[Openswan Users] Getting there....

Peter McGill petermcgill at goco.net
Thu Mar 13 16:14:18 EDT 2008


Check your firewall(s) on both ends, and check the linksys logs.
You must allow ipsec (and ipsec encapsulated traffic) in your firewalls.

protocol    port    description
17          500     udp:isakmp
50          -       esp

You must allow the above inbound and outbound on your internet interfaces.
You must also allow the subnet-to-subnet traffic.

Peter McGill



From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Chris Thomas
Sent: March 13, 2008 4:06 PM
To: users at openswan.org
Subject: Re: [Openswan Users] Getting there....



OK, I changed my Linksys box to 1024-bit and I now have this:

Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644]
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received Vendor ID payload [Dead Peer Detection]
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP) #9: responding to Main Mode from unknown peer (remote site IP)
Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP) #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP) #9: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 13 16:02:28 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP) #7: max number of retransmissions (2) reached STATE_MAIN_R1

Thanks

-Chris


From: Peter McGill [mailto:petermcgill at goco.net] 
Sent: Thursday, March 13, 2008 3:50 PM
To: Chris Thomas; users at openswan.org
Subject: RE: [Openswan Users] Getting there....

There is a mismatch in your options, specifically your DH/modp Group.
Diffie-Hellman (DH) Group needs to match openswan's ike=*-modp????
I'm guessing that your linksys is sending Diffie-Hellman (DH) Group 1 (768-bit).
Openswan will not allow this because its security is too weak.
If you have ike=3des-md5-modp1024 or ike=aes-sha1-modp1024 as I suggested,
then change your linksys to use Group 2 (1024-bit) to match it.

Peter McGill
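The two diagnoses in this thread (the DH group mismatch above and the firewall check in the later reply) as an added Python triage over pluto log lines; this is example code written for this page, not Openswan's or the posters' own. The finding codes, the advice wording and the peer address 203.0.113.5 (standing in for the redacted IP) are this example's own constructions.

```python
import re
# One pluto syslog line: timestamp, host, pid, then an optional '"conn"[inst] peer #state: ' prefix.
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+)(?: #(?P<state>\d+))?: )?'
    r'(?P<msg>.*)$')

# (pattern, finding code, advice) for the signatures seen in this thread. The codes and the advice
# wording are this example's own, not pluto terminology.
RULES = [
    (re.compile(r'only OAKLEY_GROUP_\w+ and OAKLEY_GROUP_\w+ supported'), 'dh_group_rejected',
     'peer offered a DH group pluto rejects; set the peer to Group 2 (1024-bit) to match ike=*-modp1024'),
    (re.compile(r'no acceptable Oakley Transform|NO_PROPOSAL_CHOSEN'), 'phase1_proposal_mismatch',
     'Phase 1 proposals differ; compare cipher, hash and DH group on both ends'),
    (re.compile(r'Vendor ID payload \[.+\].*but port floating is off'), 'natt_offered_but_off',
     'peer advertises NAT-T but local port floating is off; matters only if a NAT sits between the peers'),
    (re.compile(r'max number of retransmissions \(\d+\) reached STATE_MAIN_R1'), 'stalled_after_mr1',
     'MR1 went out but MI2 never came back; allow UDP 500 and ESP (protocol 50) on both firewalls'),
]

def parse_pluto_line(line):
    """Return the fields of one pluto line, or None if the line is not from pluto."""
    m = PLUTO_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Count how often each failure signature occurs, keyed by finding code."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_pluto_line(line)
        if rec is not None:
            for pattern, code, _ in RULES:
                if pattern.search(rec['msg']):
                    findings[code] = findings.get(code, 0) + 1
    return findings

def report(log_text):
    """One advice line per finding, most frequent first."""
    advice = {code: text for _, code, text in RULES}
    found = triage(log_text)
    return [f'{code} x{n}: {advice[code]}' for code, n in sorted(found.items(), key=lambda kv: -kv[1])]
# Constructed sample: the diagnostic lines from the two posts, with 203.0.113.5 standing in for the redacted peer IP.
SAMPLE_LOG = """\
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from 203.0.113.5:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 203.0.113.5 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 203.0.113.5 #1: no acceptable Oakley Transform
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 203.0.113.5 #1: sending notification NO_PROPOSAL_CHOSEN to 203.0.113.5:500
Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] 203.0.113.5 #9: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 13 16:02:28 gatekeeper pluto[11850]: "pax_square"[5] 203.0.113.5 #7: max number of retransmissions (2) reached STATE_MAIN_R1
"""
```

Running `report(SAMPLE_LOG)` on a real /var/log/auth.log or syslog extract works the same way, as long as the peer field is a bare address rather than the redacted placeholder used in the posts.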



From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Chris Thomas
Sent: March 13, 2008 3:40 PM
To: users at openswan.org
Subject: [Openswan Users] Getting there....

Hello again, everyone.  I have configured my Linksys box to connect to my Ubuntu server running OpenSwan, but when I attempt to
initiate the connection, my logs on the server at HQ get full of this stuff:

Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote site external IP):500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644]
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote site external IP):500: received Vendor ID payload [Dead Peer Detection]
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote site external IP):500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote site external IP):500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote site external IP):500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote site external IP):500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP) #1: responding to Main Mode from unknown peer (remote site external IP)
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP) #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP) #1: no acceptable Oakley Transform
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP) #1: sending notification NO_PROPOSAL_CHOSEN to (remote site external IP):500
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP): deleting connection "pax_square" instance with peer (remote site external IP) {isakmp=#0/ipsec=#0}

I am assuming that it has something to do with the Preshared key that I am using, but I am not too sure how to go about fixing it.
I do not want to be a nuisance, but can anyone give me a (another) push in the right direction?

I appreciate your patience.

-Chris
