[Openswan Users] openswan on dedibox

Reza Issany issanyr at gmail.com
Wed Nov 12 16:11:10 EST 2008


I've done these modifications (v in %v4 and rightsubnet). Here are the 
logs:

Nov 12 22:07:43 transchaines pluto[6298]: packet from 82.229.55.165:500: 
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 12 22:07:43 transchaines pluto[6298]: packet from 82.229.55.165:500: 
ignoring Vendor ID payload [FRAGMENTATION]
Nov 12 22:07:43 transchaines pluto[6298]: packet from 82.229.55.165:500: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set 
to=106
Nov 12 22:07:43 transchaines pluto[6298]: packet from 82.229.55.165:500: 
ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[3] 
82.229.55.165 #2: responding to Main Mode from unknown peer 82.229.55.165
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[3] 
82.229.55.165 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[3] 
82.229.55.165 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[3] 
82.229.55.165 #2: NAT-Traversal: Result using 
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[3] 
82.229.55.165 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[3] 
82.229.55.165 #2: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[3] 
82.229.55.165 #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, ST=France, 
L=Var, O=Olympe CTI, OU=Ingenierie, CN=vpn.olympecti.fr, E=test at aol.com'
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[3] 
82.229.55.165 #2: switched from "roadwarrior-xp" to "roadwarrior-xp"
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: deleting connection "roadwarrior-xp" instance with 
peer 82.229.55.165 {isakmp=#0/ipsec=#0}
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: I am sending my cert
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: new NAT mapping for #2, was 82.229.55.165:500, now 
82.229.55.165:4500
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established 
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha 
group=modp2048}
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: peer client type is FQDN
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: Applying workaround for MS-818043 NAT-T bug
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: IDci was FQDN: X\2772\321, using 
NAT_OA=192.168.7.200/32 as IDci
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: the peer proposed: 88.191.50.209/32:17/1701 -> 
192.168.7.200/32:17/1701
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: peer proposal was reject in a virtual connection 
policy because:
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2:   a private network virtual IP was required, but the 
proposed IP did not match our list (virtual_private=)
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: peer proposal was reject in a virtual connection 
policy because:
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2:   a private network virtual IP was required, but the 
proposed IP did not match our list (virtual_private=)
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: cannot respond to IPsec SA request because no 
connection is known for 
88.191.50.209<88.191.50.209>[+S=C]:17/1701...82.229.55.165[C=FR, 
ST=France, L=Var, O=Olympe CTI, OU=Ingenierie, CN=vpn.olympecti.fr, 
E=test at aol.com,+S=C]:17/1701===192.168.7.200/32
Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: sending encrypted notification INVALID_ID_INFORMATION 
to 82.229.55.165:4500
Nov 12 22:07:45 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: peer client type is FQDN
Nov 12 22:07:45 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: Applying workaround for MS-818043 NAT-T bug
Nov 12 22:07:45 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: IDci was FQDN: X\2772\321, using 
NAT_OA=192.168.7.200/32 as IDci
Nov 12 22:07:45 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: the peer proposed: 88.191.50.209/32:17/1701 -> 
192.168.7.200/32:17/1701
Nov 12 22:07:45 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: peer proposal was reject in a virtual connection 
policy because:
Nov 12 22:07:45 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2:   a private network virtual IP was required, but the 
proposed IP did not match our list (virtual_private=)
Nov 12 22:07:45 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: peer proposal was reject in a virtual connection 
policy because:
Nov 12 22:07:45 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2:   a private network virtual IP was required, but the 
proposed IP did not match our list (virtual_private=)
Nov 12 22:07:45 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: cannot respond to IPsec SA request because no 
connection is known for 
88.191.50.209<88.191.50.209>[+S=C]:17/1701...82.229.55.165[C=FR, 
ST=France, L=Var, O=Olympe CTI, OU=Ingenierie, CN=vpn.olympecti.fr, 
E=test at aol.com,+S=C]:17/1701===192.168.7.200/32
Nov 12 22:07:45 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: sending encrypted notification INVALID_ID_INFORMATION 
to 82.229.55.165:4500
Nov 12 22:07:47 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: peer client type is FQDN
Nov 12 22:07:47 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: Applying workaround for MS-818043 NAT-T bug
Nov 12 22:07:47 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: IDci was FQDN: X\2772\321, using 
NAT_OA=192.168.7.200/32 as IDci
Nov 12 22:07:47 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: the peer proposed: 88.191.50.209/32:17/1701 -> 
192.168.7.200/32:17/1701
Nov 12 22:07:47 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: peer proposal was reject in a virtual connection 
policy because:
Nov 12 22:07:47 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2:   a private network virtual IP was required, but the 
proposed IP did not match our list (virtual_private=)
Nov 12 22:07:47 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: peer proposal was reject in a virtual connection 
policy because:
Nov 12 22:07:47 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2:   a private network virtual IP was required, but the 
proposed IP did not match our list (virtual_private=)
Nov 12 22:07:47 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: cannot respond to IPsec SA request because no 
connection is known for 
88.191.50.209<88.191.50.209>[+S=C]:17/1701...82.229.55.165[C=FR, 
ST=France, L=Var, O=Olympe CTI, OU=Ingenierie, CN=vpn.olympecti.fr, 
E=test at aol.com,+S=C]:17/1701===192.168.7.200/32
Nov 12 22:07:47 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: sending encrypted notification INVALID_ID_INFORMATION 
to 82.229.55.165:4500
Nov 12 22:07:48 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165 #2: received Delete SA payload: deleting ISAKMP State #2
Nov 12 22:07:48 transchaines pluto[6298]: "roadwarrior-xp"[4] 
82.229.55.165: deleting connection "roadwarrior-xp" instance with peer 
82.229.55.165 {isakmp=#0/ipsec=#0}
Nov 12 22:07:48 transchaines pluto[6298]: packet from 
82.229.55.165:4500: received and ignored informational message

Any idea please?

Paul Wouters a écrit :
> On Wed, 12 Nov 2008, Reza Issany wrote:
>
>   
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12,%4:192.168.2.0/24
>>     
>                                                    ^^^^            ^^^^^^
> missing 'v' there. It is %v4 not %4.
>
>   
>>         interfaces=%defaultroute
>>         OE=off
>>         plutodebug=none
>>         nhelpers=1
>>
>> conn %default
>>         keyingtries=1
>>         compress=yes
>>         disablearrivalcheck=no
>>         authby=rsasig
>>         leftrsasigkey=%cert
>>         rightrsasigkey=%cert
>>
>> conn roadwarrior-xp
>>         type=transport
>>         left=publicIPoftheserver
>>         leftsubnet=192.168.2.0/24
>>     
>
> transport mode with subnets?
>
>   
>>         leftcert=vpn.toto.com.pem
>>         leftprotoport=17/1701
>>         right=%any
>>         rightprotoport=17/1701
>>         pfs=no
>>         auto=add
>>     
> Looks like you want l2tp. so leave out the leftsubnet, and add:
> rightsubnet=vhost:%priv,%no
>
>   
>> When I do a tcpdump when trying to connect I just have this log :
>>     
>
> Don't use tcpdump with ipsec, there is no point. It is all crypted.
>
>   
>> Any idea please?
>>     
>
> Show us the logs from /var/log/secure or /var/log/auth*
>
> Paul
>
>   
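The log above tells two things at once: the peer's NAT_OA address (192.168.7.200) is being checked against a virtual_private list, and the running pluto reports that list as empty ("virtual_private="), so either the corrected line never loaded or entries are being dropped. The checker below is an added example, not code from this thread or from Openswan: it validates a virtual_private value entry by entry (each entry must start with %v4: or %v6:, optionally followed by ! for an exclusion, as in the ipsec.conf man page), parses a few pluto lines of the kind quoted above, and reports whether the proposed client address would be accepted by the configured list. The sample config string is the quoted one with its %4 typo, the sample log lines are constructed after the ones in the post with a shortened hostname, and all function names are my own.

```python
import ipaddress
import re

# Constructed sample: the virtual_private line quoted in the thread (typo included).
SAMPLE_VIRTUAL_PRIVATE = (
    "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12,%4:192.168.2.0/24"
)

# Constructed sample pluto lines, modelled on the ones in the post.
SAMPLE_LOG = """\
Nov 12 22:07:43 host pluto[6298]: "roadwarrior-xp"[4] 82.229.55.165 #2: IDci was FQDN: X, using NAT_OA=192.168.7.200/32 as IDci
Nov 12 22:07:43 host pluto[6298]: "roadwarrior-xp"[4] 82.229.55.165 #2: the peer proposed: 88.191.50.209/32:17/1701 -> 192.168.7.200/32:17/1701
Nov 12 22:07:43 host pluto[6298]: "roadwarrior-xp"[4] 82.229.55.165 #2:   a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
"""

# One entry: %v4:NET/LEN or %v6:NET/LEN, with an optional '!' after the colon for exclusions.
ENTRY_RE = re.compile(r"^%v([46]):(!?)(.+)$")


def parse_virtual_private(value):
    """Split a virtual_private string into (allowed, excluded, errors).

    Malformed entries (such as '%4:...' with the 'v' missing) are collected in
    errors rather than silently dropped, which is what would leave the daemon
    with a shorter list than the administrator intended."""
    allowed, excluded, errors = [], [], []
    for raw in (e.strip() for e in value.split(",")):
        if not raw:
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            errors.append(raw)
            continue
        fam, neg, cidr = m.groups()
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            errors.append(raw)
            continue
        if (fam == "4") != (net.version == 4):  # address family tag must match the prefix
            errors.append(raw)
            continue
        (excluded if neg else allowed).append(net)
    return allowed, excluded, errors


def ip_is_virtual_private(ip, allowed, excluded):
    """True if ip lies in an allowed network and in no excluded one."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in allowed) and not any(addr in n for n in excluded)


PROPOSED_RE = re.compile(r"the peer proposed: \S+ -> (\S+?)/\d+:")
REJECT_RE = re.compile(r"proposed IP did not match our list \(virtual_private=(.*)\)")


def analyse_pluto_log(text):
    """Pull the proposed client address and the list the running pluto used out of log lines."""
    result = {"proposed_ip": None, "running_virtual_private": None, "rejected": False}
    for line in text.splitlines():
        m = PROPOSED_RE.search(line)
        if m:
            result["proposed_ip"] = m.group(1)
        m = REJECT_RE.search(line)
        if m:
            result["rejected"] = True
            result["running_virtual_private"] = m.group(1)
    return result


def diagnose(config_value, log_text):
    """Combine the config check and the log evidence into a list of findings."""
    allowed, excluded, errors = parse_virtual_private(config_value)
    log = analyse_pluto_log(log_text)
    findings = []
    for bad in errors:
        findings.append(f"malformed virtual_private entry {bad!r} (expected a %v4: or %v6: prefix)")
    if log["rejected"] and log["running_virtual_private"] == "":
        findings.append("running pluto has an empty virtual_private list; the config was not reloaded")
    ip = log["proposed_ip"]
    if ip and not ip_is_virtual_private(ip, allowed, excluded):
        findings.append(f"proposed client address {ip} is not covered by the configured entries")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_VIRTUAL_PRIVATE, SAMPLE_LOG):
        print(finding)
```

Run against the quoted config and the log lines above it reports the two %4 entries as malformed and the empty running list; 192.168.7.200 itself is already covered by %v4:192.168.0.0/16, so once the daemon is restarted with the corrected line the address check passes.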