[Openswan Users] Advice and help to read pluto's logs

Sebastien COUPPEY sebastien.couppey at zero9.it
Fri Feb 8 11:07:21 EST 2008


Thanks for the answer,
So nothing to worry about

On Fri, Feb 08, 2008 at 02:21:04PM +0100, Frank Mayer wrote:
> Hello,
> 
> as far as I understand things, the Vendor ID payload describes the peer 
> and its capabilities, not the actual options used.
> In your case this would mean that the Cisco indicates that it can do 
> XAUTH, but not that XAUTH would be used for this connection.
> 
> And concerning log line 9: yes, this is perfectly normal and has nothing 
> whatsoever to do with XAUTH.
> 
> Best Regards,
>   Frank Mayer
> 
> users-bounces at openswan.org wrote on 08.02.2008 10:04:33:
> 
> > Hello,
> > 
> > I am having difficulty reading the logs of pluto.
> > The devices are: openswan <-> cisco 3080
> > 
> > 
> > 1-  #249651: initiating Main Mode
> > 2-  #249651: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> > 3-  #249651: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > 4-  #249651: STATE_MAIN_I2: sent MI2, expecting MR2 
> > 5-  #249651: received Vendor ID payload [Cisco-Unity]
> > 6-  #249651: received Vendor ID payload [XAUTH]
> > 7-  #249651: ignoring unknown Vendor ID payload [086a6374027ed9bbc051dd742ee98d16]
> > 8-  #249651: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> > 9-  #249651: I did not send a certificate because I do not have one.
> > 10- #249651: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> > 11- #249651: STATE_MAIN_I3: sent MI3, expecting MR3
> > 12- #249651: received Vendor ID payload [Dead Peer Detection]
> > 13- #249651: Main mode peer ID is ID_IPV4_ADDR: 'CISCO_PUBLIC_IP'
> > 14- #249651: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> > 15- #249651: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> > 16- #249651: Dead Peer Detection (RFC 3706): enabled
> > 17- #249652: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#249651}
> > 18- #249652: Dead Peer Detection (RFC 3706): enabled
> > 19- #249652: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> > 20- #249652: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x456b9e75 <0x7779aa6e xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}
> > 
> > 
> > As you can see on line 6, it seems I am receiving an XAUTH
> > request. However, on the CISCO 3080, I have the following options for the
> > authentication mode:
> > 
> >  Preshared key    <-----------
> >  RSA digital certificate
> >  DSA digital certificate
> >  Preshared key (XAUTH)
> >  RSA digital certificate (XAUTH)
> >  DSA digital certificate (XAUTH)
> >  RSA digital certificate (HYBRID)
> >  DSA digital certificate (HYBRID)
> > 
> > 
> > The "preshared key" is the one selected on the Cisco 3080 device. Is
> > it normal to get line 6?
> > 
> > Line 9: I think this is normal on my side because I didn't configure
> > any certificate. Is this line the result of an XAUTH request I am not
> > able to answer?
> > 
> > Thanks 
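
The distinction discussed in this thread (Vendor ID payloads advertise capabilities, while the "ISAKMP SA established" line shows what was actually negotiated) can be checked mechanically. The following is an added example, not part of the original messages or of Openswan; the function names are hypothetical, the sample is built from the log lines quoted above, and it assumes an XAUTH-based method would show "XAUTH" in the `auth=` value.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the log quoted in this thread,
# with the mail-wrapped lines rejoined and the "N-" prefixes dropped.
SAMPLE_LOG = """\
#249651: initiating Main Mode
#249651: ignoring Vendor ID payload [FRAGMENTATION c0000000]
#249651: received Vendor ID payload [Cisco-Unity]
#249651: received Vendor ID payload [XAUTH]
#249651: ignoring unknown Vendor ID payload [086a6374027ed9bbc051dd742ee98d16]
#249651: ignoring Vendor ID payload [Cisco VPN 3000 Series]
#249651: received Vendor ID payload [Dead Peer Detection]
#249651: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
#249652: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x456b9e75 <0x7779aa6e xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}
"""

VID_RE = re.compile(r"#(\d+): (received|ignoring)(?: unknown)? Vendor ID payload \[([^\]]+)\]")
SA_RE = re.compile(r"#(\d+): .*?(ISAKMP|IPsec) SA established \{([^}]*)\}")

def parse_pluto(log):
    """Return {sa_number: {"advertised": [(name, action)], "negotiated": {...}}}."""
    sas = defaultdict(lambda: {"advertised": [], "negotiated": {}})
    for line in log.splitlines():
        m = VID_RE.search(line)
        if m:
            sas[m.group(1)]["advertised"].append((m.group(3), m.group(2)))
            continue
        m = SA_RE.search(line)
        if m:
            # Keep key=value tokens only; bare tokens such as "<0x7779aa6e" are skipped.
            params = dict(tok.split("=", 1) for tok in m.group(3).split() if "=" in tok)
            sas[m.group(1)]["negotiated"] = params
    return dict(sas)

def xauth_status(sa):
    """Compare what the peer advertised with the auth method on the SA line."""
    advertised = any(name == "XAUTH" for name, _ in sa["advertised"])
    auth = sa["negotiated"].get("auth", "")
    # Assumption: an XAUTH-based method would carry "XAUTH" in the auth= value.
    return {"advertised": advertised, "auth": auth, "negotiated": "XAUTH" in auth.upper()}

if __name__ == "__main__":
    for num, sa in parse_pluto(SAMPLE_LOG).items():
        print(num, xauth_status(sa) if "auth" in sa["negotiated"] else sa["negotiated"])
```
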


