[Openswan Users] PSK connection problems

Peter Smith pete at citadelsecure.com
Thu Jun 25 20:06:35 EDT 2009


Hi All,

I'm trying to set up OpenSwan on a debian box to allow Windows XP
roadwarriors to connect. I'm trying with PSK first (I've been led to
believe that this is an easier option when first starting out).

Here's what I see in the logs when I attempt to connect from XP:

packet from 1.2.3.4:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000004]
packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from 1.2.3.4:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
packet from 1.2.3.4:500: ignoring Vendor ID payload [Vid-Initial-Contact]
"roadwarrior-a-psk"[3] 1.2.3.4 #3: responding to Main Mode from unknown
peer 1.2.3.4
"roadwarrior-a-psk"[3] 1.2.3.4 #3: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
"roadwarrior-a-psk"[3] 1.2.3.4 #3: STATE_MAIN_R1: sent MR1, expecting MI2
"roadwarrior-a-psk"[3] 1.2.3.4 #3: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
"roadwarrior-a-psk"[3] 1.2.3.4 #3: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
"roadwarrior-a-psk"[3] 1.2.3.4 #3: STATE_MAIN_Rsent MR2, expecting MI3
"roadwarrior-a-psk"[3] 1.2.3.4 #3: Main mode peer ID is ID_FQDN:
'@b-30876fff59d64'
"roadwarrior-a-psk"[3] 1.2.3.4 #3: switched from "roadwarrior-a-psk" to
"roadwarrior-a-psk"
"roadwarrior-a-psk"[4] 1.2.3.4 #3: deleting connection "roadwarrior-a-psk"
instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
"roadwarrior-a-psk"[4] 1.2.3.4 #3: I did not send a certificate because I
do not have one.
"roadwarrior-a-psk"[4] 1.2.3.4 #3: transition from state STATE_MAIN_R2 to
state STATE_MAIN_R3
"roadwarrior-a-psk"[4] 1.2.3.4 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp2048}
"roadwarrior-a-psk"[4] 1.2.3.4 #4: responding to Quick Mode {msgid:b9a83c80}
"roadwarrior-a-psk"[4] 1.2.3.4 #4: transition from state STATE_QUICK_R0 to
state STATE_QUICK_R1
"roadwarrior-a-psk"[4] 1.2.3.4 #4: STATE_QUICK_R1: sent QR1, inbound IPsec
SA installed, expecting QI2
"roadwarrior-a-psk"[4] 1.2.3.4 #4: transition from state STATE_QUICK_R1 to
state STATE_QUICK_R2
"roadwarrior-a-psk"[4] 1.2.3.4 #4: STATE_QUICK_RIPsec SA established
{ESP=>0x748ea2af <0x92e09dbb xfrm=3DES_0-HMAC_MD5 NATD=1.2.3.4:4500
DPD=none}
"roadwarrior-a-psk"[4] 1.2.3.4 #3: received Delete SA(0x748ea2af) payload:
deleting IPSEC State #4
"roadwarrior-a-psk"[4] 1.2.3.4 #3: received and ignored informational message
"roadwarrior-a-psk"[4] 1.2.3.4 #3: received Delete SA payload: deleting
ISAKMP State #3
"roadwarrior-a-psk"[4] 1.2.3.4: deleting connection "roadwarrior-a-psk"
instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
packet from 1.2.3.4:4500: received and ignored informational message

.... and my /etc/ipsec.conf:

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=secret
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-a-psk
        type=transport
        authby=secret|rsasig
        pfs=no
        left=%defaultroute
        leftprotoport=17/0
        leftrsasigkey=%cert
        right=%any
        rightprotoport=17/0
        rightrsasigkey=%cert
        auto=add
        keyingtries=3

Am I missing something obvious? Any help greatly appreciated.

Thanks,
Pete
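An added example, not from the post or from Openswan: a small Python parser for the pluto log format quoted above. It groups lines by peer address and reports how far each IKE exchange got, so a "PSK doesn't work" report can be narrowed to phase 1, phase 2, or a teardown after both SAs were established. The sample log is constructed from the post's lines with the wrapped lines re-joined; the function names are assumptions of this example.

```python
import re

# Pluto (Openswan's IKE daemon) log line: "conn"[instance] peer #state: message
LINE_RE = re.compile(r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<num>\d+): (?P<msg>.*)$')
KV_RE = re.compile(r"(\w+)=(\S+)")  # key=value pairs inside the trailing {...}

# Constructed sample: the post's log with wrapped lines re-joined.
SAMPLE_LOG = """\
"roadwarrior-a-psk"[3] 1.2.3.4 #3: Main mode peer ID is ID_FQDN: '@b-30876fff59d64'
"roadwarrior-a-psk"[4] 1.2.3.4 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
"roadwarrior-a-psk"[4] 1.2.3.4 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0x748ea2af <0x92e09dbb xfrm=3DES_0-HMAC_MD5 NATD=1.2.3.4:4500 DPD=none}
"roadwarrior-a-psk"[4] 1.2.3.4 #3: received Delete SA(0x748ea2af) payload: deleting IPSEC State #4
"roadwarrior-a-psk"[4] 1.2.3.4 #3: received Delete SA payload: deleting ISAKMP State #3
""".splitlines()

def params(msg):
    """Parse the {key=value ...} block pluto appends to 'SA established' lines."""
    return dict(KV_RE.findall(msg[msg.index("{"):].strip("{}")))

def parse_pluto(lines):
    """Group pluto log lines by peer address and record how far each exchange got."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # 'packet from ...' lines carry no connection context
        s = sessions.setdefault(m["peer"], {"peer_id": "", "isakmp": {}, "ipsec": {}, "deleted_by_peer": []})
        msg = m["msg"]
        if "peer ID is" in msg:
            s["peer_id"] = msg.split(": ", 1)[1].strip("'")
        elif "ISAKMP SA established" in msg:   # phase 1 done: auth method and crypto chosen
            s["isakmp"] = params(msg)
        elif "IPsec SA established" in msg:    # phase 2 done: ESP SPIs and transform
            s["ipsec"] = params(msg)
        elif msg.startswith("received Delete SA"):  # the peer, not us, tore the state down
            s["deleted_by_peer"].append(msg.rsplit("deleting ", 1)[1])
    return sessions

def diagnose(s):
    """Return (stage, notes): where the exchange stopped and what was negotiated."""
    if not s["isakmp"]:
        return "phase1-failed", []
    notes = [f"phase 1 auth={s['isakmp'].get('auth')} group={s['isakmp'].get('group')}"]
    if not s["ipsec"]:
        return "phase2-failed", notes
    notes.append(f"phase 2 xfrm={s['ipsec'].get('xfrm')} NATD={s['ipsec'].get('NATD')}")
    if s["deleted_by_peer"]:
        notes.append("peer deleted: " + ", ".join(s["deleted_by_peer"]))
        return "established-then-deleted-by-peer", notes
    return "established", notes
```

For the post's log this yields established-then-deleted-by-peer: phase 1 completed with auth=OAKLEY_PRESHARED_KEY and phase 2 installed an ESP SA, so the teardown came from the XP side after the negotiation itself had succeeded.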