[Openswan Users] Linux IPsec client

Xunhua Wang wangxx at jmu.edu
Tue Sep 26 15:30:04 EDT 2006


Thank you for the reply.

The server-side /var/log/secure log has the following (134.126.20.79 is the
server's IP address and the Linux client is located behind a NAT whose IP is
68.235.168.219; attached is the ipsec.conf of our server).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Sep 26 14:32:27 localhost pluto[3418]: packet from 68.235.168.219:500:
ignoring unknown Vendor ID payload [4f456e4d43757f784f704063]
Sep 26 14:32:27 localhost pluto[3418]: packet from 68.235.168.219:500:
received Vendor ID payload [Dead Peer Detection]
Sep 26 14:32:27 localhost pluto[3418]: "roadwarrior"[306] 68.235.168.219
#333: responding to Main Mode from unknown peer 68.235.168.219
Sep 26 14:32:27 localhost pluto[3418]: "roadwarrior"[306] 68.235.168.219
#333: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 26 14:32:27 localhost pluto[3418]: "roadwarrior"[306] 68.235.168.219
#333: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 26 14:32:27 localhost pluto[3418]: "roadwarrior"[306] 68.235.168.219
#333: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Virginia,
L=Harrisonburg, O=JMU, OU=CS, CN=Steve Wang'
Sep 26 14:32:27 localhost pluto[3418]: "roadwarrior"[306] 68.235.168.219
#333: crl update for "C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS,
CN=Crypto CA" is overdue since Jun 04 01:53:24 UTC 2006
Sep 26 14:32:27 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: deleting connection "roadwarrior" instance with peer 68.235.168.219
{isakmp=#0/ipsec=#0}
Sep 26 14:32:27 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: I am sending my cert
Sep 26 14:32:27 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 26 14:32:27 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: sent MR3, ISAKMP SA established
Sep 26 14:32:27 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: cannot respond to IPsec SA request because no connection is known for
134.126.20.79[C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN
Server 02]:17/1701...68.235.168.219[C=US, ST=Virginia, L=Harrisonburg,
O=JMU, OU=CS, CN=Steve Wang]:17/1701===192.168.1.3/32
Sep 26 14:32:27 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: sending encrypted notification INVALID_ID_INFORMATION to
68.235.168.219:500
Sep 26 14:32:37 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: Quick Mode I1 message is unacceptable because it uses a previously
used Message ID 0x0b713c4c (perhaps this is a duplicated packet)
Sep 26 14:32:37 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: sending encrypted notification INVALID_MESSAGE_ID to
68.235.168.219:500
Sep 26 14:32:57 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: Quick Mode I1 message is unacceptable because it uses a previously
used Message ID 0x0b713c4c (perhaps this is a duplicated packet)
Sep 26 14:32:57 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: sending encrypted notification INVALID_MESSAGE_ID to
68.235.168.219:500
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

It looks like the server cannot find the appropriate connection. Should it
be the roadwarrior connection?

Thanks,

Steve

> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Sunday, September 24, 2006 9:22 PM
> To: Xunhua Wang
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Linux IPsec client
> 
> On Sun, 24 Sep 2006, Xunhua Wang wrote:
> 
> > We have a VPN server running Linux Openswan U2.4.5/K2.6.9-5.ELsmp (netkey)
> > and l2tpd. The server's configuration is attached as ipsec.conf
> >
> > With Windows XP/2000 clients, we can connect to this VPN server (with the
> > roadwarrior connection).
> >
> > However, when we try to use a Linux Openswan 2.4.5 client (the client's
> > configuration is attached as ipsec-client.conf) to connect to the same
> > server, we got the following error:
> 
> > 004 "l2tpclient" #1: STATE_MAIN_I4: ISAKMP SA established
> > {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
> > group=modp1536}
> > 117 "l2tpclient" #2: STATE_QUICK_I1: initiate
> > 010 "l2tpclient" #2: STATE_QUICK_I1: retransmission; will wait 20s for
> > response
> 
> You should see an error on the server side as to why this happened.
> 
> Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.conf
Type: application/octet-stream
Size: 883 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20060926/40eb055f/attachment-0001.obj 
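
An added example, not part of the message above and not Openswan code: a small Python triage script that rejoins the hard-wrapped pluto entries, splits the rejected Quick Mode proposal into its fields, and flags a peer that proposes a private client address different from its observed source IP, as the NATed client does in this log. The function names are hypothetical, and the regex assumes only the field layout seen in this log.

```python
import ipaddress
import re

# Excerpt of the server log in this message, hard-wrapped as the mail left it.
SAMPLE = """\
Sep 26 14:32:27 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: cannot respond to IPsec SA request because no connection is known for
134.126.20.79[C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN
Server 02]:17/1701...68.235.168.219[C=US, ST=Virginia, L=Harrisonburg,
O=JMU, OU=CS, CN=Steve Wang]:17/1701===192.168.1.3/32
Sep 26 14:32:37 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: sending encrypted notification INVALID_MESSAGE_ID to
68.235.168.219:500
Sep 26 14:32:57 localhost pluto[3418]: "roadwarrior"[307] 68.235.168.219
#333: sending encrypted notification INVALID_MESSAGE_ID to
68.235.168.219:500
"""

ENTRY_START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: ")
# One end of the rejected proposal, laid out as ip[ID]:protocol/port
END = r"(?P<{p}ip>[\d.]+)\[(?P<{p}id>[^\]]*)\]:(?P<{p}proto>\d+)/(?P<{p}port>\d+)"
REJECT = re.compile(r"#(?P<state>\d+): cannot respond to IPsec SA request.*? known for "
                    + END.format(p="our") + r"\.\.\." + END.format(p="peer")
                    + r"(?:===(?P<peer_client>\S+))?")
NOTIFY = re.compile(r"#(?P<state>\d+): sending encrypted notification (?P<kind>\w+) to")

def unwrap(text):
    """Rejoin syslog entries that were wrapped across several lines."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Return (rejected proposals, notification counts keyed by (state, kind))."""
    rejected, notifications = [], {}
    for entry in unwrap(text):
        m, n = REJECT.search(entry), NOTIFY.search(entry)
        if m:
            d = m.groupdict()
            net = ipaddress.ip_network(d["peer_client"] or d["peerip"])
            # True when the proposed client is private and is not the source IP
            d["client_is_private_not_source"] = (
                net.is_private and ipaddress.ip_address(d["peerip"]) not in net)
            rejected.append(d)
        if n:
            notifications[n.groups()] = notifications.get(n.groups(), 0) + 1
    return rejected, notifications
```
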