[Openswan Users] Re: Help with Openswan setup SUSE 9.2 <-> Win2K

John Simeone jsimeone at inplex.com
Sun Jan 23 11:09:01 CET 2005


I have enclosed the messages generated by openswan after a Win2K 
computer establishes an ipsec connection to the SUSE 9.2 Server and pings 
the Server.

Müller's ipsec is running on the Win2K box.

My ipsec.conf on Windows is:

conn host-to-host
 left=%any
 right=192.168.32.2
 rightca="C=CA, S=Ontario, L=Toronto, O=The Corporation, CN=INC Master Cert"
 rightid="C=CA, O=The Corporation, CN=Buyer1"
 rightrsasigkey=%cert
 network=auto
 auto=start
 pfs=yes

Müller's ipsec starts up without any problem and gives an "Activating 
policy ..." message before exiting. I followed his instructions 
precisely in setting up the MMC on the Win machine.

It appears that the Win box is sending bad packets. Can anyone suggest 
next steps to debug this host-host connection?

Thanks.

John
______________________________________________________________________________
pluto[31977]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
pluto[31977]:   including NAT-Traversal patch (Version 0.6c) [disabled]
pluto[31977]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[31977]: Using Linux 2.6 IPsec interface code
pluto[31977]: Changing to directory '/etc/ipsec.d/cacerts'
pluto[31977]:   loaded CA cert file 'cacert.pem' (1793 bytes)
pluto[31977]: Could not change to directory '/etc/ipsec.d/aacerts'
pluto[31977]: Could not change to directory '/etc/ipsec.d/ocspcerts'
pluto[31977]: Changing to directory '/etc/ipsec.d/crls'
pluto[31977]:   loaded crl file 'crl.pem' (743 bytes)
pluto[31977]:   loaded host cert file '/etc/ipsec.d/certs/buyer1.pem' (4520 bytes)
pluto[31977]: added connection description "host-host"
pluto[31977]: listening for IKE messages
pluto[31977]: adding interface eth0/eth0 192.168.32.2
pluto[31977]: adding interface lo/lo 127.0.0.1
pluto[31977]: adding interface lo/lo ::1
pluto[31977]: loading secrets from "/etc/ipsec.secrets"
pluto[31977]:   loaded private key file '/etc/ipsec.d/private/buyer1.key' (1704 bytes)
pluto[31977]: "host-host" #1: initiating Main Mode
ipsec__plutorun: 104 "host-host" #1: STATE_MAIN_I1: initiate
ipsec__plutorun: ...could not start conn "host-host"
pluto[31977]: packet from 192.168.3.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
pluto[31977]: "host-host" #2: responding to Main Mode
pluto[31977]: "host-host" #2: transition from state (null) to state STATE_MAIN_R1
pluto[31977]: "host-host" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[31977]: "host-host" #2: next payload type of ISAKMP Hash Payload has an unknown value: 76
pluto[31977]: "host-host" #2: malformed payload in packet
pluto[31977]: "host-host" #2: sending encrypted notification PAYLOAD_MALFORMED to 192.168.3.100:500
pluto[31977]: "host-host" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
pluto[31977]: "host-host" #3: initiating Main Mode
pluto[31977]: "host-host" #3: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
pluto[31977]: "host-host" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[31977]: "host-host" #3: I am sending my cert
pluto[31977]: "host-host" #3: I am sending a certificate request
pluto[31977]: "host-host" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
pluto[31977]: "host-host" #3: next payload type of ISAKMP Hash Payload has an unknown value: 225
pluto[31977]: "host-host" #3: malformed payload in packet
pluto[31977]: "host-host" #3: sending encrypted notification PAYLOAD_MALFORMED to 192.168.3.100:500
pluto[31977]: "host-host" #2: next payload type of ISAKMP Hash Payload has an unknown value: 249
pluto[31977]: "host-host" #2: malformed payload in packet
pluto[31977]: "host-host" #2: sending encrypted notification PAYLOAD_MALFORMED to 192.168.3.100:500
pluto[31977]: "host-host" #3: Informational Exchange message must be encrypted
pluto[31977]: "host-host" #2: max number of retransmissions (2) reached STATE_MAIN_R2
pluto[31977]: "host-host" #3: Informational Exchange message must be encrypted
pluto[31977]: "host-host" #3: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
pluto[31977]: "host-host" #4: initiating Main Mode
pluto[31977]: "host-host" #4: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
pluto[31977]: "host-host" #5: initiating Main Mode
pluto[31977]: "host-host" #5: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
pluto[31977]: "host-host" #6: initiating Main Mode
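
A triage helper for a pluto log like the one in the post above, added here as an example and not part of the original message or of Openswan: it rejoins lines that a mail client has wrapped and summarises each IKE state object (#N) by role, last state seen, unknown next-payload values and retransmission timeout. The function names and summary fields are assumptions made for this example; the sample is an excerpt of the posted log.

```python
import re

# Excerpt of the pluto log from the post, hard-wrapped the way a mail client wraps long lines.
SAMPLE = '''\
pluto[31977]: "host-host" #1: initiating Main Mode
pluto[31977]: "host-host" #2: responding to Main Mode
pluto[31977]: "host-host" #2: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
pluto[31977]: "host-host" #2: next payload type of ISAKMP Hash Payload
has an unknown value: 76
pluto[31977]: "host-host" #1: max number of retransmissions (2) reached
STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE
message
'''

RECORD = re.compile(r'^(pluto\[\d+\]|ipsec__plutorun):')
LINE = re.compile(r'^pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r'transition from state \S+ to state (STATE_\w+)')
TIMEOUT = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')
BAD_NP = re.compile(r'next payload type of .+ has an unknown value: (\d+)')

def rejoin(text):
    """Undo mail wrapping: a line that does not start a record continues the previous one."""
    out = []
    for raw in text.splitlines():
        if RECORD.match(raw) or not out:
            out.append(raw.strip())
        elif raw.strip():
            out[-1] += ' ' + raw.strip()
    return out

def summarize(text):
    """Map each IKE state object number (#N) to role, last state, bad payloads, timeout."""
    sas = {}
    for line in rejoin(text):
        m = LINE.match(line)
        if not m:
            continue  # startup lines and plutorun output carry no #N
        sa = sas.setdefault(int(m['sa']), dict(role=None, last_state=None, bad_next_payload=[], timed_out=False))
        msg = m['msg']
        if msg.endswith('Main Mode'):
            sa['role'] = 'initiator' if msg.startswith('initiating') else 'responder'
        for pattern in (TRANSITION, TIMEOUT):
            hit = pattern.search(msg)
            if hit:
                sa['last_state'] = hit.group(1)
                sa['timed_out'] |= pattern is TIMEOUT
        sa['bad_next_payload'] += [int(v) for v in BAD_NP.findall(msg)]
    return sas
```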