[Openswan Users] natted connection to cisco vpn concentrator

Norbert Wegener nw at sbs.de
Fri May 5 20:56:14 CEST 2006


Sorry, for some reason the output was not correct. I have put the 
complete log there again:
http://www.wegener-net.de/os/messages

 Here are the messages from Jacco's patch:

May  5 19:44:19 linux pluto[23522]: | our client is 84.61.12.203
May  5 19:44:19 linux pluto[23522]: | our client protocol/port is 17/1701
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client *net: 192.168.170.21/32
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client net_temp: 84.61.12.203/32
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client *protoid:           17
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client id->isaiid_protoid: 17
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client *port:              1701
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client id->isaiid_port: 1701
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client ID returned doesn't match my proposal

Sorry again.
Norbert


Norbert Wegener wrote:

> The output is at:
> http://www.wegener-net.de/os/messages
> Adventurous I will become tomorrow:-)
> What the cisco supports, I do not know and the admin is already 
> enjoying his weekend.
> Norbert
>
>
> Jacco de Leeuw wrote:
>
>>
>> Norbert Wegener wrote:
>>
>>> I need to setup an l2tp/ipsec connection to a cisco concentrator 
>>> using certificates with a natted client.
>>> May  5 18:12:54 linux pluto[17389]: | our client is 84.61.12.203
>>> May  5 18:12:54 linux pluto[17389]: | our client protocol/port is 17/1701
>>> May  5 18:12:54 linux pluto[17389]: "rw" #2: our client ID returned doesn't match my proposal
>>> May  5 18:12:54 linux pluto[17389]: | complete state transition with (null)
>>> May  5 18:12:54 linux pluto[17389]: "rw" #2: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.4:4500
>>>
>>> What does it mean: "rw" #2: our client ID returned doesn't match my 
>>> proposal" ?
>>
>>
>>
>> The following patch prints those proposals to the debug log. It is not a
>> fix but at least it will show you the mismatch:
>>
>> --- ikev1_quick.c.orig  2005-10-13 05:55:46.000000000 +0200
>> +++ ikev1_quick.c       2006-01-03 15:02:14.000000000 +0100
>> @@ -552,8 +552,15 @@
>>      if (!samesubnet(net, &net_temp)
>>      || *protoid != id->isaiid_protoid || *port != id->isaiid_port)
>>      {
>> +        loglog(RC_LOG_SERIOUS,"%s *net: 
>> %s/%d\n",which,ip_str(&(net->addr)), net->maskbits);
>> +        loglog(RC_LOG_SERIOUS,"%s net_temp: 
>> %s/%d\n",which,ip_str(&(net_temp.addr)), net_temp.maskb
>> its);
>> +        loglog(RC_LOG_SERIOUS,"%s *protoid:           
>> %d\n",which,*protoid);
>> +        loglog(RC_LOG_SERIOUS,"%s id->isaiid_protoid: 
>> %d\n",which,id->isaiid_protoid);
>> +        loglog(RC_LOG_SERIOUS,"%s *port:              
>> %d\n",which,*port);
>> +        loglog(RC_LOG_SERIOUS,"%s id->isaiid_port: 
>> %d\n",which,id->isaiid_port);
>>         loglog(RC_LOG_SERIOUS, "%s ID returned doesn't match my 
>> proposal", which);
>> -       return FALSE;
>> +       /* return TRUE; */
>> +       return FALSE;
>>      }
>>      return TRUE;
>>  }
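Review bot: the six added loglog() calls end their format strings with "\n" while the existing `loglog(RC_LOG_SERIOUS, "%s ID returned doesn't match my proposal", which);` in the same block does not, so the new lines will be formatted differently from every other pluto log line; drop the trailing "\n". As pasted, the string literals are also split across lines (`"%s *net: ` / `%s/%d\n"`, and `net_temp.maskb` / `its`), so anyone applying this by hand has to rejoin each call onto one line before it compiles. Note that RC_LOG_SERIOUS is not gated on a debug flag, so these values are written on every mismatch, not only when debugging is enabled. Finally, `/* return TRUE; */` left beside `return FALSE;` is a commented-out behaviour switch; if skipping the check is meant to be an experiment, a clearly named compile-time option would be safer than a comment someone may uncomment by accident.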
>>
>>
>> If you are adventurous you can even comment out the return TRUE and
>> see if you get any further.
>>
>> What NAT-T variants are supported by the Cisco? Can you show the
>> log output of the Vendor IDs and the NAT negotiation?
>>
>> Jacco
>
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
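As an added example, not code from this thread or from Openswan, here is a small Python script that pairs up the six values Jacco's patch prints (`*net`/`net_temp`, `*protoid`/`id->isaiid_protoid`, `*port`/`id->isaiid_port`) and reports which of the three comparisons in that `if` actually failed. The sample log lines are Norbert's, rejoined onto single lines; the acceptance of "his client" as well as "our client" is an assumption about the other caller of the same check, and the `"(conn)" #N:` prefix format is taken from the lines above.

```python
import ipaddress
import re

# Constructed sample: the JDL lines from the thread, one log record per line.
SAMPLE_LOG = """\
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client *net: 192.168.170.21/32
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client net_temp: 84.61.12.203/32
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client *protoid:           17
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client id->isaiid_protoid: 17
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client *port:              1701
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client id->isaiid_port: 1701
May  5 19:44:19 linux pluto[23522]: "rw" #2: JDL our client ID returned doesn't match my proposal
"""

# "our client" is what the thread shows; "his client" is assumed for the peer side.
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): JDL '
    r'(?P<which>our client|his client) '
    r'(?P<field>\*net|net_temp|\*protoid|id->isaiid_protoid|\*port|id->isaiid_port)'
    r': +(?P<value>\S+)'
)

# (what pluto proposed, what the peer returned), named as in the patch's loglog() calls.
PAIRS = {
    "net": ("*net", "net_temp"),
    "protoid": ("*protoid", "id->isaiid_protoid"),
    "port": ("*port", "id->isaiid_port"),
}


def parse_jdl_lines(text):
    """Group the JDL debug values by (connection, state number, side)."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not one of the six value lines (e.g. the final "doesn't match" line)
        key = (m["conn"], int(m["state"]), m["which"])
        out.setdefault(key, {})[m["field"]] = m["value"]
    return out


def _differs(name, proposed, returned):
    """Mirror the C check: subnets are compared as networks, protoid/port as plain values."""
    if name == "net":
        return (ipaddress.ip_network(proposed, strict=False)
                != ipaddress.ip_network(returned, strict=False))
    return proposed != returned


def find_mismatches(text):
    """For each state, list (name, proposed, returned) for every comparison that failed."""
    result = {}
    for key, fields in parse_jdl_lines(text).items():
        diffs = []
        for name, (prop, ret) in PAIRS.items():
            if prop in fields and ret in fields and _differs(name, fields[prop], fields[ret]):
                diffs.append((name, fields[prop], fields[ret]))
        result[key] = diffs
    return result


def report(text):
    """Human-readable summary, one line per state."""
    lines = []
    for (conn, state, which), diffs in find_mismatches(text).items():
        if not diffs:
            lines.append(f'"{conn}" #{state} {which}: all three fields match')
            continue
        detail = "; ".join(f"{n}: proposed {p}, peer returned {r}" for n, p, r in diffs)
        lines.append(f'"{conn}" #{state} {which}: mismatch in {detail}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample lines this reports that only the `net` comparison fails (the proposed 192.168.170.21/32 against the returned 84.61.12.203/32), while protocol 17 and port 1701 agree on both sides, which is exactly the information the thread's patch was added to surface.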
