[Openswan Users] trying to configure XAUTH as replacement for working Cisco VPN Client

David Lawless lawless at spamcop.net
Mon Mar 26 21:59:26 EDT 2007


Hello,

I'm trying to configure Openswan v2.4.6-1 running under OpenWrt 
v0.9 on a Linksys WRT54GS v2.1 as a substitute for a working 
Cisco VPN v4.6.03.0021 Windows client.  It seems from what I
can tell that XAUTH is how this type of client operates.

If I select main mode, Openswan fails immediately with

pluto[24068]: "Connection" #1: initiating Main Mode
pluto[24068]: packet from R.R.R.R:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
pluto[24068]: packet from R.R.R.R:500: received and ignored informational message

If I select aggressive mode, I can't seem to figure out which
algorithms to select.  Openswan says

pluto[22863]: "Connection" #1: multiple transforms were set in aggressive mode. Only first one used.
pluto[22863]: "Connection" #1: transform (7,2,5,128) ignored.
pluto[22863]: "Connection" #1: transform (7,1,2,128) ignored.
pluto[22863]: "Connection" #1: transform (7,2,2,128) ignored.
pluto[22863]: "Connection" #1: ASSERTION FAILED at spdb_struct.c:1233: trans->attr_cnt == 4
pluto[22863]: "Connection" #1: interface ipsec0/vlan1 L.L.L.L
pluto[22863]: "Connection" #1: interface ipsec0/vlan1 L.L.L.L
pluto[22863]: "Connection" #1: %myid = (none)
pluto[22863]: "Connection" #1: debug none

And then lists the available algorithms.

Here's the config.  I've been using the commented lines in the
second case above.

version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none

conn Connection
        left=             %defaultroute
        leftid=           @GroupName
        leftxauthclient=  yes
        right=            R.R.R.R
        rightsubnet=      R.R.R.H/32
        rightxauthserver= yes
       #aggrmode=         yes
       #ike=              aes128
       #esp=              3des-sha1-96
        authby=           secret
        xauth=            yes
        auto=             add

Below is the verbose output from the Cisco VPN client for a 
successful session setup.  This session passes through the exact 
same WRT54GS that I'm attempting to configure.  Private network 
is 172.29.87.0/24 and the Windows client runs on 172.29.87.12.  
Router is 172.29.87.1.

I'm posting this to the dev group as well as the users group 
because I saw a similar error that was an issue in Openswan.  
I'd like to figure out if this is the same one, though I'm 
not using certificates as was the earlier case.

Thanks for your help!

David



Cisco Systems VPN Client Version 4.6.03.0021
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1      15:23:04.355  03/26/07  Sev=Info/4	CM/0x63100002
Begin connection process

2      15:23:04.371  03/26/07  Sev=Info/4	CM/0x63100004
Establish secure connection using Ethernet

3      15:23:04.371  03/26/07  Sev=Info/4	CM/0x63100024
Attempt connection with server "R.R.R.R"

4      15:23:04.386  03/26/07  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with R.R.R.R.

5      15:23:04.402  03/26/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to R.R.R.R

6      15:23:04.433  03/26/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = R.R.R.R

7      15:23:04.433  03/26/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from R.R.R.R

8      15:23:04.433  03/26/07  Sev=Info/5	IKE/0x63000001
Peer supports XAUTH

9      15:23:04.433  03/26/07  Sev=Info/5	IKE/0x63000001
Peer supports DPD

10     15:23:04.433  03/26/07  Sev=Info/5	IKE/0x63000001
Peer is a Cisco-Unity compliant peer

11     15:23:04.433  03/26/07  Sev=Info/5	IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025

12     15:23:04.464  03/26/07  Sev=Info/6	IKE/0x63000001
IOS Vendor ID Contruction successful

13     15:23:04.464  03/26/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to R.R.R.R

14     15:23:04.464  03/26/07  Sev=Info/4	IKE/0x63000083
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

15     15:23:04.464  03/26/07  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

16     15:23:04.464  03/26/07  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

17     15:23:04.496  03/26/07  Sev=Info/5	IKE/0x6300005E
Client sending a firewall request to concentrator

18     15:23:04.496  03/26/07  Sev=Info/5	IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).

19     15:23:04.496  03/26/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to R.R.R.R

20     15:23:04.496  03/26/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = R.R.R.R

21     15:23:04.496  03/26/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from R.R.R.R

22     15:23:04.511  03/26/07  Sev=Info/5	IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

23     15:23:04.511  03/26/07  Sev=Info/5	IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now

24     15:23:04.511  03/26/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = R.R.R.R

25     15:23:04.511  03/26/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from R.R.R.R

26     15:23:04.511  03/26/07  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.70.10.50

27     15:23:04.511  03/26/07  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

28     15:23:04.511  03/26/07  Sev=Info/5	IKE/0x6300000F
SPLIT_NET #1
	subnet = R.R.R.H 
	mask = 255.255.255.255
	protocol = 0
	src port = 0
	dest port=0

29     15:23:04.527  03/26/07  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

30     15:23:04.527  03/26/07  Sev=Info/4	CM/0x63100019
Mode Config data received

31     15:23:04.527  03/26/07  Sev=Info/4	IKE/0x63000056
Received a key request from Driver: Local IP = 10.70.10.50, GW IP = R.R.R.R, Remote IP = 0.0.0.0

32     15:23:04.527  03/26/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to R.R.R.R

33     15:23:04.542  03/26/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = R.R.R.R

34     15:23:04.558  03/26/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from R.R.R.R

35     15:23:04.558  03/26/07  Sev=Info/5	IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds

36     15:23:04.558  03/26/07  Sev=Info/5	IKE/0x63000046
RESPONDER-LIFETIME notify has value of 4608000 kb

37     15:23:04.558  03/26/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to R.R.R.R

38     15:23:04.558  03/26/07  Sev=Info/5	IKE/0x63000059
Loading IPsec SA (MsgID=EFEAEFC5 OUTBOUND SPI = 0x91C6935C INBOUND SPI = 0x3D88560E)

39     15:23:04.558  03/26/07  Sev=Info/5	IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x91C6935C

40     15:23:04.558  03/26/07  Sev=Info/5	IKE/0x63000026
Loaded INBOUND ESP SPI: 0x3D88560E

41     15:23:04.667  03/26/07  Sev=Info/5	CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       172.29.87.1      172.29.87.12       10
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    172.29.87.0     255.255.255.0      172.29.87.12      172.29.87.12       10
   172.29.87.12   255.255.255.255         127.0.0.1         127.0.0.1       10
 172.29.255.255   255.255.255.255      172.29.87.12      172.29.87.12       10
      224.0.0.0         240.0.0.0      172.29.87.12      172.29.87.12       10
255.255.255.255   255.255.255.255      172.29.87.12      172.29.87.12        1


42     15:23:05.449  03/26/07  Sev=Info/4	CM/0x63100034
The Virtual Adapter was enabled: 
	IP=10.70.10.50/255.0.0.0
	DNS=0.0.0.0,0.0.0.0
	WINS=0.0.0.0,0.0.0.0
	Domain=
	Split DNS Names=

43     15:23:05.449  03/26/07  Sev=Info/5	CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       172.29.87.1      172.29.87.12       10
       10.0.0.0         255.0.0.0       10.70.10.50       10.70.10.50       10
    10.70.10.50   255.255.255.255         127.0.0.1         127.0.0.1       10
 10.255.255.255   255.255.255.255       10.70.10.50       10.70.10.50       10
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    172.29.87.0     255.255.255.0      172.29.87.12      172.29.87.12       10
   172.29.87.12   255.255.255.255         127.0.0.1         127.0.0.1       10
 172.29.255.255   255.255.255.255      172.29.87.12      172.29.87.12       10
      224.0.0.0         240.0.0.0       10.70.10.50       10.70.10.50       10
      224.0.0.0         240.0.0.0      172.29.87.12      172.29.87.12       10
255.255.255.255   255.255.255.255       10.70.10.50       10.70.10.50        1
255.255.255.255   255.255.255.255      172.29.87.12      172.29.87.12        1


44     15:23:05.464  03/26/07  Sev=Info/4	CM/0x63100038
Successfully saved route changes to file.

45     15:23:05.464  03/26/07  Sev=Info/5	CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       172.29.87.1      172.29.87.12       10
       10.0.0.0         255.0.0.0       10.70.10.50       10.70.10.50       10
    10.70.10.50   255.255.255.255         127.0.0.1         127.0.0.1       10
 10.255.255.255   255.255.255.255       10.70.10.50       10.70.10.50       10
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    172.29.87.0     255.255.255.0      172.29.87.12      172.29.87.12       10
    172.29.87.1   255.255.255.255      172.29.87.12      172.29.87.12        1
   172.29.87.12   255.255.255.255         127.0.0.1         127.0.0.1       10
 172.29.255.255   255.255.255.255      172.29.87.12      172.29.87.12       10
  R.R.R.R         255.255.255.255       172.29.87.1      172.29.87.12        1
  R.R.R.H         255.255.255.255       10.70.10.50       10.70.10.50        1
      224.0.0.0         240.0.0.0       10.70.10.50       10.70.10.50       10
      224.0.0.0         240.0.0.0      172.29.87.12      172.29.87.12       10
255.255.255.255   255.255.255.255       10.70.10.50       10.70.10.50        1
255.255.255.255   255.255.255.255      172.29.87.12      172.29.87.12        1


46     15:23:05.464  03/26/07  Sev=Info/6	CM/0x63100036
The routing table was updated for the Virtual Adapter

47     15:23:05.496  03/26/07  Sev=Info/4	CM/0x6310001A
One secure connection established

48     15:23:05.574  03/26/07  Sev=Info/4	CM/0x6310003B
Address watch added for 172.29.87.12.  Current hostname: geileis, Current address(es): 10.70.10.50, 172.29.87.12.

49     15:23:05.605  03/26/07  Sev=Info/4	CM/0x6310003B
Address watch added for 10.70.10.50.  Current hostname: geileis, Current address(es): 10.70.10.50, 172.29.87.12.

50     15:23:05.605  03/26/07  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started

51     15:23:05.605  03/26/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

52     15:23:05.605  03/26/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

53     15:23:05.605  03/26/07  Sev=Info/4	IPSEC/0x63700010
Created a new key structure

54     15:23:05.605  03/26/07  Sev=Info/4	IPSEC/0x6370000F
Added key with SPI=0x5c93c691 into key list

55     15:23:05.621  03/26/07  Sev=Info/4	IPSEC/0x63700010
Created a new key structure

56     15:23:05.621  03/26/07  Sev=Info/4	IPSEC/0x6370000F
Added key with SPI=0x0e56883d into key list

57     15:23:05.621  03/26/07  Sev=Info/4	IPSEC/0x6370002F
Assigned VA private interface addr 10.70.10.50
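The client log quoted above has a fixed entry format, so the facts a responder admin needs to line up against the gateway configuration (phase-1 mode, the vendor IDs the client offers, mode-config attributes, negotiated lifetimes, ESP SPIs) can be pulled out mechanically. The parser below is an added example, not code from the post, from Openswan or from Cisco; the sample excerpt is constructed from entries in the post, and the summary field names are my own.

```python
import re
# One entry header in the Cisco VPN Client log: "5      15:23:04.402  03/26/07  Sev=Info/4<TAB>IKE/0x63000013"
HEADER = re.compile(r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
                    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<comp>\w+)/0x(?P<code>[0-9A-Fa-f]{8})\s*$")
# Message lines worth extracting; each pattern names a key group k and a value group v.
PATTERNS = {
    "modecfg": re.compile(r"MODE_CFG_REPLY: Attribute = (?P<k>\w+).*?, value = (?P<v>\S+)"),
    "lifetime": re.compile(r"RESPONDER-LIFETIME notify has value of (?P<v>\d+) (?P<k>\w+)"),
    "spi": re.compile(r"Loaded (?P<k>OUTBOUND|INBOUND) ESP SPI: (?P<v>0x[0-9A-Fa-f]+)"),
}

def parse_entries(text):
    """Split the log into entries: header fields plus the (possibly multi-line) message."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "seq": int(m["seq"]), "msg": []})
        elif entries and line.strip():          # continuation line of the current entry
            entries[-1]["msg"].append(line.strip())
    return entries

def summarize_ike(entries):
    """What the responder must match: phase-1 mode, client VIDs, mode-config, lifetimes, SPIs."""
    summary = {"phase1_mode": None, "client_vids": [], "modecfg": {}, "lifetime": {}, "spi": {}}
    for e in entries:
        msg = " ".join(e["msg"])
        if e["comp"] == "IKE" and msg.startswith("SENDING >>> ISAKMP OAK") and not summary["phase1_mode"]:
            mode = msg.split()[4]                 # "AG" = aggressive mode, "MM" = main mode
            summary["phase1_mode"] = {"AG": "aggressive", "MM": "main"}.get(mode, mode)
            summary["client_vids"] = re.findall(r"VID\(([^)]*)\)", msg)
        for key, pat in PATTERNS.items():
            m = pat.match(msg)
            if m:
                summary[key][m["k"].lower()] = m["v"]
    return summary

# Constructed excerpt in the client's format; the values mirror the entries quoted in the post.
SAMPLE_LOG = """\
5      15:23:04.402  03/26/07  Sev=Info/4\tIKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to R.R.R.R
22     15:23:04.511  03/26/07  Sev=Info/5\tIKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
26     15:23:04.511  03/26/07  Sev=Info/5\tIKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.70.10.50
39     15:23:04.558  03/26/07  Sev=Info/5\tIKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x91C6935C
40     15:23:04.558  03/26/07  Sev=Info/5\tIKE/0x63000026
Loaded INBOUND ESP SPI: 0x3D88560E
"""
```

Run over the full log, the `phase1_mode` and `client_vids` fields are the first things to compare with the responder's settings: the working client opens with aggressive mode and an XAUTH vendor ID, which matches the `aggrmode`/`xauth` path the post is trying to configure.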
