[Openswan Users] VPN Tunnel between Juniper SRX and Openswan
Daniel.Fritz at geneva-id.com
Mon Nov 2 07:27:31 EST 2009
Hi there,
For days I have been trying to establish a VPN connection between a Juniper SRX 240H
(JUNOS 9.6R2) and Openswan 2.4.4.
I have tested from different machines with different Openswan versions,
including 2.6.23, without success. With
Junos 9.6R1 I wasn't able to establish Phase 1 (IKE), but after an upgrade I
can establish Phase 1 (IKE). But in Phase 2
I still have problems. I do not know what to do - I have tried so much without
success. Maybe you have some hints.
Thank you.
This is my ipsec.conf:
version 2.0

# basic configuration
config setup
    # klipsdebug="all"
    # plutodebug="all"
    nat_traversal=yes
    #forwardcontrol=yes
    interfaces=%defaultroute
    nhelpers=0
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg:
    # plutodebug="control parsing"
    #
    # Only enable klipsdebug=all if you are a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    # nat_traversal=yes
    #
    # (fixed: the third entry read "%4:" in the posted file, which is not a valid virtual_private prefix)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # plutodebug=control
    # nat_traversal=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn JUNIPER-DUS
    authby=secret
    # auth=esp
    auto=start
    # esp=3des-md5
    ike=3des-md5
    ikelifetime=3600s
    keylife=3600s
    left=89.1xx.xx.xx
    leftid=89.1xx.xx.xx
    leftnexthop=192.168.210.1
    leftsubnet=192.168.210.1/32
    pfs=yes
    right=89.1xx.xx.xxx
    rightid=89.1xxx.xx.xxx
    rightsubnet=10.10.100.4/32
    type=tunnel
    # xauth=no
Part of my log with plutodebug=all:
Nov 2 13:21:13 id-soft pluto[32342]: | Added new connection JUNIPER-DUS with policy PSK+ENCRYPT+TUNNEL+PFS
Nov 2 13:21:14 id-soft pluto[32342]: added connection description "JUNIPER-DUS"
Nov 2 13:21:14 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:14 id-soft pluto[32342]: | route owner of "JUNIPER-DUS" unrouted: NULL; eroute owner: NULL
Nov 2 13:21:14 id-soft pluto[32342]: | could_route called for JUNIPER-DUS (kind=CK_PERMANENT)
Nov 2 13:21:14 id-soft pluto[32342]: | route owner of "JUNIPER-DUS" unrouted: NULL; eroute owner: NULL
Nov 2 13:21:14 id-soft pluto[32342]: | route_and_eroute with c: JUNIPER-DUS (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
Nov 2 13:21:14 id-soft pluto[32342]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='JUNIPER-DUS' PLUTO_NEXT_HOP='192.168.210.1' PLUTO_INTERFACE='eth0' PLUTO_ME='xxx.xxx.xxx.xxx' PLUTO_MY_ID='xxx.xxx.xxx.xxx' PLUTO_MY_CLIENT='192.168.210.1/32' PLUTO_MY_CLIENT_NET='192.168.210.1' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.xxx' PLUTO_PEER_ID='xxx.xxx.xxx.xxx' PLUTO_PEER_CLIENT='10.10.100.4/32' PLUTO_PEER_CLIENT_NET='10.10.100.4' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS' ipsec _updown
Nov 2 13:21:14 id-soft pluto[32342]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='JUNIPER-DUS' PLUTO_NEXT_HOP='192.168.210.1' PLUTO_INTERFACE='eth0' PLUTO_ME='xxx.xxx.xxx.xxx' PLUTO_MY_ID='xxx.xxx.xxx.xxx' PLUTO_MY_CLIENT='192.168.210.1/32' PLUTO_MY_CLIENT_NET='192.168.210.1' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.xxx' PLUTO_PEER_ID='xxx.xxx.xxx.xxx' PLUTO_PEER_CLIENT='10.10.100.4/32' PLUTO_PEER_CLIENT_NET='10.10.100.4' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS' ipsec _updown
Nov 2 13:21:15 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:15 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:15 id-soft pluto[32342]: | Queuing pending Quick Mode with xxx.xxx.xxx.xxx "JUNIPER-DUS"
Nov 2 13:21:15 id-soft pluto[32342]: "JUNIPER-DUS" #2: initiating Main Mode
Nov 2 13:21:16 id-soft pluto[32342]: | find_host_pair_conn (find_host_connection2): xxx.xxx.xxx.xxx:500 xxx.xxx.xxx.xxx:500 -> hp:JUNIPER-DUS
Nov 2 13:21:16 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:16 id-soft pluto[32342]: "JUNIPER-DUS" #3: responding to Main Mode
Nov 2 13:21:16 id-soft pluto[32342]: "JUNIPER-DUS" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 2 13:21:16 id-soft pluto[32342]: "JUNIPER-DUS" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 2 13:21:17 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: received Vendor ID payload [Dead Peer Detection]
Nov 2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: ignoring unknown Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500]
Nov 2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
Nov 2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
Nov 2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] method set to=107
Nov 2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 107
Nov 2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Nov 2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
Nov 2 13:21:17 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 2 13:21:18 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:18 id-soft pluto[32342]: "JUNIPER-DUS" #2: I did not send a certificate because I do not have one.
Nov 2 13:21:19 id-soft pluto[32342]: "JUNIPER-DUS" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Nov 2 13:21:19 id-soft pluto[32342]: "JUNIPER-DUS" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 2 13:21:19 id-soft pluto[32342]: "JUNIPER-DUS" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 2 13:21:20 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #2: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Nov 2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov 2 13:21:20 id-soft pluto[32342]: | unqueuing pending Quick Mode with xxx.xxx.xxx.xxx "JUNIPER-DUS"
Nov 2 13:21:20 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2}
Nov 2 13:21:20 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:22 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:22 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:22 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:22 id-soft pluto[32342]: "JUNIPER-DUS" #6: Notify Message Type of ISAKMP Notification Payload has an unknown value: 40001
Nov 2 13:21:22 id-soft pluto[32342]: "JUNIPER-DUS" #6: malformed payload in packet
Nov 2 13:21:22 id-soft pluto[32342]: "JUNIPER-DUS" #6: sending notification PAYLOAD_MALFORMED to xxx.xxx.xxx.xxx:500
Nov 2 13:21:26 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:26 id-soft pluto[32342]: | handling event EVENT_RETRANSMIT for xxx.xxx.xxx.xxx "JUNIPER-DUS" #3
Nov 2 13:21:31 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:31 id-soft pluto[32342]: | handling event EVENT_RETRANSMIT for xxx.xxx.xxx.xxx "JUNIPER-DUS" #6
Nov 2 13:21:35 id-soft pluto[32342]: | find_host_pair_conn (find_host_connection2): xxx.xxx.xxx.xxx:500 xxx.xxx.xxx.xxx:500 -> hp:JUNIPER-DUS
Nov 2 13:21:35 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:35 id-soft pluto[32342]: "JUNIPER-DUS" #8: responding to Main Mode
Nov 2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Nov 2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Nov 2 13:21:36 id-soft pluto[32342]: | refine_connection: starting with JUNIPER-DUS
Nov 2 13:21:36 id-soft pluto[32342]: | refine_connection: happy with starting point: JUNIPER-DUS
Nov 2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: I did not send a certificate because I do not have one.
Nov 2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov 2 13:21:40 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov 2 13:21:40 id-soft pluto[32342]: | processing connection JUNIPER-DUS
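An added illustration, not part of Daniel's post and not Openswan code: a small Python parser for pluto log lines of the shape shown above. It tracks, per ISAKMP state number (the "#2", "#6" tags), which phase the state belongs to, its role, the state transitions, whether the SA was established, and any error notifications, and then summarises how far the negotiation got. The sample log embedded below is constructed from the redacted lines in the post; the regular expressions assume the syslog-style "Mon D HH:MM:SS host pluto[pid]: message" layout seen there.

```python
import re
from collections import OrderedDict

# "Nov 2 13:21:20 id-soft pluto[32342]: <message>" (single or double space after the month)
LINE_RE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<msg>.*)$')
# Messages tied to a state: '"CONN" #N: text'
SA_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
UNKNOWN_NOTIFY_RE = re.compile(r'unknown value: (\d+)')
PARENT_RE = re.compile(r'\{using isakmp#(\d+)\}')
# Debug line (plutodebug) that still names the state it belongs to
RETRANSMIT_RE = re.compile(r'^\| handling event EVENT_RETRANSMIT for .* #(\d+)$')


def new_sa(conn):
    return {'conn': conn, 'phase': None, 'role': None, 'parent': None,
            'states': [], 'established': False, 'errors': [],
            'unknown_notify': None, 'retransmits': 0}


def summarise(log_text):
    """Return {state_number: summary dict}, in order of first appearance."""
    sas = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group('msg')
        r = RETRANSMIT_RE.match(msg)
        if r:
            if int(r.group(1)) in sas:
                sas[int(r.group(1))]['retransmits'] += 1
            continue
        s = SA_RE.match(msg)
        if not s:
            continue  # other "| ..." debug chatter carries no per-state information
        sa = sas.setdefault(int(s.group('sa')), new_sa(s.group('conn')))
        text = s.group('text')
        if 'Main Mode' in text:            # "initiating Main Mode" / "responding to Main Mode"
            sa['phase'] = 1
            sa['role'] = 'initiator' if text.startswith('initiating') else 'responder'
        elif 'Quick Mode' in text:         # phase 2, carries the parent ISAKMP SA number
            sa['phase'] = 2
            sa['role'] = 'initiator' if text.startswith('initiating') else 'responder'
            p = PARENT_RE.search(text)
            if p:
                sa['parent'] = int(p.group(1))
        t = TRANSITION_RE.search(text)
        if t:
            if not sa['states']:
                sa['states'].append(t.group(1))
            sa['states'].append(t.group(2))
        if 'ISAKMP SA established' in text or 'IPsec SA established' in text:
            sa['established'] = True
        u = UNKNOWN_NOTIFY_RE.search(text)
        if u:
            sa['unknown_notify'] = int(u.group(1))
        if 'malformed payload' in text or text.startswith('sending notification'):
            sa['errors'].append(text)
    return sas


def diagnose(sas):
    """One-line verdict: which phase completed and what ended the negotiation."""
    phase1 = [n for n, sa in sas.items() if sa['phase'] == 1 and sa['established']]
    if not phase1:
        return 'phase 1 (IKE/Main Mode) never completed'
    for n, sa in sas.items():
        if sa['phase'] != 2:
            continue
        parent = sa['parent'] or phase1[0]
        if sa['established']:
            return 'phase 2 established in SA #%d' % n
        if sa['unknown_notify'] is not None:
            return ('phase 1 up (ISAKMP SA #%d); phase 2 SA #%d failed: peer sent notify '
                    'type %d, which pluto does not recognise and answered with '
                    'PAYLOAD_MALFORMED' % (parent, n, sa['unknown_notify']))
        return ('phase 1 up (ISAKMP SA #%d); phase 2 SA #%d did not complete '
                '(%d retransmits)' % (parent, n, sa['retransmits']))
    return 'phase 1 up (ISAKMP SA #%d); no Quick Mode attempted' % phase1[0]


# Constructed sample, taken from the redacted log in the post.
SAMPLE_LOG = """\
Nov 2 13:21:15 id-soft pluto[32342]: "JUNIPER-DUS" #2: initiating Main Mode
Nov 2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 2 13:21:19 id-soft pluto[32342]: "JUNIPER-DUS" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov 2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2}
Nov 2 13:21:22 id-soft pluto[32342]: "JUNIPER-DUS" #6: Notify Message Type of ISAKMP Notification Payload has an unknown value: 40001
Nov 2 13:21:22 id-soft pluto[32342]: "JUNIPER-DUS" #6: malformed payload in packet
Nov 2 13:21:22 id-soft pluto[32342]: "JUNIPER-DUS" #6: sending notification PAYLOAD_MALFORMED to xxx.xxx.xxx.xxx:500
Nov 2 13:21:31 id-soft pluto[32342]: | handling event EVENT_RETRANSMIT for xxx.xxx.xxx.xxx "JUNIPER-DUS" #6
"""

if __name__ == '__main__':
    print(diagnose(summarise(SAMPLE_LOG)))
```

Run against the sample, the verdict is that Phase 1 completed on ISAKMP SA #2 and Phase 2 SA #6 died when the peer's reply carried a notify type (40001) that pluto rejected as a malformed payload, which is the same conclusion one reaches reading the log by hand, but the per-state summary makes it quick to separate the Phase 1 chatter (vendor IDs, NAT-T probing) from the line that actually ended the negotiation.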