[Openswan Users] Openswan Road Warrior Mode and JuniperNetscreen IPSec firewall/vpn
Eric Langheinrich
openswan at eric.unspam.com
Wed Jun 13 21:36:03 EDT 2007
Nico Wrote:
> This used to work for me, I have no current connections with a Netscreen
> though.
> conn me-remote
> auto=start
> authby=secret
> pfs=yes
> keylife=3600
> left=<My Public IP>
> leftnexthop=<My Gateway>
> leftsourceip=192.168.x.1
> leftsubnet=192.168.x.0/24
> #leftid=@adencfw.adencnet.ipsec
> leftrsasigkey=<An RSA Key>
> right=<remote address>
> rightsubnet=<remote Net e.g. 10.10.0.0/16>
> rightrsasigkey=<Other RSA KEY>
> Left & leftnexthop depend on my network setup to my provider, just having
> left=%default should suffice.
Nico, Thank you for the reply. I'll try it this way tomorrow and see if I
can get anywhere.
I just spent the last several hours on the phone with Netscreen attempting
to get this to work with Xauth and PSK. The good news is that I got about
halfway there; the bad news is that Xauth was never able to fully
negotiate, so I never got to Phase 2.
Even after setting leftauthclient=no rightauthserver=no and xauth=no,
Openswan was still attempting to do Xauth at some level. From the searches
I've done it looks like other people have had this same problem, but the
threads do not seem to go anywhere or have an answer.
If anyone has any ideas, I would love to hear them.
My configuration looks like:
conn my_conn
type=tunnel
left=%defaultroute
leftid=user at domain.com
leftxauthclient=yes
right=(netscreen IP)
rightsubnet=(private network)
rightxauthserver=yes
pfs=yes
aggrmode=yes
auto=add
auth=esp
authby=secret
xauth=yes
keyexchange=ike
ike=3des-sha1-modp1024
esp=3des-sha1
When I attempt to connect, I see the following logs:
<snip>
002 "my_conn" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
004 "my_conn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
041 "my_conn" #1: my_conn prompt for Username:
Name enter: user
040 "my_conn" #1: my_conn prompt for Password:
Enter secret:
002 "my_conn" #1: XAUTH: Answering XAUTH challenge with user='user'
002 "my_conn" #1: transition from state STATE_XAUTH_I0 to state
STATE_XAUTH_I1
004 "my_conn" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
228 "my_conn" #1: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
002 "my_conn" #1: sending encrypted notification CERTIFICATE_UNAVAILABLE to
(netscreen IP):500
003 "my_conn" #1: next payload type of ISAKMP Hash Payload has an unknown
value: 89
003 "my_conn" #1: malformed payload in packet
002 "my_conn" #1: sending notification PAYLOAD_MALFORMED to (netscreen
IP):500
003 "my_conn" #1: next payload type of ISAKMP Hash Payload has an unknown
value: 89
003 "my_conn" #1: malformed payload in packet
002 "my_conn" #1: sending notification PAYLOAD_MALFORMED to (netscreen
IP):500
On the Netscreen side I see:
Rejected an IKE packet on ethernet3 from (my IP):500 to (netscreen IP):500
with cookies 6c58809750757d0d and 882a6dcb46910c01 because a Phase 2 packet
arrived while XAuth was still pending.
Then immediately:
Rejected an IKE packet on ethernet3 from (my IP):500 to (netscreen IP):500
with cookies 6c58809750757d0d and 882a6dcb46910c01 because an unencrypted
packet unexpectedly arrived.
I'm happy to test pretty much anything...
Thank you,
Eric
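As an added example (not part of Eric's post or of Openswan itself), the following Python parses pluto log lines of the shape shown above and summarises where the negotiation stalled: the last state transition, the notifications pluto sent, and the code-003 error lines. The sample input is the log excerpt from the post, re-joined where the mail wrapped it; the `diagnose` heuristic and the state-name prefixes it checks (`STATE_XAUTH_*` for XAuth, `STATE_QUICK_*` for Phase 2) are assumptions about Openswan's pluto naming, and the interactive "Name enter:" / "Enter secret:" prompt lines are deliberately skipped because they carry no status code.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Pluto status lines: a three-digit code, the quoted conn name, the SA number, then the message.
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r'transition from state (?P<src>\S+) to state (?P<dst>\S+)')
NOTIFY_RE = re.compile(r'sending (?:encrypted )?notification (?P<name>[A-Z_]+) to')


@dataclass
class Event:
    code: str
    conn: str
    sa: int
    msg: str


@dataclass
class Summary:
    last_state: Optional[str] = None
    notifications_sent: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)   # code-003 lines (pluto's error/complaint level)
    xauth_reached: bool = False
    phase2_reached: bool = False


def parse_pluto_log(lines):
    """Return one Event per status line; lines without a status code (prompts, <snip>) are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["code"], m["conn"], int(m["sa"]), m["msg"]))
    return events


def summarize(events):
    s = Summary()
    for ev in events:
        t = TRANSITION_RE.search(ev.msg)
        if t:
            s.last_state = t["dst"]
            # Assumed prefixes: XAuth client states are STATE_XAUTH_*, Phase 2 (quick mode) is STATE_QUICK_*.
            if t["dst"].startswith("STATE_XAUTH"):
                s.xauth_reached = True
            if t["dst"].startswith("STATE_QUICK"):
                s.phase2_reached = True
        n = NOTIFY_RE.search(ev.msg)
        if n:
            s.notifications_sent.append(n["name"])
        if ev.code == "003":
            s.errors.append(ev.msg)
    return s


def diagnose(summary):
    """Heuristic classification (assumption, not an Openswan facility)."""
    if summary.phase2_reached:
        return "reached Phase 2"
    if summary.xauth_reached and "PAYLOAD_MALFORMED" in summary.notifications_sent:
        return "stalled in XAuth: peer's XAuth/CFG replies were not understood, Phase 2 never started"
    if summary.xauth_reached:
        return "stalled in XAuth"
    return "stalled in Phase 1"


# Sample input copied from the post above, with the mail's line wrapping undone.
SAMPLE_LOG = [
    '002 "my_conn" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2',
    '004 "my_conn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}',
    '041 "my_conn" #1: my_conn prompt for Username:',
    "Name enter: user",
    '040 "my_conn" #1: my_conn prompt for Password:',
    "Enter secret:",
    '002 "my_conn" #1: XAUTH: Answering XAUTH challenge with user=\'user\'',
    '002 "my_conn" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1',
    '004 "my_conn" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set',
    '228 "my_conn" #1: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE',
    '002 "my_conn" #1: sending encrypted notification CERTIFICATE_UNAVAILABLE to (netscreen IP):500',
    '003 "my_conn" #1: next payload type of ISAKMP Hash Payload has an unknown value: 89',
    '003 "my_conn" #1: malformed payload in packet',
    '002 "my_conn" #1: sending notification PAYLOAD_MALFORMED to (netscreen IP):500',
    '003 "my_conn" #1: next payload type of ISAKMP Hash Payload has an unknown value: 89',
    '003 "my_conn" #1: malformed payload in packet',
    '002 "my_conn" #1: sending notification PAYLOAD_MALFORMED to (netscreen IP):500',
]

if __name__ == "__main__":
    s = summarize(parse_pluto_log(SAMPLE_LOG))
    print("last state:", s.last_state)
    print("notifications sent:", s.notifications_sent)
    print("errors:", len(s.errors))
    print("diagnosis:", diagnose(s))
```

Run against the excerpt it reports the last transition as STATE_XAUTH_I1, two PAYLOAD_MALFORMED notifications after the CERTIFICATE_UNAVAILABLE one, and no Phase 2 state at all, which is the same picture the Netscreen side gives ("a Phase 2 packet arrived while XAuth was still pending"). Feeding it a fresh `ipsec auto --up` log after a config change is a quick way to see whether the stall point moved.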