[Openswan Users] Cisco Concentrator 3005 to Openswan

ACasella antony.casella at sand.com
Mon Jun 11 12:30:24 EDT 2007


On Mon, 2007-06-11 at 10:52 -0400, Paul Wouters wrote:

Paul,

Thank you for your reply.
> 
> That probably means XAUTH.
> 

I've now set up my conf file as:


 conn host-to-host
     type=tunnel
     authby=secret
     left=72.55.yyy.yyy
     leftnexthop=%defaultroute
     right=137.186.xxx.xxx
     rightxauthserver=yes
     rightnexthop=%defaultroute
     ike=3des-md5-modp1024
     esp=3des-md5
     keyexchange=ike
     pfs=no
     xauth=yes
     auto=add

Next I run (I googled this so it may be the wrong thing to run):

 ipsec whack --name=host-to-host --xauthname=Some_username --xauthpass=somepassword --initiate

The behaviour is the same as before.

002 "host-to-host" #1: initiating Main Mode
104 "host-to-host" #1: STATE_MAIN_I1: initiate
003 "host-to-host" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "host-to-host" #1: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
002 "host-to-host" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "host-to-host" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "host-to-host" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "host-to-host" #1: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "host-to-host" #1: ignoring informational payload, type INVALID_COOKIE
003 "host-to-host" #1: received and ignored informational message
010 "host-to-host" #1: STATE_MAIN_I2: retransmission; will wait 40s for response
003 "host-to-host" #1: ignoring informational payload, type INVALID_COOKIE
003 "host-to-host" #1: received and ignored informational message
031 "host-to-host" #1: max number of retransmissions (2) reached STATE_MAIN_I2
000 "host-to-host" #1: starting keying attempt 2 of an unlimited number, but releasing whack


They have not provided a certificate.  Only a username and a pre-shared key.


> It should be the xauth parameter. See man ipsec.conf

It says it is not well documented, but I am hoping someone can help me
out on the matter.


Thank you
Antony
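One way to read whack output like the transcript above mechanically, as an added example that is not part of this thread or of Openswan: a small Python parser for pluto's status records (`<code> "<conn>" #<sa>: <message>`), run over the post's log re-joined onto one line per record. It shows that the negotiation never left STATE_MAIN_I2, so the XAUTH exchange, which only starts once phase 1 is established, was never reached; the state names and sample lines are taken from the post.

```python
import re
from collections import Counter

# Constructed sample: the whack/pluto output quoted in the post, re-joined one record per line.
SAMPLE_LOG = """\
002 "host-to-host" #1: initiating Main Mode
002 "host-to-host" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "host-to-host" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "host-to-host" #1: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "host-to-host" #1: ignoring informational payload, type INVALID_COOKIE
010 "host-to-host" #1: STATE_MAIN_I2: retransmission; will wait 40s for response
003 "host-to-host" #1: ignoring informational payload, type INVALID_COOKIE
031 "host-to-host" #1: max number of retransmissions (2) reached STATE_MAIN_I2
"""

# Every pluto status line has the shape: <3-digit code> "<conn>" #<sa>: <message>
RECORD_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
TRANSITION_RE = re.compile(r'transition from state \S+ to state (\S+)')
NOTIFY_RE = re.compile(r'ignoring informational payload, type (\S+)')
GAVE_UP_RE = re.compile(r'max number of retransmissions \(\d+\) reached (\S+)')

def summarize(log_text):
    """Reduce a whack transcript to the facts that matter for a stuck negotiation."""
    s = {"conn": None, "last_state": None, "retransmissions": 0,
         "notifications": Counter(), "gave_up_in": None}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        s["conn"] = m.group(2)
        msg = m.group(4)
        if t := TRANSITION_RE.search(msg):
            s["last_state"] = t.group(1)
        if n := NOTIFY_RE.search(msg):
            s["notifications"][n.group(1)] += 1
        if "retransmission;" in msg:
            s["retransmissions"] += 1
        if g := GAVE_UP_RE.search(msg):
            s["gave_up_in"] = g.group(1)
    # STATE_MAIN_I4 is the initiator state in which the ISAKMP SA is established.
    s["phase1_done"] = s["last_state"] == "STATE_MAIN_I4"
    return s

def diagnose(s):
    # XAUTH only starts after phase 1 completes, so a stall before STATE_MAIN_I4 is not an XAUTH problem.
    if s["phase1_done"]:
        return "phase 1 completed; look at the XAUTH and quick mode messages next"
    kinds = ", ".join(sorted(s["notifications"])) or "none"
    return (f"stalled in {s['gave_up_in'] or s['last_state']} after "
            f"{s['retransmissions']} retransmissions, peer notifications: {kinds}; "
            "phase 1 never completed, so no XAUTH credentials were ever sent")
```

Feed it `summarize(SAMPLE_LOG)` and then `diagnose(...)` to get the one-line verdict; the same functions work on a saved `ipsec whack` transcript once the mail-wrapped lines are joined back together.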


