[Openswan Users] VPN Debian to Astaro

Antonio Di Marco akyra84 at gmail.com
Fri Jun 6 06:39:27 EDT 2008


I'm trying to set up a LAN-to-LAN VPN with IPsec between a Linux Debian 3.1
server and an Astaro firewall.

Debian ipsec.conf:
###################################
version 2.0

config setup
        nat_traversal=no
        interfaces="ipsec0=eth0"
        klipsdebug=all
        plutodebug=all
        plutostderrlog=/tmp/pluto.log
        overridemtu=1410
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        disablearrivalcheck=true
        authby=rsasig
        esp=3des-md5
        compress=no
        pfs=no

conn to-dm
    left=xx.xxx.xx.xxx
    leftsubnet=192.168.1.0/24
    leftid=astaro
    leftrsasigkey= <-generated with ipsec showhostkey --left
    #
    right=xx.xx.xx.xx
    rightsubnet=192.168.20.0/24
    rightid=debian
    rightrsasigkey= <-took from astaro web page
    #
    auto=add
####################################

ASTARO CONFIGURATION:
Remote Gateway
	Name: debian
	GW Type: initiate connection
	Gateway: xx.xx.xx.xx
	Auth Type: RSA key
	VPN ID Type: Hostname
	VPN ID: debian
	Remote Networks: 192.168.1.0/24

Connection
	Name: VPN dm
	Remote GW: debian
	Local interface: Wan
	Policy: 3DES
	Local Networks: 192.168.1.0/24
	Auto Packet filter: Yes
	Static routing: No

###################################

debian:/etc# ipsec auto --up to-dm
104 "to-dmlogica" #7: STATE_MAIN_I1: initiate
003 "to-dmlogica" #7: ignoring Vendor ID payload [7f50cc4ebf04c2d9da73abfd69b77aa2]
003 "to-dmlogica" #7: ignoring Vendor ID payload [XAUTH]
003 "to-dmlogica" #7: received Vendor ID payload [Dead Peer Detection]
106 "to-dmlogica" #7: STATE_MAIN_I2: sent MI2, expecting MR2
010 "to-dmlogica" #7: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "to-dmlogica" #7: discarding duplicate packet; already STATE_MAIN_I2
108 "to-dmlogica" #7: STATE_MAIN_I3: sent MI3, expecting MR3
003 "to-dmlogica" #7: next payload type of ISAKMP Hash Payload has an unknown value: 54
003 "to-dmlogica" #7: malformed payload in packet
010 "to-dmlogica" #7: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "to-dmlogica" #7: next payload type of ISAKMP Hash Payload has an unknown value: 166
003 "to-dmlogica" #7: malformed payload in packet
003 "to-dmlogica" #7: discarding duplicate packet; already STATE_MAIN_I3
010 "to-dmlogica" #7: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "to-dmlogica" #7: discarding duplicate packet; already STATE_MAIN_I3
003 "to-dmlogica" #7: next payload type of ISAKMP Hash Payload has an unknown value: 176
003 "to-dmlogica" #7: malformed payload in packet

What's wrong with that?
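Added example, not part of Antonio's post and not Openswan code: a small Python script that parses the "ipsec auto --up" output quoted above and summarises how far the IKEv1 Main Mode negotiation got, how many retransmissions and duplicate packets Pluto logged, and which bogus next-payload values it reported. The log text embedded in the script is the output from the post with its wrapped lines rejoined. The only protocol fact the script relies on is that in IKEv1 Main Mode the third exchange (MI3/MR3) is the first one that is encrypted, so a Hash payload whose next-payload field decodes to values like 54, 166 or 176 means the peer's reply does not parse after decryption; the script reports where the negotiation stalled and does not claim to know why.

```python
import re

# The pluto output quoted in the post, wrapped lines rejoined (constructed
# from the page; the connection name in the log is kept as printed there).
PLUTO_LOG = """\
104 "to-dmlogica" #7: STATE_MAIN_I1: initiate
003 "to-dmlogica" #7: ignoring Vendor ID payload [7f50cc4ebf04c2d9da73abfd69b77aa2]
003 "to-dmlogica" #7: ignoring Vendor ID payload [XAUTH]
003 "to-dmlogica" #7: received Vendor ID payload [Dead Peer Detection]
106 "to-dmlogica" #7: STATE_MAIN_I2: sent MI2, expecting MR2
010 "to-dmlogica" #7: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "to-dmlogica" #7: discarding duplicate packet; already STATE_MAIN_I2
108 "to-dmlogica" #7: STATE_MAIN_I3: sent MI3, expecting MR3
003 "to-dmlogica" #7: next payload type of ISAKMP Hash Payload has an unknown value: 54
003 "to-dmlogica" #7: malformed payload in packet
010 "to-dmlogica" #7: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "to-dmlogica" #7: next payload type of ISAKMP Hash Payload has an unknown value: 166
003 "to-dmlogica" #7: malformed payload in packet
003 "to-dmlogica" #7: discarding duplicate packet; already STATE_MAIN_I3
010 "to-dmlogica" #7: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "to-dmlogica" #7: discarding duplicate packet; already STATE_MAIN_I3
003 "to-dmlogica" #7: next payload type of ISAKMP Hash Payload has an unknown value: 176
003 "to-dmlogica" #7: malformed payload in packet
"""

# Pluto lines look like: NNN "conn" #sa: message
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'\bSTATE_[A-Z]+_[IR]\d\b')
UNKNOWN_RE = re.compile(r'unknown value: (\d+)')

# IKEv1 Main Mode initiator states in the order pluto walks them;
# STATE_MAIN_I4 means the ISAKMP SA (phase 1) is established.
MAIN_I_ORDER = ["STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_MAIN_I4"]


def parse_line(line):
    """Split one pluto status line into code, conn, SA number and message; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["sa"] = int(rec["sa"])
    return rec


def analyse(log_text):
    """Report the furthest Main Mode state reached and the errors seen on the way."""
    furthest, conn, sa = None, None, None
    retrans = malformed = dupes = 0
    unknown = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        conn, sa, msg = rec["conn"], rec["sa"], rec["msg"]
        st = STATE_RE.search(msg)
        # Only 1xx lines announce a transition; 010 retransmission and 003
        # "duplicate packet" lines just repeat the state we are already in.
        if st and rec["code"] // 100 == 1 and st.group(0) in MAIN_I_ORDER:
            if furthest is None or MAIN_I_ORDER.index(st.group(0)) > MAIN_I_ORDER.index(furthest):
                furthest = st.group(0)
        if rec["code"] == 10 and "retransmission" in msg:
            retrans += 1
        if "malformed payload" in msg:
            malformed += 1
        if "discarding duplicate packet" in msg:
            dupes += 1
        u = UNKNOWN_RE.search(msg)
        if u:
            unknown.append(int(u.group(1)))

    established = furthest == "STATE_MAIN_I4"
    if established:
        verdict = "phase 1 established"
    elif furthest == "STATE_MAIN_I3" and malformed:
        # MR3 is the first encrypted Main Mode message from the responder, so a
        # reply arrives but its contents do not parse after decryption.
        verdict = "stalled at MI3/MR3: replies arrive but do not parse after decryption"
    elif furthest:
        verdict = "stalled at %s with no usable reply" % furthest
    else:
        verdict = "no Main Mode state transitions found"
    return {
        "conn": conn, "sa": sa, "furthest_state": furthest,
        "retransmissions": retrans, "malformed": malformed, "duplicates": dupes,
        "unknown_next_payload": unknown, "phase1_established": established,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in analyse(PLUTO_LOG).items():
        print("%-22s %s" % (k + ":", v))
```

Run it as-is to see the summary for the log above, or pipe your own "ipsec auto --up" output into analyse(); a negotiation that reaches STATE_MAIN_I4 is reported as phase 1 established, anything that stops earlier is reported with the last state Pluto announced.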
