[Openswan Users] NAT-T broken with Netscreen
sean at obstacle9.com
sean at obstacle9.com
Mon Dec 5 09:16:41 CET 2005
(Looks like my subject line was stripped)
On Sun, 4 Dec 2005 sean at obstacle9.com wrote:
> It looks like OpenSWAN isn't recognizing draft-ietf-ipsec-nat-t-ike-02
> Vendor ID/payload sent by the Netscreen and/or vice versa. I've confirmed
> this is the case with the latest version of OpenSWAN.
>
> linux:~ # ipsec auto --up dmz
> 104 "dmz" #1: STATE_MAIN_I1: initiate
> 003 "dmz" #1: ignoring unknown Vendor ID payload
> [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]
> 003 "dmz" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> 003 "dmz" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "dmz" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> 106 "dmz" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "dmz" #1: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
> 108 "dmz" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "dmz" #1: STATE_MAIN_I4: ISAKMP SA established
> 117 "dmz" #2: STATE_QUICK_I1: initiate
> 003 "dmz" #2: ignoring informational payload, type
> IPSEC_RESPONDER_LIFETIME
> 004 "dmz" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0x24d1f2a3 <0x71a6a403 NATOA=0.0.0.0}
>
> While researching the same problem with VPN Tracker clients to a
> Netscreen, Juniper said this was the problem:
>
> "Some vendors use the MD5 hash value in the draft, while others use the
> vendor id string, and do the hash in the code....From the IETF interop
> meetings, it was specified that the vendor ID string in draft 02 was
> wrong for the hash value. Implementers should use the MD5 hash hex value,
> not the string to interoperate with other implementations.
>
> Because VPNTracker is using the vendor id string, instead of the MD5 hash,
> ScreenOS is not recognizing this is a draft-02 NAT-T implementation."
>
> What format is OpenSwan sending draft-ietf-ipsec-nat-t-ike-02 to peers?
>
> thanks,
> Sean
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
More information about the Users
mailing list