[Openswan Users] Openswan 2.4.7 and juniper ns208
Didine
didinux at gmail.com
Thu Dec 7 13:01:45 EST 2006
Re,
My Openswan box is in an ISP LAN, so I can't tell you if NAT-T is used or
not.
Anyway, there are no ESP nor UDP 4500 frames in my tcpdump log.
On the other side, the Juniper shows no established connection with my box.
Are there any success stories with the Juniper ns208?
On 12/7/06, Paul Overton <paul at trusted-management.com> wrote:
>
> You appear to be using NAT-T so you will not see ESP frames with tcpdump,
> you are more likely to see encap UDP 4500 frames.
>
> Paul
>
> ------------------------------
> *From:* users-bounces at openswan.org [mailto:users-bounces at openswan.org] *On
> Behalf Of *Didine
> *Sent:* 07 December 2006 17:45
> *To:* users at openswan.org
> *Subject:* [Openswan Users] Openswan 2.4.7 and juniper ns208
>
> Hello,
> I'm a new user of Openswan.
> I am trying to set up a connection between Openswan (Linux Openswan U2.4.7
> /K2.6.18-1.2798.fc6 (netkey)) and a Juniper ns208.
> When I try to set up the link I get the following messages.
>
> =====================================================================
> [root at lt85 ~]# ipsec auto --verbose --up lt85_to_centre
> 002 "lt85_to_centre" #11: initiating Main Mode
> 104 "lt85_to_centre" #11: STATE_MAIN_I1: initiate
> 003 "lt85_to_centre" #11: ignoring unknown Vendor ID payload
> [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]
> 003 "lt85_to_centre" #11: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> 003 "lt85_to_centre" #11: received Vendor ID payload [Dead Peer Detection]
> 003 "lt85_to_centre" #11: ignoring Vendor ID payload [HeartBeat Notify
> 386b0100]
> 002 "lt85_to_centre" #11: enabling possible NAT-traversal with method
> draft-ietf-ipsec-nat-t-ike-02/03
> 002 "lt85_to_centre" #11: discarding packet received during asynchronous
> work (DNS or crypto) in STATE_MAIN_I1
> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I1 to state
> STATE_MAIN_I2
> 106 "lt85_to_centre" #11: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "lt85_to_centre" #11: discarding duplicate packet; already
> STATE_MAIN_I2
> 002 "lt85_to_centre" #11: I did not send a certificate because I do not
> have one.
> 003 "lt85_to_centre" #11: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I2 to state
> STATE_MAIN_I3
> 108 "lt85_to_centre" #11: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "lt85_to_centre" #11: discarding duplicate packet; already
> STATE_MAIN_I3
> 002 "lt85_to_centre" #11: Main mode peer ID is ID_IPV4_ADDR: '194.250.x.x'
> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I3 to state
> STATE_MAIN_I4
> 004 "lt85_to_centre" #11: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1024}
> 002 "lt85_to_centre" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
> {using isakmp#11}
> 117 "lt85_to_centre" #12: STATE_QUICK_I1: initiate
> 002 "lt85_to_centre" #12: transition from state STATE_QUICK_I1 to state
> STATE_QUICK_I2
> 004 "lt85_to_centre" #12: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0x7593622b <0x6859dbc5 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
> =====================================================================
> IPsec SA established ?!
>
> I made a test by sending a ping to 194.250.x.x.
> A tcpdump shows the following (no ESP msg):
>
> =====================================================================
> [root at lt85 ~]# tcpdump host 194.250.x.x
> 19:48:37.441373 IP lt85.xxx.xxx > 194.250.x.x : ICMP echo request, id
> 1024, seq 55960, length 24
> =====================================================================
>
> Any help is appreciated.
> Thanks a lot.
>
> --
> Didine
--
Didine
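
An added example, not part of the original thread: a small Python parser for `ipsec auto --up` output of the kind quoted above. It rejoins the mail-wrapped lines, reads the NAT-traversal result and the `NATD=` field of the Quick Mode SA line, and returns the tcpdump filter that matches the negotiated encapsulation. The function names and the `SAMPLE` text (constructed from lines in the quoted output) are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the quoted output, with the mail
# client's "> " prefixes and line wrapping left in place.
SAMPLE = '''\
> 003 "lt85_to_centre" #11: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> 004 "lt85_to_centre" #11: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1024}
> 004 "lt85_to_centre" #12: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0x7593622b <0x6859dbc5 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
'''

# A pluto status record: 3-digit code, quoted connection name, state number.
RECORD = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
NAT_RESULT = re.compile(r'NAT-Traversal: Result using \S+: (.+)$')
ESP_SA = re.compile(r'\{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+) .*?NATD=([^\s}]+)')


def unwrap(text):
    """Strip '> ' quoting and rejoin wrapped lines into one record each."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r'^(?:>\s?)+', '', raw).strip()
        if not line:
            continue
        if RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line  # continuation of the previous record
    return records


def analyse(text):
    """Return the NAT-T result, ESP SPIs, NATD field and a capture filter."""
    info = {'nat_result': None, 'esp_spis': None, 'natd': None}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        if (r := NAT_RESULT.search(m.group(4))):
            info['nat_result'] = r.group(1)
        if (s := ESP_SA.search(m.group(4))):
            info['esp_spis'] = (s.group(1), s.group(2))
            info['natd'] = s.group(3)
    nat = (info['natd'] not in (None, 'none')
           or info['nat_result'] not in (None, 'no NAT detected'))
    # NAT on the path: ESP is wrapped in UDP 4500. No NAT: plain IP protocol 50.
    info['capture_filter'] = 'udp port 4500' if nat else 'ip proto 50'
    return info
```

Passing the returned `capture_filter` to tcpdump on the external interface shows whether any traffic is actually being protected by the SA.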