[Openswan Users] Advice and help to read pluto's logs
Sebastien COUPPEY
sebastien.couppey at zero9.it
Fri Feb 8 11:07:21 EST 2008
Thanks for the answer,
So nothing to worry about
On Fri, Feb 08, 2008 at 02:21:04PM +0100, Frank Mayer wrote:
> Hello,
>
> as far as I understand things, the Vendor ID payload describes the peer
> and its capabilities, not the actual options used.
> In your case this would mean that the Cisco indicates that it can do
> XAUTH, but not that XAUTH would be used for this connection.
>
> And concerning log line 9: yes, this is perfectly normal and has nothing
> whatsoever to do with XAUTH.
>
> Best Regards,
> Frank Mayer
>
> users-bounces at openswan.org wrote on 08.02.2008 10:04:33:
>
> > Hello,
> >
> > I am having difficulties to read the logs of pluto,
> > devices are : openswan <-> cisco 3080
> >
> >
> > 1- #249651: initiating Main Mode
> > 2- #249651: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> > 3- #249651: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > 4- #249651: STATE_MAIN_I2: sent MI2, expecting MR2
> > 5- #249651: received Vendor ID payload [Cisco-Unity]
> > 6- #249651: received Vendor ID payload [XAUTH]
> > 7- #249651: ignoring unknown Vendor ID payload
> > [086a6374027ed9bbc051dd742ee98d16]
> > 8- #249651: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> > 9- #249651: I did not send a certificate because I do not have one.
> > 10- #249651: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> > 11- #249651: STATE_MAIN_I3: sent MI3, expecting MR3
> > 12- #249651: received Vendor ID payload [Dead Peer Detection]
> > 13- #249651: Main mode peer ID is ID_IPV4_ADDR: 'CISCO_PUBLIC_IP'
> > 14- #249651: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> > 15- #249651: STATE_MAIN_I4: ISAKMP SA established
> > {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> > group=modp1024}
> > 16- #249651: Dead Peer Detection (RFC 3706): enabled
> > 17- #249652: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#249651}
> > 18- #249652: Dead Peer Detection (RFC 3706): enabled
> > 19- #249652: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> > 20- #249652: STATE_QUICK_I2: sent QI2, IPsec SA established
> > {ESP=>0x456b9e75 <0x7779aa6e xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}
> >
> >
> > As you can see on line 6 it seems I am receiving an XAUTH
> > request. However on the CISCO 3080, I have the following options for the
> > authentication mode :
> >
> > Preshared key <-----------
> > RSA digital certificate
> > DSA digital certificate
> > Preshared key (XAUTH)
> > RSA digital certificate (XAUTH)
> > DSA digital certificate (XAUTH)
> > RSA digital certificate (HYBRID)
> > DSA digital certificate (HYBRID)
> >
> >
> > The "preshared key" is the one selected on the cisco 3080 device. Is
> > it normal to get the line 6 ?
> >
> > line 9 : I think this is normal on my side because I didn't configure
> > any certificate. Is this line the result of an XAUTH request I am not
> > able to answer ?
> >
> > Thanks
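
The distinction made in the reply above (Vendor ID payloads advertise what the peer can do, while the "SA established" line shows what was actually negotiated) can be checked mechanically. The following is an added example, not code from the thread or from Openswan; the function names are hypothetical, and it assumes that a negotiated XAUTH method would show "XAUTH" in the `auth=` value.

```python
import re

# Subset of the pluto log quoted in the thread above, wrapped lines rejoined.
SAMPLE = """\
2- #249651: ignoring Vendor ID payload [FRAGMENTATION c0000000]
5- #249651: received Vendor ID payload [Cisco-Unity]
6- #249651: received Vendor ID payload [XAUTH]
8- #249651: ignoring Vendor ID payload [Cisco VPN 3000 Series]
12- #249651: received Vendor ID payload [Dead Peer Detection]
15- #249651: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
20- #249652: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x456b9e75 <0x7779aa6e xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}
"""

# The optional "N- " prefix is the poster's own line numbering.
LINE = re.compile(r"^(?:\d+-\s*)?#(?P<sa>\d+):\s*(?P<msg>.*)$")
VID = re.compile(
    r"^(?P<verb>received|ignoring)(?: unknown)? Vendor ID payload\s*\[(?P<vid>[^\]]*)\]"
)
ESTABLISHED = re.compile(r"(?:ISAKMP|IPsec) SA established\s*\{(?P<params>[^}]*)\}")


def summarize(log_text):
    """Per state number: Vendor IDs the peer advertised vs. negotiated parameters."""
    out = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        entry = out.setdefault(m["sa"], {"advertised": [], "negotiated": {}})
        if v := VID.match(m["msg"]):
            entry["advertised"].append((v["vid"], v["verb"]))
        elif e := ESTABLISHED.search(m["msg"]):
            for token in e["params"].split():
                key, sep, value = token.partition("=")
                if sep:  # skip bare tokens such as the inbound SPI "<0x..."
                    entry["negotiated"][key] = value
    return out


def xauth_status(entry):
    """Return (peer_advertised_xauth, xauth_negotiated) for one ISAKMP state."""
    advertised = any(vid == "XAUTH" for vid, _ in entry["advertised"])
    # Assumption: an XAUTH auth method would carry "XAUTH" in the auth= value.
    negotiated = "XAUTH" in entry["negotiated"].get("auth", "").upper()
    return advertised, negotiated


if __name__ == "__main__":
    for sa, entry in summarize(SAMPLE).items():
        print(sa, entry["advertised"], entry["negotiated"], xauth_status(entry))
```
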