[Openswan Users] VPN Tunnel between Juniper SRX and Openswan

Daniel.Fritz at geneva-id.com Daniel.Fritz at geneva-id.com
Mon Nov 2 07:27:31 EST 2009


Hi there,

for days I have been trying to establish a VPN connection between a Juniper SRX 240H
(JUNOS 9.6R2) and Openswan 2.4.4.

I have tested from different machines with different Openswan versions,
including 2.6.23, without success. With Junos 9.6R1 I wasn't able to
establish Phase 1 (IKE), but after an upgrade I can establish Phase 1 (IKE).
But in Phase 2 I still have problems. I do not know what to do; I have tried
so much without success. Maybe you have some hints.

Thank you.

This is my ipsec.conf:

version 2.0


# basic configuration
config setup
        # klipsdebug="all"
        # plutodebug="all"
        nat_traversal=yes
        #forwardcontrol=yes
        interfaces=%defaultroute
        nhelpers=0
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        #       plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # nat_traversal=yes
        #
        # every entry needs the %v4: prefix; the section parameter must be indented
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # plutodebug=control
        # nat_traversal=yes

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn JUNIPER-DUS
        authby=secret
        # auth=esp
        auto=start
        # esp=3des-md5
        ike=3des-md5
        ikelifetime=3600s
        keylife=3600s
        left=89.1xx.xx.xx
        leftid=89.1xx.xx.xx
        leftnexthop=192.168.210.1
        leftsubnet=192.168.210.1/32
        pfs=yes
        right=89.1xx.xx.xxx
        rightid=89.1xxx.xx.xxx
        rightsubnet=10.10.100.4/32
        type=tunnel
        # xauth=no

Part of my log with plutodebug=all:

Nov  2 13:21:13 id-soft pluto[32342]: | Added new connection JUNIPER-DUS with policy PSK+ENCRYPT+TUNNEL+PFS
Nov  2 13:21:14 id-soft pluto[32342]: added connection description "JUNIPER-DUS"
Nov  2 13:21:14 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:14 id-soft pluto[32342]: | route owner of "JUNIPER-DUS" unrouted: NULL; eroute owner: NULL
Nov  2 13:21:14 id-soft pluto[32342]: | could_route called for JUNIPER-DUS (kind=CK_PERMANENT)
Nov  2 13:21:14 id-soft pluto[32342]: | route owner of "JUNIPER-DUS" unrouted: NULL; eroute owner: NULL
Nov  2 13:21:14 id-soft pluto[32342]: | route_and_eroute with c: JUNIPER-DUS (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
Nov  2 13:21:14 id-soft pluto[32342]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='JUNIPER-DUS' PLUTO_NEXT_HOP='192.168.210.1' PLUTO_INTERFACE='eth0' PLUTO_ME='xxx.xxx.xxx.xxx' PLUTO_MY_ID='xxx.xxx.xxx.xxx' PLUTO_MY_CLIENT='192.168.210.1/32' PLUTO_MY_CLIENT_NET='192.168.210.1' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.xxx' PLUTO_PEER_ID='xxx.xxx.xxx.xxx' PLUTO_PEER_CLIENT='10.10.100.4/32' PLUTO_PEER_CLIENT_NET='10.10.100.4' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS'   ipsec _updown
Nov  2 13:21:14 id-soft pluto[32342]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='JUNIPER-DUS' PLUTO_NEXT_HOP='192.168.210.1' PLUTO_INTERFACE='eth0' PLUTO_ME='xxx.xxx.xxx.xxx' PLUTO_MY_ID='xxx.xxx.xxx.xxx' PLUTO_MY_CLIENT='192.168.210.1/32' PLUTO_MY_CLIENT_NET='192.168.210.1' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.xxx' PLUTO_PEER_ID='xxx.xxx.xxx.xxx' PLUTO_PEER_CLIENT='10.10.100.4/32' PLUTO_PEER_CLIENT_NET='10.10.100.4' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS'   ipsec _updown
Nov  2 13:21:15 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:15 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:15 id-soft pluto[32342]: | Queuing pending Quick Mode with xxx.xxx.xxx.xxx "JUNIPER-DUS"
Nov  2 13:21:15 id-soft pluto[32342]: "JUNIPER-DUS" #2: initiating Main Mode
Nov  2 13:21:16 id-soft pluto[32342]: | find_host_pair_conn (find_host_connection2): xxx.xxx.xxx.xxx:500 xxx.xxx.xxx.xxx:500 -> hp:JUNIPER-DUS
Nov  2 13:21:16 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:16 id-soft pluto[32342]: "JUNIPER-DUS" #3: responding to Main Mode
Nov  2 13:21:16 id-soft pluto[32342]: "JUNIPER-DUS" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  2 13:21:16 id-soft pluto[32342]: "JUNIPER-DUS" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  2 13:21:17 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: received Vendor ID payload [Dead Peer Detection]
Nov  2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: ignoring unknown Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500]
Nov  2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
Nov  2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
Nov  2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov  2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] method set to=107
Nov  2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 107
Nov  2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Nov  2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
Nov  2 13:21:17 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov  2 13:21:17 id-soft pluto[32342]: "JUNIPER-DUS" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Nov  2 13:21:18 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:18 id-soft pluto[32342]: "JUNIPER-DUS" #2: I did not send a certificate because I do not have one.
Nov  2 13:21:19 id-soft pluto[32342]: "JUNIPER-DUS" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Nov  2 13:21:19 id-soft pluto[32342]: "JUNIPER-DUS" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov  2 13:21:19 id-soft pluto[32342]: "JUNIPER-DUS" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Nov  2 13:21:20 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #2: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Nov  2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov  2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov  2 13:21:20 id-soft pluto[32342]: | unqueuing pending Quick Mode with xxx.xxx.xxx.xxx "JUNIPER-DUS"
Nov  2 13:21:20 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2}
Nov  2 13:21:20 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:22 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:22 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:22 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:22 id-soft pluto[32342]: "JUNIPER-DUS" #6: Notify Message Type of ISAKMP Notification Payload has an unknown value: 40001
Nov  2 13:21:22 id-soft pluto[32342]: "JUNIPER-DUS" #6: malformed payload in packet
Nov  2 13:21:22 id-soft pluto[32342]: "JUNIPER-DUS" #6: sending notification PAYLOAD_MALFORMED to xxx.xxx.xxx.xxx:500
Nov  2 13:21:26 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:26 id-soft pluto[32342]: | handling event EVENT_RETRANSMIT for xxx.xxx.xxx.xxx "JUNIPER-DUS" #3
Nov  2 13:21:31 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:31 id-soft pluto[32342]: | handling event EVENT_RETRANSMIT for xxx.xxx.xxx.xxx "JUNIPER-DUS" #6
Nov  2 13:21:35 id-soft pluto[32342]: | find_host_pair_conn (find_host_connection2): xxx.xxx.xxx.xxx:500 xxx.xxx.xxx.xxx:500 -> hp:JUNIPER-DUS
Nov  2 13:21:35 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:35 id-soft pluto[32342]: "JUNIPER-DUS" #8: responding to Main Mode
Nov  2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Nov  2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov  2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: STATE_MAIN_R2: sent MR2, expecting MI3
Nov  2 13:21:36 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov  2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Nov  2 13:21:36 id-soft pluto[32342]: | refine_connection: starting with JUNIPER-DUS
Nov  2 13:21:36 id-soft pluto[32342]: | refine_connection: happy with starting point: JUNIPER-DUS
Nov  2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: I did not send a certificate because I do not have one.
Nov  2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov  2 13:21:36 id-soft pluto[32342]: "JUNIPER-DUS" #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov  2 13:21:40 id-soft pluto[32342]: | processing connection JUNIPER-DUS
Nov  2 13:21:40 id-soft pluto[32342]: | processing connection JUNIPER-DUS
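As an added example (editor's code, not part of the original post or of Openswan), a small Python analyser that walks pluto log lines like those above, tracks each state number, and reports that Phase 1 (#2) established while the Quick Mode state (#6) failed on notify type 40001, a value inside the private-use range of RFC 2408. The sample lines are a constructed excerpt modelled on the log above.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the pluto log in the post (the real log is longer).
SAMPLE_LOG = """\
Nov  2 13:21:15 id-soft pluto[32342]: "JUNIPER-DUS" #2: initiating Main Mode
Nov  2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov  2 13:21:20 id-soft pluto[32342]: "JUNIPER-DUS" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2}
Nov  2 13:21:22 id-soft pluto[32342]: "JUNIPER-DUS" #6: Notify Message Type of ISAKMP Notification Payload has an unknown value: 40001
Nov  2 13:21:22 id-soft pluto[32342]: "JUNIPER-DUS" #6: malformed payload in packet
Nov  2 13:21:22 id-soft pluto[32342]: "JUNIPER-DUS" #6: sending notification PAYLOAD_MALFORMED to xxx.xxx.xxx.xxx:500
Nov  2 13:21:31 id-soft pluto[32342]: | handling event EVENT_RETRANSMIT for xxx.xxx.xxx.xxx "JUNIPER-DUS" #6
"""

# Message text after the pluto prefix; the first "#n" is the state the line belongs to.
MSG_RE = re.compile(r'pluto\[\d+\]: (?:\| )?(?:"[^"]+" )?(?P<msg>.*?#(?P<num>\d+).*)$')
NOTIFY_RE = re.compile(r'unknown value: (\d+)')
PRIVATE_USE = ((8192, 16383), (32768, 40959))  # RFC 2408 section 3.14.1 private-use notify ranges

def is_private_notify(code):
    return any(lo <= code <= hi for lo, hi in PRIVATE_USE)

def analyse(log_text):
    """Summarise each pluto state (#n): its phase, whether its SA came up, and what went wrong."""
    states = defaultdict(lambda: {"phase": None, "established": False, "errors": [], "retransmits": 0})
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m: continue  # debug chatter without a state number
        msg, st = m.group("msg"), states[int(m.group("num"))]
        if "Main Mode" in msg:
            st["phase"] = 1
        elif "Quick Mode" in msg:
            st["phase"] = 2
        if "SA established" in msg:
            st["established"] = True
        n = NOTIFY_RE.search(msg)
        if n:
            tag = "private-use" if is_private_notify(int(n.group(1))) else "unassigned"
            st["errors"].append(f"unknown notify {n.group(1)} ({tag})")
        elif "malformed payload" in msg or "PAYLOAD_MALFORMED" in msg:
            st["errors"].append(msg.split(": ", 1)[-1])
        if "EVENT_RETRANSMIT" in msg:
            st["retransmits"] += 1
    return dict(states)

def diagnose(states):
    """One verdict for the tunnel: did Phase 1 come up, and did a Phase 2 state then error out?"""
    p1 = any(s["phase"] == 1 and s["established"] for s in states.values())
    p2_err = any(s["phase"] == 2 and s["errors"] and not s["established"] for s in states.values())
    return "phase1-ok-phase2-failed" if p1 and p2_err else ("phase1-ok" if p1 else "phase1-failed")
```

Running `diagnose(analyse(SAMPLE_LOG))` on the excerpt returns `phase1-ok-phase2-failed`, which narrows the search to the Quick Mode exchange rather than the IKE proposal.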