[Openswan Users] Newbie have , problems with PSK

John Joseph jjk_saji at yahoo.com
Thu Sep 14 02:17:08 EDT 2006


--- Paul Wouters <paul at xelerance.com> wrote:

> On Wed, 13 Sep 2006, John Joseph wrote:
> 
> Don't use rightsubnet. L2TP uses a transport mode
> host-host IPsec
> connection and then runs l2tp/ppp within it with a
> new IP address.
> 
> >
>
###############################################################
> 
> Yes, use auto=add with right=%any
> 



Hi
   Thanks Paul, for the advice.
I did the changes in "ipsec.conf"; now my modified
ipsec.conf file is
*******
version 2.0
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn l2tp-psk
        pfs=no
        left=192.168.242.100
        leftnexthop=192.168.242.1
        right=%any
        #right=192.168.242.135
        auto=add
****************************
When I try to connect from Win XP, I get the following
messages in the "secure" file.
                 Advice requested
                     Thanks
                       Joseph John

*******
[root at psa etc]# cat /var/log/secure
Sep 14 12:36:49 psa pluto[27810]: loading secrets from
"/etc/ipsec.secrets"
Sep 14 12:38:02 psa pluto[27810]: packet from
192.168.242.135:500: ignoring Vendor ID payload [MS
NT5 ISAKMPOAKLEY 00000004]
Sep 14 12:38:02 psa pluto[27810]: packet from
192.168.242.135:500: ignoring Vendor ID payload
[FRAGMENTATION]
Sep 14 12:38:02 psa pluto[27810]: packet from
192.168.242.135:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Sep 14 12:38:02 psa pluto[27810]: packet from
192.168.242.135:500: ignoring Vendor ID payload
[Vid-Initial-Contact]
Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: responding to Main Mode from
unknown peer 192.168.242.135
Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: STATE_MAIN_R1: sent MR1, expecting
MI2
Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: STATE_MAIN_R2: sent MR2, expecting
MI3
Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: Main mode peer ID is ID_IPV4_ADDR:
'192.168.242.135'
Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: I did not send a certificate
because I do not have one.
Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: cannot respond to IPsec SA request
because no connection is known for
192.168.242.100:17/1701...192.168.242.135:17/1701
Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: sending encrypted notification
INVALID_ID_INFORMATION to 192.168.242.135:500
Sep 14 12:38:03 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: Quick Mode I1 message is
unacceptable because it uses a previously used Message
ID 0x19381152 (perhaps this is a duplicated packet)
Sep 14 12:38:03 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: sending encrypted notification
INVALID_MESSAGE_ID to 192.168.242.135:500
Sep 14 12:38:05 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: Quick Mode I1 message is
unacceptable because it uses a previously used Message
ID 0x19381152 (perhaps this is a duplicated packet)
Sep 14 12:38:05 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: sending encrypted notification
INVALID_MESSAGE_ID to 192.168.242.135:500


Sep 14 12:38:33 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: sending encrypted notification
INVALID_MESSAGE_ID to 192.168.242.135:500
Sep 14 12:39:05 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135 #1: received Delete SA payload:
deleting ISAKMP State #1
Sep 14 12:39:05 psa pluto[27810]: "l2tp-psk"[1]
192.168.242.135: deleting connection "l2tp-psk"
instance with peer 192.168.242.135
{isakmp=#0/ipsec=#0}
Sep 14 12:39:05 psa pluto[27810]: packet from
192.168.242.135:500: received and ignored
informational message
Sep 14 12:48:52 psa pluto[27810]: "l2tp-psk": cannot
initiate connection without knowing peer IP address
(kind=CK_TEMPLATE)
> > 	2> Why I do not initiate a connection when I give
> > right=%any in ipsec.conf
> 
> You cannot initiate to a roadwarrior at a dynamic IP,
> since you
> don't know where the roadwarrior is.
> 
> Paul
> 



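Editor's note on the log above, with an added example that is not part of the original post and not Openswan's own code. The "ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY ...}" line shows that Phase 1 with the PSK succeeded, so the pre-shared key itself is not the problem. The failure is the next line: pluto could not find a connection for the selectors 192.168.242.100:17/1701...192.168.242.135:17/1701, i.e. UDP port 1701 (L2TP) host-to-host, which is what the XP client proposes. The posted conn has no leftprotoport/rightprotoport and inherits type=tunnel from %default, so pluto answers INVALID_ID_INFORMATION; the later "previously used Message ID" lines are, as pluto itself suggests, the client retransmitting the same Quick Mode request. The script below parses that failure line, shows with a simplified model of pluto's connection lookup (not pluto's code: protocol compared exactly, a port of 0/%any treated as a wildcard, encapsulation type required to match the peer's transport-mode proposal) why the posted conn cannot match, and renders a conn with the settings Openswan's L2TP documentation uses: type=transport, leftprotoport=17/1701, rightprotoport=17/%any, plus rekey=no, which is commonly recommended for Windows clients. The sample log line is the one from the post, rejoined onto a single line.

```python
"""Map a pluto "no connection is known for ..." failure to the conn it wanted.

Added example, not from the original post and not Openswan code.  The
matching rule is a simplified model of pluto's lookup: protocol must match
exactly, a conn port of 0 (%any) is a wildcard, and the encapsulation type
must match what the peer proposed.
"""
import re

# Constructed sample: the failing pluto line from the post, rejoined onto one
# line (the mail client wrapped it in the original).
SAMPLE_FAILURE = (
    'Sep 14 12:38:02 psa pluto[27810]: "l2tp-psk"[1] 192.168.242.135 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    '192.168.242.100:17/1701...192.168.242.135:17/1701'
)

# pluto prints the requested selectors as our_end:proto/port...peer_end:proto/port
SELECTOR_RE = re.compile(
    r'no connection is known for '
    r'(?P<our_ip>[\d.]+):(?P<our_proto>\d+)/(?P<our_port>\d+)'
    r'\.\.\.'
    r'(?P<peer_ip>[\d.]+):(?P<peer_proto>\d+)/(?P<peer_port>\d+)'
)


def parse_failure(line):
    """Return the selectors the peer asked for, or None if not that message."""
    m = SELECTOR_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for k in ("our_proto", "our_port", "peer_proto", "peer_port"):
        d[k] = int(d[k])
    return d


def parse_protoport(value):
    """'17/1701' -> (17, 1701); '17/%any' -> (17, 0); unset -> (0, 0)."""
    if not value:
        return (0, 0)
    proto, port = value.split("/", 1)
    return (int(proto), 0 if port == "%any" else int(port))


def conn_matches(conn, req, peer_mode="transport"):
    """Simplified pluto lookup: does this conn cover the requested selectors?"""
    our_proto, our_port = parse_protoport(conn.get("leftprotoport"))
    peer_proto, peer_port = parse_protoport(conn.get("rightprotoport"))
    if conn.get("type", "tunnel") != peer_mode:
        return False  # XP proposes transport mode; a tunnel conn is not it
    if our_proto != req["our_proto"] or peer_proto != req["peer_proto"]:
        return False  # protocol 0 means "all IP", it does not wildcard 17
    if our_port and our_port != req["our_port"]:
        return False
    if peer_port and peer_port != req["peer_port"]:
        return False
    return True


# The conn as posted, with %default's type=tunnel folded in.
POSTED_CONN = {
    "left": "192.168.242.100", "leftnexthop": "192.168.242.1",
    "right": "%any", "type": "tunnel", "auto": "add", "pfs": "no",
}


def fixed_conn(posted, req):
    """Derive a conn that satisfies the request: transport mode + L2TP ports."""
    c = dict(posted)
    c["type"] = "transport"
    c["leftprotoport"] = f"{req['our_proto']}/{req['our_port']}"
    # %any on the client side: accept any client source port, not only 1701
    c["rightprotoport"] = f"{req['peer_proto']}/%any"
    c["rekey"] = "no"  # commonly recommended for Windows clients
    return c


def render_conn(name, conn):
    """Emit the conn in ipsec.conf syntax."""
    order = ("type", "pfs", "rekey", "left", "leftnexthop", "leftprotoport",
             "right", "rightprotoport", "auto")
    body = [f"        {k}={conn[k]}" for k in order if k in conn]
    return "\n".join([f"conn {name}"] + body)


if __name__ == "__main__":
    req = parse_failure(SAMPLE_FAILURE)
    print("posted conn matches request:", conn_matches(POSTED_CONN, req))
    print(render_conn("l2tp-psk", fixed_conn(POSTED_CONN, req)))
```

The rendered conn still needs the secret for the wildcard peer in /etc/ipsec.secrets, in Openswan's format `192.168.242.100 %any : PSK "..."` (the passphrase value is the reader's own), followed by `ipsec auto --rereadsecrets` and `ipsec auto --replace l2tp-psk`.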