[Openswan Users] Ipsec VPN from windows machines

Agent Smith news8080 at yahoo.com
Thu Apr 3 06:27:31 EDT 2008 

I read about that right after I posted yesterday but
thanks, I tried various kernels (2.6.24.1, 24, 24.4)
on FC7, centos 3.9 to see if I can make xfrm work with
netkey and it still doesn't, here are the logs.

as you can see from it, the first client connects in
fine but as soon as second one comes in from the same
NAT box, it fails.



Apr  2 22:40:47 med-idxgtw pluto[5378]: loading
secrets from "/etc/ipsec.secrets"
Apr  2 22:40:47 med-idxgtw pluto[5378]:   loaded
private key file '/etc/ipsec.d/private/servercert.key'
(561 bytes)
Apr  2 22:40:47 med-idxgtw pluto[5378]: "CERT": cannot
initiate connection without knowing peer IP address
(kind=CK_TEMPLATE)
Apr  2 22:40:50 med-idxgtw pluto[5378]: packet from
xx.xx.xx.xx:1026: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY 00000004]
Apr  2 22:40:50 med-idxgtw pluto[5378]: packet from
xx.xx.xx.xx:1026: ignoring Vendor ID payload
[FRAGMENTATION]
Apr  2 22:40:50 med-idxgtw pluto[5378]: packet from
xx.xx.xx.xx:1026: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[1]
xx.xx.xx.xx #1: responding to Main Mode from unknown
peer xx.xx.xx.xx
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[1]
xx.xx.xx.xx #1: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[1]
xx.xx.xx.xx #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[1]
xx.xx.xx.xx #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[1]
xx.xx.xx.xx #1: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[1]
xx.xx.xx.xx #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[1]
xx.xx.xx.xx #1: Main mode peer ID is ID_DER_ASN1_DN:
'C=US, ST=Michigan, L=Detroit, O=Wayne State
University, OU=MSIS, CN=userauth2,
E=userauth2 at domain.com'
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[1]
xx.xx.xx.xx #1: switched from "CERT" to "CERT"
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #1: deleting connection "CERT" instance
with peer xx.xx.xx.xx {isakmp=#0/ipsec=#0}
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #1: I am sending my cert
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #1: transition from state STATE_MAIN_R2 to
state STATE_MAIN_R3
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #2: responding to Quick Mode
{msgid:65e62b99}
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #2: transition from state STATE_QUICK_R0
to state STATE_QUICK_R1
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #2: STATE_QUICK_R1: sent QR1, inbound
IPsec SA installed, expecting QI2
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #2: transition from state STATE_QUICK_R1
to state STATE_QUICK_R2
Apr  2 22:40:50 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #2: STATE_QUICK_R2: IPsec SA established
{ESP=>0x0a0aaa8f <0xaa172bff xfrm=3DES_0-HMAC_SHA1
NATD=xx.xx.xx.xx:1026 DPD=none}
Apr  2 22:41:05 med-idxgtw pluto[5378]: packet from
xx.xx.xx.xx:500: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY 00000004]
Apr  2 22:41:05 med-idxgtw pluto[5378]: packet from
xx.xx.xx.xx:500: ignoring Vendor ID payload
[FRAGMENTATION]
Apr  2 22:41:05 med-idxgtw pluto[5378]: packet from
xx.xx.xx.xx:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Apr  2 22:41:05 med-idxgtw pluto[5378]: packet from
xx.xx.xx.xx:500: ignoring Vendor ID payload
[Vid-Initial-Contact]
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #3: responding to Main Mode from unknown
peer xx.xx.xx.xx
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #3: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #3: STATE_MAIN_R1: sent MR1, expecting MI2
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #3: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #3: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #3: STATE_MAIN_R2: sent MR2, expecting MI3
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #3: Main mode peer ID is ID_DER_ASN1_DN:
'C=US, ST=Michigan, L=Detroit, O=Wayne State
University, OU=MSIS, CN=userauth,
E=userauth at domain.com'
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[2]
xx.xx.xx.xx #3: switched from "CERT" to "CERT"
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
xx.xx.xx.xx #3: I am sending my cert
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
xx.xx.xx.xx #3: transition from state STATE_MAIN_R2 to
state STATE_MAIN_R3
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
xx.xx.xx.xx #3: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
xx.xx.xx.xx #3: Virtual IP xx.xx.xx.xx/32 is already
used by 'C=US, ST=Michigan, L=Detroit, O=Wayne State
University, OU=MSIS, CN=userauth2,
E=userauth2 at domain.com'
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
xx.xx.xx.xx #3: Your ID is 'C=US, ST=Michigan,
L=Detroit, O=Wayne State University, OU=MSIS,
CN=userauth, E=userauth at domain.com'
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
xx.xx.xx.xx #3: Virtual IP xx.xx.xx.xx/32 is already
used by 'C=US, ST=Michigan, L=Detroit, O=Wayne State
University, OU=MSIS, CN=userauth2,
E=userauth2 at domain.com'
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
xx.xx.xx.xx #3: Your ID is 'C=US, ST=Michigan,
L=Detroit, O=Wayne State University, OU=MSIS,
CN=userauth, E=userauth at domain.com'
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
xx.xx.xx.xx #3: cannot respond to IPsec SA request
because no connection is known for x.x.x.x[C=US,
ST=Michigan, L=Detroit, O=Wayne State University,
OU=MSIS, CN=servercert,
E=servercert at domain.com]...xx.xx.xx.xx[C=US,
ST=Michigan, L=Detroit, O=Wayne State University,
OU=MSIS, CN=userauth, E=userauth at domain.com]
Apr  2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
xx.xx.xx.xx #3: sending encrypted notification
INVALID_ID_INFORMATION to xx.xx.xx.xx:4500




--- Marco Berizzi <pupilla at hotmail.com> wrote:

> Agent Smith wrote:
> >
> > OK: I tried it on FC7 2.6.24 and it didn't work.
> >
> > what is xfrm?
> 
> it is the linux 2.6 native ipsec stack (aka netkey)
> 
> > I just patched source with NAT-T patch
> >
>
(http://openswan.org/download/openswan-2.4.x.kernel-2.6.23-natt.patch)
> > and recompiled the kernel
> >
> > make;make modules_install;make install and reboot.
> >
> > I then did openswan with make programs;make
> install
> > ;reboot
> >
> > first client connects, second one fails... I am
> not
> > using l2tp/ipsec just windows native IPSEC.
> 
> what does your logs says? Are you using psk or x509?
> 
> 
> 



      ____________________________________________________________________________________
You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.  
http://tc.deals.yahoo.com/tc/blockbuster/text5.com

More information about the Users mailing list