[Openswan Users] Problem between openswan server and Windows XP client

Michael Shiels MaSSoft at massoftware.com
Thu May 22 20:01:13 EDT 2008


HELP!!!!!
 
The client is on a public IP, not natted (I removed the nat configuration
for testing)
The server is on a public IP, but also has associated with it lots of
internal machines/private subnet.
laptopd is the direct connect configuration, and I have laptopn which is the
natted one, just so I can tinker/test with this.
AS WELL I have 5-6 working VPN connections with a client Cisco box with no
problems at all.
 
configuration file is as follows
 
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        #klipsdebug=all
        #plutodebug=all
        nat_traversal=yes
 
virtual_private="%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!192.168.124.0/24"

conn laptopd
        auth=esp
        authby=secret
        pfs=no
        left=%defaultroute
        leftprotoport=17/1701
        leftupdown=/usr/lib/ipsec/_updownnoroute
        right=%any
        rightprotoport=17/%any
        rightupdown=/usr/lib/ipsec/_updownnoroute
        auto=add

 
SOMEHOW we end up in a funky rekeying situation. I have not been able to
capture packets/logs yet from the Windows end, but I may try that soon; the
problem is the machines are quite a distance apart right now, so it is hard to
debug/work on this too much.
 
My openswan logs show the following, and I just noticed the first (#1) main
mode got modp2048, while the #3 main mode got modp1024. Interesting.
 
May 21 09:47:36 firewall pluto[15606]: packet from 74.210.20.96:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 21 09:47:36 firewall pluto[15606]: packet from 74.210.20.96:500: ignoring Vendor ID payload [FRAGMENTATION]
May 21 09:47:36 firewall pluto[15606]: packet from 74.210.20.96:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 21 09:47:36 firewall pluto[15606]: packet from 74.210.20.96:500: ignoring Vendor ID payload [Vid-Initial-Contact]
May 21 09:47:36 firewall pluto[15606]: "laptopn"[1] 74.210.20.96 #1: responding to Main Mode from unknown peer 74.210.20.96
May 21 09:47:36 firewall pluto[15606]: "laptopn"[1] 74.210.20.96 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 21 09:47:36 firewall pluto[15606]: "laptopn"[1] 74.210.20.96 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 21 09:47:37 firewall pluto[15606]: "laptopn"[1] 74.210.20.96 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
May 21 09:47:37 firewall pluto[15606]: "laptopn"[1] 74.210.20.96 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 21 09:47:37 firewall pluto[15606]: "laptopn"[1] 74.210.20.96 #1: STATE_MAIN_R2: sent MR2, expecting MI3
May 21 09:47:37 firewall pluto[15606]: "laptopn"[1] 74.210.20.96 #1: Main mode peer ID is ID_IPV4_ADDR: '74.210.20.96'
May 21 09:47:37 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #1: deleting connection "laptopn" instance with peer 74.210.20.96 {isakmp=#0/ipsec=#0}
May 21 09:47:37 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #1: I did not send a certificate because I do not have one.
May 21 09:47:37 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 21 09:47:37 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp20
May 21 09:47:37 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #2: responding to Quick Mode {msgid:87418ca6}
May 21 09:47:37 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 21 09:47:37 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 21 09:47:38 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 21 09:47:38 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x222e4dfb <0x97a8cc19 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: initiating Main Mode to replace #1
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: ignoring Vendor ID payload [FRAGMENTATION]
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: STATE_MAIN_I2: sent MI2, expecting MR2
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: I did not send a certificate because I do not have one.
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: STATE_MAIN_I3: sent MI3, expecting MR3
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: Main mode peer ID is ID_IPV4_ADDR: '74.210.20.96'
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May 21 10:43:08 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #2 {using isakmp#3}
May 21 10:43:08 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: ignoring informational payload, type INVALID_ID_INFORMATION
May 21 10:43:08 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: received and ignored informational message
May 21 10:44:18 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #4: max number of retransmissions (2) reached STATE_QUICK_I1
May 21 10:44:18 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #4: starting keying attempt 2 of an unlimited number
May 21 10:44:18 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #4 {using isakmp#3}
May 21 10:44:18 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: ignoring informational payload, type INVALID_ID_INFORMATION
May 21 10:44:18 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: received and ignored informational message
May 21 10:45:28 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #5: max number of retransmissions (2) reached STATE_QUICK_I1
May 21 10:45:28 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #5: starting keying attempt 3 of an unlimited number
May 21 10:45:28 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #5 {using isakmp#3}
May 21 10:45:28 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: ignoring informational payload, type INVALID_ID_INFORMATION
May 21 10:45:28 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: received and ignored informational message
May 21 10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #7: responding to Quick Mode {msgid:38485bd0}
May 21 10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #7: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 21 10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #7: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 21 10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #7: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 21 10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #7: STATE_QUICK_R2: IPsec SA established {ESP=>0x30e532c3 <0x144d7c04 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
May 21 10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #1: received Delete SA(0x222e4dfb) payload: deleting IPSEC State #2
May 21 10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #1: received and ignored informational message
May 21 10:46:38 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #6: max number of retransmissions (2) reached STATE_QUICK_I1
May 21 10:46:38 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #6: starting keying attempt 4 of an unlimited number

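As an added example (not part of the original post, and not Openswan code): a small Python script that parses pluto log lines like the ones above and flags the two things the post points at, the DH group changing between ISAKMP SA #1 and its replacement #3, and the Quick Mode rekeys that openswan initiates under #3 which are answered only with INVALID_ID_INFORMATION and then hit the retransmission limit. The sample log embedded in the script is a constructed, shortened copy of the post's lines (the cut-off group value on the #1 line is taken from the author's own remark that it was modp2048). The regexes, the `fail_threshold` value and the function names are this example's own assumptions.

```python
"""Added example, not from the original mailing-list post or from Openswan:
parse Openswan pluto log lines and flag (a) an ISAKMP SA replacement that
negotiated a different DH group than the SA it replaces and (b) Quick Mode
rekeys under one ISAKMP SA that only draw INVALID_ID_INFORMATION and time
out. SAMPLE_LOG is a constructed, shortened copy of the post's log lines."""

import re
from collections import defaultdict

# Constructed sample: lines abbreviated from the post; group on #1 taken
# from the author's remark that it negotiated modp2048.
SAMPLE_LOG = """\
May 21 09:47:37 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
May 21 09:47:38 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x222e4dfb <0x97a8cc19 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: initiating Main Mode to replace #1
May 21 10:43:07 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May 21 10:43:08 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #2 {using isakmp#3}
May 21 10:43:08 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: ignoring informational payload, type INVALID_ID_INFORMATION
May 21 10:44:18 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #4: max number of retransmissions (2) reached STATE_QUICK_I1
May 21 10:44:18 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #4 {using isakmp#3}
May 21 10:44:18 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #3: ignoring informational payload, type INVALID_ID_INFORMATION
May 21 10:45:28 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #5: max number of retransmissions (2) reached STATE_QUICK_I1
May 21 10:46:14 firewall pluto[15606]: "laptopd"[1] 74.210.20.96 #7: STATE_QUICK_R2: IPsec SA established {ESP=>0x30e532c3 <0x144d7c04 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
"""

# Assumed line shape: <timestamp> <host> pluto[pid]: "<conn>"[n] <peer> #<sa>: <msg>
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? '
    r'(?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$')


def parse(log):
    """Return one dict per pluto line that carries a state (#N) number."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d['sa'] = int(d['sa'])
            events.append(d)
    return events


def isakmp_groups(events):
    """Map ISAKMP SA number -> DH group reported when the SA was established."""
    groups = {}
    for e in events:
        m = re.search(r'ISAKMP SA established .*group=(\w+)', e['msg'])
        if m:
            groups[e['sa']] = m.group(1)
    return groups


def analyse(log, fail_threshold=2):
    """Correlate Quick Mode attempts with the ISAKMP SA they run under."""
    events = parse(log)
    groups = isakmp_groups(events)
    group_changes = []                 # (old SA, old group, new SA, new group)
    qm_parent = {}                     # Quick Mode SA -> ISAKMP SA it uses
    invalid_id = defaultdict(int)      # ISAKMP SA -> INVALID_ID_INFORMATION count
    failed_qm = defaultdict(list)      # ISAKMP SA -> Quick Mode SAs that timed out
    for e in events:
        sa, msg = e['sa'], e['msg']
        m = re.match(r'initiating Main Mode to replace #(\d+)', msg)
        if m:
            old = int(m.group(1))
            if old in groups and sa in groups and groups[old] != groups[sa]:
                group_changes.append((old, groups[old], sa, groups[sa]))
            continue
        m = re.search(r'initiating Quick Mode .*\{using isakmp#(\d+)\}', msg)
        if m:
            qm_parent[sa] = int(m.group(1))
            continue
        if 'INVALID_ID_INFORMATION' in msg:
            invalid_id[sa] += 1
            continue
        if 'max number of retransmissions' in msg and sa in qm_parent:
            failed_qm[qm_parent[sa]].append(sa)
    findings = []
    for old, g_old, new, g_new in group_changes:
        findings.append(f'ISAKMP #{new} replaced #{old} with DH group {g_new} (was {g_old})')
    for isakmp, qms in failed_qm.items():
        if len(qms) >= fail_threshold:
            findings.append(
                f'ISAKMP #{isakmp}: {len(qms)} Quick Mode rekeys timed out, peer sent '
                f'{invalid_id[isakmp]} INVALID_ID_INFORMATION notifies instead of QR1')
    return {'groups': groups, 'failed_quick_mode': dict(failed_qm),
            'invalid_id': dict(invalid_id), 'findings': findings}


if __name__ == '__main__':
    for line in analyse(SAMPLE_LOG)['findings']:
        print(line)
```

Run against a real /var/log/secure or pluto log by passing the file contents to `analyse()`; the two findings it prints for the sample are exactly the pattern in the post, and a rekey storm on a production gateway shows up as a large `failed_quick_mode` list under a single ISAKMP SA.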