[Openswan Users] Laptop (right) connecting to left.

Brent Clark brentgclarklist at gmail.com
Sun Jul 26 15:46:39 EDT 2009


> You should not need a leftnexthop when using %defaultroute.
>
> Paul

Paul, thank you so much for your reply and help.

I'm still not quite there yet, but at least the error log is improving,
all thanks to you. If you wouldn't mind looking over the last of my
conf files.

Standalone machine:

----------8<--------------8<---------------8<------------------------
version 2.0

config setup
        nat_traversal=yes
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #plutodebug="control parsing"
        nhelpers=0
        interfaces="%defaultroute"

conn linux-to-linux
        auth=esp
        left=196.36.x.x
        leftid=@work
        leftsubnet=196.36.x.0/29       # Is this actually needed?
        authby=secret
        right=%any
        rightid=@home
        rightsubnet=vhost:%priv,%no
        pfs=no
        esp=aes128
        #ike=aes
        auto=add                       # Changed to 'add', as per your request.

include /etc/ipsec.d/examples/no_oe.conf

----------8<--------------8<---------------8<------------------------

Laptop config:

version 2.0

config setup
        plutodebug="control parsing"
        nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nhelpers=0
        interfaces="%defaultroute"

conn linux-to-linux
        auth=esp
        authby=secret
        right=196.36.x.x
        rightid=@work
        rightsubnet=196.36.x.0/29
        left=%defaultroute
        #leftsubnet=vhost:%priv,%no           # Should I not uncomment this?
        leftid=@home
        pfs=no
        esp=aes128
        #ike=aes
        auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


----------8<--------------8<---------------8<------------------------

Jul 26 21:35:07 VPN pluto[29041]: forgetting secrets
Jul 26 21:35:07 VPN pluto[29041]: loading secrets from "/etc/ipsec.secrets"
Jul 26 21:35:17 VPN pluto[29041]: packet from 165.146.174.215:500:
received Vendor ID payload [Openswan (this version) 2.4.12  LDAP_V3
PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Jul 26 21:35:17 VPN pluto[29041]: packet from 165.146.174.215:500:
received Vendor ID payload [Dead Peer Detection]
Jul 26 21:35:17 VPN pluto[29041]: packet from 165.146.174.215:500:
received Vendor ID payload [RFC 3947] method set to=109
Jul 26 21:35:17 VPN pluto[29041]: packet from 165.146.174.215:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108,
but already using method 109
Jul 26 21:35:17 VPN pluto[29041]: packet from 165.146.174.215:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107,
but already using method 109
Jul 26 21:35:17 VPN pluto[29041]: packet from 165.146.174.215:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 109
Jul 26 21:35:17 VPN pluto[29041]: packet from 165.146.174.215:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 26 21:35:17 VPN pluto[29041]: "linux-to-linux"[1] 165.146.174.215
#1: responding to Main Mode from unknown peer 165.146.174.215
Jul 26 21:35:17 VPN pluto[29041]: "linux-to-linux"[1] 165.146.174.215
#1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 26 21:35:17 VPN pluto[29041]: "linux-to-linux"[1] 165.146.174.215
#1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 26 21:35:17 VPN pluto[29041]: "linux-to-linux"[1] 165.146.174.215
#1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is
NATed
Jul 26 21:35:17 VPN pluto[29041]: "linux-to-linux"[1] 165.146.174.215
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 26 21:35:17 VPN pluto[29041]: "linux-to-linux"[1] 165.146.174.215
#1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 26 21:35:18 VPN pluto[29041]: "linux-to-linux"[1] 165.146.174.215
#1: Main mode peer ID is ID_FQDN: '@home'
Jul 26 21:35:18 VPN pluto[29041]: "linux-to-linux"[1] 165.146.174.215
#1: I did not send a certificate because I do not have one.
Jul 26 21:35:18 VPN pluto[29041]: "linux-to-linux"[1] 165.146.174.215
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 26 21:35:18 VPN pluto[29041]: "linux-to-linux"[1] 165.146.174.215
#1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1536}
Jul 26 21:35:18 VPN pluto[29041]: "linux-to-linux"[1] 165.146.174.215
#1: cannot respond to IPsec SA request because no connection is known
for 196.36.x.0/29===196.36.x.x[@work]...165.146.174.215[@home]===10.0.0.1/32
Jul 26 21:35:18 VPN pluto[29041]: "linux-to-linux"[1] 165.146.174.215
#1: sending encrypted notification INVALID_ID_INFORMATION to
165.146.174.215:4500

Would this not have to do with my entries in my /etc/ipsec.secrets file?

Thank you again for your help. I really do appreciate it.

Brent
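Added illustration (not part of Brent's or Paul's messages, and not Openswan project documentation): the pluto log above shows Phase 1 completing with the pre-shared key ("ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY ...}"), so the entries in ipsec.secrets are already being accepted. The failure is at the Phase 2 (IPsec SA) step: the laptop, whose left=%defaultroute resolves to its NATed private address, proposes 10.0.0.1/32 as its subnet, and the server finds no connection matching "...165.146.174.215[@home]===10.0.0.1/32". On the server, rightsubnet=vhost:%priv can only match a private inner address if virtual_private in config setup lists the allowed private ranges, and that line is commented out in the standalone machine's config. The fragment below is the server side with that line enabled; 196.36.x.x and 196.36.x.0/29 are the placeholders from the post, and the comments are mine.

```ini
# /etc/ipsec.conf on the standalone (left) machine, with virtual_private enabled
version 2.0

config setup
        nat_traversal=yes
        # Needed for vhost:%priv below: declares which private ranges a NATed
        # client may present as its inner address (the laptop offers 10.0.0.1/32).
        # If this server's own LAN sits inside one of these ranges, exclude it,
        # e.g. add ,%v4:!192.168.1.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nhelpers=0
        interfaces="%defaultroute"

conn linux-to-linux
        auth=esp
        left=196.36.x.x
        leftid=@work
        leftsubnet=196.36.x.0/29
        authby=secret
        right=%any
        rightid=@home
        # %priv: accept a private inner address drawn from virtual_private
        # %no:   also accept the peer's own (public) address as a /32
        rightsubnet=vhost:%priv,%no
        pfs=no
        esp=aes128
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
```

The laptop side needs no change for this: leaving leftsubnet commented out is what makes it propose its own address as a /32, which the server then matches through %priv. Two caveats worth keeping in mind: first, vhost:%priv with a /8-wide virtual_private lets any peer that authenticates with the shared secret claim any inner address in those ranges, so the PSK should be treated as the only thing standing between the Internet and those routes; second, pfs=no disables Perfect Forward Secrecy for the Phase 2 keys, which is fine for getting the tunnel up but worth re-enabling once it works.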

