[Openswan Users] Vendor ID payload [Vid-Initial-Contact]
Xunhua Wang
wangxx at jmu.edu
Wed Oct 18 08:44:42 EDT 2006
Hi all,
We are running a VPN server with Linux Openswan U2.4.5/K2.6.9-5.ELsmp
(netkey), whose configuration file can be found at the end of this message.
We could connect to it from XP or Windows 2K clients with L2TP/IPsec.
However, recently we added some new Windows XP users, and two of them have
difficulty connecting to the same Linux VPN server. Both of these
users are behind NAT, and from /var/log/secure we noticed that both of them
sent out the "Vendor ID payload [Vid-Initial-Contact]".
It looks like these are new types of Windows IPsec clients. Has anybody
experienced this before?
--- EXAMPLE entries /var/log/secure ------
Oct 18 00:53:11 localhost pluto[3227]: packet from 216.64.10.22:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 18 00:53:11 localhost pluto[3227]: packet from 216.64.10.22:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 18 00:53:11 localhost pluto[3227]: packet from 216.64.10.22:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 18 00:53:11 localhost pluto[3227]: packet from 216.64.10.22:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 18 00:53:11 localhost pluto[3227]: "roadwarrior"[316] 216.64.10.22 #426: responding to Main Mode from unknown peer 216.64.10.22
Oct 18 00:53:11 localhost pluto[3227]: "roadwarrior"[316] 216.64.10.22 #426: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 18 00:53:12 localhost pluto[3227]: "roadwarrior"[316] 216.64.10.22 #426: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct 18 00:53:12 localhost pluto[3227]: "roadwarrior"[316] 216.64.10.22 #426: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 18 00:54:22 localhost pluto[3227]: "roadwarrior"[316] 216.64.10.22 #426: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 18 00:54:22 localhost pluto[3227]: "roadwarrior"[316] 216.64.10.22: deleting connection "roadwarrior" instance with peer 216.64.10.22 {isakmp=#0/ipsec=#0}
Oct 18 01:01:56 localhost pluto[3227]: packet from 216.64.10.22:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 18 01:01:56 localhost pluto[3227]: packet from 216.64.10.22:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 18 01:01:56 localhost pluto[3227]: packet from 216.64.10.22:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 18 01:01:56 localhost pluto[3227]: packet from 216.64.10.22:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 18 01:01:56 localhost pluto[3227]: "roadwarrior"[317] 216.64.10.22 #427: responding to Main Mode from unknown peer 216.64.10.22
Oct 18 01:01:56 localhost pluto[3227]: "roadwarrior"[317] 216.64.10.22 #427: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 18 01:01:57 localhost pluto[3227]: "roadwarrior"[317] 216.64.10.22 #427: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct 18 01:01:57 localhost pluto[3227]: "roadwarrior"[317] 216.64.10.22 #427: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 18 01:03:07 localhost pluto[3227]: "roadwarrior"[317] 216.64.10.22 #427: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 18 01:03:07 localhost pluto[3227]: "roadwarrior"[317] 216.64.10.22: deleting connection "roadwarrior" instance with peer 216.64.10.22 {isakmp=#0/ipsec=#0}
---------- EXAMPLE entries /var/log/secure ENDS ------
Thanks,
Steve
---------- SERVER-SIDE /etc/ipsec.conf BEGINS ----------
version 2.0
## plutodebug="control controlmore"
## virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.100.0/24

conn %default
        keyingtries=5
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

# conn roadwarrior-l2tp
# leftprotoport=17/0
# rightprotoport=17/1701
# also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior
        ## rightca=%same

conn roadwarrior
        left=%defaultroute
        leftrsasigkey=%cert
        leftcert=ipsec-server.crt
        right=%any
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv
        pfs=no
        rekey=no
        rightca=%same
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
---------- SERVER-SIDE /etc/ipsec.conf ENDS ----------
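
The pattern in the log excerpt above (Main Mode reaches STATE_MAIN_R2, then the retransmission limit is hit) can be pulled out of a longer /var/log/secure with a small script. This is an added example, not part of the original post; the function name `stalled_negotiations`, the sample lines and their documentation IP addresses are constructed, and it assumes one log entry per line (unwrapped).

```python
import re
from collections import defaultdict

# Added example: stalled_negotiations is a hypothetical helper name.
# Constructed sample in the /var/log/secure format quoted above (one entry per line).
SAMPLE = """\
Oct 18 00:53:11 localhost pluto[3227]: packet from 192.0.2.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 18 00:53:11 localhost pluto[3227]: packet from 192.0.2.10:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 18 00:53:11 localhost pluto[3227]: "roadwarrior"[1] 192.0.2.10 #10: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 18 00:53:12 localhost pluto[3227]: "roadwarrior"[1] 192.0.2.10 #10: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct 18 00:53:12 localhost pluto[3227]: "roadwarrior"[1] 192.0.2.10 #10: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 18 00:54:22 localhost pluto[3227]: "roadwarrior"[1] 192.0.2.10 #10: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 18 00:55:01 localhost pluto[3227]: "roadwarrior"[2] 198.51.100.7 #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"""

PKT = re.compile(r'pluto\[\d+\]: packet from ([\d.]+):\d+: (?:ignoring|received) Vendor ID payload \[([^\]]+)\]')
SA = re.compile(r'pluto\[\d+\]: "([^"]+)"\[\d+\] ([\d.]+) #(\d+): (.*)$')
TRANS = re.compile(r'transition from state (\S+) to state (\S+)')
RETX = re.compile(r'max number of retransmissions \((\d+)\) reached (\S+)')

def stalled_negotiations(text):
    """Return one dict per IKE state object that hit the retransmission limit."""
    vendor_ids = defaultdict(set)   # peer IP -> Vendor IDs seen in "packet from" lines
    sessions = {}                   # state number (#NNN) -> accumulated facts
    stalled = []
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            vendor_ids[m.group(1)].add(m.group(2))
            continue
        m = SA.search(line)
        if not m:
            continue
        conn, peer, num, msg = m.groups()
        s = sessions.setdefault(num, {"conn": conn, "peer": peer, "state": None, "nat": False})
        t, r = TRANS.search(msg), RETX.search(msg)
        if t:
            s["state"] = t.group(2)          # last state the responder reached
        elif "peer is NATed" in msg:
            s["nat"] = True
        elif r:
            stalled.append({**s, "id": num, "stalled_in": r.group(2),
                            "vendor_ids": sorted(vendor_ids[peer])})
    return stalled

if __name__ == "__main__":
    for s in stalled_negotiations(SAMPLE):
        print(s)
```

Grouping by the `#NNN` state number rather than by peer address keeps repeated attempts from the same NAT gateway separate.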