[Openswan Users] l2tp ike phase 2 quick mode message

George Wu aihuawu at gmail.com
Sat Feb 3 22:38:37 EST 2007


Hi, Paul:

Thank you very much.

Now I have found my log message in /var/log/auth.log.
I tried both openswan (2.4.5) and strongswan (2.8).
Linux kernel is 2.6.17 (Ubuntu 6.10)

It seems it is ignoring the Microsoft stuff.
The l2tp clients are Windows 2003 (SP1) and XP (SP2).

George

===========================
The following error message (openswan <> Windows 2003) is repeated a few times
before the connection times out. Strongswan has a slightly different message.

Feb  4 10:22:02 localhost pluto[4447]: packet from 192.168.1.128:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Feb  4 10:22:02 localhost pluto[4447]: packet from 192.168.1.128:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb  4 10:22:02 localhost pluto[4447]: packet from 192.168.1.128:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Feb  4 10:22:02 localhost pluto[4447]: packet from 192.168.1.128:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Feb  4 10:22:02 localhost pluto[4447]: packet from 192.168.1.128:500: initial Main Mode message received on 192.168.1.131:500 but no connection has been authorized
Feb  4 10:22:03 localhost pluto[4447]: packet from 192.168.1.128:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Feb  4 10:22:03 localhost pluto[4447]: packet from 192.168.1.128:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb  4 10:22:03 localhost pluto[4447]: packet from 192.168.1.128:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Feb  4 10:22:03 localhost pluto[4447]: packet from 192.168.1.128:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Feb  4 10:22:03 localhost pluto[4447]: packet from 192.168.1.128:500: initial Main Mode message received on 192.168.1.131:500 but no connection has been authorized


On Sat, 3 Feb 2007, George Wu wrote:

> I can set up openswan to talk to both openswan and strongswan.
> But when I try it with XP (SP2) or Windows 2003 (SP1), neither works.
> My kernel is 2.6.17 using netkey.
> My openswan is 2.4.5
>
> It seems my /var/log/secure doesn't exist, I use tcpdump port 500
> to print the message. Also on Windows, I check the oakley.log file.

Find the right logfile, tcpdump is pretty useless, esp after phase 1 is
established and crypto is active.

>  2-03: 16:00:49:741:868 processing HASH (Notify/Delete)
>  2-03: 16:00:49:741:868 processing payload NOTIFY
>  2-03: 16:00:49:741:868 notify: INVALID-ID-INFORMATION
>  2-03: 16:00:49:741:868 isadb_set_status sa:018203C0 centry:00000000 status 3601

Seems openswan is rejecting the XP client. It should log why that is. Check
your logs, daemon.log, auth.log or secure.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
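
A small triage helper for pluto output like the lines posted above, as an added example that is not part of the original thread or of Openswan: it rejoins records that were hard-wrapped at 80 columns and counts message categories per peer. The category names, and the assumption that a wrap splits mid-line without losing whitespace, belong to this example; the sample is constructed from lines in the post.

```python
import re
from collections import Counter

# Constructed sample: three pluto records from this post, hard-wrapped at
# 80 columns the way a terminal paste leaves them.
SAMPLE = """\
Feb  4 10:22:02 localhost pluto[4447]: packet from 192.168.1.128:500: received V
endor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating i
s off
Feb  4 10:22:02 localhost pluto[4447]: packet from 192.168.1.128:500: ignoring V
endor ID payload [Vid-Initial-Contact]
Feb  4 10:22:02 localhost pluto[4447]: packet from 192.168.1.128:500: initial Ma
in Mode message received on 192.168.1.131:500 but no connection has been authori
zed
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ pluto\[\d+\]: ")
PEER = re.compile(r"packet from (\d+\.\d+\.\d+\.\d+):(\d+): (.*)$")

# Hypothetical category names, keyed on message text that appears in the post's log.
RULES = [
    ("main_mode_rejected", re.compile(r"initial Main Mode message received on \S+ but no connection has been authorized")),
    ("natt_vid_port_floating_off", re.compile(r"received Vendor ID payload \[[^\]]+\].*but port floating is off")),
    ("vendor_id_ignored", re.compile(r"ignoring Vendor ID payload \[[^\]]+\]")),
]

def unwrap(text):
    """Rejoin hard-wrapped continuation lines onto the syslog record they belong to."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # assumption: the wrap dropped no whitespace
    return records

def summarize(text):
    """Count pluto message categories per peer IP address."""
    counts = {}
    for rec in unwrap(text):
        m = PEER.search(rec)
        if not m:
            continue
        peer, _port, msg = m.groups()
        label = next((name for name, rx in RULES if rx.search(msg)), "other")
        counts.setdefault(peer, Counter())[label] += 1
    return counts
```
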