[Openswan Users] Problem with ShrewSoft VPN Client in DHCP over IPSec Configuration

Martin Krellmann martin2002 at web.de
Mon Jun 15 11:11:19 EDT 2009


Hi.


When I try to establish a connection with the ShrewSoft Client it fails.

DHCP over IPSec, no NAT on either side: "roadwarrior-dhcp"[1] 89.246.161.100
#3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected


Openswan succeeds in the IKE phase:

"roadwarrior-dhcp"[2] 89.246.161.100 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_md5
group=modp3072}


But it cannot match a connection description afterwards:

Jun 15 16:07:37 gateway pluto[23447]: | peer client is 89.246.161.100
Jun 15 16:07:37 gateway pluto[23447]: | peer client protocol/port is 17/68
Jun 15 16:07:37 gateway pluto[23447]: | our client is 91.67.231.19
Jun 15 16:07:37 gateway pluto[23447]: | our client protocol/port is 17/67
Jun 15 16:07:37 gateway pluto[23447]: "roadwarrior-dhcp"[2] 89.246.161.100 #4: the peer proposed: xxx.xxx.xxx.xxx/32:17/67 -> 89.246.161.100/32:17/68
Jun 15 16:07:37 gateway pluto[23447]: "roadwarrior-dhcp"[2] 89.246.161.100 #4: cannot respond to IPsec SA request because no connection is known for xxx.xxx.xxx.xxx[C=DE, ST=Brandenburg, L=Potsdam, O=Krellmann, OU=Servers, CN=vpngate, E=root at vpngate.potsdam.krellmann.net,+S=C]:17/67...89.246.161.100[C=DE, O=krellmann, OU=roadwarrior, CN=potsdam.krellmann.net, E=martin at krellmann.net,+S=C]:17/68
Jun 15 16:07:37 gateway pluto[23447]: | complete state transition with (null)
Jun 15 16:07:37 gateway pluto[23447]: "roadwarrior-dhcp"[2] 89.246.161.100 #4: sending encrypted notification INVALID_ID_INFORMATION to 89.246.161.100:500

The ShrewSoft Client does not notice the above response and keeps
sending DHCP Discover packets.

Any idea why this happens?


The configuration:

ipsec.conf:

config setup
       klipsdebug=none
       nat_traversal=yes
       nhelpers=5
       plutodebug=control,crypt,klips
       protostack=klips
       uniqueids=yes
       virtual_private=%v4:10.0.1.0/24,%v4:10.0.2.0/24,%v4:!192.168.10.0/24,%v4:!192.168.178.0/24

conn %default
       type=tunnel
       authby=rsasig
       pfs=no
       rekey=no
       keylife=1h
       ikelifetime=3h
       keyingtries=3
       left=%defaultroute
       leftrsasigkey=%cert
       rightca=%same
       rightrsasigkey=%cert

conn roadwarrior-dhcp
       keylife=60s
       rekeymargin=30s
       rekey=no
       leftcert=g1.krellmann.net.pem
       leftprotoport=udp/bootps
       #this allows DHCP discovery broadcast:
       leftsubnet=0.0.0.0/0
       right=%any
       rightcert=roadwarrior.potsdam.krellmann.net.pem
       rightprotoport=udp/bootpc
       auto=add

conn roadwarrior
       leftcert=g1.krellmann.net.pem
       leftsubnet=192.168.10.0/24
       right=%any
       rightcert=roadwarrior.potsdam.krellmann.net.pem
       rightsubnet=vnet:%v4:10.0.1.0/24
       auto=add

The client configuration is mostly "auto". Auth mode is "mutual-rsa";
certificates are set up (the same as on the server side, plus the private
key for the client).


Greets,

Martin.
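A small selector check, added here as an illustration and not part of Martin's post or of Openswan: it parses the four "| ... client ..." pluto debug lines quoted above and tests the proposed traffic selectors against the subnet and protoport keys of the two connections from the posted ipsec.conf. The sample log lines and connection keys are copied from the message (the "our client" address stands in for the masked gateway address); the bootps/bootpc port numbers are the standard /etc/services values, and all function names are my own.

```python
import ipaddress
import re

# Constructed sample: the four pluto debug lines quoted in the post.
SAMPLE_LOG = """\
Jun 15 16:07:37 gateway pluto[23447]: | peer client is 89.246.161.100
Jun 15 16:07:37 gateway pluto[23447]: | peer client protocol/port is 17/68
Jun 15 16:07:37 gateway pluto[23447]: | our client is 91.67.231.19
Jun 15 16:07:37 gateway pluto[23447]: | our client protocol/port is 17/67
"""

# The two connections from the posted ipsec.conf, reduced to the keys
# that take part in traffic-selector matching (cert/ID keys omitted).
ROADWARRIOR_DHCP = {
    "leftsubnet": "0.0.0.0/0",
    "leftprotoport": "udp/bootps",
    "right": "%any",
    "rightprotoport": "udp/bootpc",
}
ROADWARRIOR = {
    "leftsubnet": "192.168.10.0/24",
    "right": "%any",
    "rightsubnet": "vnet:%v4:10.0.1.0/24",
}

# Standard protocol numbers and /etc/services names used by the config.
PROTOCOLS = {"udp": 17, "tcp": 6, "icmp": 1}
SERVICES = {"bootps": 67, "bootpc": 68}


def parse_protoport(spec):
    """'udp/bootps' -> (17, 67). A missing spec, '%any' or 0 means 'any'."""
    if not spec or spec == "%any":
        return (0, 0)
    proto, _, port = spec.partition("/")
    proto_num = int(proto) if proto.isdigit() else PROTOCOLS[proto]
    if port in ("", "%any"):
        port_num = 0
    elif port.isdigit():
        port_num = int(port)
    else:
        port_num = SERVICES[port]
    return (proto_num, port_num)


def parse_subnets(spec):
    """Plain CIDR or a vnet:%v4:a/b,%v4:c/d list -> list of networks.
    Exclusions ('!') are skipped; this simplifies Openswan's syntax."""
    nets = []
    for part in spec.replace("vnet:", "").split(","):
        part = part.strip()
        if part.startswith("%v4:"):
            part = part[4:]
        if part.startswith("!"):
            continue
        nets.append(ipaddress.ip_network(part, strict=False))
    return nets


def parse_pluto_selectors(log):
    """Collect the '| peer/our client ...' debug lines into one dict per side."""
    sel = {"peer": {}, "our": {}}
    for line in log.splitlines():
        m = re.search(r"\| (peer|our) client is (\S+)", line)
        if m:
            sel[m.group(1)]["addr"] = m.group(2)
            continue
        m = re.search(r"\| (peer|our) client protocol/port is (\d+)/(\d+)", line)
        if m:
            sel[m.group(1)]["proto"] = int(m.group(2))
            sel[m.group(1)]["port"] = int(m.group(3))
    return sel


def side_matches(side, subnet, protoport, host=None):
    """True if one proposed (addr, proto, port) fits one end's subnet/protoport.
    Without a *subnet= key the client is the end's own address; %any accepts any host."""
    addr = ipaddress.ip_address(side["addr"])
    if subnet:
        if not any(addr in net for net in parse_subnets(subnet)):
            return False
    elif host not in (None, "%any", "%defaultroute") and addr != ipaddress.ip_address(host):
        return False
    want_proto, want_port = parse_protoport(protoport)
    if want_proto and side["proto"] != want_proto:
        return False
    if want_port and side["port"] != want_port:
        return False
    return True


def check_connection(conn, log):
    """Return (our_side_ok, peer_side_ok) for the selectors pluto logged."""
    sel = parse_pluto_selectors(log)
    ours = side_matches(sel["our"], conn.get("leftsubnet"), conn.get("leftprotoport"), conn.get("left"))
    peer = side_matches(sel["peer"], conn.get("rightsubnet"), conn.get("rightprotoport"), conn.get("right"))
    return (ours, peer)


if __name__ == "__main__":
    for name, conn in (("roadwarrior-dhcp", ROADWARRIOR_DHCP), ("roadwarrior", ROADWARRIOR)):
        print(name, check_connection(conn, SAMPLE_LOG))
```

For roadwarrior-dhcp both ends come back True, so the subnet and protoport keys on their own do not explain the INVALID_ID_INFORMATION; pluto's "no connection is known for" line also prints both ends' certificate IDs, which are matched separately and which this script does not model. A vnet: range is treated as a plain subnet that the proposed client address must fall in, so roadwarrior fails on both ends because neither proposed address lies in 192.168.10.0/24 or 10.0.1.0/24.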
