[Openswan Users] natted connection to cisco vpn concentrator
Jacco de Leeuw
jacco2 at dds.nl
Fri May 5 19:40:42 CEST 2006
Norbert Wegener wrote:
> I need to setup an l2tp/ipsec connection to a cisco concentrator using
> certificates with a natted client.
> May 5 18:12:54 linux pluto[17389]: | our client is 84.61.12.203
> May 5 18:12:54 linux pluto[17389]: | our client protocol/port is 17/1701
> May 5 18:12:54 linux pluto[17389]: "rw" #2: our client ID returned
> doesn't match my proposal
> May 5 18:12:54 linux pluto[17389]: | complete state transition with (null)
> May 5 18:12:54 linux pluto[17389]: "rw" #2: sending encrypted
> notification INVALID_ID_INFORMATION to 1.2.3.4:4500
>
> What does it mean: "rw" #2: our client ID returned doesn't match my
> proposal" ?
The following patch prints those proposals to the debug log. It is not a
fix but at least it will show you the mismatch:
--- ikev1_quick.c.orig 2005-10-13 05:55:46.000000000 +0200
+++ ikev1_quick.c 2006-01-03 15:02:14.000000000 +0100
@@ -552,8 +552,15 @@
if (!samesubnet(net, &net_temp)
|| *protoid != id->isaiid_protoid || *port != id->isaiid_port)
{
+ loglog(RC_LOG_SERIOUS,"%s *net:
%s/%d\n",which,ip_str(&(net->addr)), net->maskbits);
+ loglog(RC_LOG_SERIOUS,"%s net_temp:
%s/%d\n",which,ip_str(&(net_temp.addr)), net_temp.maskb
its);
+ loglog(RC_LOG_SERIOUS,"%s *protoid: %d\n",which,*protoid);
+ loglog(RC_LOG_SERIOUS,"%s id->isaiid_protoid:
%d\n",which,id->isaiid_protoid);
+ loglog(RC_LOG_SERIOUS,"%s *port: %d\n",which,*port);
+ loglog(RC_LOG_SERIOUS,"%s id->isaiid_port:
%d\n",which,id->isaiid_port);
loglog(RC_LOG_SERIOUS, "%s ID returned doesn't match my proposal",
which);
- return FALSE;
+ /* return TRUE; */
+ return FALSE;
}
return TRUE;
}
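Review bot: the six added loglog() calls end their format strings with "\n" while the existing loglog(RC_LOG_SERIOUS, "%s ID returned doesn't match my proposal", which) two lines below does not, so the output will be inconsistently spaced; drop the trailing newlines. Since the cover text describes this as debug output, RC_LOG_SERIOUS is also the wrong level: it logs unconditionally at normal verbosity, and a DBG_log() under a debug guard would keep it out of production logs. Finally, the "/* return TRUE; */" placeholder above "return FALSE;" should not go in as-is; uncommenting it would make the function accept a client ID that fails the samesubnet/protoid/port check, so if it is meant as a troubleshooting knob it needs at least a comment saying so.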
If you are adventurous you can even comment out the return TRUE and
see if you get any further.
What NAT-T variants are supported by the Cisco? Can you show the
log output of the Vendor IDs and the NAT negotiation?
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl