[Openswan Users] Problem with OpenSwan Configuration
chteh
chteh at nav6.org
Sat Aug 23 04:45:37 EDT 2008
Dear OpenSwan users,
Hello, good day to everyone. Recently I tried to install OpenSwan in our
lab, but I failed.
I have referred to different manuals, but none of them could save my day.
So I decided to post my problem to this mailing list.
I wanted to set up a VPN server so that I can access my local LAN
resources from a remote site.
My setup:

-----------                                       -------------
|Local LAN| ----- (OpenSwan VPN)--{Internet}-----| Remote Site|
-----------                                       -------------
Below is my IPSEC configuration:
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1410
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

#conn roadwarrior-net
#        leftsubnet=10.0.0.0/8
#        also=roadwarrior

#conn roadwarrior-all
#        leftsubnet=0.0.0.0/0
#        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=203.80.17.145
        leftnexthop=203.80.17.129
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

#Disable Opportunistic Encryption
When I try to connect to the VPN server using a Windows XP client, I get
"Error 792: The L2TP connection attempt failed because security
negotiation timed out".
And in my log file I got this:
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: packet from 202.170.56.245:40485: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: packet from 202.170.56.245:40485: ignoring Vendor ID payload [FRAGMENTATION]
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: packet from 202.170.56.245:40485: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: packet from 202.170.56.245:40485: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[11] 202.170.56.245 #6: responding to Main Mode from unknown peer 202.170.56.245
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[11] 202.170.56.245 #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[11] 202.170.56.245 #6: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[11] 202.170.56.245 #6: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[11] 202.170.56.245 #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[11] 202.170.56.245 #6: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[11] 202.170.56.245 #6: Main mode peer ID is ID_FQDN: '@simonx300'
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[11] 202.170.56.245 #6: switched from "roadwarrior" to "roadwarrior"
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: deleting connection "roadwarrior" instance with peer 202.170.56.245 {isakmp=#0/ipsec=#0}
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: new NAT mapping for #6, was 202.170.56.245:40485, now 202.170.56.245:40553
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: peer client type is FQDN
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: Applying workaround for MS-818043 NAT-T bug
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: IDci was FQDN: \313P\021\221, using NAT_OA=10.207.161.212/32 as IDci
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: the peer proposed: 203.80.17.145/32:0/0 -> 10.207.161.212/32:0/0
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: cannot respond to IPsec SA request because no connection is known for 203.80.17.145<203.80.17.145>[+S=C]:17/1701...202.170.56.245[@simonx300,+S=C]:17/1701===10.207.161.212/32
Aug 24 00:44:57 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: sending encrypted notification INVALID_ID_INFORMATION to 202.170.56.245:40553
Aug 24 00:44:58 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: peer client type is FQDN
Aug 24 00:44:58 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: Applying workaround for MS-818043 NAT-T bug
Aug 24 00:44:58 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: IDci was FQDN: \313P\021\221, using NAT_OA=10.207.161.212/32 as IDci
Aug 24 00:44:58 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: the peer proposed: 203.80.17.145/32:0/0 -> 10.207.161.212/32:0/0
Aug 24 00:44:58 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: cannot respond to IPsec SA request because no connection is known for 203.80.17.145<203.80.17.145>[+S=C]:17/1701...202.170.56.245[@simonx300,+S=C]:17/1701===10.207.161.212/32
Aug 24 00:44:58 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: sending encrypted notification INVALID_ID_INFORMATION to 202.170.56.245:40553
Aug 24 00:45:00 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: peer client type is FQDN
Aug 24 00:45:00 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: Applying workaround for MS-818043 NAT-T bug
Aug 24 00:45:00 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: IDci was FQDN: \313P\021\221, using NAT_OA=10.207.161.212/32 as IDci
Aug 24 00:45:00 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: the peer proposed: 203.80.17.145/32:0/0 -> 10.207.161.212/32:0/0
Aug 24 00:45:00 OpenSwanVPN pluto[6868]: "roadwarrior"[12] 202.170.56.245 #6: *cannot respond to IPsec SA request because no connection is known for 203.80.17.145<203.80.17.145>[+S=C]:17/1701...202.170.56.245[@simonx300,+S=C]:17/1701===10.207.161.212/32*
Hope to hear from you all very soon. Thanks in advance!
--
Best regards,
Simon Teh
Network and System Administrator
National Advanced IPv6
Centre of Excellence,
School of Computer Science,
Universiti Sains Malaysia
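As an added example (not code from the post above and not part of Openswan), the following Python checker takes the posted ipsec.conf and the "no connection is known for" line from the pluto log, and reports for each conn which of three matching rules fail: leftprotoport, rightprotoport (a port or protocol of 0 is treated as a wildcard, an unset protoport matches anything) and rightsubnet (vhost:%priv is resolved against the virtual_private set, honouring %v4:! exclusions). It assumes also= precedence of the conn's own parameters over the included section over conn %default, accepts numeric protoport values only, and models nothing beyond those three rules; pluto's real connection search applies further checks, so an empty failure list only says that these rules are not what is rejecting the proposal.

```python
# Added example, not Openswan code: which conn could pluto have matched?
import ipaddress
import re

# Copied from the post above, trimmed to the parameters the checker reads.
IPSEC_CONF = """\
config setup
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
        authby=secret
conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior
conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior
conn roadwarrior
        left=203.80.17.145
        right=%any
        rightsubnet=vhost:%no,%priv
"""

# The log line from the post, re-joined (the archive wrapped it).
PLUTO_LINE = ("cannot respond to IPsec SA request because no connection is known for "
              "203.80.17.145<203.80.17.145>[+S=C]:17/1701..."
              "202.170.56.245[@simonx300,+S=C]:17/1701===10.207.161.212/32")

SEL_RE = re.compile(  # local<id>[flags]:proto/port...remote[id,flags]:proto/port===subnet
    r"no connection is known for\s+(?P<left>[\d.]+)\S*?:(?P<lproto>\d+)/(?P<lport>\d+)"
    r"\.\.\.(?P<right>[\d.]+)\S*?:(?P<rproto>\d+)/(?P<rport>\d+)(?:===(?P<rsubnet>[\d./]+))?")


def parse_conf(text):
    """Split an ipsec.conf into (config setup params, {conn name: params})."""
    setup, conns, cur = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] == "#":
            continue
        if line.startswith("config setup"):
            cur = setup
        elif line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return setup, conns


def resolve(conns, name):
    """Flatten also= includes. Assumed precedence: own > also= > %default."""
    merged = dict(conns.get("%default", {}))
    for target in filter(None, conns[name].get("also", "").split(",")):
        merged.update(resolve(conns, target.strip()))
    merged.update(conns[name])
    merged.pop("also", None)
    return merged


def protoport_matches(conf_value, proto, port):
    """protoport=proto/port (numeric): 0 or %any is a wildcard; unset matches anything."""
    if not conf_value:
        return True
    cproto, cport = (0 if x == "%any" else int(x) for x in conf_value.split("/"))
    return cproto in (0, proto) and cport in (0, port)


def virtual_private(setup):
    """virtual_private=%v4:net includes, %v4:!net excludes -> (incl, excl) lists."""
    incl, excl = [], []
    for item in filter(None, setup.get("virtual_private", "").split(",")):
        family, _, net = item.partition(":")
        if family == "%v4":
            (excl if net[0] == "!" else incl).append(ipaddress.ip_network(net.lstrip("!")))
    return incl, excl


def subnet_matches(rightsubnet, proposed, incl, excl):
    """Does the peer's inner subnet (None if it offered none) fit rightsubnet?"""
    if proposed is None:
        return not rightsubnet or "%no" in rightsubnet
    if rightsubnet.startswith("vhost:"):
        if "%priv" not in rightsubnet:
            return False
        addr = ipaddress.ip_address(proposed.split("/")[0])  # NAT_OA is one host
        return any(addr in n for n in incl) and not any(addr in n for n in excl)
    if not rightsubnet:
        return False
    return ipaddress.ip_network(proposed).subnet_of(ipaddress.ip_network(rightsubnet))


def check(conf_text, pluto_line):
    """Return {conn: [failed rules]}; an empty list means all three rules fit."""
    setup, conns = parse_conf(conf_text)
    m = SEL_RE.search(pluto_line)
    if m is None:
        raise ValueError("no selector found in pluto line")
    incl, excl = virtual_private(setup)
    report = {}
    for name in conns:
        if name != "%default":
            c = resolve(conns, name)
            rules = [
                ("leftprotoport", protoport_matches(c.get("leftprotoport"), int(m["lproto"]), int(m["lport"]))),
                ("rightprotoport", protoport_matches(c.get("rightprotoport"), int(m["rproto"]), int(m["rport"]))),
                ("rightsubnet", subnet_matches(c.get("rightsubnet", ""), m["rsubnet"], incl, excl)),
            ]
            report[name] = [rule for rule, ok in rules if not ok]
    return report
```

Running check(IPSEC_CONF, PLUTO_LINE) gives an empty failure list for all three conns, so under these rules the protoport pairs and the virtual_private set are not what rejects the 17/1701 proposal from 10.207.161.212; replacing the NAT_OA with an address outside virtual_private, or the right protocol with something other than 17, makes the corresponding rule show up as the failure, which is how the checker is meant to be used on other logs.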