[Openswan Users] Road-Warrior-Interop with Netscreen
Christoph Haas
email at christoph-haas.de
Mon Feb 13 12:59:42 CET 2006
Evening...
We are trying to establish a VPN tunnel between our Juniper Netscreen
NS-204 (organisation) and OpenS/WAN 2.4.4 (road warrior, dynamic IP,
initator). The tunnel works perfectly when using fixed IP addresses and a
pre-shared key. But when changing to IDs (rightid=@foobar) to get it
working with dynamic IPs the Netscreen get bitchy and complains like this:
--------------------------
NetScreen device_id=fire2-1 [Root]system-information-00536: IKE<80.85.1.1>
Phase 1: Responder starts MAIN mode negotiations. (2006-02-13 12:42:25)
NetScreen device_id=fire2-1 [Root]system-information-00536: Rejected an
IKE packet on ethernet3 from 80.85.1.1:500 to 80.85.2.2:500 with cookies
32da62fd44589595 and f1cb940b366bb32f because Phase 1 negotiations failed.
(The preshared keys might not match.). (2006-02-13 12:42:25)
NetScreen device_id=fire2-1 [Root]system-information-00536: Rejected an
IKE packet on ethernet3 from 80.85.1.1:500 to 80.85.2.2:500 with cookies
32da62fd44589595 and f1cb940b366bb32f because the peer sent a packet with
a message ID before Phase 1 authentication was done. (2006-02-13 12:42:25)
--------------------------
OpenS/WAN shows these log lines:
--------------------------
pluto[13604]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4
PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
pluto[13604]: Setting NAT-Traversal port-4500 floating to off
pluto[13604]: port floating activation criteria nat_t=0/port_fload=1
pluto[13604]: including NAT-Traversal patch (Version 0.6c) [disabled]
pluto[13604]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[13604]: starting up 1 cryptographic helpers
pluto[13604]: started helper pid=13610 (fd:6)
pluto[13604]: Using Linux 2.6 IPsec interface code on 2.6.15-1-686
pluto[13604]: Changing to directory '/etc/ipsec.d/cacerts'
pluto[13604]: Changing to directory '/etc/ipsec.d/aacerts'
pluto[13604]: Changing to directory '/etc/ipsec.d/ocspcerts'
pluto[13604]: Changing to directory '/etc/ipsec.d/crls'
pluto[13604]: Warning: empty directory
pluto[13604]: added connection description "hauke1"
pluto[13604]: listening for IKE messages
pluto[13604]: adding interface eth0/eth0 80.85.1.1:500
pluto[13604]: adding interface lo/lo 127.0.0.1:500
pluto[13604]: adding interface lo/lo ::1:500
pluto[13604]: loading secrets from "/etc/ipsec.secrets"
pluto[13604]: loaded private key file
'/etc/ipsec.d/private/roadwarrior.pem' (1675 bytes)
pluto[13604]: "hauke1" #1: initiating Main Mode
pluto[13604]: "hauke1" #1: ignoring unknown Vendor ID payload
[9c7a1e2a262cf21ba40bd118d98d9169ed55bce6000000050000050a]
pluto[13604]: "hauke1" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
pluto[13604]: "hauke1" #1: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
pluto[13604]: "hauke1" #1: ignoring Vendor ID payload [HeartBeat Notify
386b0100]
pluto[13604]: "hauke1" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
pluto[13604]: "hauke1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[13604]: "hauke1" #1: I did not send a certificate because I do not
have one.
pluto[13604]: "hauke1" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
pluto[13604]: "hauke1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[13604]: "hauke1" #1: byte 2 of ISAKMP Hash Payload must be zero, but
is not
pluto[13604]: "hauke1" #1: malformed payload in packet
pluto[13604]: "hauke1" #1: sending notification PAYLOAD_MALFORMED to
80.85.2.2:500
pluto[13604]: packet from 80.85.2.2:500: phase 1 message is part of an
unknown exchange
--------------------------
My ipsec.conf on the road warrior reads:
--------------------------
version 2.0
config setup
	interfaces=%defaultroute
conn %default
	authby=secret
	# Left = road warrior
	# Right = organisation
	right=80.85.2.2
	left=%defaultroute
	leftid=@road.warrior
conn hauke1
	rightsubnet=10.5.10.0/24
	auto=start
include /etc/ipsec.d/examples/no_oe.conf
--------------------------
The ID on the Netscreen is set as "road.warrior" (without the '@').
My goal was to get it running with RSA certificates but the documentation
of the Netscreen appliance is a bit weird sometimes. I'd be happy with
PSKs already.
Btw, I'm using the Linux 2.6.15 kernel's IPSEC stack (no KLIPS).
I'd be grateful for any comments.
Kindly
Christoph
--
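Added example, not part of the thread: a small Python triage of Pluto Main Mode logs like the ones quoted above. It tracks which Main Mode message the initiator last sent and, when the next packet fails to parse right after MI3, points at the pre-shared key or peer ID as the first thing to check, since MR3 is the first reply Pluto has to decrypt with keys derived from the PSK; a parse failure earlier in the exchange is classified separately. The sample log is constructed from the post's lines with the wrapped lines joined.

```python
import re

# Constructed sample modelled on the pluto lines quoted in the post.
SAMPLE_LOG = """\
pluto[13604]: "hauke1" #1: initiating Main Mode
pluto[13604]: "hauke1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[13604]: "hauke1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[13604]: "hauke1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
pluto[13604]: "hauke1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[13604]: "hauke1" #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
pluto[13604]: "hauke1" #1: malformed payload in packet
pluto[13604]: "hauke1" #1: sending notification PAYLOAD_MALFORMED to 80.85.2.2:500
"""

# "sent MIx, expecting MRx" tells us how far the initiator got.
SENT_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_\w+): '
                     r'sent (?P<msg>M\w+), expecting')
# Both lines pluto emits when an incoming payload does not parse.
FAIL_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): '
                     r'(malformed payload in packet|byte \d+ of ISAKMP \w+ Payload must be zero)')
ESTAB_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): STATE_MAIN_I4: ISAKMP SA established')


def triage_main_mode(log_text):
    """Return {(conn, sa_number): verdict} for every ISAKMP SA seen in the log."""
    last_sent = {}  # (conn, sa) -> last Main Mode message pluto sent
    verdict = {}
    for line in log_text.splitlines():
        m = SENT_RE.search(line)
        if m:
            key = (m['conn'], int(m['sa']))
            last_sent[key] = m['msg']
            verdict.setdefault(key, 'in progress: ' + m['state'])
            continue
        m = ESTAB_RE.search(line)
        if m:
            verdict[(m['conn'], int(m['sa']))] = 'established'
            continue
        m = FAIL_RE.search(line)
        if m:
            key = (m['conn'], int(m['sa']))
            if last_sent.get(key) == 'MI3':
                # MR3 is the first message the initiator decrypts with PSK-derived
                # keys; a mismatched PSK (or an ID that selects the wrong key on the
                # peer) turns it into garbage that fails payload parsing.
                verdict[key] = 'MR3 undecodable after MI3: suspect PSK or ID mismatch with peer'
            else:
                verdict[key] = 'malformed payload before encrypted phase: suspect proposal or vendor-ID issue'
    return verdict


if __name__ == '__main__':
    for (conn, sa), result in sorted(triage_main_mode(SAMPLE_LOG).items()):
        print('%s #%d: %s' % (conn, sa, result))
```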