[Openswan Users] vpn connection to a LANCOM router
Andreas Lüdtke
andi.luedtke at gmx.de
Sat Jan 7 22:10:35 CET 2006
Hi,
I've been trying for a week now to get a VPN connection from my Linksys router
running openWRT (with Openswan 2.4.4) to our company LANCOM router. I have
already searched the web and the openWRT forum, but I didn't get an answer to
my problem. I also talked at length with a support technician at LANCOM, and he
told me that everything looks good and it should work... But he is not a Linux
guru. So now I'm trying it here and hoping for answers.
To put it short: when I try to make the connection, I get either the error
messages NO_PROPOSAL_CHOSEN or INVALID_COOKIE, or the connection goes to
STATE_MAIN_I4 and then tells me "phase 1 is done, looking for phase 1 to
unpend", and then the next connection is tried. As far as I can see, the error
messages depend on the setting of pfs=yes/no in ipsec.conf.
Could someone please help me to get it working?
Thanks
Andreas
Here are the ipsec details of the LANCOM router:
Connection #12 10.11.12.0/255.255.255.0:0 <-> 10.7.7.0/255.255.255.0:0 any
  Name: PTALFW
  Unique Id: ipsec-14-PTALFW-pr0-l0-r0
  Flags: main-mode
  Local Network: IPV4_ADDR_SUBNET(any:0, 10.11.12.0/255.255.255.0)
  Local Gateway: IPV4_ADDR(any:0, 123.45.67.89)
  Remote Gateway: IPV4_ADDR(any:0, 84.140.207.51) <=== this is my.private.home.dyndns.org
  Remote Network: IPV4_ADDR_SUBNET(any:0, 10.7.7.0/255.255.255.0)
  IKE Proposal List: isakmp-AL-IKE-PRESH-KEY-gr2
    # of proposals = 2
    IKE Proposal #1: prop-AL-PSK-AES-MD5-ike-gr2
      IKE Encryption: AES_CBC
      IKE Hash: MD5
      Authentication: PRE_SHARED
      IKE Group: MODP_1024
      Lifetime (sec, hard): 3600,0:3600
      Lifetime (KB, hard): ANY
    IKE Proposal #2: prop-AL-PSK-AES-SHA-ike-gr2
      IKE Encryption: AES_CBC
      IKE Hash: SHA
      Authentication: PRE_SHARED
      IKE Group: MODP_1024
      Lifetime (sec, hard): 3600,0:3600
      Lifetime (KB, hard): ANY
  IKE Identities and Key:
    Key: *
  IPSec Proposal List: ipsec-IPS-PTALFW-KOPIE-gr2
    # of proposals = 1
    IPSec Proposal #1: IPSEC_ESP AES(128,128:256) HMAC_MD5
      Encapsulation Mode: TUNNEL
      PFS Group: MODP_1024
      Lifetime (sec, hard): 28800,0:28800
      Lifetime (KB, hard): ANY
and here is the ipsec.conf from openWRT:
version 2.0

config setup
    plutodebug="control"
    uniqueids=yes

conn PTHHFW
    left=my.private.home.dyndns.org
    leftnexthop=%defaultroute
    leftsubnet=10.7.7.0/255.255.255.0
    right=123.45.67.89
    rightsubnet=10.11.12.0/255.255.255.0
    rightnexthop=%defaultroute
    ike=aes128-md5-modp1024
    esp=aes128-md5
    authby=secret
    auto=start
    pfs=yes

include /etc/ipsec.d/examples/no_oe.conf
excerpt from Openswan log:
Jan 7 21:20:32 (none) kern.warn pluto[23418]: "PTHHFW" #1: Main mode peer ID is ID_IPV4_ADDR: '123.45.67.89'
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | complete state transition with STF_OK
Jan 7 21:20:32 (none) kern.warn pluto[23418]: "PTHHFW" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | inserting event EVENT_SA_REPLACE, timeout in 2944 seconds for #1
Jan 7 21:20:32 (none) kern.warn pluto[23418]: "PTHHFW" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | modecfg pull: noquirk policy:push not-client
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | phase 1 is done, looking for phase 1 to unpend
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | unqueuing pending Quick Mode with 123.45.67.89 "PTHHFW"
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | duplicating state object #1
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | creating state object #2 at 0x1001fcb8
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | processing connection PTHHFW
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | ICOOKIE: 16 85 a7 e1 8f 8d 41 b6
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | RCOOKIE: 86 09 66 6e 44 dc af 30
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | peer: d9 5b 2f 41
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | state hash entry 4
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
Jan 7 21:20:32 (none) kern.warn pluto[23418]: "PTHHFW" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | asking helper 0 to do build_kenonce op on seq: 2
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | next event EVENT_SHUNT_SCAN in 112 seconds
Jan 7 21:20:32 (none) kern.debug pluto[23427]: ! helper -1 doing build_kenonce op id: 2
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | processing connection PTHHFW
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | kernel_alg_db_new() trans[0]: transid=12, attr_cnt=2, attrs[0].type=5, attrs[0].val=1
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | returning new proposal from esp_info
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | generate SPI: 63 83 77 cc
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | sending 300 bytes for quick_outI1 through ppp0:500 to 123.45.67.89:
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
Jan 7 21:20:32 (none) kern.debug pluto[23418]: | next event EVENT_RETRANSMIT in 10 seconds for #2
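The post's symptoms (NO_PROPOSAL_CHOSEN, or Phase 1 completing and Quick Mode never being answered) are what a proposal mismatch between the two ends looks like, so a practical first check is to lay the Openswan ike=/esp=/pfs= settings next to the peer's advertised proposals and see where they can and cannot agree. The script below is an added example written for this page; it is not code from the original post, from Openswan or from LANCOM. The conn section and the LANCOM listing it parses are constructed copies of what the post shows. It assumes Openswan's default AES key length of 128 bits when ike=/esp= give none, accepts the "enc-auth;modpN" form for a Phase 2 group in esp=, and assumes that with pfs=yes and no group in esp= Openswan proposes the Phase 1 DH group for Quick Mode PFS. It only checks algorithm overlap; it cannot explain an INVALID_COOKIE, which concerns ISAKMP state rather than proposals.

```python
"""Added example, not part of the post or of Openswan/LANCOM: compare an
Openswan conn's ike=/esp=/pfs= settings with the proposal list a LANCOM
router prints, to see whether Phase 1 and Phase 2 can agree at all."""
import re

# Constructed input: the algorithm-related lines of the post's conn section.
IPSEC_CONF = """\
conn PTHHFW
    ike=aes128-md5-modp1024
    esp=aes128-md5
    authby=secret
    pfs=yes
"""

# Constructed input: the proposal lines of the LANCOM listing in the post.
LANCOM_LISTING = """\
IKE Proposal List: isakmp-AL-IKE-PRESH-KEY-gr2
IKE Proposal #1: prop-AL-PSK-AES-MD5-ike-gr2
IKE Encryption: AES_CBC
IKE Hash: MD5
Authentication: PRE_SHARED
IKE Group: MODP_1024
IKE Proposal #2: prop-AL-PSK-AES-SHA-ike-gr2
IKE Encryption: AES_CBC
IKE Hash: SHA
Authentication: PRE_SHARED
IKE Group: MODP_1024
IPSec Proposal List: ipsec-IPS-PTALFW-KOPIE-gr2
IPSec Proposal #1: IPSEC_ESP AES(128,128:256) HMAC_MD5
Encapsulation Mode: TUNNEL
PFS Group: MODP_1024
"""

# Name mapping between Openswan keywords and the LANCOM listing (assumed
# spellings; only algorithms that could plausibly appear here are covered).
ENC = {"aes": "AES", "3des": "3DES"}
HASH = {"md5": "MD5", "sha": "SHA", "sha1": "SHA"}
ESP_AUTH = {"md5": "HMAC_MD5", "sha": "HMAC_SHA", "sha1": "HMAC_SHA"}
GROUP = {"modp1024": "MODP_1024", "modp1536": "MODP_1536", "modp2048": "MODP_2048"}
DEFAULT_KEYLEN = {"aes": 128, "3des": 192}   # assumption: Openswan's defaults


def parse_conn(text):
    """Collect the key=value lines of one conn section into a dict."""
    pairs = (l.strip().split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}


def parse_alg(spec, phase2=False):
    """Split 'aes128-md5-modp1024' (ike=) or 'aes128-md5[;modp1024]' (esp=)."""
    pat = r"^(?P<enc>aes|3des)(?P<keylen>\d+)?-(?P<hash>[a-z0-9]+)" + (
        r"(?:;(?P<group>modp\d+))?$" if phase2 else r"-(?P<group>modp\d+)$")
    out = []
    for item in spec.split(","):
        m = re.match(pat, item.strip())
        if not m:
            raise ValueError(f"unrecognised algorithm spec {item!r}")
        d = m.groupdict()
        d["keylen"] = int(d["keylen"]) if d["keylen"] else DEFAULT_KEYLEN[d["enc"]]
        out.append(d)
    return out


def parse_lancom(listing):
    """Return (ike_proposals, esp_proposals) from a LANCOM-style dump."""
    ike, esp, cur = [], [], None
    for line in listing.splitlines():
        line = line.strip()
        if m := re.match(r"IKE Proposal #\d+: (\S+)", line):
            cur = {"name": m.group(1)}
            ike.append(cur)
        elif m := re.match(r"IPSec Proposal #(\d+): IPSEC_ESP (\w+)\((\d+),(\d+):(\d+)\) (\S+)", line):
            # AES(128,128:256) reads as default key length 128, allowed range 128..256
            cur = {"name": "#" + m.group(1), "enc": m.group(2), "min": int(m.group(4)),
                   "max": int(m.group(5)), "auth": m.group(6)}
            esp.append(cur)
        elif cur is not None and ":" in line:
            label, value = (s.strip() for s in line.split(":", 1))
            cur[label] = value
    return ike, esp


def check(conn, listing):
    """Report which peer proposals the conn can match, and the PFS outcome."""
    peer_ike, peer_esp = parse_lancom(listing)
    ike, esp = parse_alg(conn["ike"]), parse_alg(conn["esp"], phase2=True)
    auth = "PRE_SHARED" if conn.get("authby", "secret") == "secret" else "RSA_SIG"
    report = {"ike": [], "esp": [], "pfs": None}
    for p in peer_ike:
        for l in ike:
            if (p["IKE Encryption"].startswith(ENC[l["enc"]]) and p["IKE Hash"] == HASH.get(l["hash"])
                    and p["Authentication"] == auth and p["IKE Group"] == GROUP.get(l["group"])):
                report["ike"].append(p["name"])
    for p in peer_esp:
        for l in esp:
            if not (p["enc"] == ENC[l["enc"]] and p["min"] <= l["keylen"] <= p["max"]
                    and p["auth"] == ESP_AUTH.get(l["hash"])):
                continue
            report["esp"].append(p["name"])
            # Assumption: with pfs=yes and no group given in esp=, Openswan proposes
            # the Phase 1 group for Quick Mode PFS.
            want = p.get("PFS Group")
            if conn.get("pfs", "yes") == "no":
                report["pfs"] = "ok" if want is None else f"pfs=no but peer expects PFS {want}"
            else:
                have = GROUP.get(l["group"] or ike[0]["group"])
                report["pfs"] = "ok" if have == want else f"local PFS {have} vs peer {want}"
    return report


if __name__ == "__main__":
    print(check(parse_conn(IPSEC_CONF), LANCOM_LISTING))
```

For the settings in the post the report lists IKE proposal #1 and ESP proposal #1 as matches with PFS "ok"; flipping pfs to no, or changing esp= to an authentication the peer does not list, turns up the corresponding mismatch, which is the kind of difference worth confirming against the peer's listing before touching anything else.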