[Openswan Users] Road-Warriors connecting to OpenSwan
Daniela Gradim
daniela.gradim at fortevisiomedica.com
Tue Jan 4 19:38:30 CET 2005
Hi All!!!
I have the following scenario:

10.x.y.z network
      |
200.a.b.c openswan
      |
   Internet
      |
80.m.n.o adsl
      |
190.k.l.m dlink di-614+ (DMZ)
      |
10.n.o.p dlink dfl-200 vpn router
If I have ipsec.conf with this configuration:
config setup
	interfaces=%defaultroute
	klipsdebug=all
	plutodebug=dns

conn left-right
	left=%defaultroute
	leftsubnet=10.x.y.z/25
	leftnexthop=
	right=80.m.n.o
	rightsubnet=10.n.o.p/24
	rightnexthop=
	rightid=190.k.l.m
	auto=start
	authby=secret
The connection left-right only works if I send the rightid. When I
remove the rightid, I get this error message from /var/log/secure:
Jan 4 17:46:08 server pluto[9471]: Starting Pluto (Openswan Version 2.1.5 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Jan 4 17:46:08 server pluto[9471]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jan 4 17:46:08 server pluto[9471]: Using Linux 2.6 IPsec interface code
Jan 4 17:46:08 server pluto[9471]: Changing to directory '/etc/ipsec.d/cacerts'
Jan 4 17:46:08 server pluto[9471]: loaded cacert file 'rootCA.cer' (872 bytes)
Jan 4 17:46:08 server pluto[9471]: Changing to directory '/etc/ipsec.d/crls'
Jan 4 17:46:08 server pluto[9471]: Warning: empty directory
Jan 4 17:46:08 server pluto[9471]: added connection description "left-right"
Jan 4 17:46:08 server pluto[9471]: listening for IKE messages
Jan 4 17:46:08 server pluto[9471]: adding interface eth1/eth1 10.x.y.z
Jan 4 17:46:08 server pluto[9471]: adding interface eth0/eth0 10.x.y.z
Jan 4 17:46:08 server pluto[9471]: adding interface lo/lo 127.0.0.1
Jan 4 17:46:08 server pluto[9471]: adding interface lo/lo ::1
Jan 4 17:46:08 server pluto[9471]: loading secrets from "/etc/ipsec.secrets"
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: initiating Main Mode
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: ignoring Vendor ID payload [Dead Peer Detection]
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 0
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 0
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 0
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: Peer ID is ID_IPV4_ADDR: '190.k.l.m'
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan 4 17:46:19 server pluto[9471]: "left-right" #1: Peer ID is ID_IPV4_ADDR: '190.k.l.m'
Jan 4 17:46:19 server pluto[9471]: "left-right" #1: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan 4 17:46:39 server pluto[9471]: "left-right" #1: Peer ID is ID_IPV4_ADDR: '190.k.l.m'
Jan 4 17:46:39 server pluto[9471]: "left-right" #1: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan 4 17:47:19 server pluto[9471]: "left-right" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Jan 4 17:47:19 server pluto[9471]: "left-right" #1: starting keying attempt 2 of an unlimited number
Jan 4 17:47:19 server pluto[9471]: "left-right" #2: initiating Main Mode to replace #1
Jan 4 17:47:19 server pluto[9471]: "left-right" #2: ignoring Vendor ID payload [Dead Peer Detection]
Jan 4 17:47:19 server pluto[9471]: "left-right" #2: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
Jan 4 17:47:19 server pluto[9471]: "left-right" #2: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
Jan 4 17:47:19 server pluto[9471]: "left-right" #2: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 4 17:47:19 server pluto[9471]: "left-right" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 0
Jan 4 17:47:19 server pluto[9471]: "left-right" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 0
Jan 4 17:47:19 server pluto[9471]: "left-right" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 0
Jan 4 17:47:19 server pluto[9471]: "left-right" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 4 17:47:20 server pluto[9471]: "left-right" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 4 17:47:20 server pluto[9471]: "left-right" #2: Peer ID is ID_IPV4_ADDR: '190.k.l.m'
Jan 4 17:47:20 server pluto[9471]: "left-right" #2: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan 4 17:47:30 server pluto[9471]: "left-right" #2: Peer ID is ID_IPV4_ADDR: '190.k.l.m'
Jan 4 17:47:30 server pluto[9471]: "left-right" #2: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan 4 17:47:50 server pluto[9471]: "left-right" #2: Peer ID is ID_IPV4_ADDR: '190.k.l.m'
Jan 4 17:47:50 server pluto[9471]: "left-right" #2: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan 4 17:48:30 server pluto[9471]: "left-right" #2: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Jan 4 17:48:30 server pluto[9471]: "left-right" #2: starting keying attempt 3 of an unlimited number
Jan 4 17:48:30 server pluto[9471]: "left-right" #3: initiating Main Mode to replace #2
Jan 4 17:48:30 server pluto[9471]: "left-right" #3: ignoring Vendor ID payload [Dead Peer Detection]
Jan 4 17:48:30 server pluto[9471]: "left-right" #3: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
Jan 4 17:48:30 server pluto[9471]: "left-right" #3: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
Jan 4 17:48:30 server pluto[9471]: "left-right" #3: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 4 17:48:30 server pluto[9471]: "left-right" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 0
Jan 4 17:48:30 server pluto[9471]: "left-right" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 0
Jan 4 17:48:30 server pluto[9471]: "left-right" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 0
Jan 4 17:48:30 server pluto[9471]: "left-right" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 4 17:48:31 server pluto[9471]: "left-right" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 4 17:48:31 server pluto[9471]: "left-right" #3: Peer ID is ID_IPV4_ADDR: '190.k.l.m'
Jan 4 17:48:31 server pluto[9471]: "left-right" #3: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan 4 17:48:41 server pluto[9471]: "left-right" #3: Peer ID is ID_IPV4_ADDR: '190.k.l.m'
Jan 4 17:48:41 server pluto[9471]: "left-right" #3: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan 4 17:49:01 server pluto[9471]: "left-right" #3: Peer ID is ID_IPV4_ADDR: '190.k.l.m'
Jan 4 17:49:01 server pluto[9471]: "left-right" #3: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
I don't want to send the rightid every time, because I will work with
many different users connecting to the server; I can't have one
connection for each one, and I cannot have the same rightid for
everyone.
What can I do?
Any idea how to solve this?
One more problem: I need to work with road-warriors in this scenario and
I can't get it working, because the same problem occurs: the server
doesn't recognize the Peer ID.
How can I configure my road-warriors to connect to Openswan with the
setup above?
conn road-warrior
	left=%defaultroute
	leftsubnet=10.x.y.z/25
	right=%any
	rightsubnet=
	authby=secret
	auto=add
I use a PSK in ipsec.secrets.
Danny
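The failure in the log above is mechanical enough to check automatically. The Python below is an added example for this thread (it is not code from the original post or from Openswan): it parses pluto lines of the kind quoted, pairs the `Peer ID is` / `we require peer to have ID` messages per connection and IKE state number, counts the Main Mode retransmission timeouts, and records whether the startup banner reported the NAT-Traversal patch `[disabled]`. The sample log is constructed by abbreviating the /var/log/secure excerpt above and keeps the poster's placeholder addresses; the hint wording is this example's own.

```python
"""Summarise IKEv1 Peer ID mismatches from Openswan/pluto log lines.

Added example; not code from the mailing-list post or from Openswan.
SAMPLE_LOG is a constructed, abbreviated copy of the excerpt in the post.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Jan 4 17:46:08 server pluto[9471]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: initiating Main Mode
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: Peer ID is ID_IPV4_ADDR: '190.k.l.m'
Jan 4 17:46:09 server pluto[9471]: "left-right" #1: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan 4 17:46:19 server pluto[9471]: "left-right" #1: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan 4 17:47:19 server pluto[9471]: "left-right" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Jan 4 17:47:19 server pluto[9471]: "left-right" #2: initiating Main Mode to replace #1
Jan 4 17:47:20 server pluto[9471]: "left-right" #2: Peer ID is ID_IPV4_ADDR: '190.k.l.m'
Jan 4 17:47:20 server pluto[9471]: "left-right" #2: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
"""

# Message formats as pluto prints them (see the excerpt above).
PLUTO_RE = re.compile(r"pluto\[\d+\]: (?P<body>.*)$")
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Peer ID is (?P<idtype>ID_\w+): '(?P<peerid>[^']*)'")
MISMATCH_RE = re.compile(r"we require peer to have ID '(?P<want>[^']*)', but peer declares '(?P<got>[^']*)'")
RETRANS_RE = re.compile(r"max number of retransmissions \((?P<n>\d+)\) reached (?P<state>STATE_\w+)")
NATT_RE = re.compile(r"including NAT-Traversal patch .*\[(?P<status>\w+)\]")


@dataclass
class ConnReport:
    name: str
    states: List[int] = field(default_factory=list)      # IKE state numbers seen (#1, #2, ...)
    declared_id_type: Optional[str] = None               # e.g. ID_IPV4_ADDR
    declared_id: Optional[str] = None                    # what the peer sent
    required_id: Optional[str] = None                    # what our conn expects (rightid, or right= by default)
    mismatch_count: int = 0
    timeouts: int = 0                                    # "max number of retransmissions" events
    timeout_states: List[str] = field(default_factory=list)


def parse_pluto_log(text: str) -> Dict[str, object]:
    """Return {'nat_traversal': 'enabled'|'disabled'|None, 'connections': {name: ConnReport}}."""
    nat_t: Optional[str] = None
    conns: Dict[str, ConnReport] = {}
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        body = m.group("body")
        n = NATT_RE.search(body)
        if n:
            nat_t = n.group("status")
            continue
        s = STATE_RE.match(body)
        if not s:
            continue  # daemon-level line without a connection context
        rep = conns.setdefault(s.group("conn"), ConnReport(s.group("conn")))
        state_no = int(s.group("state"))
        if state_no not in rep.states:
            rep.states.append(state_no)
        msg = s.group("msg")
        p = PEER_ID_RE.search(msg)
        if p:
            rep.declared_id_type, rep.declared_id = p.group("idtype"), p.group("peerid")
        mm = MISMATCH_RE.search(msg)
        if mm:
            rep.required_id, rep.declared_id = mm.group("want"), mm.group("got")
            rep.mismatch_count += 1
        r = RETRANS_RE.search(msg)
        if r:
            rep.timeouts += 1
            rep.timeout_states.append(r.group("state"))
    return {"nat_traversal": nat_t, "connections": conns}


def suggest_fix(report: Dict[str, object]) -> List[str]:
    """Turn the parsed report into concrete ipsec.conf hints (wording is this example's own)."""
    hints: List[str] = []
    for rep in report["connections"].values():  # type: ignore[union-attr]
        if rep.mismatch_count and rep.required_id != rep.declared_id:
            hints.append(
                f"{rep.name}: peer authenticates as {rep.declared_id_type} {rep.declared_id!r} but the "
                f"conn expects {rep.required_id!r} (the right= address unless rightid= is set); "
                f"set rightid={rep.declared_id} or make the peer send the expected ID"
            )
        if rep.timeouts:
            hints.append(
                f"{rep.name}: {rep.timeouts} Main Mode timeout(s) in {', '.join(sorted(set(rep.timeout_states)))}; "
                f"the ID payload decrypted cleanly, so the PSK matches and the timeout follows from the rejected ID"
            )
    if report["nat_traversal"] == "disabled":
        hints.append(
            "NAT-Traversal patch is [disabled]; a peer that declares an address other than the one it "
            "connects from is usually behind NAT, so nat_traversal=yes in config setup is needed too"
        )
    return hints


if __name__ == "__main__":
    for hint in suggest_fix(parse_pluto_log(SAMPLE_LOG)):
        print(hint)
```

Run stand-alone it prints the hints for the sample log; point it at a real /var/log/secure by reading the file into `parse_pluto_log`. One general IKEv1 property the script cannot see from the log matters for the `right=%any` question: in Main Mode with `authby=secret` the responder has to pick the PSK from the peer's source address before the ID payload (which is encrypted) is available, so every `%any` peer must share one PSK; distinct per-user identities with PSKs are not possible that way, which is why road-warrior setups that need per-user identity move to X.509 certificates or RSA keys.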