[Openswan Users] Odd behavior Linux Client to working 'roadwarrior' server
Rick Romero
rick at havokmon.com
Thu Aug 24 15:13:57 EDT 2006
Hi All,
I have an Openswan VPN server that's successfully serving WinXP
roadwarriors. Now I want to connect my Linux box to it in the same
manner (client is behind FW).
I followed Nate Carlson's instructions, and as far as I can see I have
everything. When I start ipsec on the client side, I appear to load all
the proper certificates and keys.
When I do an ipsec auto --up roadwarrior, on the client end I get:

Aug 24 13:47:43 localhost pluto[8504]: "roadwarrior" #1: ISAKMP SA established
Aug 24 13:47:43 localhost pluto[8504]: "roadwarrior" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Aug 24 13:47:53 localhost pluto[8504]: unknown cmsg: level 0, type 8, len 24
Aug 24 13:47:53 localhost pluto[8504]: ERROR: asynchronous network error report on eth0 for message to 64.198.2.71 port 4500, complainant 64.198.2.71: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 24 13:48:53 localhost pluto[8504]: "roadwarrior" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

So I thought I messed something up, but the server end seems to restart
pluto? Is that normal?

Aug 24 13:47:44 localhost pluto[5102]: "roadwarrior"[1] 64.243.213.210:4500 #2: "roadwarrior-net": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
Aug 24 13:47:44 localhost pluto[5102]: "roadwarrior"[1] 64.243.213.210:4500 #2: "roadwarrior-net": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
Aug 24 13:47:44 localhost pluto[5102]: "roadwarrior"[1] 64.243.213.210:4500 #2: "roadwarrior-net": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
Aug 24 13:47:44 localhost pluto[5102]: "roadwarrior"[1] 64.243.213.210:4500 #2:
Aug 24 13:47:54 localhost ipsec__plutorun: Restarting Pluto subsystem...
Aug 24 13:47:54 localhost pluto[5368]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Aug 24 13:47:54 localhost pluto[5368]: including NAT-Traversal patch (Version 0.6c)

Then, since pluto restarted, the client does this:

Aug 24 13:48:13 localhost pluto[5368]: packet from 64.243.213.210:4500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Aug 24 13:53:51 localhost pluto[5368]: packet from 64.243.213.210:4500: Informational Exchange is for an unknown (expired?) SA

Did I do something wrong? Maybe a major version mismatch? The server
is Debian Linux, Openswan U2.2.0/K2.6.8-3-686 (native) and the client is
Mandriva 2006, Linux Openswan U2.3.1/K2.6.12-12mdk (netkey).
Rick
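
An added example, not part of the original post: a small Python check that reads pluto syslog lines like the server-side ones above and reports each pluto restart (an ipsec__plutorun restart line followed by a new pluto PID) together with the peer messages the new process then rejects as belonging to an unknown SA. The sample lines are constructed from the excerpts in the post, and the function and variable names are hypothetical.

```python
import re

# Constructed sample: server-side lines taken from the excerpts in the post.
SAMPLE = """\
Aug 24 13:47:44 localhost pluto[5102]: "roadwarrior"[1] 64.243.213.210:4500 #2: "roadwarrior-net": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
Aug 24 13:47:54 localhost ipsec__plutorun: Restarting Pluto subsystem...
Aug 24 13:47:54 localhost pluto[5368]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Aug 24 13:48:13 localhost pluto[5368]: packet from 64.243.213.210:4500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Aug 24 13:53:51 localhost pluto[5368]: packet from 64.243.213.210:4500: Informational Exchange is for an unknown (expired?) SA
"""

# timestamp, host, program, optional [pid], message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ([\w.-]+)(?:\[(\d+)\])?: (.*)$")
# messages pluto logs when a peer refers to state it does not hold
ORPHAN = re.compile(r"packet from ([\d.]+):(\d+): .*(?:non-existent|unknown) \(expired\?\)")

def find_restarts(log_text):
    """Return one dict per pluto restart, with the orphaned peer messages after it."""
    events, last_pid, current = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip blank or unparseable lines
        stamp, prog, pid, msg = m.groups()
        if prog == "ipsec__plutorun" and "Restarting Pluto" in msg:
            current = {"restart_at": stamp, "old_pid": last_pid,
                       "new_pid": None, "orphans": []}
            events.append(current)
        elif prog == "pluto":
            # the first pluto line with a different PID is the new daemon
            if current and current["new_pid"] is None and pid != current["old_pid"]:
                current["new_pid"] = pid
            o = ORPHAN.search(msg)
            if o and current and pid == current["new_pid"]:
                current["orphans"].append((stamp, o.group(1)))
            last_pid = pid
    return events

if __name__ == "__main__":
    for ev in find_restarts(SAMPLE):
        print(f"pluto restarted at {ev['restart_at']}: pid {ev['old_pid']} -> {ev['new_pid']}")
        for stamp, peer in ev["orphans"]:
            print(f"  {stamp} {peer} sent a message for an SA this process does not know")
```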