[Openswan Users] x509 setup problems

James james at nttmcl.com
Wed May 30 19:01:48 EDT 2007


James wrote:
> Gbenga wrote:
>> James wrote:
>>
>> You obviously have a problem with the connection, but I think you are not waiting for Main Mode [IKE] to complete, hence the message below. Do ipsec auto --down <conn-name> before you attempt to bring it up again. That might not solve your problem, but you will eliminate the retransmission error.
>>
> I actually already had solved it... don't remember what I did. Probably 
> remade the certificates again or something.
>
> Anyhow, I have a new problem. I'm establishing a connection but it's not 
> tunneling any traffic through.
> After I start up the connection and try to ping the VPN server it just 
> sits. I also try to ping anything on the network behind it and also get a 
> timeout.
>
> It's connecting from client to the rightsubnet=0.0.0.0/0
>
> on the server leftsubnet=0.0.0.0/0
>
>
> dhcp215:/home/james# ipsec auto --up --verbose roadwarrior-all
> 002 "roadwarrior-all" #3: initiating Main Mode
> 104 "roadwarrior-all" #3: STATE_MAIN_I1: initiate
> 003 "roadwarrior-all" #3: received Vendor ID payload [Openswan (this 
> version) 2.4.6  X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> 003 "roadwarrior-all" #3: received Vendor ID payload [Dead Peer Detection]
> 003 "roadwarrior-all" #3: received Vendor ID payload [RFC 3947] method 
> set to=110
> 002 "roadwarrior-all" #3: enabling possible NAT-traversal with method 3
> 002 "roadwarrior-all" #3: transition from state STATE_MAIN_I1 to state 
> STATE_MAIN_I2
> 106 "roadwarrior-all" #3: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "roadwarrior-all" #3: NAT-Traversal: Result using 3: no NAT detected
> 002 "roadwarrior-all" #3: I am sending my cert
> 002 "roadwarrior-all" #3: I am sending a certificate request
> 002 "roadwarrior-all" #3: transition from state STATE_MAIN_I2 to state 
> STATE_MAIN_I3
> 108 "roadwarrior-all" #3: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "roadwarrior-all" #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, 
> ST=California, L=xxx, O=xxx, CN=xxx, E=xxx'
> 002 "roadwarrior-all" #3: transition from state STATE_MAIN_I3 to state 
> STATE_MAIN_I4
> 004 "roadwarrior-all" #3: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 
> group=modp1536}
> 002 "roadwarrior-all" #5: initiating Quick Mode 
> RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#3}
> 117 "roadwarrior-all" #5: STATE_QUICK_I1: initiate
> 002 "roadwarrior-all" #5: transition from state STATE_QUICK_I1 to state 
> STATE_QUICK_I2
> 004 "roadwarrior-all" #5: STATE_QUICK_I2: sent QI2, IPsec SA established 
> {ESP=>0xa6574577 <0x307f6ba4 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x000047a6 
> <0x0000b789 NATD=none DPD=none}
>
Ok, well, I already solved all my problems with that.

Now I'm having problems with my Windows client connecting to the VPN.
I created the .p12 certificate and imported it as per the instructions and 
everything.
I went to cmd and ran ipsec.
I can't get a ping to go. I'm figuring it's because it can't establish an 
IPsec connection at all, after looking at the logs.
Dunno why, though.
TIA

Here's the auth.log from my server:
May 30 15:56:34 vpnserver pluto[26129]: packet from xxx.xxx.xxx.210:500: 
ignoring Vendor ID payload [Vid-Initial-Contact]
May 30 15:56:34 vpnserver pluto[26129]: "roadwarrior-net"[6] 
xxx.xxx.xxx.210 #6: responding to Main Mode from unknown peer 
xxx.xxx.xxx.210
May 30 15:56:34 vpnserver pluto[26129]: "roadwarrior-net"[6] 
xxx.xxx.xxx.210 #6: transition from state STATE_MAIN_R0 to state 
STATE_MAIN_R1
May 30 15:56:34 vpnserver pluto[26129]: "roadwarrior-net"[6] 
xxx.xxx.xxx.210 #6: STATE_MAIN_R1: sent MR1, expecting MI2
May 30 15:56:34 vpnserver pluto[26129]: "roadwarrior-net"[6] 
xxx.xxx.xxx.210 #6: NAT-Traversal: Result using 
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
May 30 15:56:34 vpnserver pluto[26129]: "roadwarrior-net"[6] 
xxx.xxx.xxx.210 #6: transition from state STATE_MAIN_R1 to state 
STATE_MAIN_R2
May 30 15:56:34 vpnserver pluto[26129]: "roadwarrior-net"[6] 
xxx.xxx.xxx.210 #6: STATE_MAIN_R2: sent MR2, expecting MI3
May 30 15:56:35 vpnserver pluto[26129]: "roadwarrior-net"[6] 
xxx.xxx.xxx.210 #6: next payload type of ISAKMP Hash Payload has an 
unknown value: 148
May 30 15:56:35 vpnserver pluto[26129]: "roadwarrior-net"[6] 
xxx.xxx.xxx.210 #6: malformed payload in packet
May 30 15:56:35 vpnserver pluto[26129]: "roadwarrior-net"[6] 
xxx.xxx.xxx.210 #6: sending notification PAYLOAD_MALFORMED to 
xxx.xxx.xxx.210:500
May 30 15:57:44 vpnserver pluto[26129]: "roadwarrior-net"[6] 
xxx.xxx.xxx.210 #6: max number of retransmissions (2) reached STATE_MAIN_R2
May 30 15:57:44 vpnserver pluto[26129]: "roadwarrior-net"[6] 
xxx.xxx.xxx.210: deleting connection "roadwarrior-net" instance with 
peer xxx.xxx.xxx.210 {isakmp=#0/ipsec=#0}
May 30 15:58:19 vpnserver pluto[26129]: packet from xxx.xxx.xxx.210:500: 
Informational Exchange is for an unknown (expired?) SA
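As an added example (not code from the thread or from Openswan), a small Python parser for the pluto log lines posted above: it groups messages by connection and SA number, records the "transition from state X to state Y" and "sent MRn, expecting MIn" lines, and reports whether Phase 1 (ISAKMP SA) and Phase 2 (IPsec SA) completed or, if not, in which state the exchange stopped and which errors and notifications pluto logged there. The sample input is the server auth.log and the earlier client-side "ipsec auto --up" output from this thread, re-joined onto single lines since the mailing list wrapped them; the dataclass fields, verdict strings and the set of error markers are my own choices, not anything pluto defines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Two line shapes appear in the thread: syslog lines from pluto ("May 30 ... pluto[26129]: ...")
# and the numbered lines printed by "ipsec auto --up --verbose" ("002 ...", "004 ...").
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<rest>.*)$")
WHACK_RE = re.compile(r"^\d{3} (?P<rest>.*)$")
# "conn"[instance] peer #sa: message   (instance, peer and SA number are each optional)
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"(?:\[\d+\])?(?: (?P<peer>[^#\s]\S*?))?(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
EXPECT_RE = re.compile(r"^(STATE_\w+): sent (\w+), expecting (\w+)")
NOTIFY_RE = re.compile(r"sending notification (\w+) to ")
# Substrings that mark a message as an error worth surfacing (my own list, not pluto's).
ERROR_MARKERS = ("malformed", "unknown value", "no acceptable", "failed", "cannot")


@dataclass
class SaProgress:
    conn: str
    sa: str
    peer: Optional[str]
    states: List[str] = field(default_factory=list)
    expecting: Optional[str] = None   # message pluto said it was waiting for
    isakmp_sa_up: bool = False        # Phase 1 (Main Mode) completed
    ipsec_sa_up: bool = False         # Phase 2 (Quick Mode) completed
    errors: List[str] = field(default_factory=list)
    notifications_sent: List[str] = field(default_factory=list)
    retransmit_limit_hit: bool = False

    @property
    def last_state(self) -> Optional[str]:
        return self.states[-1] if self.states else None


def parse_pluto_log(text: str) -> Dict[Tuple[str, str], SaProgress]:
    """Group pluto messages by (connection, SA number) and record how far each SA got."""
    progress: Dict[Tuple[str, str], SaProgress] = {}
    for line in text.splitlines():
        m = SYSLOG_RE.match(line) or WHACK_RE.match(line)
        if not m:
            continue
        c = CONN_RE.match(m["rest"])
        if not c or c["sa"] is None:
            continue  # "packet from ..." and "deleting connection" lines carry no SA state
        sp = progress.setdefault((c["conn"], c["sa"]), SaProgress(c["conn"], c["sa"], c["peer"]))
        msg = c["msg"]
        t, e, n = TRANSITION_RE.search(msg), EXPECT_RE.match(msg), NOTIFY_RE.search(msg)
        if t:
            if not sp.states:
                sp.states.append(t.group(1))
            sp.states.append(t.group(2))
        elif e:
            sp.expecting = e.group(3)
        elif "ISAKMP SA established" in msg:
            sp.isakmp_sa_up = True
        elif "IPsec SA established" in msg:
            sp.ipsec_sa_up = True
        elif n:
            sp.notifications_sent.append(n.group(1))
        elif "max number of retransmissions" in msg:
            sp.retransmit_limit_hit = True
        elif any(k in msg for k in ERROR_MARKERS):
            sp.errors.append(msg)
    return progress


def diagnose(progress: Dict[Tuple[str, str], SaProgress], conn: str) -> str:
    """One-line verdict for a connection: did both phases complete, and if not, where did it stop?"""
    sas = [sp for sp in progress.values() if sp.conn == conn]
    if not sas:
        return "no SA activity for this connection"
    if any(sp.ipsec_sa_up for sp in sas):
        return "ok: ISAKMP SA and IPsec SA established"
    if any(sp.isakmp_sa_up for sp in sas):
        return "phase1-ok: ISAKMP SA established but no IPsec SA (Quick Mode did not finish)"
    sp = sas[-1]
    parts = [f"phase1-failed: stopped in {sp.last_state} waiting for {sp.expecting}"]
    if sp.errors:
        parts.append("errors: " + "; ".join(sp.errors))
    if sp.notifications_sent:
        parts.append("sent notifications: " + ", ".join(sp.notifications_sent))
    if sp.retransmit_limit_hit:
        parts.append("retransmission limit reached")
    return " | ".join(parts)


# Constructed sample: the server auth.log from the post, re-joined onto single lines.
SERVER_LOG = """\
May 30 15:56:34 vpnserver pluto[26129]: packet from xxx.xxx.xxx.210:500: ignoring Vendor ID payload [Vid-Initial-Contact]
May 30 15:56:34 vpnserver pluto[26129]: "roadwarrior-net"[6] xxx.xxx.xxx.210 #6: responding to Main Mode from unknown peer xxx.xxx.xxx.210
May 30 15:56:34 vpnserver pluto[26129]: "roadwarrior-net"[6] xxx.xxx.xxx.210 #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 30 15:56:34 vpnserver pluto[26129]: "roadwarrior-net"[6] xxx.xxx.xxx.210 #6: STATE_MAIN_R1: sent MR1, expecting MI2
May 30 15:56:34 vpnserver pluto[26129]: "roadwarrior-net"[6] xxx.xxx.xxx.210 #6: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
May 30 15:56:34 vpnserver pluto[26129]: "roadwarrior-net"[6] xxx.xxx.xxx.210 #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 30 15:56:34 vpnserver pluto[26129]: "roadwarrior-net"[6] xxx.xxx.xxx.210 #6: STATE_MAIN_R2: sent MR2, expecting MI3
May 30 15:56:35 vpnserver pluto[26129]: "roadwarrior-net"[6] xxx.xxx.xxx.210 #6: next payload type of ISAKMP Hash Payload has an unknown value: 148
May 30 15:56:35 vpnserver pluto[26129]: "roadwarrior-net"[6] xxx.xxx.xxx.210 #6: malformed payload in packet
May 30 15:56:35 vpnserver pluto[26129]: "roadwarrior-net"[6] xxx.xxx.xxx.210 #6: sending notification PAYLOAD_MALFORMED to xxx.xxx.xxx.210:500
May 30 15:57:44 vpnserver pluto[26129]: "roadwarrior-net"[6] xxx.xxx.xxx.210 #6: max number of retransmissions (2) reached STATE_MAIN_R2
May 30 15:57:44 vpnserver pluto[26129]: "roadwarrior-net"[6] xxx.xxx.xxx.210: deleting connection "roadwarrior-net" instance with peer xxx.xxx.xxx.210 {isakmp=#0/ipsec=#0}
"""

# Constructed sample: the key lines of the earlier client-side "ipsec auto --up" output that did succeed.
CLIENT_LOG = """\
002 "roadwarrior-all" #3: initiating Main Mode
002 "roadwarrior-all" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "roadwarrior-all" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
002 "roadwarrior-all" #5: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#3}
004 "roadwarrior-all" #5: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa6574577 <0x307f6ba4 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x000047a6 <0x0000b789 NATD=none DPD=none}
"""

if __name__ == "__main__":
    print("roadwarrior-net:", diagnose(parse_pluto_log(SERVER_LOG), "roadwarrior-net"))
    print("roadwarrior-all:", diagnose(parse_pluto_log(CLIENT_LOG), "roadwarrior-all"))
```

Run on the server log it reports the responder stopped in STATE_MAIN_R2 waiting for MI3, with the two malformed-payload errors, the PAYLOAD_MALFORMED notification it sent and the retransmission limit, which matches the reading above that no IPsec connection was established at all; run on the earlier client output it reports both SAs established, which is the shape a completed handshake leaves in the log.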
