.1.1 - IPSec Setup

   Index #= 1        Name= Rule_1
   Active= Yes       Keep Alive= No    Nat Traversal= Yes
   Local ID type= IP         Content= 0.0.0.0
   My IP Addr= 192.168.0.187
   Peer ID type= IP          Content= 0.0.0.0
   Secure Gateway Address= 192.168.0.104
   Protocol= 0       DNS Server= 192.168.2.4
   Local:  Addr Type= SINGLE
       Local IP Addr= 192.168.10.34
          Port Start= 0                End= N/A
   Remote: Addr Type= SUBNET
       IP Addr Start= 192.168.2.0      End/Subnet Mask= 255.255.255.0
          Port Start= 0                End= N/A
   Enable Replay Detection= Yes
   Key Management= IKE
   Edit Key Management Setup= No


                        Menu 27.1.1.1 - IKE Setup

  Phase 1
    Negotiation Mode= Main
    Pre-Shared Key= vpnadmin9200
    Encryption Algorithm= 3DES
    Authentication Algorithm= SHA1
    SA Life Time (Seconds)= 28800
    Key Group= DH2

  Phase 2
    Active Protocol= ESP
    Encryption Algorithm= 3DES
    Authentication Algorithm= SHA1
    SA Life Time (Seconds)= 28800
    Encapsulation= Tunnel
    Perfect Forward Secrecy (PFS)= DH2
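The pluto debug output in the post shows what the responder actually compares in Quick Mode: the Zyxel proposes its local selector as the single host 192.168.10.34/32 (Menu 27.1.1 has Local Addr Type= SINGLE), while the "zywall" conn in ipsec.conf is configured with rightsubnet=192.168.10.0/24, and fc_try concludes with "none" because the two are not identical. The following Python script is an added example, not code from the post or from Openswan: it parses constructed log lines modelled on the "looking for" and "concrete checking against" debug lines, re-applies the exact-equality rule on both selectors, and reports which side differs and whether the proposal is narrower, wider, or disjoint. The sample log text, the function names and the wording of the findings are all this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the pluto debug lines in the post above
# (syslog prefix shortened to the "| ..." debug text).
SAMPLE_LOG = """\
| find_client_connection starting with zywall
|   looking for 192.168.2.0/24:0/0 -> 192.168.10.34/32:0/0
|   concrete checking against sr#0 192.168.2.0/24 -> 192.168.10.0/24
|   fc_try concluding with none [0]
"""

# "looking for <our client>:<proto>/<port> -> <peer client>:<proto>/<port>"
LOOKING_RE = re.compile(r"looking for (\S+?):\d+/\d+ -> (\S+?):\d+/\d+")
# "concrete checking against sr#N <leftsubnet> -> <rightsubnet>"
CHECK_RE = re.compile(r"concrete checking against sr#\d+ (\S+) -> (\S+)")


def parse_client_request(log):
    """Extract the selectors the peer asked for and the ones configured.

    Returns (requested, configured); each is an (our_side, peer_side) pair of
    ipaddress.ip_network objects, or None if the log lacks that line.
    """
    requested = configured = None
    for line in log.splitlines():
        m = LOOKING_RE.search(line)
        if m:
            requested = tuple(ipaddress.ip_network(g) for g in m.groups())
        m = CHECK_RE.search(line)
        if m:
            configured = tuple(ipaddress.ip_network(g) for g in m.groups())
    return requested, configured


def explain_mismatch(requested, configured):
    """Compare selectors the way pluto's fc_try does: both sides must be equal.

    Returns a list of human-readable findings; an empty list means the
    proposal would have matched the configured connection.
    """
    findings = []
    for side, want, have in zip(("our side", "peer side"), requested, configured):
        if want == have:
            continue
        if want.subnet_of(have):
            rel = (f"{want} lies inside the configured {have}, but pluto (IKEv1) "
                   f"needs an exact match, not a narrower one")
        elif have.subnet_of(want):
            rel = f"{want} is wider than the configured {have}"
        else:
            rel = f"{want} and the configured {have} do not overlap"
        findings.append(f"{side}: peer proposed {rel}")
    return findings


if __name__ == "__main__":
    requested, configured = parse_client_request(SAMPLE_LOG)
    for finding in explain_mismatch(requested, configured):
        print(finding)
```

Run against the sample it reports a single finding on the peer side (192.168.10.34/32 inside 192.168.10.0/24, no exact match). Whichever end is changed, the point the script makes is that both gateways must agree on the same pair of selectors, host/32 on both or /24 on both, before Quick Mode can succeed.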


