[Openswan Users] Endian openswan & roadwarrior

Marco Tironi tironi at 8volante.com
Mon Oct 29 04:39:14 EDT 2007


Greetings. I use openswan-2.4.7 with the latest version of Endian Firewall. I
have two roadwarriors that want to connect to the local network using a SafeNet
VPN client.

I have read two tutorials in the wiki, but they refer to Openswan v1, so
I have some problems.
- I don't know the roadwarriors' IPs and they may connect from behind a
firewall. I write this line in the file "ipsec.secret" (111.111.111.111 is
my endian firewall installation): 
###################################################
111.111.111.111 0.0.0.0 : PSK "nodeNKNK" 
###################################################
When I try to connect this is the error log for IPSEC:
###################################################
Oct 29 09:20:23 pluto[1728] "nodeNK"[1] 151.37.34.175 #7078: responding to
Main Mode from unknown peer 151.37.34.175 
Oct 29 09:20:23 pluto[1728] "nodeNK"[1] 151.37.34.175 #7078: Can't
authenticate: no preshared key found for `111.111.111.111' and `%any'.
Attribute OAKLEY_AUTHENTICATION_METHOD 
Oct 29 09:20:23 pluto[1728] "nodeNK"[1] 151.37.34.175 #7078: no acceptable
Oakley Transform 
Oct 29 09:20:23 pluto[1728] "nodeNK"[1] 151.37.34.175 #7078: sending
notification NO_PROPOSAL_CHOSEN to 151.37.34.175:500 
Oct 29 09:20:23 pluto[1728] "nodeNK"[1] 151.37.34.175: deleting connection
"nodeNK" instance with peer 151.37.34.175 {isakmp=#0/ipsec=#0} 
###################################################

- I have made a lot of tries and I can bypass the problem by setting a static
IP address in "ipsec.secret" (even if I don't really know my roadwarrior's
IP):
###################################################
111.111.111.111 151.37.34.175 : PSK "nodeNKNK" 
###################################################
- The connection is established, but during the negotiation:
###################################################
Oct 29 09:30:26 pluto[2001] packet from 151.37.34.175:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-00] 
Oct 29 09:30:26 pluto[2001] packet from 151.37.34.175:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106  
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: responding to Main Mode 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: STATE_MAIN_R1: sent MR1, expecting
MI2 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: ignoring unknown Vendor ID payload
[47bbe7c993f1fc13b4e6d0db565c68e501020101020101031131302e372e3120...] 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: ignoring unknown Vendor ID payload
[da8e937880010000] 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: received Vendor ID payload [Dead
Peer Detection] 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: received Vendor ID payload [XAUTH]

Oct 29 09:30:26 pluto[2001] "nodeNK" #12: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: STATE_MAIN_R2: sent MR2, expecting
MI3 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: ignoring informational payload,
type IPSEC_REPLAY_STATUS 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: ignoring informational payload,
type IPSEC_INITIAL_CONTACT 
Oct 29 09:30:26 pluto[2001] | protocol/port in Phase 1 ID Payload is 17/0.
accepted with port_floating NAT-T 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: Main mode peer ID is ID_IPV4_ADDR:
'192.168.0.200' 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: no suitable connection for peer
'192.168.0.200' 
Oct 29 09:30:26 pluto[2001] "nodeNK" #12: sending encrypted notification
INVALID_ID_INFORMATION to 151.37.34.175:500 
###################################################
The IP "192.168.0.200" is my roadwarrior local IP address.

How can I solve my configuration problem and ... How can I reload the ipsec
configuration without rebooting the whole system?

Many Thanks!

Marco Tironi

PS: this is my "ipsec.conf" :
###################################################
version 2

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
        nat_traversal=yes
 
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4$

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn nodeNK
        left=111.111.111.111
        leftnexthop=%defaultroute
        leftsubnet=128.1.0.0/255.255.0.0
        right=151.37.34.175
        ike=3des-md5-modp1024
        esp=3des-md5
        pfs=no
        ikelifetime=8h
        keylife=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=secret
        auto=add

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore
###################################################
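The roadwarrior settings that match what pluto is actually looking up in the log above (a secret for `111.111.111.111' and `%any', and a connection whose peer address is not fixed), written as an added illustration for openswan 2.x and not taken from Marco's post or from the Endian wiki. It assumes the same addresses as in the post, that the local subnet 128.1.0.0/16 should be excluded from virtual_private, and that the reload commands are run as root on the firewall:

```conf
# /etc/ipsec.secrets  (added example, openswan 2.x syntax)
# pluto looks for a key indexed by our address and %any; the wildcard
# peer is spelled %any, not 0.0.0.0.  Note that one PSK is then shared
# by every roadwarrior: anyone holding it can attempt to connect, so
# rotate it when a client is decommissioned.
111.111.111.111 %any : PSK "nodeNKNK"

# /etc/ipsec.conf  (only the parts that change from the posted file)
config setup
        nat_traversal=yes
        # assumption: exclude the local subnet so a NATed client cannot
        # claim an inner address inside 128.1.0.0/16
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!128.1.0.0/16

conn nodeNK
        left=111.111.111.111
        leftnexthop=%defaultroute
        leftsubnet=128.1.0.0/16
        # peer address is unknown and may change: %any instead of a fixed IP
        right=%any
        # accept the client's private (NATed) address, e.g. the
        # 192.168.0.200 ID seen in the log, or no subnet at all
        rightsubnet=vhost:%priv,%no
        ike=3des-md5-modp1024
        esp=3des-md5
        pfs=no
        ikelifetime=8h
        keylife=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=secret
        auto=add

# Reloading without a reboot:
#   ipsec auto --rereadsecrets      # after editing ipsec.secrets
#   ipsec auto --replace nodeNK     # after editing the conn section
#   ipsec setup restart             # only if "config setup" itself changed
```

With right=%any the conn becomes a template that pluto instantiates per connecting client, which is why the fixed right=151.37.34.175 rejected the 192.168.0.200 ID with INVALID_ID_INFORMATION.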
