[Openswan Users] Road-Warrior-Interop with Netscreen

Christoph Haas email at christoph-haas.de
Mon Feb 13 12:59:42 CET 2006


Evening...

We are trying to establish a VPN tunnel between our Juniper Netscreen 
NS-204 (organisation) and OpenS/WAN 2.4.4 (road warrior, dynamic IP, 
initiator). The tunnel works perfectly when using fixed IP addresses and a 
pre-shared key. But when changing to IDs (rightid=@foobar) to get it 
working with dynamic IPs the Netscreen gets bitchy and complains like this:

--------------------------
NetScreen device_id=fire2-1  [Root]system-information-00536: IKE<80.85.1.1> 
Phase 1: Responder starts MAIN mode negotiations. (2006-02-13 12:42:25)

NetScreen device_id=fire2-1  [Root]system-information-00536: Rejected an 
IKE packet on ethernet3 from 80.85.1.1:500 to 80.85.2.2:500 with cookies 
32da62fd44589595 and f1cb940b366bb32f because Phase 1 negotiations failed. 
(The preshared keys might not match.). (2006-02-13 12:42:25)

NetScreen device_id=fire2-1  [Root]system-information-00536: Rejected an 
IKE packet on ethernet3 from 80.85.1.1:500 to 80.85.2.2:500 with cookies 
32da62fd44589595 and f1cb940b366bb32f because the peer sent a packet with 
a message ID before Phase 1 authentication was done. (2006-02-13 12:42:25)
--------------------------

OpenS/WAN shows these log lines:

--------------------------
pluto[13604]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 
PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
pluto[13604]: Setting NAT-Traversal port-4500 floating to off
pluto[13604]:    port floating activation criteria nat_t=0/port_fload=1
pluto[13604]:   including NAT-Traversal patch (Version 0.6c) [disabled]
pluto[13604]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[13604]: starting up 1 cryptographic helpers
pluto[13604]: started helper pid=13610 (fd:6)
pluto[13604]: Using Linux 2.6 IPsec interface code on 2.6.15-1-686
pluto[13604]: Changing to directory '/etc/ipsec.d/cacerts'
pluto[13604]: Changing to directory '/etc/ipsec.d/aacerts'
pluto[13604]: Changing to directory '/etc/ipsec.d/ocspcerts'
pluto[13604]: Changing to directory '/etc/ipsec.d/crls'
pluto[13604]:   Warning: empty directory
pluto[13604]: added connection description "hauke1"
pluto[13604]: listening for IKE messages
pluto[13604]: adding interface eth0/eth0 80.85.1.1:500
pluto[13604]: adding interface lo/lo 127.0.0.1:500
pluto[13604]: adding interface lo/lo ::1:500
pluto[13604]: loading secrets from "/etc/ipsec.secrets"
pluto[13604]:   loaded private key file 
'/etc/ipsec.d/private/roadwarrior.pem' (1675 bytes)
pluto[13604]: "hauke1" #1: initiating Main Mode
pluto[13604]: "hauke1" #1: ignoring unknown Vendor ID payload 
[9c7a1e2a262cf21ba40bd118d98d9169ed55bce6000000050000050a]
pluto[13604]: "hauke1" #1: received Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
pluto[13604]: "hauke1" #1: ignoring Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-00]
pluto[13604]: "hauke1" #1: ignoring Vendor ID payload [HeartBeat Notify 
386b0100]
pluto[13604]: "hauke1" #1: transition from state STATE_MAIN_I1 to state 
STATE_MAIN_I2
pluto[13604]: "hauke1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[13604]: "hauke1" #1: I did not send a certificate because I do not 
have one.
pluto[13604]: "hauke1" #1: transition from state STATE_MAIN_I2 to state 
STATE_MAIN_I3
pluto[13604]: "hauke1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[13604]: "hauke1" #1: byte 2 of ISAKMP Hash Payload must be zero, but 
is not
pluto[13604]: "hauke1" #1: malformed payload in packet
pluto[13604]: "hauke1" #1: sending notification PAYLOAD_MALFORMED to 
80.85.2.2:500
pluto[13604]: packet from 80.85.2.2:500: phase 1 message is part of an 
unknown exchange
--------------------------

My ipsec.conf on the road warrior reads:

--------------------------
version 2.0

config setup
        interfaces=%defaultroute

conn %default
        authby=secret
        # Left = road warrior
        # Right = organisation
        right=80.85.2.2
        left=%defaultroute
        leftid=@road.warrior

conn hauke1
        rightsubnet=10.5.10.0/24
        auto=start

include /etc/ipsec.d/examples/no_oe.conf
--------------------------

The ID on the Netscreen is set as "road.warrior" (without the '@').
My goal was to get it running with RSA certificates but the documentation 
of the Netscreen appliance is a bit weird sometimes. I'd be happy with 
PSKs already.

Btw, I'm using the Linux 2.6.15 kernel's IPSEC stack (no KLIPS).

I'd be grateful for any comments.

Kindly
 Christoph
-- 
~
~
".signature" [Modified] 1 line --100%--                1,48         All
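Added example, not from Christoph's post or from Openswan: a small Python classifier that reads the pluto lines quoted above (re-joined where the mail wrapped them) and reports at which Main Mode message the exchange broke. MR3 is the first message the responder encrypts, and with authby=secret the IKE encryption key is derived from the pre-shared key, so an unparseable MR3 points at the two peers deriving different keys rather than at the ID strings; the hint table is my own summary of that reasoning.

```python
import re

# Pluto (Openswan 2.4.4) lines taken from the post above, wrapped lines
# re-joined. Only the state markers and error lines matter here.
PLUTO_LOG = """\
pluto[13604]: "hauke1" #1: initiating Main Mode
pluto[13604]: "hauke1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[13604]: "hauke1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[13604]: "hauke1" #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
pluto[13604]: "hauke1" #1: malformed payload in packet
pluto[13604]: "hauke1" #1: sending notification PAYLOAD_MALFORMED to 80.85.2.2:500
"""

STATE_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): STATE_MAIN_[IR]\d: '
    r'sent (?P<sent>M\w\d), expecting (?P<expect>M\w\d)')
ERROR_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<err>'
    r'byte \d+ of ISAKMP \w+ Payload must be zero, but is not'
    r'|malformed payload in packet'
    r'|sending notification \w+)')

# Which Main Mode reply was outstanding when the error hit, and what that
# stage of IKEv1 can and cannot tell us (educational summary, not pluto output).
DIAGNOSIS = {
    "MR1": "proposal stage, nothing encrypted yet: IKE policy/proposal mismatch",
    "MR2": "key exchange stage, nothing encrypted yet: not a key problem",
    "MR3": "first encrypted message unusable: peers derived different keys; "
           "with PSK this means the responder used a different (or no) PSK "
           "for this peer address",
}

def classify_main_mode(log: str) -> dict:
    """Per ISAKMP SA: the reply pluto was waiting for when it errored, plus a hint."""
    last_expected, result = {}, {}
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if m:
            last_expected[(m["conn"], m["sa"])] = m["expect"]
            continue
        e = ERROR_RE.search(line)
        if e:
            key = (e["conn"], e["sa"])
            expect = last_expected.get(key)
            entry = result.setdefault(key, {"failed_while_expecting": expect,
                                            "hint": DIAGNOSIS.get(expect, "unknown"),
                                            "errors": []})
            entry["errors"].append(e["err"])
    return result

if __name__ == "__main__":
    for (conn, sa), info in classify_main_mode(PLUTO_LOG).items():
        print(f'{conn} #{sa}: failed while expecting {info["failed_while_expecting"]}: {info["hint"]}')
```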