[Openswan Users] VPN Debian to Astaro

Peter McGill petermcgill at goco.net
Fri Jun 6 09:41:52 EDT 2008


Antonio,

First disable the debug lines:
	#klipsdebug=none
	#plutodebug=none
They are for developer debugging, not user debugging, and only hide
the useful (to us) log info in a sea of debug info.

Second, it may be an email typo but your astaro config has both
subnets as 192.168.1.0/24, one should be 192.168.20.0/24. 

Third, it looks to me like you're mixing left/right parameters.
It is recommended for simplicity that left = local (debian) and
right = remote (astaro).
I'm guessing you should be:
conn to-dm
	left=xx.xxx.xx.xxx (debian internet ip)
	leftsubnet=192.168.1.0/24 (debian lan subnet?)
	leftid=debian
	leftrsasigkey= <-generated with ipsec showhostkey --left
	right=xx.xx.xx.xx (astaro internet ip)
	rightsubnet=192.168.20.0/24 (astaro lan subnet?)
	rightid=astaro
	rightrsasigkey= <-took from astaro web page
	auto=add

Fourth I see nothing in the astaro config that indicates to use
rightid=astaro and md5 hash. If there is nothing, then:
	#rightid=astaro
	ike=3des
	esp=3des

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 
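The checks in this reply (debug options left on, both subnets identical, left/right identities swapped relative to which host is local) can be automated. The following is an added example, not code from this thread, from Peter, or from the Openswan project: a small linter for the `config setup` and `conn` sections of an ipsec.conf. The sample configuration, the hostnames `debian`/`astaro`, and the documentation-range addresses in it are constructed to mirror the posted config; the check names and messages are this example's own.

```python
"""Lint an Openswan-style ipsec.conf for the mistakes discussed in this thread.

Constructed example; these checks are assumptions about good practice
drawn from the reply above, not an Openswan tool:
  * klipsdebug / plutodebug left on in 'config setup'
  * leftsubnet identical to rightsubnet in a conn (no sane traffic selector)
  * leftid / rightid swapped relative to which side is local
"""

# Constructed sample that reproduces the three problems from the thread
# (addresses are RFC 5737 documentation ranges, not real gateways).
SAMPLE_CONF = """\
version 2.0

config setup
        klipsdebug=all
        plutodebug=all

conn %default
        authby=rsasig
        esp=3des-md5

conn to-dm
    left=192.0.2.10
    leftsubnet=192.168.1.0/24
    leftid=astaro
    right=198.51.100.20
    rightsubnet=192.168.1.0/24
    rightid=debian
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}} from ipsec.conf text.

    A non-indented line without '=' starts a section ('config setup',
    'conn xyz'); indented or 'key=value' lines belong to the current section.
    '#' starts a comment, so commented-out options are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and "=" not in line:
            words = line.split()
            if words[0] in ("config", "conn") and len(words) > 1:
                current = f"{words[0]} {words[1]}"
                sections.setdefault(current, {})
            else:
                current = None          # e.g. the 'version 2.0' line
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def lint(sections, local_id, remote_id):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    setup = sections.get("config setup", {})
    for opt in ("klipsdebug", "plutodebug"):
        if setup.get(opt, "none") != "none":
            findings.append(
                f"setup: {opt}={setup[opt]} buries useful log lines in "
                f"developer debug output; comment it out or set it to none")
    for name, conf in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        ls, rs = conf.get("leftsubnet"), conf.get("rightsubnet")
        if ls and ls == rs:
            findings.append(
                f"{name}: leftsubnet and rightsubnet are both {ls}; "
                f"the two LAN subnets must differ")
        if conf.get("leftid") == remote_id and conf.get("rightid") == local_id:
            findings.append(
                f"{name}: leftid/rightid look swapped; use left=local "
                f"({local_id}) and right=remote ({remote_id})")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_ipsec_conf(SAMPLE_CONF), "debian", "astaro"):
        print(finding)
```

Run it as-is to see the four findings for the sample; point `parse_ipsec_conf` at the text of a real `/etc/ipsec.conf` and pass the local and remote hostnames as `local_id` / `remote_id` to check your own file.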

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Antonio Di Marco
> Sent: June 6, 2008 6:39 AM
> To: users at openswan.org
> Subject: [Openswan Users] VPN Debian to Astaro
> 
> I'm trying to setup a lan-to-lan vpn with ipsec between a 
> linux debian 3.1
> server and an Astaro Firewall.
> 
> Debian ipsec.conf:
> ###################################
> version 2.0
> 
> config setup
>         nat_traversal=no
>         interfaces="ipsec0=eth0"
>         klipsdebug=all
>         plutodebug=all
>         plutostderrlog=/tmp/pluto.log
>         overridemtu=1410
>         
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> 
> conn %default
>         disablearrivalcheck=true
>         authby=rsasig
>         esp=3des-md5
>         compress=no
>         pfs=no
> 
> conn to-dm
>     left=xx.xxx.xx.xxx
>     leftsubnet=192.168.1.0/24
>     leftid=astaro
>     leftrsasigkey= <-generated with ipsec showhostkey --left
>     #
>     right=xx.xx.xx.xx
>     rightsubnet=192.168.20.0/24
>     rightid=debian
>     rightrsasigkey= <-took from astaro web page
>     #
>     auto=add
> ####################################
> 
> ASTARO CONFIGURATION:
> Remote Gateway
> 	Name: debian
> 	GW Type: initiate connection
> 	Gateway: xx.xx.xx.xx
> 	Auth Type: RSA key
> 	VPN ID Type: Hostname
> 	VPN ID: debian
> 	Remote Networks: 192.168.1.0/24
> 
> Connection
> 	Name: VPN dm
> 	Remote GW: debian
> 	Local interface: Wan
> 	Policy: 3DES
> 	Local Networks: 192.168.1.0/24
> 	Auto Packet filter: Yes
> 	Static routing: No
> 
> ###################################
> 
> debian:/etc# ipsec auto --up to-dm
> 104 "to-dmlogica" #7: STATE_MAIN_I1: initiate
> 003 "to-dmlogica" #7: ignoring Vendor ID payload
> [7f50cc4ebf04c2d9da73abfd69b77aa2]
> 003 "to-dmlogica" #7: ignoring Vendor ID payload [XAUTH]
> 003 "to-dmlogica" #7: received Vendor ID payload [Dead Peer Detection]
> 106 "to-dmlogica" #7: STATE_MAIN_I2: sent MI2, expecting MR2
> 010 "to-dmlogica" #7: STATE_MAIN_I2: retransmission; will wait 20s for
> response
> 003 "to-dmlogica" #7: discarding duplicate packet; already 
> STATE_MAIN_I2
> 108 "to-dmlogica" #7: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "to-dmlogica" #7: next payload type of ISAKMP Hash Payload has an
> unknown value: 54
> 003 "to-dmlogica" #7: malformed payload in packet
> 010 "to-dmlogica" #7: STATE_MAIN_I3: retransmission; will wait 20s for
> response
> 003 "to-dmlogica" #7: next payload type of ISAKMP Hash Payload has an
> unknown value: 166
> 003 "to-dmlogica" #7: malformed payload in packet
> 003 "to-dmlogica" #7: discarding duplicate packet; already 
> STATE_MAIN_I3
> 010 "to-dmlogica" #7: STATE_MAIN_I3: retransmission; will wait 40s for
> response
> 003 "to-dmlogica" #7: discarding duplicate packet; already 
> STATE_MAIN_I3
> 003 "to-dmlogica" #7: next payload type of ISAKMP Hash Payload has an
> unknown value: 176
> 003 "to-dmlogica" #7: malformed payload in packet
> 
> What's wrong with that?
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
