[Openswan Users] Roadwarrior using Openswan
Paul Wouters
paul at xelerance.com
Thu Feb 1 13:32:28 EST 2007
On Thu, 1 Feb 2007, Angel Vicente Perez wrote:
> > > I'm very new to Openswan. I'd like to set up a connection for a
> > > roadwarrior, but after reading some threads in the list about the subject, I
> > > didn't succeed.
> > >
> > > I have the following data:
> > >
> > > IP of a security gateway
> > > IPSec ID
> > > IPSec secret
> > > XAuth username
> > > XAuth password
> > >
> > > with this data, I'm able to act as a roadwarrior using vpnc, but I'm not
> > > able to do the same using Openswan.
> >
> > see "man ipsec.conf", the options you are looking for are:
> >
> > leftid=
> > rightid=
> > left=%defaultroute
> > right=ipofsecuritygateway
> > leftxauthclient=yes
> > rightxauthserver=yes
> >
> Hello...
>
> I'm trying to test it, but without success. Below is my configuration:
>
> conn Test
> authby=secret
> left=%defaultroute
> leftmodecfgclient=yes
> leftid=@IDLeft
> leftxauthclient=yes
> right=xxx.xxx.xxx.xxx
> rightid=@IDRight
> rightxauthserver=yes
> rightmodecfgserver=yes
> modecfgpull=yes
> auto=add
>
> but when I run "ipsec auto --up Test", I get the following output:
>
> angel# ipsec auto --up Test
> 104 "Test" #9: STATE_MAIN_I1: initiate
> 003 "Test" #9: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> method set to=108
> 003 "Test" #9: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> meth=106, but already using method 108
> 106 "Test" #9: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "Test" #9: received Vendor ID payload [XAUTH]
> 003 "Test" #9: received Vendor ID payload [Dead Peer Detection]
> 003 "Test" #9: received Vendor ID payload [Cisco-Unity]
> 003 "Test" #9: ignoring unknown Vendor ID payload
> [fef0b7c75c3b14501e906e3cff679e63]
> 003 "Test" #9: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:
> i am NATed
> 108 "Test" #9: STATE_MAIN_I3: sent MI3, expecting MR3
> 010 "Test" #9: STATE_MAIN_I3: retransmission; will wait 20s for response
> 010 "Test" #9: STATE_MAIN_I3: retransmission; will wait 40s for response
> 031 "Test" #9: max number of retransmissions (2) reached STATE_MAIN_I3.
> Possible authentication failure: no acceptable response to our first
> encrypted message
> 000 "Test" #9: starting keying attempt 2 of an unlimited number, but
> releasing whack
You can try specifying specific ike= and esp= lines. Perhaps grab them from
a Windows log/client that can connect properly? Perhaps you need aggressive mode?
> I think that the clue is in the line after "[Cisco-Unity]", but I'm not
> sure.
Nah, that's likely a vendorid that wouldn't really mean anything useful to us.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
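The output quoted above stalls at STATE_MAIN_I3, the point where the initiator's first encrypted Main Mode message (ID and PSK hash) gets no reply. As an added example that is not part of this thread or of Openswan, here is a small Python helper that parses the three-digit pluto/whack status lines, records the last state reached, the vendor IDs, NAT detection and retransmissions, and maps a stall to the usual causes (PSK or ID mismatch, proposal mismatch, or a peer that expects aggressive mode); the STALL_HINTS mapping and the sample input (the thread's output with mail wrapping undone) are my own assumptions, not Openswan's.

```python
import re

# Constructed sample: the 'ipsec auto --up Test' output from the thread, with the mail wrapping undone.
SAMPLE_OUTPUT = """\
104 "Test" #9: STATE_MAIN_I1: initiate
003 "Test" #9: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "Test" #9: STATE_MAIN_I2: sent MI2, expecting MR2
003 "Test" #9: received Vendor ID payload [XAUTH]
003 "Test" #9: received Vendor ID payload [Cisco-Unity]
003 "Test" #9: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "Test" #9: STATE_MAIN_I3: sent MI3, expecting MR3
010 "Test" #9: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "Test" #9: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "Test" #9: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""

# A pluto/whack line is: three-digit status code, quoted conn name, "#<state number>:", message.
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
STATE_RE = re.compile(r'\b(STATE_[A-Z0-9_]+)\b')
VID_RE = re.compile(r'received Vendor ID payload \[([^\]]+)\]')

# Assumed mapping (mine, not Openswan's) from the Main Mode initiator state that went unanswered
# to what to check first. MAIN_I3 is the case in this thread.
STALL_HINTS = {
    "STATE_MAIN_I1": "no reply to the SA proposal: peer unreachable, UDP/500 filtered, or no acceptable proposal (check ike=)",
    "STATE_MAIN_I2": "no reply to the KE/nonce exchange: often UDP fragmentation or NAT-T trouble",
    "STATE_MAIN_I3": "first encrypted message not accepted: check the PSK and leftid/rightid, or the peer may require aggressive mode",
}

def parse_pluto(output):
    """Return (code, conn, sa_number, message) tuples; lines that are not pluto output are skipped."""
    return [(m.group(1), m.group(2), int(m.group(3)), m.group(4))
            for m in map(LINE_RE.match, output.splitlines()) if m]

def diagnose(output):
    """Summarise where an IKEv1 Main Mode initiation stalled and what that points to."""
    r = {"last_state": None, "vendor_ids": [], "natted": False,
         "retransmissions": 0, "gave_up": False, "hint": None}
    for code, _conn, _sa, msg in parse_pluto(output):
        state, vid = STATE_RE.search(msg), VID_RE.search(msg)
        if code.startswith("1") and state:   # 1xx codes announce a state transition
            r["last_state"] = state.group(1)
        if vid:
            r["vendor_ids"].append(vid.group(1))
        r["natted"] |= "i am NATed" in msg
        r["retransmissions"] += code == "010"   # retransmission notice
        r["gave_up"] |= code == "031"           # max retransmissions reached
    if r["gave_up"]:
        r["hint"] = STALL_HINTS.get(r["last_state"], "stalled in an unexpected state")
    return r
```

Feed it the real output of `ipsec auto --up <conn>` instead of SAMPLE_OUTPUT; a stall at MAIN_I1 or MAIN_I3 separates a reachability or proposal problem from an authentication or mode problem before you start changing ike= and esp= lines.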