[Openswan Users] Openswan and V-IPSecure

JT Edwards tstrike34 at gmail.com
Wed Sep 2 09:36:03 EDT 2009


Hi Erich...

Let me run the IKE handshake (running on little sleep so I apologize) again 
and give you the dump from the secure log.

Hang a few minutes.

:)

JT

--------------------------------------------------
From: "Erich Titl" <erich.titl at think.ch>
Sent: Wednesday, September 02, 2009 9:32 AM
To: "JT Edwards" <tstrike34 at gmail.com>
Cc: <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure

> Hi
>
> JT Edwards wrote:
>> To all:
>>
>> I have researched all the material that is in the archives.
>>
>> I configured V-IPSecure for IKE VPN with certificates. After following
>> the instructions for generating certificates (to include a key) I
>> attempted to start a connection to an Openswan VPN gateway. We reach the
>> 2nd stage of the IKE negotiations when I get these messages:
>>
> ....
>
>> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1:
>> STATE_MAIN_R2: sent MR2, expecting MI3
>> Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: Main
>> mode peer ID is ID_IPV4_ADDR: '22.45.'
>
> See, no certificate.....
>
>> Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: no
>> suitable connection for peer '22.45.'
>> Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1:
>> sending encrypted notification INVALID_ID_INFORMATION to 22.45. :500
>
> Your peer sent you another ID than you expect, so there is no suitable
> connection and your server just tells so. The peer probably tries to
> identify by IP and this is not a certificate set up.
>
>>
>> On the router here is what the VPN log reads (wished it was more verbose)
>>
>> 2009 Sep 1 18:47:31 [SRXN3205] [IKE] Ignore information because
>> ISAKMP-SA has not been established yet._
>> 2009 Sep 1 18:47:40 [SRXN3205] [IKE] The packet is retransmitted by
>> 16.16.[500]._
> ...
>
>>
>> I followed the certs instructions to a T.... Where am I going wrong? Is
>> there some way I can see what is being transmitted to the Openswan
>> server and what it is sending back?
>
> See above ....
>
>> Here is what I am trying to do... I am trying to get my SRXN3207 to
>> connect to an Openswan VPN server using certificates.... The vendor ID of
>> the IKE negotiations identifies V-IPSecure as a vendor racoon.
>
> No, you do not try to identify by cert.
>
> cheers
>
> Erich
>
>
> 
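
An added example, not part of the original thread or of Openswan: a small Python check that pairs each `Main mode peer ID is ...` line in pluto's log with a later rejection on the same SA and reports whether the peer identified by certificate subject (`ID_DER_ASN1_DN`) or by something else, which is the distinction the reply above points at. The sample lines, addresses and host name are constructed, and log lines are assumed to be unwrapped, one event per line, as in the secure log.

```python
import re

# pluto prefixes per-state lines with: "conn"[instance] peer-address #serial:
STATE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) '
                   r'#(?P<sa>\d+): (?P<msg>.*)')
PEER_ID = re.compile(r"Main mode peer ID is (?P<type>ID_\w+): '(?P<value>[^']*)'")
REJECT = ("no suitable connection for peer", "INVALID_ID_INFORMATION")
CERT_ID = "ID_DER_ASN1_DN"  # ID type sent when the peer identifies by certificate subject

# Constructed sample input (documentation addresses, made-up host name "gw").
P = 'gw pluto[31132]: "ait-to-home"'
SAMPLE = [
    f"Sep  1 17:58:13 {P}[1] 192.0.2.10 #1: STATE_MAIN_R2: sent MR2, expecting MI3",
    f"Sep  1 17:58:14 {P}[1] 192.0.2.10 #1: Main mode peer ID is ID_IPV4_ADDR: '192.0.2.10'",
    f"Sep  1 17:58:14 {P}[1] 192.0.2.10 #1: no suitable connection for peer '192.0.2.10'",
    f"Sep  1 17:58:14 {P}[1] 192.0.2.10 #1: sending encrypted notification "
    "INVALID_ID_INFORMATION to 192.0.2.10:500",
    f"Sep  1 18:02:40 {P}[2] 198.51.100.7 #2: Main mode peer ID is ID_DER_ASN1_DN: "
    "'C=US, O=Example, CN=router'",
    f"Sep  1 18:02:40 {P}[2] 198.51.100.7 #2: no suitable connection for peer "
    "'C=US, O=Example, CN=router'",
]

def find_id_rejections(lines):
    """Return one finding per IKE SA whose Main Mode identity was rejected."""
    seen = {}      # (conn, sa) -> (id_type, id_value) announced by the peer
    findings = {}  # (conn, sa) -> finding; repeated rejections collapse to one
    for line in lines:
        m = STATE.search(line)
        if not m:
            continue
        key = (m["conn"], m["sa"])
        pid = PEER_ID.search(m["msg"])
        if pid:
            seen[key] = (pid["type"], pid["value"])
        elif key in seen and any(r in m["msg"] for r in REJECT):
            id_type, id_value = seen[key]
            findings[key] = {"conn": m["conn"], "peer": m["peer"],
                             "id_type": id_type, "id_value": id_value,
                             "cert_identity": id_type == CERT_ID}
    return list(findings.values())

if __name__ == "__main__":
    for f in find_id_rejections(SAMPLE):
        how = "certificate subject" if f["cert_identity"] else "a non-certificate ID"
        print(f'{f["conn"]} peer {f["peer"]}: rejected, identified by {how} '
              f'({f["id_type"]}: {f["id_value"]})')
```

A rejection with `cert_identity` false matches the case in this thread, where the peer offered an address as its identity; a rejection with it true means a certificate identity was offered but matched no configured connection.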

