[Openswan Users] natted connection to cisco vpn concentrator
Norbert Wegener
nw at sbs.de
Fri May 5 20:10:46 CEST 2006
The output is at:
http://www.wegener-net.de/os/messages
Adventurous I will become tomorrow :-)
What the cisco supports, I do not know and the admin is already enjoying
his weekend.
Norbert
Jacco de Leeuw wrote:
>
> Norbert Wegener wrote:
>
>> I need to setup an l2tp/ipsec connection to a cisco concentrator
>> using certificates with a natted client.
>> May 5 18:12:54 linux pluto[17389]: | our client is 84.61.12.203
>> May 5 18:12:54 linux pluto[17389]: | our client protocol/port is 17/1701
>> May 5 18:12:54 linux pluto[17389]: "rw" #2: our client ID returned doesn't match my proposal
>> May 5 18:12:54 linux pluto[17389]: | complete state transition with (null)
>> May 5 18:12:54 linux pluto[17389]: "rw" #2: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.4:4500
>>
>> What does it mean: "rw" #2: our client ID returned doesn't match my
>> proposal" ?
>
>
> The following patch prints those proposals to the debug log. It is not a
> fix but at least it will show you the mismatch:
>
> --- ikev1_quick.c.orig 2005-10-13 05:55:46.000000000 +0200
> +++ ikev1_quick.c 2006-01-03 15:02:14.000000000 +0100
> @@ -552,8 +552,15 @@
> if (!samesubnet(net, &net_temp)
> || *protoid != id->isaiid_protoid || *port != id->isaiid_port)
> {
> + loglog(RC_LOG_SERIOUS,"%s *net:
> %s/%d\n",which,ip_str(&(net->addr)), net->maskbits);
> + loglog(RC_LOG_SERIOUS,"%s net_temp:
> %s/%d\n",which,ip_str(&(net_temp.addr)), net_temp.maskb
> its);
> + loglog(RC_LOG_SERIOUS,"%s *protoid:
> %d\n",which,*protoid);
> + loglog(RC_LOG_SERIOUS,"%s id->isaiid_protoid:
> %d\n",which,id->isaiid_protoid);
> + loglog(RC_LOG_SERIOUS,"%s *port:
> %d\n",which,*port);
> + loglog(RC_LOG_SERIOUS,"%s id->isaiid_port:
> %d\n",which,id->isaiid_port);
> loglog(RC_LOG_SERIOUS, "%s ID returned doesn't match my
> proposal", which);
> - return FALSE;
> + /* return TRUE; */
> + return FALSE;
> }
> return TRUE;
> }
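Review bot: the commented-out `/* return TRUE; */` placed beside the unchanged `return FALSE;` is dead code with no comment saying why it is there; if it is the knob for the experiment described in the mail, say so in the source, because swapping it in makes this check report a match for any returned ID, so the quick-mode SA would be installed with whatever selectors the peer returned instead of the ones proposed, which is tolerable for a one-off diagnosis and never for a build that stays in service. Two smaller points: the six new `loglog(RC_LOG_SERIOUS, ...)` calls log at the same level as the existing "ID returned doesn't match my proposal" message rather than to a debug log, so a debug-only level would be the better fit for diagnostic output, and their format strings end in `\n` while the existing `loglog` call in the same block does not, so the trailing newlines should be dropped for consistency. As quoted, the patch has also been line-wrapped by the mailer (the split format strings and `net_temp.maskb` / `its`), so it will not apply with `patch` until those lines are rejoined.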
>
>
> If you are adventurous you can even comment out the return TRUE and
> see if you get any further.
>
> What NAT-T variants are supported by the Cisco? Can you show the
> log output of the Vendor IDs and the NAT negotiation?
>
> Jacco
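As an added illustration, not code from this thread or from Openswan, the comparison that the patch above instruments, reimplemented stand-alone: an IPv4 subnet, an IP protocol and a port are compared the way `samesubnet`, `protoid` and `port` are compared in `ikev1_quick.c`, and the first differing field is reported instead of the bare "doesn't match" message. The `struct client_id`, the function names and the 10.0.0.5 peer value are assumptions made for this example; 84.61.12.203 and 17/1701 come from the log lines in the thread.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical struct (not pluto's): the three pieces of a quick-mode client
 * ID that the check in ikev1_quick.c compares: subnet, protocol and port. */
struct client_id {
    uint32_t addr;   /* IPv4 address, host byte order */
    int maskbits;    /* prefix length 0..32 */
    int protoid;     /* IP protocol, 17 = UDP */
    int port;        /* transport port, 1701 = L2TP */
};

/* Parse "a.b.c.d/len" (len optional, default 32). Returns 0 on success, -1 on bad input. */
int parse_client_id(const char *text, int protoid, int port, struct client_id *out)
{
    char buf[32];
    char *slash;
    struct in_addr in;
    int bits = 32;

    if (strlen(text) >= sizeof buf)
        return -1;
    strcpy(buf, text);
    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        if (sscanf(slash + 1, "%d", &bits) != 1 || bits < 0 || bits > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &in) != 1)
        return -1;
    out->addr = ntohl(in.s_addr);
    out->maskbits = bits;
    out->protoid = protoid;
    out->port = port;
    return 0;
}

static uint32_t prefix_mask(int bits)
{
    return bits == 0 ? 0u : 0xffffffffu << (32 - bits);
}

/* Same idea as samesubnet(): identical prefix length and identical network bits. */
int same_subnet(const struct client_id *a, const struct client_id *b)
{
    uint32_t m = prefix_mask(a->maskbits);
    return a->maskbits == b->maskbits && (a->addr & m) == (b->addr & m);
}

/* Returns 1 when the ID the peer returned matches our proposal, 0 otherwise.
 * On mismatch, `why` names the first differing field ("net", "protoid" or
 * "port") with both values, which is what the patch above logs by hand. */
int client_id_matches(const struct client_id *mine, const struct client_id *theirs,
                      char *why, size_t whylen)
{
    char a[INET_ADDRSTRLEN], b[INET_ADDRSTRLEN];
    struct in_addr ia, ib;

    if (!same_subnet(mine, theirs)) {
        ia.s_addr = htonl(mine->addr);
        ib.s_addr = htonl(theirs->addr);
        inet_ntop(AF_INET, &ia, a, sizeof a);
        inet_ntop(AF_INET, &ib, b, sizeof b);
        snprintf(why, whylen, "net: proposed %s/%d, returned %s/%d",
                 a, mine->maskbits, b, theirs->maskbits);
        return 0;
    }
    if (mine->protoid != theirs->protoid) {
        snprintf(why, whylen, "protoid: proposed %d, returned %d",
                 mine->protoid, theirs->protoid);
        return 0;
    }
    if (mine->port != theirs->port) {
        snprintf(why, whylen, "port: proposed %d, returned %d",
                 mine->port, theirs->port);
        return 0;
    }
    why[0] = '\0';
    return 1;
}

int main(void)
{
    struct client_id mine, theirs;
    char why[128];

    /* Our side, taken from the log lines in the thread: 84.61.12.203, 17/1701. */
    parse_client_id("84.61.12.203/32", 17, 1701, &mine);

    /* Constructed peer answer: the returned address differs from the proposal. */
    parse_client_id("10.0.0.5/32", 17, 1701, &theirs);
    if (!client_id_matches(&mine, &theirs, why, sizeof why))
        printf("ID returned doesn't match my proposal (%s)\n", why);

    /* Constructed peer answer: same address, but the port was dropped. */
    parse_client_id("84.61.12.203/32", 17, 0, &theirs);
    if (!client_id_matches(&mine, &theirs, why, sizeof why))
        printf("ID returned doesn't match my proposal (%s)\n", why);

    return 0;
}
```

Reading the mismatch this way tells you which of the three fields the peer disagrees on; a differing address for a NATted client and a differing port for an L2TP selector are separate problems with separate configuration fixes, and the plain "doesn't match" message does not distinguish them.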