[Openswan Users] Openswan and V-IPSecure

JT Edwards tstrike34 at gmail.com
Wed Sep 2 09:43:31 EDT 2009


Here is the secure log and my ipsec.conf in its entirety:

#securelog
Sep  2 08:37:44 wizbang pluto[5858]: packet from 12.234.22.224:500: ignoring 
unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Sep  2 08:37:44 wizbang pluto[5858]: packet from 12.234.22.224:500: ignoring 
unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Sep  2 08:37:44 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: 
responding to Main Mode from unknown peer 12.234.22.224
Sep  2 08:37:44 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep  2 08:37:44 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: 
STATE_MAIN_R1: sent MR1, expecting MI2
Sep  2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: 
ignoring Vendor ID payload [KAME/racoon]
Sep  2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep  2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: 
STATE_MAIN_R2: sent MR2, expecting MI3
Sep  2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: Main 
mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep  2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: no 
suitable connection for peer '12.234.22.224'
Sep  2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: 
sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep  2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: Main 
mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep  2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: no 
suitable connection for peer '12.234.22.224'
Sep  2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: 
sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep  2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: Main 
mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep  2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: no 
suitable connection for peer '12.234.22.224'
Sep  2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: 
sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep  2 08:38:15 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: Main 
mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep  2 08:38:15 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: no 
suitable connection for peer '12.234.22.224'
Sep  2 08:38:15 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: 
sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep  2 08:38:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: max 
number of retransmissions (2) reached STATE_MAIN_R2
Sep  2 08:38:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224: 
deleting connection "ait-to-home" instance with peer 12.234.22.224 
{isakmp=#0/ipsec=#0}


# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=auto


# Add connections here
conn ait-to-home
        # Configuration for one user with any type of IPsec/L2TP client
        # including the updated Windows 2000/XP (MS KB Q818043), but
        # excluding the non-updated Windows 2000/XP.
        #
        #
        # Use a certificate. Disable Perfect Forward Secrecy.
        #
        authby=rsasig
        pfs=no
        auto=add
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        # See http://bugs.xelerance.com/view.php?id=466
        type=transport
        #
        left=22.34.33.26
        leftid=%fromcert
        leftrsasigkey=%cert
        leftcert=/etc/ipsec.d/certs/aittorden.pem
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        # Using the magic port of "0" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port, but propose "0" instead of their port. If that does
        # not work, try 17/%any (or fall back to 17/1701 for just Windows
        # clients).
        rightprotoport=17/0
        rightsubnet=vhost:%priv,%no

JT Edwards
Senior Solutions Architect (Automation and Service Management)
IBM Tivoli Certified
Direct: 281-226-0284
Direct: 512-772-3266
Follow Me: 1866-866-4391 ext 1
AIM tstrike34
GoogleTalk tstrike34 at gmail.com

--------------------------------------------------
From: "Erich Titl" <erich.titl at think.ch>
Sent: Wednesday, September 02, 2009 9:32 AM
To: "JT Edwards" <tstrike34 at gmail.com>
Cc: <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure

> Hi
>
> JT Edwards wrote:
>> To all:
>>
>> I have researched all the material that is in the archives.
>>
>> I configured V-IPSecure for Ike VPN with certificates. After following
>> the instructions for generating certificates (to include a key) I
>> attempted to start a connection to an Openswan VPN gateway. We reach the
>> 2nd stage of the Ike negotiations when I get these messages:
>>
> ....
>
>> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1:
>> STATE_MAIN_R2: sent MR2, expecting MI3
>> Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: Main
>> mode peer ID is ID_IPV4_ADDR: '22.45.'
>
> See, no certificate.....
>
>> Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: no
>> suitable connection for peer '22.45.'
>> Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1:
>> sending encrypted notification INVALID_ID_INFORMATION to 22.45. :500
>
> Your peer sent you a different ID than you expect, so there is no suitable
> connection and your server just tells you so. The peer probably tries to
> identify by IP, and this is not a certificate setup.
>
>>
>> On the router here is what the VPN log reads (wished it was more verbose)
>>
>> 2009 Sep 1 18:47:31 [SRXN3205] [IKE] Ignore information because
>> ISAKMP-SA has not been established yet._
>> 2009 Sep 1 18:47:40 [SRXN3205] [IKE] The packet is retransmitted by
>> 16.16.[500]._
> ...
>
>>
>> I followed the certs instructions to a T.... Where am I going wrong? Is
>> there some way I can see what is being transmitted to the Openswan
>> server and what it is sending back?
>
> See above ....
>
>> Here is what I am trying to do... I am trying to get my SRXN3207 to
>> connect to an Openswan VPN server using certificates.... The vendor ID of
>> the Ike negotiations identifies V-IPSecure as a vendor racoon.
>
> No, you do not try to identify by cert.
>
> cheers
>
> Erich
>
>
> 
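Erich's diagnosis above (the peer presents ID_IPV4_ADDR while the conn only matches certificate-derived IDs, hence "no suitable connection" and INVALID_ID_INFORMATION) can be checked mechanically. The following is an added example, not code from this thread or from Openswan: it parses pluto log lines of the shape shown above together with the conn sections of ipsec.conf and flags that mismatch. The sample log and conf fragments are constructed from the ones posted above, and the helper names (parse_conns, expects_cert_id, diagnose) are my own.

```python
import re
# Constructed sample input, cut down from the log and ipsec.conf posted in the thread
SAMPLE_LOG = """\
Sep  2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep  2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: no suitable connection for peer '12.234.22.224'
Sep  2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
"""
SAMPLE_CONF = """\
conn ait-to-home
        authby=rsasig
        right=%any
        rightca=%same
        rightrsasigkey=%cert
"""
# Per-SA pluto lines look like: "conn"[instance] peer #sa: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Main mode peer ID is (?P<idtype>ID_\w+): '(?P<ident>[^']*)'")

def parse_conns(conf_text):
    """Return {conn_name: {key: value}} per 'conn' section (no %default merging)."""
    conns, cur = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def expects_cert_id(conn):
    """Right side is RSA/cert-authenticated and no explicit rightid overrides the cert DN."""
    return conn.get("authby") == "rsasig" and conn.get("rightrsasigkey") == "%cert" and "rightid" not in conn

def diagnose(log_text, conf_text):
    """Flag SAs where the peer sent an IP-address ID but the conn only matches certificate IDs."""
    conns, peer_ids, findings = parse_conns(conf_text), {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # "packet from ..." lines carry no conn/SA tag
        key = (m["conn"], m["sa"])
        pid = PEER_ID_RE.search(m["msg"])
        if pid:
            peer_ids[key] = (pid["idtype"], pid["ident"])
        elif m["msg"].startswith("no suitable connection") and key in peer_ids:
            idtype, ident = peer_ids[key]
            if idtype == "ID_IPV4_ADDR" and expects_cert_id(conns.get(m["conn"], {})):
                findings.append(f"{m['conn']} #{m['sa']}: peer {m['peer']} sent ID_IPV4_ADDR {ident} but the conn expects a certificate ID (rightrsasigkey=%cert); client is not doing cert auth")
    return findings
```

Run diagnose() over the real /var/log/secure and ipsec.conf; an empty list means the peer's ID type and the conn's authentication settings agree, so the problem lies elsewhere.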

