[Openswan Users] Zyxel Authentication problem

sila sila at network-city.it
Mon Feb 20 11:39:30 CET 2006


Hello, I have tried to create an Openswan <--> Zyxel router tunnel.
I used a configuration from the Openswan site:
http://wiki.openswan.org/index.php/interoperatingZyxel.

When the Zyxel tries to connect, I see this in the log:

Feb 20 11:18:41 Vpn ipsec_setup: ...Openswan IPsec stopped
Feb 20 11:18:41 Vpn ipsec_setup: Stopping Openswan IPsec...
Feb 20 11:18:43 Vpn ipsec_setup: KLIPS debug `none'
Feb 20 11:18:44 Vpn kernel: 
Feb 20 11:18:44 Vpn ipsec_setup: KLIPS ipsec0 on eth1 
81.174.16.70/255.255.255.248 broadcast 81.174.16.71 
Feb 20 11:18:44 Vpn ipsec__plutorun: Starting Pluto subsystem...
Feb 20 11:18:44 Vpn ipsec_setup: ...Openswan IPsec started
Feb 20 11:18:44 Vpn ipsec_setup: Starting Openswan IPsec 2.4.5rc5...
Feb 20 11:18:44 Vpn pluto[4153]: Starting Pluto (Openswan Version 2.4.5rc5 
X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEi at vORSfbbz)
Feb 20 11:18:44 Vpn pluto[4153]: Setting NAT-Traversal port-4500 floating to 
off
Feb 20 11:18:44 Vpn pluto[4153]:    port floating activation criteria 
nat_t=0/port_fload=1
Feb 20 11:18:44 Vpn pluto[4153]:   including NAT-Traversal patch (Version 
0.6c) [disabled]
Feb 20 11:18:44 Vpn pluto[4153]: ike_alg_register_enc(): Activating 
OAKLEY_AES_CBC: Ok (ret=0)
Feb 20 11:18:44 Vpn pluto[4153]: starting up 1 cryptographic helpers
Feb 20 11:18:44 Vpn pluto[4153]: started helper pid=4154 (fd:6)
Feb 20 11:18:44 Vpn pluto[4153]: Using KLIPS IPsec interface code on 2.4.31
Feb 20 11:18:44 Vpn pluto[4153]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 20 11:18:44 Vpn pluto[4153]: Changing to directory '/etc/ipsec.d/aacerts'
Feb 20 11:18:44 Vpn pluto[4153]: Changing to 
directory '/etc/ipsec.d/ocspcerts'
Feb 20 11:18:44 Vpn pluto[4153]: Changing to directory '/etc/ipsec.d/crls'
Feb 20 11:18:44 Vpn pluto[4153]:   Warning: empty directory
Feb 20 11:18:44 Vpn pluto[4153]: added connection description "medimatica-
zyxel"
Feb 20 11:18:44 Vpn pluto[4153]: added connection description "medimatica-
winxp"
Feb 20 11:18:44 Vpn pluto[4153]: listening for IKE messages
Feb 20 11:18:44 Vpn pluto[4153]: adding interface ipsec0/eth1 81.174.16.70:500
Feb 20 11:18:44 Vpn pluto[4153]: loading secrets from "/etc/ipsec.secrets"
Feb 20 11:19:15 Vpn pluto[4153]: packet from 82.49.3.138:500: ignoring 
unknown Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]
Feb 20 11:19:15 Vpn pluto[4153]: "medimatica-zyxel"[1] 82.49.3.138 #1: 
responding to Main Mode from unknown peer 82.49.3.138
Feb 20 11:19:15 Vpn pluto[4153]: "medimatica-zyxel"[1] 82.49.3.138 #1: only 
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute 
OAKLEY_GROUP_DESCRIPTION
Feb 20 11:19:15 Vpn pluto[4153]: "medimatica-zyxel"[1] 82.49.3.138 #1: no 
acceptable Oakley Transform
Feb 20 11:19:15 Vpn pluto[4153]: "medimatica-zyxel"[1] 82.49.3.138 #1: 
sending notification NO_PROPOSAL_CHOSEN to 82.49.3.138:500
Feb 20 11:19:15 Vpn pluto[4153]: "medimatica-zyxel"[1] 82.49.3.138: deleting 
connection "medimatica-zyxel" instance with peer 82.49.3.138 
{isakmp=#0/ipsec=#0}
Feb 20 11:19:19 Vpn pluto[4153]: packet from 82.49.3.138:500: ignoring 
unknown Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]
Feb 20 11:19:19 Vpn pluto[4153]: "medimatica-zyxel"[2] 82.49.3.138 #2: 
responding to Main Mode from unknown peer 82.49.3.138
Feb 20 11:19:19 Vpn pluto[4153]: "medimatica-zyxel"[2] 82.49.3.138 #2: only 
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute 
OAKLEY_GROUP_DESCRIPTION
Feb 20 11:19:19 Vpn pluto[4153]: "medimatica-zyxel"[2] 82.49.3.138 #2: no 
acceptable Oakley Transform
Feb 20 11:19:19 Vpn pluto[4153]: "medimatica-zyxel"[2] 82.49.3.138 #2: 
sending notification NO_PROPOSAL_CHOSEN to 82.49.3.138:500
Feb 20 11:19:19 Vpn pluto[4153]: "medimatica-zyxel"[2] 82.49.3.138: deleting 
connection "medimatica-zyxel" instance with peer 82.49.3.138 
{isakmp=#0/ipsec=#0}
Feb 20 11:19:27 Vpn pluto[4153]: packet from 82.49.3.138:500: ignoring 
unknown Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]
Feb 20 11:19:27 Vpn pluto[4153]: "medimatica-zyxel"[3] 82.49.3.138 #3: 
responding to Main Mode from unknown peer 82.49.3.138
Feb 20 11:19:27 Vpn pluto[4153]: "medimatica-zyxel"[3] 82.49.3.138 #3: only 
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute 
OAKLEY_GROUP_DESCRIPTION
Feb 20 11:19:27 Vpn pluto[4153]: "medimatica-zyxel"[3] 82.49.3.138 #3: no 
acceptable Oakley Transform
Feb 20 11:19:27 Vpn pluto[4153]: "medimatica-zyxel"[3] 82.49.3.138 #3: 
sending notification NO_PROPOSAL_CHOSEN to 82.49.3.138:500
Feb 20 11:19:27 Vpn pluto[4153]: "medimatica-zyxel"[3] 82.49.3.138: deleting 
connection "medimatica-zyxel" instance with peer 82.49.3.138 
{isakmp=#0/ipsec=#0}
Feb 20 11:19:43 Vpn pluto[4153]: packet from 82.49.3.138:500: ignoring 
unknown Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]
Feb 20 11:19:43 Vpn pluto[4153]: "medimatica-zyxel"[4] 82.49.3.138 #4: 
responding to Main Mode from unknown peer 82.49.3.138
Feb 20 11:19:43 Vpn pluto[4153]: "medimatica-zyxel"[4] 82.49.3.138 #4: only 
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute 
OAKLEY_GROUP_DESCRIPTION
Feb 20 11:19:43 Vpn pluto[4153]: "medimatica-zyxel"[4] 82.49.3.138 #4: no 
acceptable Oakley Transform
Feb 20 11:19:43 Vpn pluto[4153]: "medimatica-zyxel"[4] 82.49.3.138 #4: 
sending notification NO_PROPOSAL_CHOSEN to 82.49.3.138:500
Feb 20 11:19:43 Vpn pluto[4153]: "medimatica-zyxel"[4] 82.49.3.138: deleting 
connection "medimatica-zyxel" instance with peer 82.49.3.138 
{isakmp=#0/ipsec=#0}


My ipsec.conf is:

version 2.0

config setup
   interfaces=%defaultroute
   forwardcontrol=yes
   klipsdebug=none
   plutodebug=none
   nat_traversal=no
   fragicmp=no   

conn medimatica-winxp
     authby=secret
     disablearrivalcheck=no
     pfs=no
     left=XX.XX.XX.XX
     leftprotoport=17/1701
     right=%any
     rightprotoport=17/1701
     compress=yes
     auto=add

conn medimatica-zyxel
     authby=secret
     pfs=no
     left=XX.XX.XX.XX
     leftsubnet=192.168.0.0/24
     right=%any
     rightsubnet=192.168.1.0/24
     keyexchange=ike
     ikelifetime=240m
     keylife=60m
     # compress=no
     auto=add

conn OEself
     auto=ignore

conn clear
     auto=ignore

conn private
     auto=ignore

conn private-or-clear
     auto=ignore

conn clear-or-private
     auto=ignore

conn block
     auto=ignore

conn packetdefault
     auto=ignore 

When I change the connection type on the Zyxel from IKE to manual,
I have 2 keys: one key under authentication for SHA1 and a preshared key
for 3DES. Why?

Thanks to all :D
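
Added example, not part of the original post and not Openswan code: a small triage script for pluto logs like the one above. It rejoins the hard-wrapped syslog lines and reports, per connection and peer, how many Main Mode proposals were rejected and which attribute pluto named (here OAKLEY_GROUP_DESCRIPTION, the Diffie-Hellman group). The sample log, the connection name "site-zyxel" and the address 192.0.2.10 are constructed.

```python
import re

# Constructed sample (not the poster's log): two rejected attempts from one
# peer, hard-wrapped the way the list archive wraps pluto syslog lines.
SAMPLE = '''\
Feb 20 11:19:15 gw pluto[4153]: "site-
zyxel"[1] 192.0.2.10 #1: only OAKLEY_GROUP_MODP1024 and
OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Feb 20 11:19:15 gw pluto[4153]: "site-zyxel"[1] 192.0.2.10 #1: no
acceptable Oakley Transform
Feb 20 11:19:19 gw pluto[4153]: "site-zyxel"[2] 192.0.2.10 #2: only
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute
OAKLEY_GROUP_DESCRIPTION
Feb 20 11:19:19 gw pluto[4153]: "site-zyxel"[2] 192.0.2.10 #2: no
acceptable Oakley Transform
'''

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
STATE = re.compile(r'pluto\[\d+\]: "([^"]+)"\[\d+\] (\S+) #(\d+): (.*)')

def unwrap(text):
    """Rejoin wrapped lines: a line without a timestamp continues the previous one."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)
        else:
            # Heuristic: a break right after '-' split a word, so join without a space.
            records[-1] += ("" if records[-1].endswith("-") else " ") + line
    return records

def summarize(text):
    """Count rejected Phase 1 proposals per (conn, peer) and the attribute pluto blamed."""
    blamed, out = {}, {}
    for rec in unwrap(text):
        m = STATE.search(rec)
        if not m:
            continue
        conn, peer, state, msg = m.groups()
        attr = re.search(r"supported\.\s+Attribute (\w+)", msg)
        if attr:
            blamed[(conn, peer, state)] = attr.group(1)
        elif "no acceptable Oakley Transform" in msg:
            entry = out.setdefault((conn, peer), {"rejected": 0, "attributes": set()})
            entry["rejected"] += 1
            entry["attributes"].add(blamed.get((conn, peer, state), "unknown"))
    return out
```
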

