[Openswan Users] Netscreen roadwarrior with XAUTH problems
Wojciech 'arab' Arabczyk
arab at szluug.org
Thu Sep 7 05:47:18 EDT 2006
Hello
I'm trying to set up a Linux-to-Netscreen VPN connection using NAT-T and
PSK/XAUTH, yet I've run into a strange problem.
My ipsec.conf:
version 2.0

config setup
    plutodebug="control"
    klipsdebug="control"
    nat_traversal=yes

conn homenet
    type=tunnel
    left=%defaultroute
    leftid="obfucated at email.address"
    leftxauthclient=yes
    leftmodecfgclient=yes
    rightmodecfgserver=yes
    right=some.ip.that.is.correct
    rightxauthserver=yes
    modecfgpull=yes
    xauth=yes
    keyexchange=ike
    rightsubnet=10.0.9.0/24
    auth=esp
    authby=secret
    auto=add
    ike=3des-sha1-modp1024
    esp=3des-sha1
    pfs=no
    aggrmode=yes
    compress=no

The trace shows:
ipsec auto --up homenet
112 "homenet" #3: STATE_AGGR_I1: initiate
003 "homenet" #3: received Vendor ID payload [XAUTH]
003 "homenet" #3: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
003 "homenet" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "homenet" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
004 "homenet" #3: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
041 "homenet" #3: homenet prompt for Username:
Name enter: someuser
040 "homenet" #3: homenet prompt for Password:
Enter secret:
004 "homenet" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
228 "homenet" #3: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
The problem, I think, is that Openswan is trying to get a certificate for the
Netscreen device, which I don't use (as the whole authorization is based on the
PSK keys).
Any ideas?
--
Wojciech Arabczyk :: http://www.arabek.net :: jid:arab at chrome.pl
Administrator: http://www.szluug.org & http://www.trron.pl