[Openswan Users] Connectivity problem...
Yiannis Mavroukakis
yiannis at jaguarfreight.com
Wed Aug 31 10:21:14 CEST 2005
Tested again last night, here is the log
======
Aug 30 12:08:55 firewall ipsec__plutorun: Starting Pluto subsystem...
Aug 30 12:08:55 firewall pluto[4323]: Starting Pluto (Openswan Version
2.4.0rc1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID
OEEF^^MBhKKT)
Aug 30 12:08:55 firewall pluto[4323]: Setting NAT-Traversal port-4500
floating to on
Aug 30 12:08:55 firewall pluto[4323]: port floating activation
criteria nat_t=1/port_fload=1
Aug 30 12:08:55 firewall pluto[4323]: including NAT-Traversal patch
(Version 0.6c)
Aug 30 12:08:55 firewall pluto[4323]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Aug 30 12:08:55 firewall pluto[4323]: starting up 1 cryptographic
helpers
Aug 30 12:08:55 firewall pluto[4323]: started helper pid=4337 (fd:6)
Aug 30 12:08:55 firewall pluto[4323]: Using Linux 2.6 IPsec interface
code on 2.6.11-mm4
Aug 30 12:08:55 firewall pluto[4323]: Changing to directory
'/etc/ipsec.d/cacerts'
Aug 30 12:08:55 firewall pluto[4323]: loaded CA cert file 'cacert.pem'
(1367 bytes)
Aug 30 12:08:55 firewall pluto[4323]: Changing to directory
'/etc/ipsec.d/aacerts'
Aug 30 12:08:55 firewall pluto[4323]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Aug 30 12:08:55 firewall pluto[4323]: Changing to directory
'/etc/ipsec.d/crls'
Aug 30 12:08:55 firewall pluto[4323]: loaded crl file 'crl.pem' (536
bytes)
Aug 30 12:08:56 firewall pluto[4323]: loaded host cert file
'/etc/ipsec.d/certs/chandra.pem' (3760 bytes)
Aug 30 12:08:56 firewall pluto[4323]: added connection description
"roadwarrior-l2tp"
Aug 30 12:08:56 firewall pluto[4323]: loaded host cert file
'/etc/ipsec.d/certs/chandra.pem' (3760 bytes)
Aug 30 12:08:56 firewall pluto[4323]: added connection description
"roadwarrior"
Aug 30 12:08:57 firewall pluto[4323]: loaded host cert file
'/etc/ipsec.d/certs/chandra.pem' (3760 bytes)
Aug 30 12:08:57 firewall pluto[4323]: added connection description
"roadwarrior-l2tp-updatedwin"
Aug 30 12:08:57 firewall pluto[4323]: listening for IKE messages
Aug 30 12:08:57 firewall pluto[4323]: adding interface lo/lo
127.0.0.1:500
Aug 30 12:08:57 firewall pluto[4323]: adding interface lo/lo
127.0.0.1:4500
Aug 30 12:08:57 firewall pluto[4323]: adding interface eth1/eth1
192.168.5.1:500
Aug 30 12:08:57 firewall pluto[4323]: adding interface eth1/eth1
192.168.5.1:4500
Aug 30 12:08:57 firewall pluto[4323]: adding interface eth0:0/eth0:0
217.x.x.82:500
Aug 30 12:08:57 firewall pluto[4323]: adding interface eth0:0/eth0:0
217.x.x.82:4500
Aug 30 12:08:57 firewall pluto[4323]: adding interface eth0/eth0
217.x.x.83:500
Aug 30 12:08:57 firewall pluto[4323]: adding interface eth0/eth0
217.x.x.83:4500
Aug 30 12:08:57 firewall pluto[4323]: loading secrets from
"/etc/ipsec.secrets"
Aug 30 12:08:57 firewall pluto[4323]: loaded private key file
'/etc/ipsec.d/private/chandra.key' (1655 bytes)
Aug 30 12:15:03 firewall in.comsat[4460]: connect from 127.0.0.1
(127.0.0.1)
Aug 31 00:27:45 firewall pluto[4323]: packet from 83.x.x.241:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 31 00:27:45 firewall pluto[4323]: packet from 83.x.x.241:500:
ignoring Vendor ID payload [FRAGMENTATION]
Aug 31 00:27:45 firewall pluto[4323]: packet from 83.x.x.241:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Aug 31 00:27:45 firewall pluto[4323]: packet from 83.x.x.241:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 31 00:27:45 firewall pluto[4323]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: responding to Main Mode from unknown peer 83.x.x.241
Aug 31 00:27:45 firewall pluto[4323]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 31 00:27:45 firewall pluto[4323]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 31 00:27:45 firewall pluto[4323]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer
is NATed
Aug 31 00:27:45 firewall pluto[4323]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 31 00:27:45 firewall pluto[4323]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: Main mode peer ID is ID_DER_ASN1_DN: 'C=UK, ST=London, L=London,
O=My Company, CN=Dummy User, E=dummy at jaguarfreight.com'
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: crl update for "C=UK, ST=London, L=London, O=My Company, OU=IT,
CN=Jaguar Freight, E=administrator at jaguarfreight.com" is overdue since
Aug 04 12:34:52 UTC 2005
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#1: deleting connection "roadwarrior-l2tp" instance with peer 83.x.x.241
{isakmp=#0/ipsec=#0}
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#1: I am sending my cert
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 31 00:27:46 firewall pluto[4323]: | NAT-T: new mapping
83.x.x.241:500/4500)
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 31 00:27:46 firewall pluto[4323]: ERROR: "roadwarrior-l2tp"[2]
83.x.x.241 #2: netlink write() of XFRM_MSG_ALLOCSPI message for Get SPI
esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: responding to Quick Mode {msgid:f0a2e0ac}
Aug 31 00:27:46 firewall pluto[4323]: ERROR: "roadwarrior-l2tp"[2]
83.x.x.241 #2: netlink write() of XFRM_MSG_UPDSA message for Add SA
esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: next payload type of ISAKMP Hash Payload has an unknown value: 137
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: malformed payload in packet
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 31 00:27:48 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: next payload type of ISAKMP Hash Payload has an unknown value: 137
Aug 31 00:27:48 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: malformed payload in packet
Aug 31 00:27:48 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 31 00:27:52 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: next payload type of ISAKMP Hash Payload has an unknown value: 137
Aug 31 00:27:52 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: malformed payload in packet
Aug 31 00:27:52 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 31 00:28:00 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: next payload type of ISAKMP Hash Payload has an unknown value: 137
Aug 31 00:28:00 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: malformed payload in packet
Aug 31 00:28:00 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 31 00:28:03 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#1: received Delete SA payload: deleting ISAKMP State #1
Aug 31 00:28:03 firewall pluto[4323]: packet from 83.x.x.241:4500:
received and ignored informational message
Aug 31 00:28:29 firewall pluto[4323]: packet from 83.x.x.241:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 31 00:28:29 firewall pluto[4323]: packet from 83.x.x.241:500:
ignoring Vendor ID payload [FRAGMENTATION]
Aug 31 00:28:29 firewall pluto[4323]: packet from 83.x.x.241:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Aug 31 00:28:29 firewall pluto[4323]: packet from 83.x.x.241:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 31 00:28:29 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: responding to Main Mode from unknown peer 83.x.x.241
Aug 31 00:28:29 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 31 00:28:29 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 31 00:28:29 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer
is NATed
Aug 31 00:28:30 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 31 00:28:30 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 31 00:28:30 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: Main mode peer ID is ID_DER_ASN1_DN: 'C=UK, ST=London, L=London,
O=My Company, CN=Dummy User, E=dummy at jaguarfreight.com'
Aug 31 00:28:30 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: crl update for "C=UK, ST=London, L=London, O=My Company, OU=IT,
CN=Jaguar Freight, E=administrator at jaguarfreight.com" is overdue since
Aug 04 12:34:52 UTC 2005
Aug 31 00:28:30 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: I am sending my cert
Aug 31 00:28:30 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 31 00:28:30 firewall pluto[4323]: | NAT-T: new mapping
83.x.x.241:500/4500)
Aug 31 00:28:30 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 31 00:28:30 firewall pluto[4323]: ERROR: "roadwarrior-l2tp"[2]
83.x.x.241 #4: netlink write() of XFRM_MSG_ALLOCSPI message for Get SPI
esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
Aug 31 00:28:30 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: responding to Quick Mode {msgid:f65e397a}
Aug 31 00:28:30 firewall pluto[4323]: ERROR: "roadwarrior-l2tp"[2]
83.x.x.241 #4: netlink write() of XFRM_MSG_UPDSA message for Add SA
esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
Aug 31 00:28:31 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: next payload type of ISAKMP Hash Payload has an unknown value: 153
Aug 31 00:28:31 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: malformed payload in packet
Aug 31 00:28:31 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 31 00:28:33 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: next payload type of ISAKMP Hash Payload has an unknown value: 153
Aug 31 00:28:33 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: malformed payload in packet
Aug 31 00:28:33 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 31 00:28:37 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: next payload type of ISAKMP Hash Payload has an unknown value: 153
Aug 31 00:28:37 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: malformed payload in packet
Aug 31 00:28:37 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 31 00:28:40 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: received Delete SA payload: deleting ISAKMP State #3
Aug 31 00:28:41 firewall pluto[4323]: packet from 83.x.x.241:4500:
received and ignored informational message
Aug 31 00:33:30 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241:
deleting connection "roadwarrior-l2tp" instance with peer 83.x.x.241
{isakmp=#0/ipsec=#0}
===========
Any suggestions guys?
Thanks!
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: 30 August 2005 12:20
To: Yiannis Mavroukakis
Cc: users at openswan.org
Subject: Re: [Openswan Users] Connectivity problem...
On Tue, 30 Aug 2005, Yiannis Mavroukakis wrote:
> Aug 29 09:37:43 firewall pluto[29266]: including NAT-Traversal patch
> (Version 0.6c)
> Aug 29 09:37:43 firewall pluto[29266]: 1 bad entries in virtual_private
> - none loaded
That needs fixing.
> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
> Aug 29 09:38:08 firewall pluto[29266]: ERROR: "roadwarrior-l2tp"[2]
> 83.x.x.241 #2: netlink write() of XFRM_MSG_ALLOCSPI message for Get SPI
> esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
Did you load the netkey modules properly? Including xfrm4_tunnel?
> #2: next payload type of ISAKMP Hash Payload has an unknown value: 180
> Aug 29 09:38:11 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
> #2: malformed payload in packet
This is either a wrong PSK, or a bad openswan version. (I believe some
2.2 and 2.3.0 sometimes showed this error)
Paul
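Added example, not code from the original mail or from the Openswan project: a POSIX shell helper that pulls the decisive lines out of a pluto log like the one posted above (the netlink XFRM failure, the overdue CRL, the bad virtual_private entry, the malformed Quick Mode payloads), plus the module check Paul's reply asks for. The sample log lines and the sample lsmod output are constructed (abridged from the logs in this thread), and the NETKEY module list is an assumption about a modular 2.6 kernel.

```shell
#!/bin/sh
# Added example, not code from the original mail or from Openswan.
# pluto_triage:   read a pluto log on stdin, print one finding per problem class.
# netkey_missing: read lsmod output on stdin, print NETKEY modules not loaded
#                 (module names are an assumption about a modular 2.6 kernel).

# Constructed sample: lines abridged from the logs posted in this thread
# (the virtual_private line is from the earlier log quoted by Paul).
PLUTO_SAMPLE='Aug 29 09:37:43 firewall pluto[29266]: 1 bad entries in virtual_private - none loaded
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[1] 83.x.x.241 #1: crl update for "C=UK, O=My Company, CN=Jaguar Freight" is overdue since Aug 04 12:34:52 UTC 2005
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 31 00:27:46 firewall pluto[4323]: ERROR: "roadwarrior-l2tp"[2] 83.x.x.241 #2: netlink write() of XFRM_MSG_ALLOCSPI message for Get SPI esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241 #2: next payload type of ISAKMP Hash Payload has an unknown value: 137
Aug 31 00:27:46 firewall pluto[4323]: "roadwarrior-l2tp"[2] 83.x.x.241 #2: malformed payload in packet'

# Each class is reported once, in the order it first appears in the log.
pluto_triage() {
    awk '
    /ISAKMP SA established/ && !seen["p1"]++ {
        match($0, /[{][^}]*[}]/)
        print "phase1-ok: IKE main mode completed " substr($0, RSTART, RLENGTH)
    }
    /netlink write\(\) of XFRM_MSG_.*Errno 111/ && !seen["xfrm"]++ {
        print "xfrm-unavailable: netlink XFRM write refused (ECONNREFUSED): nothing in the kernel is listening on NETLINK_XFRM, so xfrm_user and the other NETKEY modules are not loaded. Until this is fixed no SA is installed and a successful IKE exchange still moves no traffic."
    }
    /crl update for .* is overdue since/ && !seen["crl"]++ {
        print "crl-overdue: the loaded CRL is past its next-update time; with the default strictcrlpolicy=no pluto only warns, so a certificate revoked after that CRL was issued is still accepted. Refresh crl.pem before relying on roadwarrior certificate auth."
    }
    /bad entries in virtual_private/ && !seen["vp"]++ {
        print "virtual-private-bad: virtual_private has an unparsable entry and none was loaded, so vhost:%priv matches no private range for NATed clients"
    }
    /malformed payload in packet/ && !seen["mal"]++ {
        print "malformed-payload: Quick Mode packets from the peer do not parse (the unknown next-payload byte changes on every attempt); retest after the kernel side is fixed before chasing this"
    }
    '
}

# NETKEY modules pluto relies on with a modular 2.6 kernel (assumed list; a
# kernel that builds them in shows nothing in lsmod and is fine). xfrm_user is
# the one that services NETLINK_XFRM, which is what the Errno 111 above lacks.
NETKEY_MODULES="xfrm_user af_key esp4 ah4 xfrm4_tunnel"

# Usage: lsmod | netkey_missing      (prints one missing module per line)
netkey_missing() {
    loaded=$(awk 'NR > 1 { print $1 }' | tr '\n' ' ')   # lsmod column 1, no header
    for m in $NETKEY_MODULES; do
        case " $loaded " in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
}

# Constructed sample lsmod output: esp4/ah4/af_key present, xfrm_user and
# xfrm4_tunnel missing, i.e. the shape of the failure in the posted log.
LSMOD_SAMPLE='Module                  Size  Used by
esp4                    9984  0
af_key                 31376  0
ah4                     7552  0
ipv6                  250000  8'

# Stand-alone run over the constructed samples.
printf '%s\n' "$PLUTO_SAMPLE" | pluto_triage
printf '%s\n' "$LSMOD_SAMPLE" | netkey_missing | sed 's/^/missing module: /'
```

On a live gateway run `grep pluto /var/log/secure | pluto_triage` (or whatever file syslog sends pluto to) and `lsmod | netkey_missing`; an empty second output with a modular kernel means the modules are loaded. The phase1-ok line also shows the negotiated suite: 3DES/SHA-1/modp2048 was what Windows L2TP clients offered in 2005, but 3DES is one to retire on anything current.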