[Openswan Users] safenet PSK + openswan + NAT

Luca Andreoli l.andreoli at kelyansmc.it
Wed Sep 20 09:31:31 EDT 2006


I have configured Openswan 2.x to accept VPN connections, but I have this type of problem.

In the secure log:

Sep 20 15:24:51 mantofw pluto[8225]: packet from 83.103.71.142:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 20 15:24:51 mantofw pluto[8225]: packet from 83.103.71.142:500: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, 
but already using method 0
Sep 20 15:24:51 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
responding to Main Mode from unknown peer 83.103.71.142
Sep 20 15:24:51 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
transition from state (null) to state STATE_MAIN_R1
Sep 20 15:24:51 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
ignoring Vendor ID payload [47bbe7c993f1fc13...]
Sep 20 15:24:51 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
ignoring Vendor ID payload [da8e937880010000]
Sep 20 15:24:51 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
ignoring Vendor ID payload [Dead Peer Detection]
Sep 20 15:24:51 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
received Vendor ID payload [XAUTH]
Sep 20 15:24:51 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 20 15:24:52 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
ignoring informational payload, type IPSEC_REPLAY_STATUS
Sep 20 15:24:52 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Sep 20 15:24:52 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
Peer ID is ID_USER_FQDN: 'mantovani at benne.net'
Sep 20 15:24:52 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 20 15:24:52 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
sent MR3, ISAKMP SA established
Sep 20 15:24:52 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: 
cannot respond to IPsec SA request because no connection is known for 
192.4.0.36/32===81.72.153.201[S=C]...83.103.71.142[mantovani at benne.net,S=C]===192.168.200.11/32

Sep 20 15:26:23 mantofw pluto[8225]: "vpn-laptop"[2] 83.103.71.142 #2: 
Quick Mode I1 message is unacceptable because it uses a previously used 
Message ID 0xc88aa25a (perhaps this is a duplicated packet)

and the SafeNet log:
 9-20: 15:26:11.328
 9-20: 15:26:11.359 My Connections\MantovaniBenne - Initiating IKE Phase 
1 (IP ADDR=81.72.153.201)
 9-20: 15:26:11.375 My Connections\MantovaniBenne - SENDING>>>> ISAKMP 
OAK MM (SA, VID 2x)
 9-20: 15:26:11.453 My Connections\MantovaniBenne - RECEIVED<<< ISAKMP 
OAK MM (SA)
 9-20: 15:26:11.687 My Connections\MantovaniBenne - SENDING>>>> ISAKMP 
OAK MM (KE, NON, VID 4x)
 9-20: 15:26:11.796 My Connections\MantovaniBenne - RECEIVED<<< ISAKMP 
OAK MM (KE, NON)
 9-20: 15:26:12.031 My Connections\MantovaniBenne - SENDING>>>> ISAKMP 
OAK MM *(ID, HASH, NOTIFY:STATUS_REPLAY_STATUS, 
NOTIFY:STATUS_INITIAL_CONTACT)
 9-20: 15:26:12.125 My Connections\MantovaniBenne - RECEIVED<<< ISAKMP 
OAK MM *(ID, HASH)
 9-20: 15:26:12.125 My Connections\MantovaniBenne - Established IKE SA
 9-20: 15:26:12.125    MY COOKIE ff 77 2b bc d7 3a d7 31
 9-20: 15:26:12.125    HIS COOKIE 5b 4b c4 3a 1f c6 f3 76
 9-20: 15:26:12.484 My Connections\MantovaniBenne - Initiating IKE Phase 
2 with Client IDs (message id: 5AA28AC8)
 9-20: 15:26:12.484   Initiator = IP ADDR=192.168.200.11, prot = 0 port = 0
 9-20: 15:26:12.484   Responder = IP ADDR=192.4.0.36, prot = 0 port = 0
 9-20: 15:26:12.484 My Connections\MantovaniBenne - SENDING>>>> ISAKMP 
OAK QM *(HASH, SA, NON, KE, ID 2x)
 9-20: 15:26:27.500 My Connections\MantovaniBenne - QM re-keying timed 
out. Retry count: 1
 9-20: 15:26:27.500 My Connections\MantovaniBenne - SENDING>>>> ISAKMP 
OAK QM *(Retransmission)


[root at mantofw etc]# cat ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp $

# This file:  /usr/share/doc/freeswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
#
# Help:
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.5/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.5/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.5/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.5/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.5/doc/examples


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        # plutodebug=dns
        interfaces="%defaultroute "
        klipsdebug="none"
        #plutodebug="crypt parsing emitting control klips dns "
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.200.0/255.255.255.0,%v4:!192.168.0.0/24,%v4:!192.4.0.0/24


# Add connections here.

#Disable Opportunistic Encryption
#include /etc/ipsec.d/examples/no_oe.conf


conn    vpn-laptop
        type=tunnel
        left=81.72.153.201
        leftsubnet=192.4.0.32/24
        leftnexthop=81.72.153.206
        right=%any
        rightid=mantovani at benne.net
        rightsubnet=vhost:%no,%priv
        keyingtries=1
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=1200
        keylife=1200
        esp=3des-md5-96
        authby=secret
        pfs=yes
        auto=add

Help me, please!!!
bye
luca
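The pluto line that matters in the log above is the one ending in "no connection is known for ...": it spells out the exact Phase 2 endpoints the SafeNet client proposed (our subnet, our address, the peer's address and the peer's subnet), and the responder refuses because no loaded conn matches that pair. As an added example that is not part of this post or of Openswan, the Python script below pulls those four endpoints out of that line and compares them with the conn's leftsubnet and with the virtual_private list that %priv expands to, reporting every reason the pair cannot match. The regex, the finding codes and the sample values are this example's own construction; the sample log line and conn values are copied from the post above, and the script assumes IPv4 only.

```python
"""Triage pluto's 'no connection is known for' error against a conn definition.

Added example (not part of the original post or of Openswan): it parses the
proposed Phase 2 endpoints out of the pluto log line and compares them with
the conn's leftsubnet and the virtual_private list that %priv refers to.
"""
import ipaddress
import re

# Constructed sample built from the post above; the list archive rewrote '@'
# as ' at ' inside the peer ID, and the regex tolerates that.
SAMPLE_LOG = (
    'Sep 20 15:24:52 mantofw pluto[8225]: "vpn-laptop"[1] 83.103.71.142 #1: '
    "cannot respond to IPsec SA request because no connection is known for "
    "192.4.0.36/32===81.72.153.201[S=C]...83.103.71.142[mantovani at benne.net,S=C]"
    "===192.168.200.11/32"
)
SAMPLE_CONN = {  # values copied from the ipsec.conf in the post
    "leftsubnet": "192.4.0.32/24",
    "rightsubnet": "vhost:%no,%priv",
    "virtual_private": (
        "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
        "%v4:!192.168.200.0/255.255.255.0,%v4:!192.168.0.0/24,%v4:!192.4.0.0/24"
    ),
}

# Shape of the error: leftsubnet===lefthost[flags]...righthost[id,flags]===rightsubnet
NO_CONN_RE = re.compile(
    r"no connection is known for "
    r"(?P<lsub>[\d./]+)===(?P<lhost>[\d.]+)\[[^\]]*\]"
    r"\.\.\.(?P<rhost>[\d.]+)\[[^\]]*\]===(?P<rsub>[\d./]+)"
)


def parse_no_connection(line):
    """Return the proposed endpoints as a dict, or None if the line is not that error."""
    m = NO_CONN_RE.search(line)
    return m.groupdict() if m else None


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) IPv4 network lists."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue  # only IPv4 entries are handled in this example
        spec = item[len("%v4:"):]
        if spec.startswith("!"):
            excluded.append(ipaddress.ip_network(spec[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(spec, strict=False))
    return allowed, excluded


def check(line, conn):
    """Return a list of (code, message) findings explaining why the proposal cannot match."""
    proposal = parse_no_connection(line)
    if proposal is None:
        return [("no-match-line", "line is not a 'no connection is known for' error")]
    findings = []

    # Our side: IKEv1 Quick Mode has no selector narrowing, so the peer's
    # proposal must equal the configured leftsubnet exactly.
    try:
        left_cfg = ipaddress.ip_network(conn["leftsubnet"])
    except ValueError:  # host bits set, e.g. 192.4.0.32/24
        left_cfg = ipaddress.ip_network(conn["leftsubnet"], strict=False)
        findings.append(("leftsubnet-hostbits",
                         f"leftsubnet {conn['leftsubnet']} has host bits set; "
                         f"canonical form is {left_cfg}"))
    left_prop = ipaddress.ip_network(proposal["lsub"])
    if left_prop != left_cfg:
        findings.append(("left-mismatch",
                         f"peer proposed {left_prop} for our side, conn has {left_cfg}"))

    # Peer side: with rightsubnet=vhost:...,%priv the proposed address must lie
    # in an included virtual_private range and in none of the excluded ones.
    right_prop = ipaddress.ip_network(proposal["rsub"])
    if "%priv" in conn.get("rightsubnet", ""):
        allowed, excluded = parse_virtual_private(conn.get("virtual_private", ""))
        if not any(right_prop.subnet_of(n) for n in allowed):
            findings.append(("right-not-private",
                             f"{right_prop} is outside every virtual_private range"))
        for n in excluded:
            if right_prop.subnet_of(n):
                findings.append(("right-excluded",
                                 f"{right_prop} is inside excluded virtual_private range {n}"))
    return findings


if __name__ == "__main__":
    for code, msg in check(SAMPLE_LOG, SAMPLE_CONN):
        print(f"{code}: {msg}")
```

Each finding is a pointer to verify against what pluto actually loaded (`ipsec auto --status` on the gateway), not a verdict by itself; the script only compares the text of the error with the text of the conn.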
