[Openswan Users] Openswan and Netgear SRXN3205

JT Edwards tstrike34 at gmail.com
Thu Aug 27 17:41:31 EDT 2009


Paul,

Still not successful. Seems like I am really missing something. Would you be 
kind enough to evaluate my log files and configuration files? I sincerely 
appreciate this. I know I am an Openswan dunce but I am learning pretty 
fast. Thank you in advance (Yup, I know the beer tab is climbing!). :)

 I am getting this message:

15:17:46 wizzer8 pluto[12887]: packet from 22.210.33.11:500: ignoring 
unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Aug 27 15:17:46 wizzer8 pluto[12887]: packet from 22.210.33.11:500: ignoring 
unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Aug 27 15:17:46 wizzer8 pluto[12887]: packet from 22.210.33.11:500: initial 
Aggressive Mode message from 22.210.33.11 but no (wildcard) connection has 
been configured with policy=PSK

Both sides have the PSK identified

/etc/ipsec.d/ipsec.secrets
22.210.33.11 11.231.29.12 : PSK "wizardlywiz"

/etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	# klipsdebug=none
	# plutodebug="control parsing"
	# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
	protostack=netkey
	nat_traversal=yes
# include /etc/ipsec.d/*.conf
conn net-to-net
    left=11.231.29.12
    leftsubnet=192.168.1.0/24
    leftnexthop=%defaultroute
    right=22.210.33.11
    rightsubnet=192.168.122.0/24
    rightnexthop=%defaultroute
    auto=add                       # authorizes but doesn't start this
                                   # connection at startup
    authby=secret


From the Netgear router

2009 Aug 27 16:02:14 [SRXN3205] [IKE] Adding IKE configuration with 
identifer "openswan"_
2009 Aug 27 16:02:14 [SRXN3205] [IKE] Using IPsec SA configuration: 
anonymous_
2009 Aug 27 16:02:14 [SRXN3205] [IKE] Configuration found for 22.210.33.11._
2009 Aug 27 16:02:14 [SRXN3205] [IKE] Initiating new phase 1 negotiation: 
11.231.29.12 [500]<=>22.210.33.11[500]_
2009 Aug 27 16:02:14 [SRXN3205] [IKE] Beginning Identity Protection mode._
2009 Aug 27 16:02:31 [SRXN3205] [IKE] accept a request to establish IKE-SA: 
22.210.33.11_
2009 Aug 27 16:02:31 [SRXN3205] [IKE] Configuration found for 22.210.33.11._
2009 Aug 27 16:02:45 [SRXN3205] [IKE] Phase 2 negotiation failed due to time 
up waiting for phase1. ESP 22.210.33.11->11.231.29.12 _
2009 Aug 27 16:03:02 [SRXN3205] [IKE] Invalid SA protocol type: 0_
2009 Aug 27 16:03:02 [SRXN3205] [IKE] Phase 2 negotiation failed due to time 
up waiting for phase1. _



--------------------------------------------------
From: "Paul Wouters" <paul at xelerance.com>
Sent: Thursday, August 27, 2009 4:14 PM
To: "JT Edwards" <tstrike34 at gmail.com>
Cc: <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and Netgear SRXN3205

> On Thu, 27 Aug 2009, JT Edwards wrote:
>
>> Thanks for your assistance. Now does this mean I still have use certs or 
>> I can get past that now? (I have the certs generated of course).
>
> If you are using PSK, you are not using certificates.
>
>> Once the VPNs are connected, I have a VM environment that is NAT'ed.... I 
>> want to be able to allow the remote to have access to them (I am a 
>> network novice and an extremely fast learner). Should I add a route?
>
> If your VM can reach them, then your clients should be able to reach it
> too. However, that only works smoothly if for that subnet your VPN server
> is the default gateway. If that is not the case, you might want to look
> at L2TP+IPsec, so that you can assign the clients an IP address within 
> your
> own network, so that all routing is obvious and clear.
>
> Paul 
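The pluto and Netgear excerpts quoted in this thread are the kind of thing a small triage script can classify automatically, so that the one line that matters ("initial Aggressive Mode message ... but no (wildcard) connection has been configured with policy=PSK") is not lost among the harmless "ignoring unknown Vendor ID payload" noise. The script below is an added example for readers of the archive, not code from either poster or from the Openswan project. The sample log text is re-typed from the two excerpts above (the first pluto line keeps its missing date prefix exactly as posted); the rule names, severities and "meaning" strings are this script's own triage table, not messages or terms defined by Openswan or Netgear.

```python
import re

# Constructed sample input: the pluto lines from the post above, re-typed so the
# script runs offline. The first line lacks its "Aug 27" prefix, as in the post.
PLUTO_LOG = """\
15:17:46 wizzer8 pluto[12887]: packet from 22.210.33.11:500: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Aug 27 15:17:46 wizzer8 pluto[12887]: packet from 22.210.33.11:500: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Aug 27 15:17:46 wizzer8 pluto[12887]: packet from 22.210.33.11:500: initial Aggressive Mode message from 22.210.33.11 but no (wildcard) connection has been configured with policy=PSK
"""

# Constructed sample input: the Netgear SRXN3205 lines from the post, one per line.
NETGEAR_LOG = """\
2009 Aug 27 16:02:14 [SRXN3205] [IKE] Adding IKE configuration with identifer "openswan"_
2009 Aug 27 16:02:14 [SRXN3205] [IKE] Using IPsec SA configuration: anonymous_
2009 Aug 27 16:02:14 [SRXN3205] [IKE] Configuration found for 22.210.33.11._
2009 Aug 27 16:02:14 [SRXN3205] [IKE] Initiating new phase 1 negotiation: 11.231.29.12 [500]<=>22.210.33.11[500]_
2009 Aug 27 16:02:14 [SRXN3205] [IKE] Beginning Identity Protection mode._
2009 Aug 27 16:02:31 [SRXN3205] [IKE] accept a request to establish IKE-SA: 22.210.33.11_
2009 Aug 27 16:02:31 [SRXN3205] [IKE] Configuration found for 22.210.33.11._
2009 Aug 27 16:02:45 [SRXN3205] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. ESP 22.210.33.11->11.231.29.12 _
2009 Aug 27 16:03:02 [SRXN3205] [IKE] Invalid SA protocol type: 0_
2009 Aug 27 16:03:02 [SRXN3205] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. _
"""

# pluto's per-packet diagnostics all share the "packet from <ip>:<port>: <detail>" shape.
PLUTO_PACKET = re.compile(r"pluto\[\d+\]: packet from (?P<peer>[\d.]+):(?P<port>\d+): (?P<detail>.*)$")

# Triage table (this script's own, not Openswan's): rule name, severity, matcher, reading.
PLUTO_RULES = [
    ("vendor-id", "info",
     re.compile(r"ignoring unknown Vendor ID payload"),
     "peer advertised a Vendor ID pluto does not recognise; informational only"),
    ("aggressive-psk-no-conn", "error",
     re.compile(r"initial Aggressive Mode message from [\d.]+ but no \(wildcard\) "
                r"connection has been configured with policy=PSK"),
     "peer opened IKEv1 Aggressive Mode with PSK but no conn matches "
     "(a matching conn needs aggrmode=yes, authby=secret and IDs the peer presents)"),
]

# Netgear format: "<yyyy Mon dd hh:mm:ss> [<device>] [<subsystem>] <message>_"
NETGEAR_LINE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \[(?P<dev>[^\]]+)\] \[(?P<sub>[^\]]+)\] "
    r"(?P<msg>.*?)_?\s*$")


def triage_pluto(text):
    """One finding per pluto 'packet from' line: peer, rule, severity, meaning."""
    findings = []
    for line in text.splitlines():
        m = PLUTO_PACKET.search(line)
        if not m:
            continue
        detail = m.group("detail")
        for name, severity, pattern, meaning in PLUTO_RULES:
            if pattern.search(detail):
                findings.append({"peer": m.group("peer"), "rule": name,
                                 "severity": severity, "meaning": meaning})
                break
        else:  # a packet-level message the table does not know: keep it visible
            findings.append({"peer": m.group("peer"), "rule": "unclassified",
                             "severity": "warn", "meaning": detail})
    return findings


def triage_netgear(text):
    """Pull the phase-1 exchange mode and the phase-2 timeouts out of the Netgear IKE log."""
    out = {"mode": None, "phase2_timeouts": 0, "other": []}
    for line in text.splitlines():
        m = NETGEAR_LINE.match(line)
        if not m or m.group("sub") != "IKE":
            continue
        msg = m.group("msg").strip()
        mode = re.match(r"Beginning (.+?) mode\.?$", msg)
        if mode:
            # "Identity Protection" is the RFC 2409 name for Main Mode.
            out["mode"] = mode.group(1)
        elif "Phase 2 negotiation failed due to time up waiting for phase1" in msg:
            out["phase2_timeouts"] += 1
        else:
            out["other"].append(msg)
    return out


def verdict(pluto_findings, netgear):
    """Combine both sides into a single operator-facing statement."""
    errors = {f["rule"] for f in pluto_findings if f["severity"] == "error"}
    if "aggressive-psk-no-conn" in errors:
        return "phase1-never-completes: responder dropped an Aggressive Mode PSK proposal (no matching conn)"
    if netgear["phase2_timeouts"]:
        return "phase1-never-completes: initiator timed out waiting for phase 1; check the responder log"
    return "no phase-1 failure recognised"


if __name__ == "__main__":
    pf = triage_pluto(PLUTO_LOG)
    ng = triage_netgear(NETGEAR_LOG)
    for f in pf:
        print(f"pluto  {f['severity']:5} {f['peer']:15} {f['rule']}: {f['meaning']}")
    print(f"netgear phase-1 mode={ng['mode']!r} phase2_timeouts={ng['phase2_timeouts']}")
    print("verdict:", verdict(pf, ng))
```

Two caveats when reading the output against the thread. First, the pluto excerpt is from 15:17 and the Netgear excerpt from 16:02, so they are not the same attempt; the Netgear side reports "Identity Protection mode" (Main Mode) while pluto complains about an Aggressive Mode message, and only logs with overlapping timestamps can say which mode the router actually sent on a given try. Second, pluto's "no (wildcard) connection ... policy=PSK" line is the actionable one: pluto only answers an IKEv1 Aggressive Mode PSK exchange from a conn that has `aggrmode=yes`, `authby=secret` and IDs matching what the peer presents, and the conn in the post has none of that. From a hardening standpoint, Aggressive Mode with PSK is the weaker of the two phase-1 exchanges (the identity travels unencrypted and the PSK-derived authentication hash is exposed to anyone watching the exchange), so where the router can be set to Main Mode with a strong PSK, that is the better way to make the two sides agree.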


