[Openswan Users] Config problem from openswan newbie
Ray O'Leary
r.oleary at hsdatasolutions.com
Fri Feb 17 10:51:20 CET 2006
Hi,
I'm new to openswan and am looking to set up a simple VPN to my Linux
Server box with a small number of (NATed) windows roadwarriors.
I followed (or think I followed) Nate Carlson's
http://www.natecarlson.com/linux/ipsec-x509.php web page but I experienced
problems. So I set up a Linux client box (also NATed) - but this yielded
similar results.
I'll include the details below; any suggestions would be most welcome.
thanks,
Ray
Linux Server box version: 2.6.11-1.1369_FC4
openswan version: openswan-2.4.4-1
Linux Client box version: 2.6.9-1.667
openswan version: openswan-2.1.5-2
When I start IPsec and run "ipsec verify" all seems OK on both sides (apart
from opportunistic encryption).
Next on the client I run the command "ipsec auto --up roadwarrior" and get
the following...
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: ignoring Vendor ID payload [4f457a7d46464666...]
003 "roadwarrior" #1: ignoring Vendor ID payload [Dead Peer Detection]
003 "roadwarrior" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established
112 "roadwarrior" #2: STATE_QUICK_I1: initiate
003 "roadwarrior" #2: ERROR: netlink response for Add SA comp.d28b at 192.168.1.127 included errno 22: Invalid argument
032 "roadwarrior" #2: STATE_QUICK_I1: internal error
003 "roadwarrior" #2: ERROR: netlink response for Add SA comp.d28b at 192.168.1.127 included errno 22: Invalid argument
032 "roadwarrior" #2: STATE_QUICK_I1: internal error
010 "roadwarrior" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
^C
The server /var/log/secure shows...
Feb 17 10:21:46 nmaps ipsec__plutorun: Starting Pluto subsystem...
Feb 17 10:21:46 nmaps pluto[12300]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Feb 17 10:21:46 nmaps pluto[12300]: Setting NAT-Traversal port-4500 floating to on
Feb 17 10:21:46 nmaps pluto[12300]: port floating activation criteria nat_t=1/port_fload=1
Feb 17 10:21:46 nmaps pluto[12300]: including NAT-Traversal patch (Version 0.6c)
Feb 17 10:21:46 nmaps pluto[12300]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb 17 10:21:46 nmaps pluto[12300]: starting up 1 cryptographic helpers
Feb 17 10:21:46 nmaps pluto[12300]: started helper pid=12320 (fd:6)
Feb 17 10:21:46 nmaps pluto[12300]: Using Linux 2.6 IPsec interface code on 2.6.11-1.1369_FC4smp
Feb 17 10:21:46 nmaps pluto[12300]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 17 10:21:46 nmaps pluto[12300]: loaded CA cert file 'cacert.pem' (1269 bytes)
Feb 17 10:21:46 nmaps pluto[12300]: Could not change to directory '/etc/ipsec.d/aacerts'
Feb 17 10:21:46 nmaps pluto[12300]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Feb 17 10:21:46 nmaps pluto[12300]: Changing to directory '/etc/ipsec.d/crls'
Feb 17 10:21:46 nmaps pluto[12300]: loaded crl file 'crl.pem' (503 bytes)
Feb 17 10:21:46 nmaps pluto[12300]: loaded host cert file '/etc/ipsec.d/certs/nmaps.pem' (3626 bytes)
Feb 17 10:21:46 nmaps pluto[12300]: added connection description "roadwarrior"
Feb 17 10:21:46 nmaps pluto[12300]: loaded host cert file '/etc/ipsec.d/certs/nmaps.pem' (3626 bytes)
Feb 17 10:21:46 nmaps pluto[12300]: added connection description "roadwarrior-net"
Feb 17 10:21:46 nmaps pluto[12300]: listening for IKE messages
Feb 17 10:21:46 nmaps pluto[12300]: adding interface eth2/eth2 10.1.1.44:500
Feb 17 10:21:46 nmaps pluto[12300]: adding interface eth2/eth2 10.1.1.44:4500
Feb 17 10:21:46 nmaps pluto[12300]: adding interface eth1/eth1 <publicIP>:500
Feb 17 10:21:46 nmaps pluto[12300]: adding interface eth1/eth1 <publicIP>:4500
Feb 17 10:21:46 nmaps pluto[12300]: adding interface eth0/eth0 10.1.1.51:500
Feb 17 10:21:46 nmaps pluto[12300]: adding interface eth0/eth0 10.1.1.51:4500
Feb 17 10:21:46 nmaps pluto[12300]: adding interface lo/lo 127.0.0.1:500
Feb 17 10:21:46 nmaps pluto[12300]: adding interface lo/lo 127.0.0.1:4500
Feb 17 10:21:46 nmaps pluto[12300]: adding interface lo/lo ::1:500
Feb 17 10:21:46 nmaps pluto[12300]: loading secrets from "/etc/ipsec.secrets"
Feb 17 10:21:46 nmaps pluto[12300]: loaded private key file '/etc/ipsec.d/private/nmaps.key' (1643 bytes)
Feb 17 10:36:23 nmaps pluto[12300]: packet from <NATed Client IP>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Feb 17 10:36:23 nmaps pluto[12300]: packet from <NATed Client IP>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
Feb 17 10:36:23 nmaps pluto[12300]: packet from <NATed Client IP>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[1] <NATed Client IP> #1: responding to Main Mode from unknown peer <NATed Client IP>
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[1] <NATed Client IP> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[1] <NATed Client IP> #1: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[1] <NATed Client IP> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[1] <NATed Client IP> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[1] <NATed Client IP> #1: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[1] <NATed Client IP> #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=IE, ST=Cork, L=Cork, O=HSDS, OU=HSDS, CN=LabLinux, E=<myemail>
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #1: deleting connection "roadwarrior" instance with peer 62.231.47.13 {isakmp=#0/ipsec=#0}
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #1: I am sending my cert
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 17 10:36:23 nmaps pluto[12300]: | NAT-T: new mapping <NATed Client IP>:500/4500)
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: responding to Quick Mode {msgid:1c3c8feb}
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 17 10:36:34 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: next payload type of ISAKMP Hash Payload has an unknown value: 92
Feb 17 10:36:34 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: malformed payload in packet
Feb 17 10:36:34 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: sending notification PAYLOAD_MALFORMED to <NATed Client IP>:4500
Feb 17 10:36:53 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: next payload type of ISAKMP Hash Payload has an unknown value: 92
Feb 17 10:36:53 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: malformed payload in packet
Feb 17 10:36:53 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: sending notification PAYLOAD_MALFORMED to <NATed Client IP>:4500
[root at nmaps log]#
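As an added example (not part of the original post, and not Openswan project code), the following Python script parses the two kinds of output quoted above, the numbered status lines that "ipsec auto --up" prints on the initiator and the pluto syslog lines on the responder, and reports how far the negotiation got on each side. The sample lines are constructed, abbreviated copies of the post's transcripts with the real "@" restored in the SA name (the mailing-list archive rewrites it as " at "; the regex accepts both). The mapping of SA-name prefixes (esp/ah/comp) to protocols is Openswan's naming as I understand it and is an assumption of this example.

```python
"""Summarise how far an Openswan IKE negotiation got from its log lines.

Added example, not part of the original post. It reads the two kinds of
output quoted in the mail: the numbered status lines `ipsec auto --up`
prints on the initiator, and the pluto syslog lines the responder writes
to /var/log/secure. It tracks the last IKE state per SA, notes whether
Phase 1 (ISAKMP SA) and Phase 2 (IPsec SA) completed, and collects the
error lines, so the reader can see where the negotiation broke.
"""
import re

# Constructed, abbreviated copies of the two transcripts in the post.
# The mail archive rewrote "@" as " at "; real pluto output uses "@".
CLIENT_OUTPUT = """\
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established
112 "roadwarrior" #2: STATE_QUICK_I1: initiate
003 "roadwarrior" #2: ERROR: netlink response for Add SA comp.d28b@192.168.1.127 included errno 22: Invalid argument
032 "roadwarrior" #2: STATE_QUICK_I1: internal error
010 "roadwarrior" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
"""

SERVER_LOG = """\
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: responding to Quick Mode {msgid:1c3c8feb}
Feb 17 10:36:23 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 17 10:36:34 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: next payload type of ISAKMP Hash Payload has an unknown value: 92
Feb 17 10:36:34 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: malformed payload in packet
Feb 17 10:36:34 nmaps pluto[12300]: "roadwarrior"[2] <NATed Client IP> #2: sending notification PAYLOAD_MALFORMED to <NATed Client IP>:4500
"""

# Initiator: `<code> "<conn>" #<sa>: <message>`
CLIENT_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# Responder syslog: `<ts> <host> pluto[<pid>]: "<conn>"[<inst>] <peer> #<sa>: <message>`
SERVER_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>.+?) #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'\b(STATE_[A-Z0-9_]+)\b')
# "Add SA <proto>.<spi>@<addr> included errno <n>"; the " at " alternative
# tolerates the mailing-list archive's rewriting of "@".
NETLINK_RE = re.compile(
    r'netlink response for Add SA (?P<proto>[a-z]+)\.(?P<spi>[0-9a-f]+)'
    r'(?:@| at )(?P<addr>\S+) included errno (?P<errno>\d+)')
# SA-name prefixes in pluto's kernel messages (assumed Openswan naming).
SA_PROTO = {"esp": "ESP", "ah": "AH", "comp": "IPCOMP"}
ERROR_MARKERS = ("ERROR", "internal error", "malformed", "unknown value", "PAYLOAD_MALFORMED")


def summarize(text, side):
    """Parse one transcript; side is "client" (ipsec auto output) or "server" (syslog)."""
    pattern = CLIENT_RE if side == "client" else SERVER_RE
    result = {"phase1": False, "phase2": False, "last_state": {}, "errors": [], "netlink": []}
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        sa, msg = int(m.group("sa")), m.group("msg")
        states = STATE_RE.findall(msg)
        if states:
            # On "transition from X to Y" lines the last state named is the new one.
            result["last_state"][sa] = states[-1]
        if "ISAKMP SA established" in msg:
            result["phase1"] = True
        if "IPsec SA established" in msg:
            result["phase2"] = True
        n = NETLINK_RE.search(msg)
        if n:
            result["netlink"].append({
                "proto": SA_PROTO.get(n.group("proto"), n.group("proto")),
                "spi": n.group("spi"), "addr": n.group("addr"), "errno": int(n.group("errno"))})
        if any(marker in msg for marker in ERROR_MARKERS):
            result["errors"].append(msg)
    return result


def diagnose(client, server):
    """Turn the two summaries into short findings about where the tunnel failed."""
    findings = []
    if client["phase1"] and server["phase1"]:
        findings.append("Phase 1 (ISAKMP SA) established on both sides: certificates, peer IDs and NAT-T detection are not the problem")
    if not client["phase2"] and not server["phase2"]:
        findings.append("Phase 2 (IPsec SA) never established: the failure is in Quick Mode")
    for n in client["netlink"]:
        findings.append(f"initiator kernel refused to install {n['proto']} SA {n['spi']} for {n['addr']} (errno {n['errno']})")
    if any("PAYLOAD_MALFORMED" in e for e in server["errors"]):
        findings.append("responder replied PAYLOAD_MALFORMED: it could not parse the initiator's next Quick Mode message")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(CLIENT_OUTPUT, "client"), summarize(SERVER_LOG, "server")):
        print("-", finding)
```

Run against the post's transcripts, the script reports that Phase 1 completed on both ends, that Phase 2 never did, that the initiator's kernel rejected an IPCOMP SA (comp.d28b) with errno 22, and that the responder then answered PAYLOAD_MALFORMED to the initiator's retransmissions; that narrows the search to the Quick Mode proposal and the kernel's ability to install what was negotiated, rather than to certificates or NAT-T.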