[Openswan Users] openswan configuration needs help

Paul Wouters paul at xelerance.com
Wed Apr 18 14:36:36 EDT 2007


On Wed, 18 Apr 2007, Jean Marc Le Fevre wrote:

>        dumpdir=/tmp

> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R1: sent MR1,
> expecting MI2
> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: ignoring Vendor ID payload
> [KAME/racoon]
> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: NAT-Traversal: Result using
> 3: i am NATed

So NAT'ed....

> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R2: sent MR2,
> expecting MI3
> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: Main mode peer ID is
> ID_IPV4_ADDR: 'IPFIXE'
> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: I did not send a certificate
> because I do not have one.
> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from state
> STATE_MAIN_R2 to state STATE_MAIN_R3
> Apr 18 18:04:16 Zpro pluto[11600]: | NAT-T: new mapping IPFIXE:500/4500)
> Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R3: sent MR3,
> ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
> prf=oakley_sha group=modp1024}
> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: NAT-Traversal: received 2
> NAT-OA. ignored because peer is not NATed

Not NAT'ed??

> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: responding to Quick Mode
> {msgid:99321c1d}
> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: ASSERTION FAILED at
> kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE

Run gdb on the core in /tmp, and please give us some more information.

Which version of Openswan is this? If it is pre-2.4.7, please upgrade and try
again.

> newest ISAKMP; nodpd
> Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2:
> Apr 18 18:04:17 Zpro ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 217:
> 11600 Aborted                 (core dumped) /usr/lib/ipsec/pluto --nofork
> --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto
> --uniqueids --nat_traversal --nhelpers 0
> Apr 18 18:04:17 Zpro ipsec__plutorun: !pluto failure!:  exited with error
> status 134 (signal 6)
> Apr 18 18:04:17 Zpro ipsec__plutorun: restarting IPsec after pause...

Same for this one.

You might also want to try not using rightprotoport=17/%any, but 17/1701, and
do a test with Windows XP (not OSX).

Paul
-
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

