[Openswan Users] openswan on dedibox

Reza Issany issanyr at gmail.com
Thu Nov 13 11:55:34 EST 2008


I can't get this configuration working and I don't understand why.

Could anyone help me?

Reza Issany wrote:
> 88.191.50.209 is the public address of the openswan server and 
> 82.229.55.165 is the public address
> of the remote Windows client.
>
> I've just added : 
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:192.168.2.0/24,%v4:88.191.50.0/24 
>
>
> and I've tried with this configuration. It doesn't work :
>
> Nov 13 09:15:43 transchaines pluto[28036]: packet from 
> 82.229.55.165:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 
> 00000004]
> Nov 13 09:15:43 transchaines pluto[28036]: packet from 
> 82.229.55.165:500: ignoring Vendor ID payload [FRAGMENTATION]
> Nov 13 09:15:43 transchaines pluto[28036]: packet from 
> 82.229.55.165:500: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Nov 13 09:15:43 transchaines pluto[28036]: packet from 
> 82.229.55.165:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[3] 
> 82.229.55.165 #3: responding to Main Mode from unknown peer 82.229.55.165
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[3] 
> 82.229.55.165 #3: transition from state STATE_MAIN_R0 to state 
> STATE_MAIN_R1
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[3] 
> 82.229.55.165 #3: STATE_MAIN_R1: sent MR1, expecting MI2
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[3] 
> 82.229.55.165 #3: NAT-Traversal: Result using 
> draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[3] 
> 82.229.55.165 #3: transition from state STATE_MAIN_R1 to state 
> STATE_MAIN_R2
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[3] 
> 82.229.55.165 #3: STATE_MAIN_R2: sent MR2, expecting MI3
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[3] 
> 82.229.55.165 #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, 
> ST=France, L=Var, O=Olympe CTI, OU=Ingenierie, CN=vpn.olympecti.fr, 
> E=test at aol.com'
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[3] 
> 82.229.55.165 #3: switched from "roadwarrior-xp" to "roadwarrior-xp"
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: deleting connection "roadwarrior-xp" instance with 
> peer 82.229.55.165 {isakmp=#0/ipsec=#0}
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: I am sending my cert
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: transition from state STATE_MAIN_R2 to state 
> STATE_MAIN_R3
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: new NAT mapping for #3, was 82.229.55.165:500, now 
> 82.229.55.165:4500
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established 
> {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha 
> group=modp2048}
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: peer client type is FQDN
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: Applying workaround for MS-818043 NAT-T bug
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: IDci was FQDN: X\2772\321, using 
> NAT_OA=192.168.7.200/32 as IDci
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: the peer proposed: 88.191.50.209/32:17/1701 -> 
> 192.168.7.200/32:17/1701
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #4: responding to Quick Mode proposal {msgid:870767ef}
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #4:     us: 88.191.50.209<88.191.50.209>[+S=C]:17/1701
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #4:   them: 82.229.55.165[C=FR, ST=France, L=Var, 
> O=Olympe CTI, OU=Ingenierie, CN=vpn.olympecti.fr, 
> E=test at aol.com,+S=C]:17/1701===192.168.7.200/32
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #4: transition from state STATE_QUICK_R0 to state 
> STATE_QUICK_R1
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA 
> installed, expecting QI2
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #4: transition from state STATE_QUICK_R1 to state 
> STATE_QUICK_R2
> Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #4: STATE_QUICK_R2: IPsec SA established transport mode 
> {ESP=>0x8c8601a3 <0xb1649fe9 xfrm=3DES_0-HMAC_MD5 NATOA=192.168.7.200 
> NATD=82.229.55.165:4500 DPD=none}
> Nov 13 09:16:15 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: received Delete SA(0x8c8601a3) payload: deleting 
> IPSEC State #4
> Nov 13 09:16:15 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: request to replace with shunt a prospective erouted 
> policy with netkey kernel --- experimental
> Nov 13 09:16:15 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: received and ignored informational message
> Nov 13 09:16:15 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165 #3: received Delete SA payload: deleting ISAKMP State #3
> Nov 13 09:16:15 transchaines pluto[28036]: "roadwarrior-xp"[4] 
> 82.229.55.165: deleting connection "roadwarrior-xp" instance with peer 
> 82.229.55.165 {isakmp=#0/ipsec=#0}
> Nov 13 09:16:15 transchaines pluto[28036]: "roadwarrior-xp": request 
> to delete a unrouted policy with netkey kernel --- experimental
> Nov 13 09:16:15 transchaines pluto[28036]: packet from 
> 82.229.55.165:4500: received and ignored informational message
>
> I don't know where is the problem.
>
>
> Paul Wouters wrote:
>> On Wed, 12 Nov 2008, Reza Issany wrote:
>>
>>  
>>> I've done these modifications (v in %v4 and rightsubnet). Here are 
>>> the logs :
>>>     
>>
>>  
>>> Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
>>> 82.229.55.165
>>> #2: peer proposal was reject in a virtual connection policy because:
>>> Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
>>> 82.229.55.165
>>> #2:   a private network virtual IP was required, but the proposed IP 
>>> did not
>>> match our list (virtual_private=)
>>> Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
>>> 82.229.55.165
>>> #2: peer proposal was reject in a virtual connection policy because:
>>> Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
>>> 82.229.55.165
>>> #2:   a private network virtual IP was required, but the proposed IP 
>>> did not
>>> match our list (virtual_private=)
>>> Nov 12 22:07:43 transchaines pluto[6298]: "roadwarrior-xp"[4] 
>>> 82.229.55.165
>>> #2: cannot respond to IPsec SA request because no connection is 
>>> known for
>>> 88.191.50.209<88.191.50.209>[+S=C]:17/1701...82.229.55.165[C=FR, 
>>> ST=France,
>>> L=Var, O=Olympe CTI, OU=Ingenierie, CN=vpn.olympecti.fr,
>>> E=test at aol.com,+S=C]:17/1701===192.168.7.200/32
>>>     
>>
>> 88.191.50.209 is NAT'ed to 82.229.55.165? But 88.191.50.0/24 is not 
>> listed
>> in virtual_private= as a valid address to allow for NAT-T.
>>
>> Paul
>>
>>   
>
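The thread turns on two questions that are easy to answer mechanically from the pluto log: is the NAT-T client's inner address (the NAT_OA that pluto substitutes for the IDci) covered by virtual_private=, and how far did the negotiation actually get before the peer tore it down? The script below is an added example, not code from the thread or from Openswan. It parses a virtual_private= value into networks (including the `%v4:!` exclusion form that Openswan's ipsec.conf accepts), checks the NAT_OA against it, and walks constructed pluto lines (the entries from the post above, re-joined onto single lines) to recover the proposal, the established mode, and the time between "IPsec SA established" and the peer's Delete SA. On the log above the NAT_OA is allowed and the SA lives for 32 seconds in transport mode on UDP/1701, so the diagnosis the script prints points at the layer above IPsec rather than at IKE.

```python
"""Check a NAT-T road-warrior's NAT_OA against virtual_private= and trace
the IPsec SA lifetime from pluto log lines.  Added example; the log sample
and the config value are reconstructed from the mailing-list post."""
import ipaddress
import re
from datetime import datetime

# Constructed: the virtual_private= value quoted in the post.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,"
                   "%v4:192.168.2.0/24,%v4:88.191.50.0/24")

# Constructed: four pluto lines from the post, re-joined onto single lines.
LOG = r"""
Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 82.229.55.165 #3: IDci was FQDN: X\2772\321, using NAT_OA=192.168.7.200/32 as IDci
Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 82.229.55.165 #3: the peer proposed: 88.191.50.209/32:17/1701 -> 192.168.7.200/32:17/1701
Nov 13 09:15:43 transchaines pluto[28036]: "roadwarrior-xp"[4] 82.229.55.165 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x8c8601a3 <0xb1649fe9 xfrm=3DES_0-HMAC_MD5 NATOA=192.168.7.200 NATD=82.229.55.165:4500 DPD=none}
Nov 13 09:16:15 transchaines pluto[28036]: "roadwarrior-xp"[4] 82.229.55.165 #3: received Delete SA(0x8c8601a3) payload: deleting IPSEC State #4
"""


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) network lists.
    Entries look like %v4:10.0.0.0/8; a '!' after the family prefix excludes."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        family, _, cidr = item.partition(":")
        if family not in ("%v4", "%v6"):
            raise ValueError(f"unexpected virtual_private entry: {item!r}")
        target = excluded if cidr.startswith("!") else allowed
        target.append(ipaddress.ip_network(cidr.lstrip("!"), strict=False))
    return allowed, excluded


def address_allowed(addr, allowed, excluded):
    """True when addr falls in an allowed range and in no excluded range."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in allowed)


TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")
NAT_OA_RE = re.compile(r"using NAT_OA=(\S+) as IDci")
PROPOSAL_RE = re.compile(r"the peer proposed: (\S+) -> (\S+)")
ESTABLISHED_RE = re.compile(r"IPsec SA established (\w+) mode")
DELETE_RE = re.compile(r"received Delete SA\(0x[0-9a-f]+\) payload: deleting IPSEC State #\d+")


def _timestamp(line):
    # syslog lines carry no year; only differences between stamps are used.
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def analyze(log_text, virtual_private):
    """Extract NAT_OA, proposal, SA mode and SA lifetime from pluto lines."""
    allowed, excluded = parse_virtual_private(virtual_private)
    result = {"nat_oa": None, "nat_oa_allowed": None, "proposal": None,
              "mode": None, "established_at": None, "deleted_at": None,
              "lifetime_seconds": None}
    for line in log_text.splitlines():
        if m := NAT_OA_RE.search(line):
            ip = m.group(1).split("/")[0]          # strip the /32
            result["nat_oa"] = ip
            result["nat_oa_allowed"] = address_allowed(ip, allowed, excluded)
        elif m := PROPOSAL_RE.search(line):
            result["proposal"] = (m.group(1), m.group(2))
        elif m := ESTABLISHED_RE.search(line):
            result["mode"] = m.group(1)
            result["established_at"] = _timestamp(line)
        elif DELETE_RE.search(line):
            result["deleted_at"] = _timestamp(line)
    if result["established_at"] and result["deleted_at"]:
        delta = result["deleted_at"] - result["established_at"]
        result["lifetime_seconds"] = delta.total_seconds()
    return result


def diagnose(result):
    """Turn the extracted facts into the next thing to check."""
    if result["nat_oa"] and not result["nat_oa_allowed"]:
        return "NAT_OA not covered by virtual_private=; extend the list"
    if result["mode"] is None:
        return "no IPsec SA established; inspect the IKE/Quick Mode lines"
    if result["lifetime_seconds"] is not None:
        proto_port = result["proposal"][0].split(":", 1)[1] if result["proposal"] else "?"
        return (f"IPsec SA ({result['mode']} mode, selector {proto_port}) was "
                f"deleted by the peer after {result['lifetime_seconds']:.0f}s; "
                "IKE succeeded, so look at the protocol carried inside the SA")
    return "IPsec SA established and still up"


if __name__ == "__main__":
    r = analyze(LOG, VIRTUAL_PRIVATE)
    print(r)
    print(diagnose(r))
```

Run it as-is to see the verdict for the posted log; feed it `journalctl`/syslog output and the real ipsec.conf value to use it on another host. Selector `17/1701` is UDP port 1701, so a transport-mode SA that the peer deletes half a minute after establishment is a sign that IKE and IPsec are fine and that the service behind that port is where the failure happens.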

