[Openswan Users] Advice and help to read pluto's logs

Frank Mayer frank.mayer at knapp.com
Fri Feb 8 08:21:04 EST 2008


Hello,

as far as I understand things, the Vendor ID payload describes the peer 
and its capabilities, not the actual options used.
In your case this would mean that the Cisco indicates that it can do 
XAUTH, but not that XAUTH would be used for this connection.

And concerning log line 9: yes, this is perfectly normal and has nothing 
whatsoever to do with XAUTH.

Best Regards,
  Frank Mayer

users-bounces at openswan.org wrote on 08.02.2008 10:04:33:

> Hello,
> 
> I am having difficulties reading the logs of pluto,
> devices are: openswan <-> cisco 3080
> 
> 
> 1-  #249651: initiating Main Mode
> 2-  #249651: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> 3-  #249651: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> 4-  #249651: STATE_MAIN_I2: sent MI2, expecting MR2 
> 5-  #249651: received Vendor ID payload [Cisco-Unity]
> 6-  #249651: received Vendor ID payload [XAUTH]
> 7-  #249651: ignoring unknown Vendor ID payload 
> [086a6374027ed9bbc051dd742ee98d16]
> 8-  #249651: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> 9-  #249651: I did not send a certificate because I do not have one.
> 10- #249651: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> 11- #249651: STATE_MAIN_I3: sent MI3, expecting MR3
> 12- #249651: received Vendor ID payload [Dead Peer Detection]
> 13- #249651: Main mode peer ID is ID_IPV4_ADDR: 'CISCO_PUBLIC_IP'
> 14- #249651: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> 15- #249651: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1024}
> 16- #249651: Dead Peer Detection (RFC 3706): enabled 
> 17- #249652: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#249651}
> 18- #249652: Dead Peer Detection (RFC 3706): enabled
> 19- #249652: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> 20- #249652: STATE_QUICK_I2: sent QI2, IPsec SA established 
> {ESP=>0x456b9e75 <0x7779aa6e xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}
> 
> 
> As you can see on line 6 it seems I am receiving an XAUTH
> request. However on the CISCO 3080, I have the following options for the
> authentication mode:
> 
>  Preshared key    <-----------
>  RSA digital certificate
>  DSA digital certificate
>  Preshared key (XAUTH)
>  RSA digital certificate (XAUTH)
>  DSA digital certificate (XAUTH)
>  RSA digital certificate (HYBRID)
>  DSA digital certificate (HYBRID)
> 
> 
> The "preshared key" is the one selected on the cisco 3080 device. Is
> it normal to get line 6?
> 
> Line 9: I think this is normal on my side because I didn't configure
> any certificate. Is this line the result of an XAUTH request I am not
> able to answer?
> 
> Thanks 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
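An added Python example (not from this thread or from Openswan) that applies Frank's point to the log excerpt above: it parses the pluto lines and keeps the Vendor ID payloads (what the peer advertises it can do) separate from the `auth=` attribute of the "ISAKMP SA established" line (what was actually negotiated), so a reader can tell at a glance that XAUTH was advertised but a plain preshared key was used. The sample log is re-typed from the quoted message with the mail-client line wrapping removed. Two assumptions are mine, not stated on the page: that pluto names XAUTH authentication methods with "XAUTH" in the `auth=` value, and that `ESP=>` and `<` introduce the outbound and inbound SPIs respectively.

```python
import json
import re

# Constructed sample input: the pluto log excerpt quoted in the thread,
# re-typed with the quoted-line wrapping removed (not a live capture).
SAMPLE_LOG = """\
#249651: initiating Main Mode
#249651: ignoring Vendor ID payload [FRAGMENTATION c0000000]
#249651: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
#249651: STATE_MAIN_I2: sent MI2, expecting MR2
#249651: received Vendor ID payload [Cisco-Unity]
#249651: received Vendor ID payload [XAUTH]
#249651: ignoring unknown Vendor ID payload [086a6374027ed9bbc051dd742ee98d16]
#249651: ignoring Vendor ID payload [Cisco VPN 3000 Series]
#249651: I did not send a certificate because I do not have one.
#249651: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
#249651: STATE_MAIN_I3: sent MI3, expecting MR3
#249651: received Vendor ID payload [Dead Peer Detection]
#249651: Main mode peer ID is ID_IPV4_ADDR: 'CISCO_PUBLIC_IP'
#249651: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
#249651: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
#249651: Dead Peer Detection (RFC 3706): enabled
#249652: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#249651}
#249652: Dead Peer Detection (RFC 3706): enabled
#249652: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
#249652: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x456b9e75 <0x7779aa6e xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}
"""

# Vendor ID lines ("received" or "ignoring [unknown]"): the peer's advertised capabilities only.
VID_RE = re.compile(
    r"^#(?P<sa>\d+): (?P<verb>received|ignoring(?: unknown)?) Vendor ID payload "
    r"\[(?P<vid>[^\]]+)\]"
)
PEER_RE = re.compile(r"^#(?P<sa>\d+): Main mode peer ID is (?P<idtype>\w+): '(?P<peer>[^']*)'")
# Phase 1 result: the auth= attribute here is the authentication method actually negotiated.
ISAKMP_RE = re.compile(r"^#(?P<sa>\d+): (?P<state>STATE_\w+): ISAKMP SA established \{(?P<attrs>[^}]*)\}")
IPSEC_RE = re.compile(r"^#(?P<sa>\d+): (?P<state>STATE_\w+): .*IPsec SA established \{(?P<attrs>[^}]*)\}")
# Assumption: "ESP=>" is the outbound SPI and "<" the inbound SPI in pluto's output.
SPI_RE = re.compile(r"ESP=>(?P<out>0x[0-9a-fA-F]+) <(?P<in>0x[0-9a-fA-F]+)")


def parse_attrs(text):
    """Turn 'k=v k=v ...' from inside pluto's {...} into a dict; tokens without '=' are skipped."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def summarize(log_text):
    """Split advertised capabilities (Vendor IDs) from negotiated parameters (SA lines)."""
    vids = {"received": [], "ignored": []}
    peer = isakmp = ipsec = None
    for line in log_text.splitlines():
        line = line.strip()
        if m := VID_RE.match(line):
            bucket = "received" if m["verb"] == "received" else "ignored"
            vids[bucket].append(m["vid"])
        elif m := PEER_RE.match(line):
            peer = {"sa": m["sa"], "id_type": m["idtype"], "id": m["peer"]}
        elif m := ISAKMP_RE.match(line):
            isakmp = {"sa": m["sa"], "state": m["state"], **parse_attrs(m["attrs"])}
        elif m := IPSEC_RE.match(line):
            attrs = parse_attrs(m["attrs"])
            attrs.pop("ESP", None)  # the SPI pair is parsed separately below
            ipsec = {"sa": m["sa"], "state": m["state"], **attrs}
            if spi := SPI_RE.search(m["attrs"]):
                ipsec["spi_out"], ipsec["spi_in"] = spi["out"], spi["in"]
    auth = (isakmp or {}).get("auth", "")
    return {
        "vendor_ids": vids,
        "peer": peer,
        "isakmp": isakmp,
        "ipsec": ipsec,
        # Advertised: the peer sent an XAUTH Vendor ID.  Negotiated: the Phase 1
        # auth method itself is an XAUTH variant (assumption: pluto puts "XAUTH"
        # in the auth= name for those).  Only the second one matters for the tunnel.
        "xauth_advertised": "XAUTH" in vids["received"],
        "xauth_negotiated": "XAUTH" in auth.upper(),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On the quoted log this reports `xauth_advertised` true and `xauth_negotiated` false with `auth=OAKLEY_PRESHARED_KEY`, which is the configuration the poster describes on the Cisco side; the "did not send a certificate" line is consistent with that and is not an XAUTH response. The case worth a second look when reading other logs is the reverse: `xauth_negotiated` true while the gateway is believed to be set to plain preshared key.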