[Openswan Users] Re: Aggressive mode client to Netscreen w/ leftid=email

Tibor Incze tibor.incze at eservglobal.com
Mon May 23 13:13:12 CEST 2005


Never mind, I've figured this out (or at least for phase1). The problem was
that if your ike id (or "leftid" in openswan.conf) is an email address,
then the format of ipsec.secrets needs to also be:

myemailaddress at company.com : PSK "sharedsecret"

Makes sense in hindsight, wasn't so clear initially.
You also need the ike= (for phase1) and esp= (for phase2) lines in
ipsec.conf. I now have:

ike=3des-sha1-modp1024
esp=3des-sha1

However after putting in the xauth username and password, I now get these
errors:
---------------------------------
04 "myclient" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
228 "myclient" #1: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
003 "myclient" #1: next payload type of ISAKMP Hash Payload has an unknown value: 133
003 "myclient" #1: malformed payload in packet
003 "myclient" #1: next payload type of ISAKMP Hash Payload has an unknown value: 133
003 "myclient" #1: malformed payload in packet
------------------------------------------
The "unknown value:" number changes on each attempt, so I'm not sure what
the problem is. Any ideas? I'm not using certs btw, should I be? On the
netscreen for phase2 I have it set to 3des-sha1 (with pfs) and as a second
option 3des-md5 (with pfs).

Another question: does openswan support "CHAP" for Xauth?

--Tibor


> I'm trying to get openswan 2.3 (on FC3) to talk to a Netscreen 208
> "Dialup VPN" (roadwarrior) w/ the following setup:
> IKE id: <useremail at userdomain>
> PFS turned on
> phase1&phase2: set to 3des+sha, but can change if necessary
>
> I currently have:
> leftid="user at domain.org" #is this correct?
> left=%defaultroute  #is this correct?
> right=<IP of netscreen>
> rightid=??? <---do I need this
> pfs=yes
> aggrmode=yes
> ike=3des...(can't remember exactly)
> esp=...(can't remember exactly)
>
> ipsec.secret: <remotegatewayip>: PSK "oursharedsecret"
>
> Anyways, it's talking to the netscreen but doesn't get past phase1. The
> error is "Rejecting packet, because it arrived from unrecognized peer
> gateway"(something like that). On the openswan side, it keeps retrying,
> but no diagnostic info, even though plutodebug and ikedebug are both
> turned on.
> So what am I missing? Has anyone gotten this to work? I've googled
> through the list archives, and other sites, but couldn't find the
> answer to my questions. Please help.
>
> --Tibor
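The phase1 fix in this thread is that the ipsec.secrets entry must be indexed by the same identity that leftid announces (the email address), not only by the gateway's IP. The following Python lint is an added illustration for readers of the archive; it is not part of the thread or of Openswan. It parses a minimal ipsec.conf and ipsec.secrets and reports which conns have a PSK entry whose selectors name the conn's own leftid. The config text, the IP 192.0.2.1, the identity user@example.com and the secrets are constructed placeholders, and the matching rule implemented (a PSK line is usable when it is a bare wildcard, or when it names the local id and every other selector on the line is the peer's id/address or %any) is a simplification assumed for the example, not Pluto's exact lookup algorithm.

```python
import re
from typing import Dict, List

# Constructed ipsec.conf modelled on the road-warrior conn in the thread
# (hypothetical values, not the poster's real configuration).
IPSEC_CONF = """\
config setup
    plutodebug=none

conn myclient
    leftid=user@example.com   # email-style IKE id, as in the thread
    left=%defaultroute
    right=192.0.2.1           # constructed placeholder gateway address
    aggrmode=yes
    pfs=yes
    ike=3des-sha1-modp1024
    esp=3des-sha1
"""

# Two constructed ipsec.secrets variants: the first attempt in the thread
# (indexed by the gateway IP only) and the working one (indexed by the email id).
SECRETS_BY_IP = '192.0.2.1 : PSK "oursharedsecret"\n'
SECRETS_BY_ID = 'user@example.com : PSK "sharedsecret"\n'


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn NAME' sections into {name: {key: value}}.

    Minimal parser: strips '#' comments, ignores 'config setup', no 'also=' support.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def parse_psk_selectors(text: str) -> List[List[str]]:
    """Return the selector list of every 'selectors : PSK "..."' line in ipsec.secrets."""
    out: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^(.*?)\s*:\s*PSK\s+"', line)
        if m:
            out.append(m.group(1).split())  # [] for a bare ': PSK "..."' line
    return out


def psk_matches_conn(conn: Dict[str, str], selectors: List[List[str]]) -> bool:
    """True if some PSK line's selectors cover this conn's local identity.

    Assumed (simplified) rule: a line with no selectors is a wildcard; otherwise the
    line must name the local id, and every other selector must be the peer's
    rightid, the peer's address, or %any.
    """
    local_id = conn.get("leftid") or conn.get("left", "")
    acceptable = {local_id, conn.get("rightid", ""), conn.get("right", ""), "%any"}
    acceptable.discard("")
    for sel in selectors:
        if not sel:
            return True
        if local_id in sel and all(s in acceptable for s in sel):
            return True
    return False


def check_psk_coverage(conf_text: str, secrets_text: str) -> Dict[str, bool]:
    """Map each conn name to whether ipsec.secrets holds a usable PSK for it."""
    selectors = parse_psk_selectors(secrets_text)
    return {name: psk_matches_conn(c, selectors) for name, c in parse_conns(conf_text).items()}


if __name__ == "__main__":
    for label, secrets in (("secret keyed by gateway IP", SECRETS_BY_IP),
                           ("secret keyed by email id", SECRETS_BY_ID)):
        for name, ok in check_psk_coverage(IPSEC_CONF, secrets).items():
            print(f"{label}: conn {name}: {'PSK found' if ok else 'NO PSK matches leftid'}")
```

Running it shows the gateway-IP-only secret leaving conn myclient without a matching PSK while the email-indexed secret covers it, which is the symptom and fix the thread describes for phase1; the later "malformed payload" errors in XAUTH are a separate issue the lint does not address.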