[Openswan Users] xauth

Jon James jonj at claimtools.ca
Tue Jun 23 17:00:17 EDT 2009


Could anyone tell me if automated rekeying with XAuth actually works?

I initiate the tunnel by hand using whack and all goes well.

The IKE (phase 2) rekeying works; however, when it comes time to rekey
phase 1 with XAuth, the tunnel fails.

I have also attached a full ipsec barf.

Thank you

Jon

 

Openswan ipsec.conf

config setup
    nat_traversal=yes

conn home
    leftxauthclient=yes
    leftxauthusername=test
    rightxauthserver=yes
    left=%defaultroute
    leftsourceip=x.x.x.x
    right=x.x.x.x
    rightsubnet=192.168.80.0/24
    keyexchange=ike
    auth=esp
    authby=secret
    esp=3des
    compress=no
    pfs=yes
    auto=add
    rekey=yes

Openswan ipsec.secrets

: PSK "xxxxxxx"
@test : XAUTH "test"

Fortigate config phase 1

Mode=main
P1 proposal=3des-sha1
DH group=5
Keylife=300 seconds (short life for testing purposes)
NAT traversal=enabled
DPD=enabled

Fortigate config phase 2

Encryption=3des-sha1
PFS=yes
DH group=5
Keylife=120 seconds (short life for testing purposes)
Auto keep alive=enabled


Log on Openswan end during phase1 rekey

Jun 23 13:32:36 claimtools pluto[15665]: packet from x.x.x.x:4500: received and ignored informational message
Jun 23 13:32:36 claimtools pluto[15665]: "home" #1: received Delete SA payload: deleting ISAKMP State #1
Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: sending notification NO_PROPOSAL_CHOSEN to x.x.x.x:4500
Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: no acceptable Oakley Transform
Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: policy mandates Extended Authentication (XAUTH) with PSK of responder (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: responding to Main Mode
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [Dead Peer Detection]
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [RFC 3947] method set to=109
Jun 23 13:32:22 claimtools pluto[15665]: "home" #7: sending notification NO_PROPOSAL_CHOSEN to x.x.x.x:4500
Jun 23 13:32:22 claimtools pluto[15665]: "home" #7: no acceptable Oakley Transform
Jun 23 13:32:22 claimtools pluto[15665]: "home" #7: policy mandates Extended Authentication (XAUTH) with PSK of responder (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 23 13:32:22 claimtools pluto[15665]: "home" #7: responding to Main Mode
Jun 23 13:32:22 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [Dead Peer Detection]
Jun 23 13:32:22 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 23 13:32:22 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Jun 23 13:32:22 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jun 23 13:32:22 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jun 23 13:32:22 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jun 23 13:32:22 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jun 23 13:32:22 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jun 23 13:32:22 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jun 23 13:32:22 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jun 23 13:32:22 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jun 23 13:32:22 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [RFC 3947] method set to=109
Jun 23 13:32:18 claimtools pluto[15665]: "home" #6: sending notification NO_PROPOSAL_CHOSEN to x.x.x.x:4500
Jun 23 13:32:18 claimtools pluto[15665]: "home" #6: no acceptable Oakley Transform
Jun 23 13:32:18 claimtools pluto[15665]: "home" #6: policy mandates Extended Authentication (XAUTH) with PSK of responder (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 23 13:32:18 claimtools pluto[15665]: "home" #6: responding to Main Mode
Jun 23 13:32:18 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [Dead Peer Detection]
Jun 23 13:32:18 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 23 13:32:18 claimtools pluto[15665]: packet from x.x.x.x:4500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Jun 23 13:32:18 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109

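The log above (read newest-first) shows the same pattern three times, on states #6, #7 and #8: pluto answers an inbound Main Mode as responder, reports that its XAUTH policy is not satisfied by the OAKLEY_AUTHENTICATION_METHOD attribute the peer proposed, finds no acceptable Oakley transform, and sends NO_PROPOSAL_CHOSEN; the peer then deletes ISAKMP state #1. The following parser is an added example, not code from the post or from Openswan: it reads pluto syslog lines in the format shown, groups state-bound messages by IKE state number, and counts how many inbound exchanges were rejected this way, so the failure can be spotted from syslog rather than by eye. Treating those four messages as one failed rekey attempt, the sample log (a rewrapped subset of the post's lines) and the helper names are assumptions of this example.

```python
import re
from collections import defaultdict

# Syslog line shape used by pluto in the post:
#   Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: <message>
#   Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: <message>
# The '"conn" #state:' prefix is only present for messages tied to an IKE state.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$'
)

# Messages that together mark one rejected inbound Main Mode exchange.
# Treating these four as "one failed rekey attempt" is an assumption of this
# example, derived from the log in the post, not a rule from Openswan itself.
STEPS = (
    ("responding", "responding to Main Mode"),
    ("xauth_policy", "policy mandates Extended Authentication (XAUTH)"),
    ("no_transform", "no acceptable Oakley Transform"),
    ("rejected", "sending notification NO_PROPOSAL_CHOSEN"),
)
DELETE_RE = re.compile(r"deleting ISAKMP State #(\d+)")

# Constructed sample: a subset of the post's log lines, rewrapped one per line.
SAMPLE_LOG = """\
Jun 23 13:32:36 claimtools pluto[15665]: packet from x.x.x.x:4500: received and ignored informational message
Jun 23 13:32:36 claimtools pluto[15665]: "home" #1: received Delete SA payload: deleting ISAKMP State #1
Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: sending notification NO_PROPOSAL_CHOSEN to x.x.x.x:4500
Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: no acceptable Oakley Transform
Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: policy mandates Extended Authentication (XAUTH) with PSK of responder (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: responding to Main Mode
Jun 23 13:32:30 claimtools pluto[15665]: packet from x.x.x.x:4500: received Vendor ID payload [RFC 3947] method set to=109
Jun 23 13:32:22 claimtools pluto[15665]: "home" #7: sending notification NO_PROPOSAL_CHOSEN to x.x.x.x:4500
Jun 23 13:32:22 claimtools pluto[15665]: "home" #7: no acceptable Oakley Transform
Jun 23 13:32:22 claimtools pluto[15665]: "home" #7: policy mandates Extended Authentication (XAUTH) with PSK of responder (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 23 13:32:22 claimtools pluto[15665]: "home" #7: responding to Main Mode
Jun 23 13:32:18 claimtools pluto[15665]: "home" #6: sending notification NO_PROPOSAL_CHOSEN to x.x.x.x:4500
Jun 23 13:32:18 claimtools pluto[15665]: "home" #6: no acceptable Oakley Transform
Jun 23 13:32:18 claimtools pluto[15665]: "home" #6: policy mandates Extended Authentication (XAUTH) with PSK of responder (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 23 13:32:18 claimtools pluto[15665]: "home" #6: responding to Main Mode
"""


def parse_line(line):
    """Split one pluto syslog line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["state"] = int(rec["state"]) if rec["state"] is not None else None
    return rec


def analyse(lines):
    """Group state-bound messages by IKE state number and report rejected exchanges.

    Order-independent on purpose: the post's log is newest-first, and a live
    syslog may interleave states, so each state just accumulates the steps seen.
    """
    steps_seen = defaultdict(set)
    deleted = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["state"] is not None:
            for key, needle in STEPS:
                if needle in rec["msg"]:
                    steps_seen[rec["state"]].add(key)
        m = DELETE_RE.search(rec["msg"])
        if m:
            deleted.append(int(m.group(1)))
    required = {key for key, _ in STEPS}
    rejected = sorted(s for s, seen in steps_seen.items() if required <= seen)
    # States that logged the XAUTH policy message but not the full rejection.
    partial = sorted(s for s, seen in steps_seen.items()
                     if "xauth_policy" in seen and s not in rejected)
    return {"rejected_states": rejected,
            "partial_states": partial,
            "deleted_isakmp_states": deleted}


def report(lines):
    """One-line summary suitable for an alert or a quick triage note."""
    r = analyse(lines)
    return (f"{len(r['rejected_states'])} inbound Main Mode exchange(s) rejected with "
            f"NO_PROPOSAL_CHOSEN after an unsatisfied XAUTH policy (states {r['rejected_states']}); "
            f"ISAKMP state(s) deleted by peer: {r['deleted_isakmp_states']}")


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

On the sample this reports three rejected exchanges (states 6, 7, 8) and one ISAKMP state deleted by the peer. Because the detector keys on the state number rather than on line order, it works on a live syslog fed through `analyse(open(path))` just as well as on the reverse-ordered excerpt in the post.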
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20090623/b378f0a7/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: barf
Type: application/octet-stream
Size: 70073 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20090623/b378f0a7/attachment-0001.obj 

