[Openswan Users] natted connection to cisco vpn concentrator

Norbert Wegener nw at sbs.de
Thu May 18 12:34:22 CEST 2006


I could not talk to the Cisco admin, so I decided to become adventurous 
and it was honored.
I don't know why the client and the Cisco VPN disagreed, but returning 
TRUE, although there was a disagreement, made the connection come up:
May 18 11:26:34 lino2 pluto[17400]: "rw" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May 18 11:26:34 lino2 pluto[17400]: "rw" #2: initiating Quick Mode RSASIG+ENCRYPT+UP {using isakmp#1}
May 18 11:26:34 lino2 pluto[17400]: "rw" #2: our client *net: 192.168.170.23/32
May 18 11:26:34 lino2 pluto[17400]: "rw" #2: our client net_temp: 80.139.204.187/32
May 18 11:26:34 lino2 pluto[17400]: "rw" #2: our client *protoid:           17
May 18 11:26:34 lino2 pluto[17400]: "rw" #2: our client id->isaiid_protoid: 17
May 18 11:26:34 lino2 pluto[17400]: "rw" #2: our client *port:              1701
May 18 11:26:34 lino2 pluto[17400]: "rw" #2: our client id->isaiid_port: 1701
May 18 11:26:34 lino2 pluto[17400]: "rw" #2: our client ID returned doesn't match my proposal
May 18 11:26:34 lino2 pluto[17400]: "rw" #2: NAT-Traversal: received 1 NAT-OA. ignored because peer is not NATed
May 18 11:26:34 lino2 vpn: up-host start-session 1.2.3.4

Thanks
Norbert


Jacco de Leeuw wrote:
>
> Norbert Wegener wrote:
>
>> I need to setup an l2tp/ipsec connection to a cisco concentrator 
>> using certificates with a natted client.
>> May  5 18:12:54 linux pluto[17389]: | our client is 84.61.12.203
>> May  5 18:12:54 linux pluto[17389]: | our client protocol/port is 17/1701
>> May  5 18:12:54 linux pluto[17389]: "rw" #2: our client ID returned doesn't match my proposal
>> May  5 18:12:54 linux pluto[17389]: | complete state transition with (null)
>> May  5 18:12:54 linux pluto[17389]: "rw" #2: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.4:4500
>>
>> What does it mean: "rw" #2: our client ID returned doesn't match my 
>> proposal" ?
>
> The following patch prints those proposals to the debug log. It is not a
> fix but at least it will show you the mismatch:
>
> --- ikev1_quick.c.orig  2005-10-13 05:55:46.000000000 +0200
> +++ ikev1_quick.c       2006-01-03 15:02:14.000000000 +0100
> @@ -552,8 +552,15 @@
>      if (!samesubnet(net, &net_temp)
>      || *protoid != id->isaiid_protoid || *port != id->isaiid_port)
>      {
> +        loglog(RC_LOG_SERIOUS,"%s *net: 
> %s/%d\n",which,ip_str(&(net->addr)), net->maskbits);
> +        loglog(RC_LOG_SERIOUS,"%s net_temp: 
> %s/%d\n",which,ip_str(&(net_temp.addr)), net_temp.maskb
> its);
> +        loglog(RC_LOG_SERIOUS,"%s *protoid:           
> %d\n",which,*protoid);
> +        loglog(RC_LOG_SERIOUS,"%s id->isaiid_protoid: 
> %d\n",which,id->isaiid_protoid);
> +        loglog(RC_LOG_SERIOUS,"%s *port:              
> %d\n",which,*port);
> +        loglog(RC_LOG_SERIOUS,"%s id->isaiid_port: 
> %d\n",which,id->isaiid_port);
>         loglog(RC_LOG_SERIOUS, "%s ID returned doesn't match my 
> proposal", which);
> -       return FALSE;
> +       /* return TRUE; */
> +       return FALSE;
>      }
>      return TRUE;
>  }
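
Review bot: the control-flow part of this hunk is a no-op: a commented-out `/* return TRUE; */` is placed above the unchanged `return FALSE;`, so the advice below to "comment out the return TRUE" reads backwards, and anyone trying the experiment has to swap the two lines (uncomment `return TRUE;`, comment out `return FALSE;`). It is worth stating in the hunk itself that the swapped form accepts whatever IDci/IDcr the peer echoes back, whatever subnet, protocol or port it names, so the IPsec SA is installed with traffic selectors chosen by the peer rather than the ones proposed; that is a diagnostic hack for finding the mismatch, not something to leave in a build. Two smaller points on the six new `loglog()` calls: their format strings end in `\n` while the existing `loglog(RC_LOG_SERIOUS, "%s ID returned doesn't match my proposal", which)` right below does not, so the new lines are inconsistent with the rest of pluto's logging, and emitting them at RC_LOG_SERIOUS unconditionally rather than behind a DBG_ condition is noisy for what is debug output. The `net_temp.maskb` / `its` split is mail line wrapping, not part of the patch.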
>
>
> If you are adventurous you can even comment out the return TRUE and
> see if you get any further.
>
> What NAT-T variants are supported by the Cisco? Can you show the
> log output of the Vendor IDs and the NAT negotiation?
>
> Jacco
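
The check both messages revolve around, re-created in C as an added example; it is not code from this thread or from Openswan, and the type and function names (net_id, parse_net_id, same_subnet, check_net_id, check_net_id_nat, ids_match, ids_match_nat) are this example's own. It feeds the values pluto printed above, the proposed client 192.168.170.23/32 UDP/1701 against the returned 80.139.204.187/32 UDP/1701, through the same subnet/protocol/port comparison, and then through a narrower alternative to returning TRUE: for a NATed client, also accept the returned ID when it is our own public address as a /32 with the same protocol and port. That allowance, and the assumption that 80.139.204.187 is the client's post-NAT address as the log suggests, are this example's, not Openswan behaviour.

```c
/* Added example, not Openswan code: a stand-alone re-creation of the Quick
 * Mode check behind "our client ID returned doesn't match my proposal",
 * using plain IPv4 values so the mismatch in the thread can be reproduced.
 * All names below are this example's own, not pluto's.  Build: cc netid.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

typedef struct {
    uint32_t addr;      /* IPv4 address, host byte order */
    unsigned maskbits;  /* prefix length, 0..32 */
    unsigned protoid;   /* IP protocol number, 17 = UDP */
    unsigned port;      /* transport port, 1701 = L2TP */
} net_id;

static uint32_t mask_of(unsigned bits)
{
    return bits == 0 ? 0 : (uint32_t)(~0u << (32 - bits));
}

/* Parse "a.b.c.d/len" plus protocol and port into a net_id; 0 on bad input. */
static int parse_net_id(const char *cidr, unsigned protoid, unsigned port, net_id *out)
{
    char buf[32], *slash, *end;
    struct in_addr ina;
    unsigned long bits;

    if (strlen(cidr) >= sizeof buf)
        return 0;
    strcpy(buf, cidr);
    if ((slash = strchr(buf, '/')) == NULL)
        return 0;
    *slash = '\0';
    if (inet_pton(AF_INET, buf, &ina) != 1)
        return 0;
    bits = strtoul(slash + 1, &end, 10);
    if (*end != '\0' || bits > 32)
        return 0;
    out->addr = ntohl(ina.s_addr);
    out->maskbits = (unsigned)bits;
    out->protoid = protoid;
    out->port = port;
    return 1;
}

/* Same role as pluto's samesubnet(): identical prefix length and network part. */
static int same_subnet(const net_id *a, const net_id *b)
{
    return a->maskbits == b->maskbits &&
           (a->addr & mask_of(a->maskbits)) == (b->addr & mask_of(b->maskbits));
}

/* The check the thread's patch instruments: the peer must echo back exactly
 * the subnet, protocol and port we proposed.  1 = match, 0 = mismatch. */
static int check_net_id(const net_id *proposed, const net_id *returned)
{
    return same_subnet(proposed, returned) &&
           proposed->protoid == returned->protoid &&
           proposed->port == returned->port;
}

/* Narrower alternative to "return TRUE" for a NATed client (this example's
 * suggestion, not Openswan behaviour): additionally accept the returned ID
 * when it is our own public (post-NAT) address as a /32 carrying the same
 * protocol and port.  Anything else is still rejected, so the peer cannot
 * make us install an SA for traffic selectors of its choosing. */
static int check_net_id_nat(const net_id *proposed, const net_id *returned,
                            const net_id *our_public)
{
    if (check_net_id(proposed, returned))
        return 1;
    return our_public != NULL && returned->maskbits == 32 &&
           check_net_id(our_public, returned);
}

/* String-level wrappers so both checks can be driven from the values pluto
 * printed.  Return 1 (match), 0 (mismatch) or -1 (malformed input). */
static int ids_match(const char *prop_cidr, unsigned prop_proto, unsigned prop_port,
                     const char *ret_cidr, unsigned ret_proto, unsigned ret_port)
{
    net_id p, r;
    if (!parse_net_id(prop_cidr, prop_proto, prop_port, &p) ||
        !parse_net_id(ret_cidr, ret_proto, ret_port, &r))
        return -1;
    return check_net_id(&p, &r);
}

static int ids_match_nat(const char *prop_cidr, unsigned prop_proto, unsigned prop_port,
                         const char *ret_cidr, unsigned ret_proto, unsigned ret_port,
                         const char *public_addr)
{
    net_id p, r, pub;
    char cidr[32];
    if (snprintf(cidr, sizeof cidr, "%s/32", public_addr) >= (int)sizeof cidr)
        return -1;
    if (!parse_net_id(prop_cidr, prop_proto, prop_port, &p) ||
        !parse_net_id(ret_cidr, ret_proto, ret_port, &r) ||
        !parse_net_id(cidr, prop_proto, prop_port, &pub))
        return -1;
    return check_net_id_nat(&p, &r, &pub);
}

int main(void)
{
    /* Values constructed from the log lines in this thread. */
    const char *proposed = "192.168.170.23/32";  /* our private address */
    const char *returned = "80.139.204.187/32";  /* what the Cisco echoed back */

    printf("strict check:        %d\n", ids_match(proposed, 17, 1701, returned, 17, 1701));
    printf("NAT-aware check:     %d\n",
           ids_match_nat(proposed, 17, 1701, returned, 17, 1701, "80.139.204.187"));
    printf("NAT-aware, bad port: %d\n",
           ids_match_nat(proposed, 17, 1701, returned, 17, 1702, "80.139.204.187"));
    return 0;
}
```

The strict check fails on the subnet alone, which is exactly what the six debug lines in the log show (protocol and port agree). The NAT-aware check passes for the public /32 but still rejects a different port or a wider prefix, which is the property a blanket `return TRUE` gives up.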


