[Openswan Users] Road warrior XAuth-PSK

Rob Hasselbaum rhasselbaum at alumni.ithaca.edu
Tue Apr 25 23:59:10 CEST 2006


Hi,

I'm trying to use Openswan 2.4.5 (KLIPS) as a road warrior connecting to a
NetScreen firewall. The NetScreen box uses XAuth-PSK and the Openswan client
is behind a NAT router. When I try to bring up the connection, I'm getting
the following output, and I don't know how to interpret the problem. Could
someone give me a hint as to what causes this?

[root@indigo ~]# ipsec auto --up netscreen
112 "netscreen" #1: STATE_AGGR_I1: initiate
003 "netscreen" #1: ignoring unknown Vendor ID payload [92d27a9ecb31d99246986d3453d0c3d57a222a610000000700000500]
003 "netscreen" #1: received Vendor ID payload [XAUTH]
003 "netscreen" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
004 "netscreen" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
041 "netscreen" #1: netscreen prompt for Username:
Name enter:   myusername
040 "netscreen" #1: netscreen prompt for Password:
Enter secret:
004 "netscreen" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
003 "netscreen" #1: discarding duplicate packet; already STATE_XAUTH_I1
228 "netscreen" #1: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
003 "netscreen" #1: next payload type of ISAKMP Hash Payload has an unknown value: 248
003 "netscreen" #1: malformed payload in packet
003 "netscreen" #1: next payload type of ISAKMP Hash Payload has an unknown value: 248
003 "netscreen" #1: malformed payload in packet
003 "netscreen" #1: next payload type of ISAKMP Hash Payload has an unknown value: 248
003 "netscreen" #1: malformed payload in packet
.

My configuration follows:

config setup
  klipsdebug="none"
  plutodebug="all"
  interfaces=%defaultroute
  forwardcontrol=no
  nat_traversal=yes

conn netscreen
  left=%defaultroute
  leftid=user@mycompany.com
  leftxauthclient=yes
  right=xx.xx.xx.xx
  rightsubnet=172.20.0.0/16
  rightxauthserver=yes
  authby=secret
  auto=add
  aggrmode=yes
  ike=3des-sha1-modp1024
  esp=3des-sha1

Thanks!

-Rob Hasselbaum
