[Openswan Users] Roadwarrior (lsipsectool) configuration with openswan

Gbenga stjames08 at yahoo.co.uk
Tue Oct 17 06:02:14 EDT 2006


Hello list,

I would appreciate some help with my configuration. I really do not know what else to change in the ipsec.conf to make it work.

I have "Linux Openswan 1.0.3", due to be upgraded, but I need to set up a connection as soon as I can first. There are already 4 other connections working flawlessly on this box. I now want to add a new conn to access my internal 10.10.0.0/16 network, but I have not been successful. I am planning on using lsipsectool (tunnel) with this conn. This is because it is easier to set up a connection for a 3rd party with a straight IPsec tunnel connection, since most of them will already have some kind of VPN client installed on their PC.

This is the relevant part of my config:

# /etc/ipsec.conf - Openswan IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in Openswan's doc/examples file, in the HTML documentation, and online
# at http://www.openswan.org/docs/
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        #interfaces=ipsec0=eth2
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Don't wait for pluto to complete every plutostart before continuing
        plutowait=no
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        nat_traversal=yes

# Defaults for all connection descriptions
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        auto=add
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand
conn syseng-lan-access
        left=193.120.XXX.XXX                # Local vitals
        leftsubnet=10.10.0.0/16
        leftnexthop=%defaultroute           # correct in many situations
        right=%any                          # Remote vitals
        rightsubnet=0.0.0.0/0
        authby=secret
        pfs=no
        esp=3des-sha1-96
        keyexchange=ike
        auto=add

The error messages coming from openswan:

Oct 17 10:57:18 digimon pluto[19446]: packet from 193.120.10.174:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 17 10:57:18 digimon pluto[19446]: packet from 193.120.10.174:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 17 10:57:18 digimon pluto[19446]: packet from 193.120.10.174:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct 17 10:57:18 digimon pluto[19446]: packet from 193.120.10.174:500: ignoring Vendor ID payload [26244d38eddb61b3...]
Oct 17 10:57:18 digimon pluto[19446]: "syseng-lan-access" #111: responding to Main Mode
Oct 17 10:57:18 digimon pluto[19446]: "syseng-lan-access" #111: transition from state (null) to state STATE_MAIN_R1
Oct 17 10:57:18 digimon pluto[19446]: "syseng-lan-access" #111: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 17 10:57:18 digimon pluto[19446]: "syseng-lan-access" #111: Main mode peer ID is ID_IPV4_ADDR: '193.120.10.174'
Oct 17 10:57:18 digimon pluto[19446]: "syseng-lan-access" #111: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 17 10:57:18 digimon pluto[19446]: "syseng-lan-access" #111: sent MR3, ISAKMP SA established
Oct 17 10:57:18 digimon pluto[19446]: "syseng-lan-access" #111: cannot respond to IPsec SA request because no connection is known for 10.10.0.0/16===193.120.242.122...193.120.10.174
Oct 17 10:57:18 digimon pluto[19446]: "syseng-lan-access" #111: sending encrypted notification INVALID_ID_INFORMATION to 193.120.10.174:500
Oct 17 10:57:20 digimon pluto[19446]: "syseng-lan-access" #111: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x05b7d2b9 (perhaps this is a duplicated packet)
Oct 17 10:57:20 digimon pluto[19446]: "syseng-lan-access" #111: sending encrypted notification INVALID_MESSAGE_ID to 193.120.10.174:500
Oct 17 10:57:22 digimon pluto[19446]: "syseng-lan-access" #111: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x05b7d2b9 (perhaps this is a duplicated packet)
Oct 17 10:57:22 digimon pluto[19446]: "syseng-lan-access" #111: sending encrypted notification INVALID_MESSAGE_ID to 193.120.10.174:500
Oct 17 10:57:26 digimon pluto[19446]: "syseng-lan-access" #111: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x05b7d2b9 (perhaps this is a duplicated packet)
Oct 17 10:57:26 digimon pluto[19446]: "syseng-lan-access" #111: sending encrypted notification INVALID_MESSAGE_ID to 193.120.10.174:500
Oct 17 10:57:34 digimon pluto[19446]: "syseng-lan-access" #111: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x05b7d2b9 (perhaps this is a duplicated packet)
Oct 17 10:57:34 digimon pluto[19446]: "syseng-lan-access" #111: sending encrypted notification INVALID_MESSAGE_ID to 193.120.10.174:500
Oct 17 10:57:50 digimon pluto[19446]: "syseng-lan-access" #111: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x05b7d2b9 (perhaps this is a duplicated packet)


The VPN server is coupled with a firewall as usual, so maybe I am leaving something out. I would appreciate any help here.

Thanks,
Gbenga
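The decisive line in the log above is the "no connection is known for ..." message: pluto prints the selectors the peer proposed in the form `[leftsubnet===]left...right[===rightsubnet]`, and it omits a subnet that equals the endpoint address. Read that way, the peer asked for `10.10.0.0/16` on the server side and for its own address `193.120.10.174/32` on the client side, while the posted conn declares `rightsubnet=0.0.0.0/0`; IKEv1 Quick Mode in pluto requires an exact selector match, so no conn matches and INVALID_ID_INFORMATION is returned. The `INVALID_MESSAGE_ID` lines that follow are the client retrying the same Quick Mode exchange, not a second fault. The script below is an added example, not code from the original post or from Openswan: it pulls the rejected proposal out of pluto log lines like the ones above and compares it with a conn's leftsubnet/rightsubnet. The sample log text is copied from the post; the conn dictionary is a constructed stand-in for ipsec.conf, and the selector format and exact-match rule are the assumptions just stated.

```python
"""
Diagnose a failed Openswan/pluto Quick Mode from log lines.

Added example; not part of the original post or of Openswan itself.
Assumptions (see comments): pluto prints the rejected proposal as
[lsub===]left...right[===rsub], omitting a subnet equal to the endpoint,
and IKEv1 Quick Mode needs an exact selector match against the conn.
"""
import collections
import ipaddress
import re

# Constructed sample: lines copied from the original post (addresses as posted).
SAMPLE_LOG = """\
Oct 17 10:57:18 digimon pluto[19446]: "syseng-lan-access" #111: sent MR3, ISAKMP SA established
Oct 17 10:57:18 digimon pluto[19446]: "syseng-lan-access" #111: cannot respond to IPsec SA request because no connection is known for 10.10.0.0/16===193.120.242.122...193.120.10.174
Oct 17 10:57:18 digimon pluto[19446]: "syseng-lan-access" #111: sending encrypted notification INVALID_ID_INFORMATION to 193.120.10.174:500
Oct 17 10:57:20 digimon pluto[19446]: "syseng-lan-access" #111: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x05b7d2b9 (perhaps this is a duplicated packet)
Oct 17 10:57:22 digimon pluto[19446]: "syseng-lan-access" #111: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x05b7d2b9 (perhaps this is a duplicated packet)
"""

# Constructed stand-in for the conn in ipsec.conf (values as posted).
POSTED_CONN = {"leftsubnet": "10.10.0.0/16", "rightsubnet": "0.0.0.0/0"}

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
NO_CONN_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): cannot respond to IPsec SA request '
    r"because no connection is known for (?P<sel>\S+)"
)
# [lsub===]left[id]...right[id][===rsub]; an omitted subnet is the endpoint itself.
SEL_RE = re.compile(
    rf"^(?:(?P<lsub>{IP}/\d+)===)?(?P<left>{IP})(?:\[[^\]]*\])?"
    rf"\.\.\.(?P<right>{IP})(?:\[[^\]]*\])?(?:===(?P<rsub>{IP}/\d+))?$"
)
REPLAY_RE = re.compile(
    r"Quick Mode I1 message is unacceptable because it uses a previously used "
    r"Message ID (?P<msgid>0x[0-9a-fA-F]+)"
)


def parse_proposal(line):
    """Return the selectors pluto rejected in a 'no connection is known' line, else None."""
    m = NO_CONN_RE.search(line)
    if not m:
        return None
    s = SEL_RE.match(m.group("sel"))
    if not s:
        return None
    left = ipaddress.ip_address(s.group("left"))
    right = ipaddress.ip_address(s.group("right"))
    return {
        "conn": m.group("conn"),
        "left": left,
        "right": right,
        # Assumption: no subnet printed means a host-only (/32) selector.
        "leftsubnet": ipaddress.ip_network(s.group("lsub") or f"{left}/32"),
        "rightsubnet": ipaddress.ip_network(s.group("rsub") or f"{right}/32"),
    }


def diagnose(log_text, conn):
    """For each rejected proposal, list conn selectors that differ from the peer's.

    Assumption: IKEv1 Quick Mode in pluto matches selectors exactly, so any
    difference (not just non-containment) explains the rejection.
    """
    findings = []
    for line in log_text.splitlines():
        p = parse_proposal(line)
        if p is None:
            continue
        mismatches = []
        for side in ("leftsubnet", "rightsubnet"):
            want = ipaddress.ip_network(conn[side], strict=False)
            if want != p[side]:
                mismatches.append((side, str(want), str(p[side])))
        findings.append({"conn": p["conn"], "peer": str(p["right"]), "mismatches": mismatches})
    return findings


def quick_mode_replays(log_text):
    """Count Quick Mode I1 retries per Message ID (the INVALID_MESSAGE_ID loop)."""
    counts = collections.Counter(
        m.group("msgid").lower() for m in map(REPLAY_RE.search, log_text.splitlines()) if m
    )
    return dict(counts)


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, POSTED_CONN):
        for side, want, got in f["mismatches"]:
            print(f"{f['conn']}: peer {f['peer']} proposed {side}={got}, conn has {want}")
    for msgid, n in quick_mode_replays(SAMPLE_LOG).items():
        print(f"Quick Mode I1 retried {n} time(s) with Message ID {msgid}")
```

Run against the posted log the script reports the one disagreement, `rightsubnet=193.120.10.174/32` proposed against `0.0.0.0/0` configured, and attributes the later INVALID_MESSAGE_ID lines to retries of a single Message ID. Feeding it a conn whose rightsubnet equals the peer's host selector yields no mismatch, which is the check to run after changing the conn.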


