[Openswan Users] Installation/setup issues...

Mark Williams mwp at mwp.id.au
Tue Mar 4 09:51:22 EST 2008


Greetings all,

First, while I'm a long-time Linux user, this is my first time setting
up a VPN client.

I'm trying to connect to my company's VPN, which is also running Openswan.
The Linux box I'm trying to connect to the VPN server with is behind a
DSL router (does NAT).
I'm using NETKEY with the latest 2.6.24 kernel.

My conf file looks like:

config setup
    plutodebug=all
    nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    OE=off

conn cf
    type=transport
    keyingtries=3
    rekey=yes
    pfs=no
    authby=secret
    left=<my-lan-ip>
    leftnexthop=<my-inet-ip>
    leftprotoport=17/1701
    right=<vpn-servers-ip>
    rightprotoport=17/1701
    auto=add

Starting pluto, I got in the syslog:

Mar  5 00:18:20 linux ipsec_setup: ...Openswan IPsec started
Mar  5 00:18:20 linux ipsec_setup: Starting Openswan IPsec U2.5.17/K2.6.24.3...
Mar  5 00:18:20 linux ipsec_setup: WARNING: interfaces= is ignored when using the NETKEY stack
Mar  5 00:18:20 linux ipsec_setup: Trying hardware random, this may fail, which is okay.
Mar  5 00:18:20 linux ipsec_setup: Trying to load all NETKEY modules:xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro xfrm6_mode_transport xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel xfrm4_mode_beet esp4 esp6 ah4 ah6 ipcomp ipcomp6 af_key
Mar  5 00:18:20 linux ipsec_setup: Trying VIA padlock driver, this may fail, which is okay.
Mar  5 00:18:20 linux ipsec_setup: Trying to load Crypto API modules, some may fail, which is okay.
Mar  5 00:18:20 linux ipsec_setup: aes-x86_64 aes des sha512 sha256 md5 cbc xcbc ecb twofish blowfish serpent
Mar  5 00:18:20 linux ipsec__plutorun: 002 added connection description "cf"

On trying to connect I get:

[root at linux sbin]# ./ipsec auto --up cf
104 "cf" #1: STATE_MAIN_I1: initiate
003 "cf" #1: ignoring unknown Vendor ID payload [4f457a7d4646466667725f65]
003 "cf" #1: received Vendor ID payload [Dead Peer Detection]
003 "cf" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "cf" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "cf" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "cf" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "cf" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1536}
117 "cf" #2: STATE_QUICK_I1: initiate
010 "cf" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "cf" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "cf" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "cf" #2: starting keying attempt 2 of at most 3, but releasing whack
[root at linux sbin]#

Is there anything obviously wrong here?
Where does the rest of the debugging info (I assume there is a more
detailed message somewhere) get spat out to?

Thanks for any help!
Mark W.
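An added helper for reading output like the above (my own example, not Mark's or Openswan's code): it parses the `NNN "conn" #N: message` records pluto prints, tracks which state each SA reached, and reports whether the negotiation stalled in Phase 1 (Main Mode) or Phase 2 (Quick Mode). The sample log is the post's own lines, rejoined into single records; the record format is assumed from the post.

```python
import re

# Constructed sample: the "ipsec auto --up cf" output from the post, wrapped lines rejoined.
SAMPLE_LOG = """\
104 "cf" #1: STATE_MAIN_I1: initiate
003 "cf" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "cf" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "cf" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "cf" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "cf" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1536}
117 "cf" #2: STATE_QUICK_I1: initiate
010 "cf" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "cf" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "cf" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Assumed record shape (taken from the post): 3-digit code, quoted conn name, "#<sa>:", message.
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r"(STATE_[A-Z0-9_]+)")

def parse_pluto_log(text):
    """Summarise per-SA progress: last state seen, retransmission count, exhaustion, NAT result."""
    summary = {"nat_detected": None, "isakmp_sa": None, "sas": {}}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto record (blank line, shell prompt, ...)
        sa = summary["sas"].setdefault(int(m["sa"]),
             {"conn": m["conn"], "last_state": None, "retransmissions": 0, "exhausted": False})
        msg = m["msg"]
        if (s := STATE_RE.search(msg)):
            sa["last_state"] = s.group(1)
        if "retransmission;" in msg:
            sa["retransmissions"] += 1
        if "max number of retransmissions" in msg:
            sa["exhausted"] = True  # peer never answered this exchange
        if "NAT-Traversal: Result" in msg:
            summary["nat_detected"] = "i am NATed" in msg
        if "ISAKMP SA established" in msg:
            params = re.search(r"\{([^}]*)\}", msg).group(1).split()
            summary["isakmp_sa"] = dict(kv.split("=", 1) for kv in params)
    return summary

def diagnose(summary):
    """Name the phase where negotiation stopped, so the right log is consulted next."""
    sas = summary["sas"]
    if 1 not in sas or sas[1]["last_state"] != "STATE_MAIN_I4":
        return "Phase 1 (Main Mode) did not complete: check PSK, IKE proposal and NAT-T settings"
    if any(sa["exhausted"] and (sa["last_state"] or "").startswith("STATE_QUICK") for sa in sas.values()):
        return ("Phase 1 done; Phase 2 (Quick Mode) got no reply: the peer silently rejected the "
                "IPsec proposal or traffic selectors, so its own pluto log holds the reason")
    return "negotiation completed"
```

Because the responder answers a rejected Quick Mode proposal with silence rather than an error, the client-side output can only show *where* it stalled; the server's pluto log is where the reason is recorded.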

