[Openswan Users] Getting there....
Peter McGill
petermcgill at goco.net
Thu Mar 13 16:14:18 EDT 2008
Check your firewall(s) on both ends, and check the linksys logs.
You must allow ipsec (and ipsec encapsulated traffic) in your firewalls.
protocol port description
17 500 udp:isakmp
50 esp
You must allow the above inbound and outbound on your internet interfaces.
You must also allow the subnet-to-subnet traffic.
Peter McGill
_____
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Chris Thomas
Sent: March 13, 2008 4:06 PM
To: users at openswan.org
Subject: Re: [Openswan Users] Getting there....
OK, I changed my Linksys box to 1024 bit and I now have this:
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: ignoring unknown Vendor ID payload
[4f4540454371496d7a684644]
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received Vendor ID payload [Dead Peer Detection]
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received Vendor ID payload [RFC 3947] meth=110, but port
floating is off
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP) #9: responding to Main Mode from unknown peer (remote site
IP)
Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP) #9: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP) #9: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 13 16:02:28 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP) #7: max number of retransmissions (2) reached
STATE_MAIN_R1
Thanks
-Chris
From: Peter McGill [mailto:petermcgill at goco.net]
Sent: Thursday, March 13, 2008 3:50 PM
To: Chris Thomas; users at openswan.org
Subject: RE: [Openswan Users] Getting there....
There is a mismatch in your options, specifically your DH/modp Group.
Diffie-Hellman (DH) Group needs to match openswan's ike=*-modp????
I'm guessing that your linksys is sending Diffie-Hellmen (DH) Group 1 (768-bit).
Openswan will not allow this because it's too weak of security.
If you have ike=3des-md5-modp1024 or ike=aes-sha1-modp1024 as I suggested,
then change your linksys to use Group 2 (1024-bit) to match it.
Peter McGill
_____
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Chris Thomas
Sent: March 13, 2008 3:40 PM
To: users at openswan.org
Subject: [Openswan Users] Getting there....
Hello again, everyone. I have configured my Linksys box to connect to my Ubuntu server running OpenSwan, but when I attempt to
initiate the connection, my logs on the server at HQ get full of this stuff:
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote site external IP):500: ignoring unknown Vendor ID payload
[4f4540454371496d7a684644]
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote site external IP):500: received Vendor ID payload [Dead Peer Detection]
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote site external IP):500: received Vendor ID payload [RFC 3947] meth=110,
but port floating is off
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote site external IP):500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote site external IP):500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote site external IP):500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP) #1: responding to Main Mode from unknown peer
(remote site external IP)
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP) #1: only OAKLEY_GROUP_MODP1024 and
OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP) #1: no acceptable Oakley Transform
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP) #1: sending notification NO_PROPOSAL_CHOSEN to
(remote site external IP):500
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP): deleting connection "pax_square" instance with
peer (remote site external IP) {isakmp=#0/ipsec=#0}
I am assuming that it has something to do with the Preshared key that I am using, but I am not too sure how to go about fixing it.
I do not want to be a nuisance, but can anyone give me a (another) push in the right direction?
I appreciate your patience.
-Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080313/8d6c2ec9/attachment-0001.html
More information about the Users
mailing list