[Openswan Users] Connecting to my Company's VPN Concentrator

John Serink jserink2004 at yahoo.com
Thu Jan 24 23:52:33 EST 2008


Hello Everyone:

I'm trying to figure out how to use Openswan to connect to my company's VPN
concentrator. I'm not even sure what kind it is, but since I have no idea
which options are set up on it, it doesn't really matter at this point.

I have Windows XP running in a KVM session with slirp networking and have
loaded the Cisco VPN client inside, and it works great. I don't like this
solution, as I lose all my SMB shares while the tunnel is up, which is why I
want to do this from Openswan.

What I did do was capture all the packets going over the eth0 link, filtered for
the IP of our VPN gateway, with Wireshark and have a look. Using that as a model,
I was able to discern the following:
1. We are using PFS,
2. The pfsgroup is modp1024,
3. ike=3des-md5-modp1024

I never get to the XAUTH prompt, as the concentrator sends some sort of malformed
packet. Pluto output:
104 "christchurch" #3: STATE_MAIN_I1: initiate
003 "christchurch" #3: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "christchurch" #3: ignoring Vendor ID payload [FRAGMENTATION c0000000]
106 "christchurch" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "christchurch" #3: received Vendor ID payload [Cisco-Unity]
003 "christchurch" #3: received Vendor ID payload [XAUTH]
003 "christchurch" #3: ignoring unknown Vendor ID payload
[2203be8128857c83fbd53be51eb818ff]
003 "christchurch" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "christchurch" #3: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
003 "christchurch" #3: multiple ipsec.secrets entries with distinct secrets
match endpoints: first secret used
108 "christchurch" #3: STATE_MAIN_I3: sent MI3, expecting MR3
003 "christchurch" #3: byte 2 of ISAKMP Hash Payload must be zero, but is not
003 "christchurch" #3: malformed payload in packet


Here is the output from /var/log/messages:
Jan 25 12:36:35 jerinkturion pluto[8734]: "christchurch" #3: initiating Main
Mode
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: ignoring Vendor ID
payload [FRAGMENTATION c0000000]
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: enabling possible
NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: STATE_MAIN_I2:
sent MI2, expecting MR2
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: received Vendor ID
payload [Cisco-Unity]
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: received Vendor ID
payload [XAUTH]
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: ignoring unknown
Vendor ID payload [2203be8128857c83fbd53be51eb818ff]
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: ignoring Vendor ID
payload [Cisco VPN 3000 Series]
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: I did not send a
certificate because I do not have one.
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: multiple
ipsec.secrets entries with distinct secrets match endpoints: first secret used
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: STATE_MAIN_I3:
sent MI3, expecting MR3
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: byte 2 of ISAKMP
Hash Payload must be zero, but is not
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: malformed payload
in packet
Jan 25 12:36:36 jerinkturion pluto[8734]: | payload malformed after IV
Jan 25 12:36:36 jerinkturion pluto[8734]: |   b9 f9 a7 48  b2 b9 da 82
Jan 25 12:36:36 jerinkturion pluto[8734]: "christchurch" #3: sending
notification PAYLOAD_MALFORMED to 218.101.54.11:4500

What is interesting is what Wireshark shows.
The Openswan attempt looks like this, where I am left and the VPN concentrator
is right:
      1 0.000000    left          right         ISAKMP   Identity Protection (Main Mode)
      2 0.288503    right         left          ISAKMP   Identity Protection (Main Mode)
      3 0.291258    left          right         ISAKMP   Identity Protection (Main Mode)
      4 0.594301    right         left          ISAKMP   Identity Protection (Main Mode)
      5 0.607421    left          right         ISAKMP   Identity Protection (Main Mode)
      6 0.829992    right         left          ISAKMP   Informational
      7 0.830618    left          right         ISAKMP   Informational


and this is where it stops.
Now here is the grab from the Cisco VPN client:
      1 0.000000    left          right         ISAKMP   Identity Protection (Main Mode)
      2 0.383163    right         left          ISAKMP   Identity Protection (Main Mode)
      3 0.419154    left          right         ISAKMP   Identity Protection (Main Mode)
      4 0.742498    right         left          ISAKMP   Identity Protection (Main Mode)
      5 0.744450    right         left          ISAKMP   Identity Protection (Main Mode)
      6 0.854534    left          right         IP       Fragmented IP protocol (proto=UDP 0x11, off=0) [Reassembled in #7]
      7 0.854652    left          right         ISAKMP   Identity Protection (Main Mode)
      8 1.323399    right         left          ISAKMP   Identity Protection (Main Mode)
      9 1.324254    right         left          ISAKMP   Identity Protection (Main Mode)
     10 1.325535    right         left          ISAKMP   Identity Protection (Main Mode)
     11 1.326197    right         left          ISAKMP   Identity Protection (Main Mode)
     12 1.361859    left          right         UDPENCAP
     13 2.322741    right         left          ISAKMP   Transaction (Config Mode)
     14 11.414408   left          right         UDPENCAP
     15 11.968526   left          right         ISAKMP   Transaction (Config Mode)
     16 12.416218   right         left          ISAKMP   Transaction (Config Mode)
     17 12.434233   left          right         ISAKMP   Transaction (Config Mode)
     18 12.759932   left          right         ISAKMP   Transaction (Config Mode)
     19 13.940327   right         left          ISAKMP   Transaction (Config Mode)
     20 13.981709   left          right         ISAKMP   Quick Mode
     21 14.225927   right         left          ISAKMP   Informational
     22 14.231512   right         left          ISAKMP   Quick Mode
     23 14.252762   left          right         ISAKMP   Quick Mode
     24 22.146157   right         left          ESP      ESP (SPI=0x0465af25)

As you can see, the concentrator is sending some sort of fragmented or
malformed packet that the Cisco VPN client is either ignoring or using. Is
there any way I could help Openswan along with trying to deal with this?

Cheers,
john
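Added example (not from the post and not Openswan code): a small Python walker over the ISAKMP payload chain that performs the RESERVED-octet check behind pluto's "byte 2 of ISAKMP Hash Payload must be zero" message, plus a reassembler for the proprietary IKE fragmentation payload that the ignored FRAGMENTATION vendor ID relates to. The payload type 132 and the fragment layout (16-bit id, 8-bit number, 8-bit flags with bit 0 marking the last fragment) are assumptions from my own reading of the Cisco/Microsoft extension, and every packet byte below is constructed; the bytes in the log above are encrypted, so they cannot be walked like this without the Phase 1 keys.

```python
import struct

HDR_LEN = 28       # ISAKMP header length (RFC 2408 s.3.1)
NP_IKE_FRAG = 132  # Cisco/Microsoft IKE fragmentation payload type (assumed value, private range)
NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "Hash", 10: "Nonce", 11: "Notification", 13: "Vendor ID"}

def walk_payloads(pkt):
    """Walk the generic payload chain; raise ValueError with pluto-style wording for the checks it makes."""
    if len(pkt) < HDR_LEN or struct.unpack("!I", pkt[24:28])[0] != len(pkt):
        raise ValueError("size mismatch in ISAKMP header")
    np, off, out = pkt[16], HDR_LEN, []
    while np != 0:
        if off + 4 > len(pkt):
            raise ValueError("malformed payload in packet")
        nxt, reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if reserved != 0:  # RESERVED octet; pluto counts from 1 after reading it, hence "byte 2"
            raise ValueError(f"byte 2 of ISAKMP {NAMES.get(np, str(np))} Payload must be zero, but is not")
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("malformed payload in packet")
        out.append((np, pkt[off + 4:off + plen]))
        np, off = nxt, off + plen
    return out

def build(payloads, xchg=2):  # assemble a message from (type, body) pairs; exchange 2 = Main Mode
    chain = b"".join(struct.pack("!BBH", payloads[i + 1][0] if i + 1 < len(payloads) else 0, 0, 4 + len(b)) + b
                     for i, (_, b) in enumerate(payloads))
    hdr = b"\x11" * 8 + b"\x22" * 8 + struct.pack("!BBBBII", payloads[0][0], 0x10, xchg, 0, 0, HDR_LEN + len(chain))
    return hdr + chain  # constructed cookies, version 1.0, flags 0, message id 0

def fragment(msg, size, fid=1):
    """Split a whole message into fragment messages: id(2) number(1) flags(1, bit 0 = last) data (assumed layout)."""
    chunks = [msg[i:i + size] for i in range(0, len(msg), size)]
    return [build([(NP_IKE_FRAG, struct.pack("!HBB", fid, n, int(n == len(chunks))) + c)])
            for n, c in enumerate(chunks, 1)]

class Reassembler:  # hold fragments per id; return the original message once fragments 1..last are present
    def __init__(self):
        self.parts, self.last = {}, {}
    def feed(self, pkt):
        payloads = walk_payloads(pkt)
        if payloads[0][0] != NP_IKE_FRAG:
            return pkt  # not a fragment: hand the message up unchanged
        fid, num, flags = struct.unpack("!HBB", payloads[0][1][:4])
        self.parts.setdefault(fid, {})[num] = payloads[0][1][4:]
        if flags & 1:
            self.last[fid] = num
        if fid not in self.last or any(i not in self.parts[fid] for i in range(1, self.last[fid] + 1)):
            return None  # still waiting for fragments
        parts, n = self.parts.pop(fid), self.last.pop(fid)
        return b"".join(parts[i] for i in range(1, n + 1))
```

A peer that never advertised fragmentation support would hand each fragment to walk_payloads on its own and see only payload type 132, so the reassembly step has to sit in front of the normal Main Mode parsing.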

