[Openswan Users] Please help me with openSuSE 10.3 host and Vista clients
Wei-min Lee
weiminlee at sbcglobal.net
Sun Mar 2 18:42:14 EST 2008
Hi, I'm at the point where my Vista client will generate the following
messages on the server but never completes the connection. I'm using mostly
the default configurations as well as copying some of the delivered example
configurations; see below. I'm currently on the same switch with the host
because I'm trying to validate the configurations before I send the host to
its final destination. The Vista connection settings are as described in
http://www.jacco2.dds.nl/networking/vista-openswan.html using PSK only for
now. Thanks in advance.
Log messages:
Mar 2 14:37:36 dwelnxsrv1 pluto[1864]: packet from 192.168.2.22:500:
received and ignored informational message
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: packet from 192.168.2.22:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000005]
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: packet from 192.168.2.22:500:
received Vendor ID payload [RFC 3947] method set to=110
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: packet from 192.168.2.22:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 110
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: packet from 192.168.2.22:500:
ignoring Vendor ID payload [FRAGMENTATION]
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: packet from 192.168.2.22:500:
ignoring unknown Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: packet from 192.168.2.22:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: packet from 192.168.2.22:500:
ignoring unknown Vendor ID payload [e3a5966a76379fe707228231e5ce8652]
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3:
responding to Main Mode from unknown peer 192.168.2.22
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3:
Diffie-Hellamn group 20 is not a supported modp group. Attribute
OAKLEY_GROUP_DESCRIPTION
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3:
Diffie-Hellamn group 19 is not a supported modp group. Attribute
OAKLEY_GROUP_DESCRIPTION
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3:
STATE_MAIN_R1: sent MR1, expecting MI2
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3:
STATE_MAIN_R2: sent MR2, expecting MI3
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3:
Main mode peer ID is ID_IPV4_ADDR: '192.168.2.22'
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3:
I did not send a certificate because I do not have one.
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #4:
responding to Quick Mode {msgid:01000000}
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #4:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #4:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #4:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #4:
STATE_QUICK_R2: IPsec SA established {ESP=>0x07e8e2ed <0xcd6525f3
xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
# This file: /usr/share/doc/packages/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg: plutodebug="control parsing"
    #
    # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    #
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    #
    # Certificate Revocation List handling:
    #crlcheckinterval=600
    #strictcrlpolicy=yes
    #
    # Change rp_filter setting? (default is 0, disabled)
    # See also setting in the /etc/sysctl.conf file!
    #rp_filter=%unchanged
    #
    # Workaround to setup all tunnels immediately, since the new default
    # of "plutowait=no" causes "Resource temporarily unavailable" errors
    # for the first connect attempt over each tunnel, that is delayed to
    # be established later / on demand.
    # With "plutowait=yes" pluto waits for each negotiation attempt
    # that is part of startup to finish, before proceeding with the next.
    plutowait=yes
    #
    # enable this if you see "failed to find any available worker"
    nhelpers=0
# default settings for connections
conn %default
    # keyingtries default to %forever
    #keyingtries=3
    keyingtries=3
    # Sig keys (default: %dnsondemand)
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    # Lifetimes, defaults are 1h/8hrs
    #ikelifetime=20m
    #keylife=1h
    #rekeymargin=8m
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
# For sample VPN connections, see /etc/ipsec.d/examples/
# Add connections here
# Configuration supporting multiple users with any type of
# IPsec/L2TP client. This includes the updated Windows 2000/XP
# (MS KB Q818043), Vista and Mac OS X 10.3+ but excludes the
# non-updated Windows 2000/XP.
#
# Authenticates through a Pre-Shared Key. Supports clients that
# are not behind NAT. Does not support clients that are behind NAT.
conn l2tp-X.509
    #
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    #
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    authby=rsasig
    pfs=no
    auto=add
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Do not enable the line below. It is implicitly used, and
    # specifying it will currently break when using nat-t.
    # type=transport. See http://bugs.xelerance.com/view.php?id=466
    #
    left=%defaultroute
    # or you can use: left=YourIPAddress
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/dh1024.pem
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%priv,%no
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    #
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    #
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    #
    # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
    # YourIPAddress %any: "sharedsecret"
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    type=transport
    #
    left=%defaultroute
    # or you can use: left=YourIPAddress
    #
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightprotoport=17/1701
Wei-min Lee
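As an added example (not from the post and not Openswan's own code), a small Python parser for pluto log lines of the shape quoted above: it groups messages by IKE state number (#N), records state transitions, unsupported-proposal warnings and the parameters printed at "SA established", and reports how far the negotiation got so that debugging starts at the right layer. The sample lines are constructed copies of the post's log; the verdict strings are this example's own wording.

```python
import re
from collections import defaultdict

# Constructed sample: copies of the pluto lines quoted in the post, unwrapped
SAMPLE_LOG = """\
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: packet from 192.168.2.22:500: received Vendor ID payload [RFC 3947] method set to=110
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3: Diffie-Hellamn group 20 is not a supported modp group. Attribute OAKLEY_GROUP_DESCRIPTION
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Mar 2 14:39:44 dwelnxsrv1 pluto[1864]: "L2TP-PSK-noNAT"[2] 192.168.2.22 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0x07e8e2ed <0xcd6525f3 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
"""

# Per-state-object lines look like: pluto[PID]: "conn"[n] PEER #SA: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
TRANS_RE = re.compile(r"transition from state (\S+) to state (\S+)")
ESTAB_RE = re.compile(r"(ISAKMP|IPsec) SA established \{(.*)\}")


def parse_pluto(log):
    """Group pluto messages by IKE state number (#N) and pull out what was negotiated."""
    sas = defaultdict(lambda: {"states": [], "established": None, "params": {}, "warnings": []})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # "packet from ..." lines carry no state number; skip them
        rec = sas[int(m["sa"])]
        rec["conn"], rec["peer"], msg = m["conn"], m["peer"], m["msg"]
        t = TRANS_RE.match(msg)
        if t:
            rec["states"].append(t.group(2))
        e = ESTAB_RE.search(msg)
        if e:
            rec["established"] = e.group(1)
            # "key=value" or "ESP=>spi" pairs inside the braces
            rec["params"].update(re.findall(r"(\w+)=>?(\S+)", e.group(2)))
        if "not a supported" in msg:
            rec["warnings"].append(msg)  # rejected proposals are logged, not fatal
    return dict(sas)


def diagnose(sas):
    """Say how far the negotiation got, so debugging starts at the right layer."""
    phases = {rec["established"] for rec in sas.values()}
    if "IPsec" in phases:
        return "IPsec SA established: IKE phases 1 and 2 completed, look at the L2TP layer (UDP 1701)"
    if "ISAKMP" in phases:
        return "ISAKMP SA only: Quick Mode (phase 2) did not complete, check phase 2 proposals/protoport"
    return "no ISAKMP SA: Main Mode (phase 1) did not complete, check PSK and phase 1 proposals"
```

Run on the log in the post it reports that both IKE phases completed, which points the search past IPsec, to the L2TP side of the connection.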