[Openswan Users] could not understand problem guess i am going to lose my job

Randy Burton randy at pillowfactory.org
Thu Feb 24 20:31:21 CET 2005


I ran into and solved a very similar problem today - I was just using 
PSK as a temporary proof-of-concept solution and kept getting messages 
that it couldn't authenticate the user.  I found a blurb on some web 
page (not sure I recall where) that said to drop your ipsec.secrets PSK 
entry down to:

    : PSK "thisisnowmypass"

I didn't have time to fiddle around and figure out why my "192.168.1.1 
%any" part of it was making problems, but as soon as I reduced that 
entry, the PSK exchange succeeded on the first try.  Might be worth a 
try, then work backwards...

RB

Jacco de Leeuw wrote:

> rohit sahi wrote:
>
>> I want to setup the road warrior setup with l2tp and psk. an ip
>> address will be given to the client.
>
>
> OK, so you want to use L2TP over IPsec. And a virtual IP address from the
> 10.140.0.0/16 network should be assigned to the client through L2TP.
>
>> the problem is the psk is compared and chosen properly. but before
>> the new tunnel is made the rekey event is fired
>
>
> I don't understand what you mean with this. Does it work, briefly or none
> at all? What events does the client see?
>
>> for your reference i am hereby attaching my /var/log/secure and
>> barf output.
>
>
> There is a lot of debugging output there (better post it to some
> website or at least compress the files). There are some strange things
> (EVENT_CRYPTO_FAILED, ASSERTION FAILED) which I leave to others but here
> are some other comments:
>
> > config setup
> >        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
> Your internal subnet should be excluded, i.e.:
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.140.0.0/16
>
>
> > conn roadwarrior-l2tp-updatewin
> >        leftprotoport=17/0
>
> This should be leftprotoport=17/1701 for XP clients with SP2 or
> Q818043 installed.
>
> >        rightprotoport=17/1701
> >        also=roadwarrior
> > conn roadwarrior
> >        pfs=no
> >        left=203.200.79.57
> >        leftnexthop=203.200.79.33
> >        right=%any
> >        rightsubnet=vhost:%no,%priv
> >        auto=add
> > conn %default
> >        authby=secret
> >
> > /etc/ipsec.secrets:
> > 203.200.79.57  %any : PSK "[sums to f644...]"
>
> You are trying to use a Preshared Key for Road Warriors. This might or
> might not work but I would suggest you start with a fixed IP address for
> the client. I.e. replace %any with 61.95.143.60 (or whatever IP address
> your XP client has).
>
> Jacco
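A small check for the virtual_private point raised above, added here as an example and not part of the thread or of Openswan itself: it parses a virtual_private value and reports any internal subnet (10.140.0.0/16 in this case) that a road warrior could still claim a virtual IP from because no %v4:! exclusion covers it. The values below are taken from the thread; the function names are my own.

```python
import ipaddress

# Constructed from the thread: the original virtual_private line and the
# corrected one with the internal L2TP subnet (10.140.0.0/16) excluded.
ORIGINAL = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
CORRECTED = ORIGINAL + ",%v4:!10.140.0.0/16"
INTERNAL_SUBNETS = ["10.140.0.0/16"]


def parse_virtual_private(value):
    """Split a virtual_private value into (included, excluded) networks.

    Entries look like %v4:NET or %v4:!NET; the '!' marks an exclusion.
    """
    included, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        family, _, net = entry.partition(":")
        if family not in ("%v4", "%v6"):
            raise ValueError("unexpected virtual_private entry: %r" % entry)
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(net, strict=False))
    return included, excluded


def unprotected_internal_subnets(value, internal_subnets):
    """Return the internal subnets a road warrior could claim a virtual IP in.

    A subnet is reported when it overlaps an included range and no exclusion
    covers it; a client claiming an address there would shadow a real host.
    """
    included, excluded = parse_virtual_private(value)
    problems = []
    for text in internal_subnets:
        internal = ipaddress.ip_network(text, strict=False)
        same = lambda n: n.version == internal.version  # skip v4/v6 mismatches
        overlaps = any(internal.overlaps(n) for n in included if same(n))
        covered = any(internal.subnet_of(n) for n in excluded if same(n))
        if overlaps and not covered:
            problems.append(str(internal))
    return problems


if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, unprotected_internal_subnets(value, INTERNAL_SUBNETS) or "ok")
```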