[Openswan Users] Road-Warriors connecting OpenSwan

Daniela Gradim daniela.gradim at fortevisiomedica.com
Tue Jan 4 19:43:42 CET 2005


From: Daniela Gradim <daniela.gradim at fortevisiomedica.com>
To: users at openswan.org
Subject: Road-Warriors connecting to OpenSwan
Date: Tue, 04 Jan 2005 19:38:30 +0100


Hi All!

I have the following scenario:

10.x.y.z network
     |
200.a.b.c openswan
     |
Internet
     |
80.m.n.o adsl
     |
190.k.l.m dlink di-614+ (DMZ)
     |
10.n.o.p dlink dfl-200 vpn router


I have ipsec.conf with this configuration:

config setup
        
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=dns

conn left-right
       left=%defaultroute
       leftsubnet=10.x.y.z/25
       leftnexthop=
       right=80.m.n.o
       rightsubnet=10.n.o.p/24
       rightnexthop=
       rightid=190.k.l.m
       auto=start
       authby=secret

The connection left-right only works if I send the rightid. When I
remove the rightid, I get this error message from /var/log/secure:

Jan  4 17:46:08 server pluto[9471]: Starting Pluto (Openswan Version
2.1.5 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Jan  4 17:46:08 server pluto[9471]:   including NAT-Traversal patch
(Version 0.6c) [disabled]
Jan  4 17:46:08 server pluto[9471]: Using Linux 2.6 IPsec interface code
Jan  4 17:46:08 server pluto[9471]: Changing to directory
'/etc/ipsec.d/cacerts'
Jan  4 17:46:08 server pluto[9471]:   loaded cacert file 'rootCA.cer'
(872 bytes)
Jan  4 17:46:08 server pluto[9471]: Changing to directory
'/etc/ipsec.d/crls'
Jan  4 17:46:08 server pluto[9471]:   Warning: empty directory
Jan  4 17:46:08 server pluto[9471]: added connection description
"left-right"
Jan  4 17:46:08 server pluto[9471]: listening for IKE messages
Jan  4 17:46:08 server pluto[9471]: adding interface eth1/eth1 10.x.y.z
Jan  4 17:46:08 server pluto[9471]: adding interface eth0/eth0 10.x.y.z
Jan  4 17:46:08 server pluto[9471]: adding interface lo/lo 127.0.0.1
Jan  4 17:46:08 server pluto[9471]: adding interface lo/lo ::1
Jan  4 17:46:08 server pluto[9471]: loading secrets from
"/etc/ipsec.secrets"
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: initiating Main
Mode
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: ignoring Vendor ID
payload [Dead Peer Detection]
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: ignoring Vendor ID
payload [draft-stenberg-ipsec-nat-traversal-01]
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: ignoring Vendor ID
payload [draft-stenberg-ipsec-nat-traversal-02]
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: ignoring Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-00]
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using
method 0
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
method 0
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using
method 0
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: Peer ID is
ID_IPV4_ADDR: '190.k.l.m'
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: we require peer to
have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan  4 17:46:19 server pluto[9471]: "left-right" #1: Peer ID is
ID_IPV4_ADDR: '190.k.l.m'
Jan  4 17:46:19 server pluto[9471]: "left-right" #1: we require peer to
have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan  4 17:46:39 server pluto[9471]: "left-right" #1: Peer ID is
ID_IPV4_ADDR: '190.k.l.m'
Jan  4 17:46:39 server pluto[9471]: "left-right" #1: we require peer to
have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan  4 17:47:19 server pluto[9471]: "left-right" #1: max number of
retransmissions (2) reached STATE_MAIN_I3.  Possible authentication
failure: no acceptable response to our first encrypted message
Jan  4 17:47:19 server pluto[9471]: "left-right" #1: starting keying
attempt 2 of an unlimited number
Jan  4 17:47:19 server pluto[9471]: "left-right" #2: initiating Main
Mode to replace #1
Jan  4 17:47:19 server pluto[9471]: "left-right" #2: ignoring Vendor ID
payload [Dead Peer Detection]
Jan  4 17:47:19 server pluto[9471]: "left-right" #2: ignoring Vendor ID
payload [draft-stenberg-ipsec-nat-traversal-01]
Jan  4 17:47:19 server pluto[9471]: "left-right" #2: ignoring Vendor ID
payload [draft-stenberg-ipsec-nat-traversal-02]
Jan  4 17:47:19 server pluto[9471]: "left-right" #2: ignoring Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-00]
Jan  4 17:47:19 server pluto[9471]: "left-right" #2: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using
method 0
Jan  4 17:47:19 server pluto[9471]: "left-right" #2: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
method 0
Jan  4 17:47:19 server pluto[9471]: "left-right" #2: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using
method 0
Jan  4 17:47:19 server pluto[9471]: "left-right" #2: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan  4 17:47:20 server pluto[9471]: "left-right" #2: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan  4 17:47:20 server pluto[9471]: "left-right" #2: Peer ID is
ID_IPV4_ADDR: '190.k.l.m'
Jan  4 17:47:20 server pluto[9471]: "left-right" #2: we require peer to
have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan  4 17:47:30 server pluto[9471]: "left-right" #2: Peer ID is
ID_IPV4_ADDR: '190.k.l.m'
Jan  4 17:47:30 server pluto[9471]: "left-right" #2: we require peer to
have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan  4 17:47:50 server pluto[9471]: "left-right" #2: Peer ID is
ID_IPV4_ADDR: '190.k.l.m'
Jan  4 17:47:50 server pluto[9471]: "left-right" #2: we require peer to
have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan  4 17:48:30 server pluto[9471]: "left-right" #2: max number of
retransmissions (2) reached STATE_MAIN_I3.  Possible authentication
failure: no acceptable response to our first encrypted message
Jan  4 17:48:30 server pluto[9471]: "left-right" #2: starting keying
attempt 3 of an unlimited number
Jan  4 17:48:30 server pluto[9471]: "left-right" #3: initiating Main
Mode to replace #2
Jan  4 17:48:30 server pluto[9471]: "left-right" #3: ignoring Vendor ID
payload [Dead Peer Detection]
Jan  4 17:48:30 server pluto[9471]: "left-right" #3: ignoring Vendor ID
payload [draft-stenberg-ipsec-nat-traversal-01]
Jan  4 17:48:30 server pluto[9471]: "left-right" #3: ignoring Vendor ID
payload [draft-stenberg-ipsec-nat-traversal-02]
Jan  4 17:48:30 server pluto[9471]: "left-right" #3: ignoring Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-00]
Jan  4 17:48:30 server pluto[9471]: "left-right" #3: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using
method 0
Jan  4 17:48:30 server pluto[9471]: "left-right" #3: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
method 0
Jan  4 17:48:30 server pluto[9471]: "left-right" #3: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using
method 0
Jan  4 17:48:30 server pluto[9471]: "left-right" #3: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan  4 17:48:31 server pluto[9471]: "left-right" #3: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan  4 17:48:31 server pluto[9471]: "left-right" #3: Peer ID is
ID_IPV4_ADDR: '190.k.l.m'
Jan  4 17:48:31 server pluto[9471]: "left-right" #3: we require peer to
have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan  4 17:48:41 server pluto[9471]: "left-right" #3: Peer ID is
ID_IPV4_ADDR: '190.k.l.m'
Jan  4 17:48:41 server pluto[9471]: "left-right" #3: we require peer to
have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan  4 17:49:01 server pluto[9471]: "left-right" #3: Peer ID is
ID_IPV4_ADDR: '190.k.l.m'
Jan  4 17:49:01 server pluto[9471]: "left-right" #3: we require peer to
have ID '80.m.n.o', but peer declares '190.k.l.m'

I don't want to send the rightid every time, because I will work with
many different users connecting to the server; I can't have one
connection for each one, and I cannot have the same rightid for
everyone.

What can I do?
Any idea how to solve this?

One more problem. I need to work with road-warriors in this scenario and
I can't get it working, because the same problem occurs: the server
doesn't recognize the Peer ID.

How can I configure my road-warriors to connect to openswan with the
setup above?

conn road-warrior
       left=%defaultroute
       leftsubnet=10.x.y.z/25
       right=%any
       rightsubnet=
       authby=secret
       auto=add
                                     
I use a PSK in ipsec.secrets.

                           
Danny
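The log above shows the failure pattern clearly: with rightid unset, pluto expects the peer's ID to equal the right= address (80.m.n.o), but the DI-614+ behind the ADSL NAT declares its own address (190.k.l.m), so Main Mode never leaves STATE_MAIN_I3 and pluto retries indefinitely. The script below is an added example, not part of this post or of Openswan, that parses pluto log lines of this shape, extracts every "we require peer to have ID ... but peer declares ..." mismatch, counts the retransmission time-outs, and prints a summary with the configuration remedy the post itself found (setting rightid to the declared ID). The sample log is constructed from the lines quoted above, re-joined onto single lines as syslog writes them.

```python
import re
from collections import Counter

# Constructed sample modelled on the pluto log quoted in the post (lines re-joined).
SAMPLE_LOG = """\
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: Peer ID is ID_IPV4_ADDR: '190.k.l.m'
Jan  4 17:46:09 server pluto[9471]: "left-right" #1: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
Jan  4 17:47:19 server pluto[9471]: "left-right" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Jan  4 17:47:19 server pluto[9471]: "left-right" #2: initiating Main Mode to replace #1
Jan  4 17:47:20 server pluto[9471]: "left-right" #2: we require peer to have ID '80.m.n.o', but peer declares '190.k.l.m'
"""

# One pluto line: <Mon d HH:MM:SS> <host> pluto[<pid>]: "<conn>" #<sa>: <message>
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
MISMATCH_RE = re.compile(
    r"we require peer to have ID '(?P<expected>[^']+)', but peer declares '(?P<declared>[^']+)'"
)
RETRANS_RE = re.compile(r"max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)")


def parse_pluto_line(line):
    """Return a dict (ts, conn, sa, msg) for a pluto state line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sa"] = int(rec["sa"])
    return rec


def find_id_mismatches(log_text):
    """Collect every peer-ID mismatch pluto reported, one record per log line."""
    found = []
    for line in log_text.splitlines():
        rec = parse_pluto_line(line)
        if rec is None:
            continue
        mm = MISMATCH_RE.search(rec["msg"])
        if mm:
            found.append({"ts": rec["ts"], "conn": rec["conn"], "sa": rec["sa"],
                          "expected": mm["expected"], "declared": mm["declared"]})
    return found


def summarize(log_text):
    """Aggregate mismatches per (conn, expected, declared) and count retransmit time-outs."""
    mismatches = find_id_mismatches(log_text)
    counts = Counter((m["conn"], m["expected"], m["declared"]) for m in mismatches)
    retrans = 0
    for line in log_text.splitlines():
        rec = parse_pluto_line(line)
        if rec is not None and RETRANS_RE.search(rec["msg"]):
            retrans += 1
    return {
        "mismatches": dict(counts),
        "affected_sas": sorted({m["sa"] for m in mismatches}),
        "retransmit_failures": retrans,
    }


def explain(summary):
    """Turn the summary into operator-facing lines with the remedy the post found."""
    lines = []
    for (conn, expected, declared), n in summary["mismatches"].items():
        lines.append(
            f"{conn}: {n}x peer declared ID '{declared}' but '{expected}' was required "
            f"(with rightid unset the expected ID defaults to right=; a peer behind NAT "
            f"declares its own address, so set rightid={declared} for this peer)"
        )
    if summary["retransmit_failures"]:
        lines.append(f"{summary['retransmit_failures']} Main Mode attempt(s) timed out in "
                     f"STATE_MAIN_I3 and were replaced (pluto retries without limit)")
    return lines


if __name__ == "__main__":
    for line in explain(summarize(SAMPLE_LOG)):
        print(line)
```

Run it against /var/log/secure (or wherever pluto logs) after an failed `auto=start` connection comes up; one mismatch line per retransmission interval for the same SA, plus a "max number of retransmissions" line every cycle, is the signature of this ID mismatch rather than of a wrong PSK, which would fail differently. Note that the script only deals with the ID-mismatch case shown in this post; other pluto failure messages pass through unreported.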



