[Openswan Users] Re: Aggressive mode client to Netscreen w/ leftid=email

Tibor Incze tibor.incze at eservglobal.com
Fri Jun 10 10:11:20 CEST 2005


Guys,

No luck yet, but I do have some more info. Firstly I tried v.2.3.2 and it
behaves the same way, except for one additional slightly annoying thing.
Basically it seems to block any connections on the ipsec-ed interface,
until ipsec is shut down. The errors that relate to this are the
following:

%hold otherwise handled during DNS lookup for Opportunistic Initiation for
192.168.165.100 to 64.233.187.99

This traffic (to google) should be going out directly, and not via the
ipsec tunnel...

Still waiting on an answer to what are all possible values for esp=. It'd
be great to include this in a doc. I've tried several ones from the
mailing list, but none seems to work. I get the errors:

ailed to build notification for spisize=0
Jun  9 21:01:47 gitz pluto[16940]: "next payload type of ISAKMP Hash
Payload has an unknown value: <number>

continuously shortly after Xauth. That would seem to indicate that xauth
is failing, but interestingly enough if I put in the wrong username and
password, it behaves correctly in prompting me again. Once I've put in the
right username and pass, it gives the above errors. Any ideas?

--
Tibor


> On Mon, 23 May 2005, Tibor Incze wrote:
>
>> You also need the ike=(for phase1) and esp=(for phase2) lines in
>> ipsec.conf. I now have:
>> ike=3des-sha1-modp1024
>> esp=3des-sha1
>
> You must specify explicit ike/esp lines, because aggressive mode
> cannot negotiate those parameters. It has to be right in the first
> packet exchange.
>
>> However after putting in the xauth username and password, I now get
>> these errors:
>> ---------------------------------
>> 04 "myclient" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
>> 228 "myclient" #1: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
>> 003 "myclient" #1: next payload type of ISAKMP Hash Payload has an
>> unknown value: 133
>> 003 "myclient" #1: malformed payload in packet
>> 003 "myclient" #1: next payload type of ISAKMP Hash Payload has an
>> unknown value: 133
>> 003 "myclient" #1: malformed payload in packet
>> ------------------------------------------
>
> I am not sure. Your remote end wants a certificate? Do you have one?
> Did it load? Are you sending it?
>
>> The "unknown value:" number changes on each attempt, so I'm not sure
>> what the problem is. Any ideas? I'm not using certs btw, should I be?
>> On the netscreen for phase2 I have it set to 3des-sha1(with pfs) and
>> as a second option 3des-md5(with pfs)
>
> I don't know what the netscreen wants.
>
>> Another question: does openswan support "CHAP" for Xauth?
>
> No, XAUTH currently only supports passwords in /etc/ipsec.d/passwd or
> PAM. You should be able to hook up PAM to other things, such as radius
> though. See docs/README.XAUTH
>
> Paul
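An added ipsec.conf fragment (not from this thread or the Openswan docs) sketching what Paul's advice looks like in practice: an aggressive-mode XAUTH client with phase 1 and phase 2 proposals pinned explicitly. The connection name, addresses, the email-form ID and the aggrmode=/leftxauthclient= option spellings are assumptions; the proposal strings mirror the ones quoted above.

```ini
# Added example, not from the thread: aggressive-mode XAUTH client to a
# gateway. Aggressive mode carries the proposals in the first exchange,
# so both ike= and esp= are stated rather than left for negotiation.
# Addresses, IDs and the aggrmode=/leftxauthclient=/rightxauthserver=
# option names are assumptions, not taken from the thread.
conn myclient
    left=%defaultroute
    leftid=user@example.com          # email-form ID (assumed value)
    right=203.0.113.10               # gateway address (placeholder)
    rightid=@gateway.example.com     # gateway ID (assumed)
    authby=secret                    # PSK plus XAUTH username/password
    aggrmode=yes
    leftxauthclient=yes
    rightxauthserver=yes
    # Phase 1: must exactly match one proposal configured on the gateway
    ike=3des-sha1-modp1024
    # Phase 2: the gateway in the thread offers 3des-sha1 and 3des-md5,
    # both with PFS, so pick one and enable PFS to match
    esp=3des-sha1
    pfs=yes
    auto=add
```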
