[Openswan Users] Openswan and V-IPSecure
JT Edwards
tstrike34 at gmail.com
Wed Sep 2 09:43:31 EDT 2009
Here is the secure log and my ipsec.conf in its entirety.
#securelog
Sep 2 08:37:44 wizbang pluto[5858]: packet from 12.234.22.224:500: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Sep 2 08:37:44 wizbang pluto[5858]: packet from 12.234.22.224:500: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Sep 2 08:37:44 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: responding to Main Mode from unknown peer 12.234.22.224
Sep 2 08:37:44 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 2 08:37:44 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: ignoring Vendor ID payload [KAME/racoon]
Sep 2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: no suitable connection for peer '12.234.22.224'
Sep 2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: no suitable connection for peer '12.234.22.224'
Sep 2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: no suitable connection for peer '12.234.22.224'
Sep 2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 2 08:38:15 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 2 08:38:15 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: no suitable connection for peer '12.234.22.224'
Sep 2 08:38:15 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 2 08:38:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: max number of retransmissions (2) reached STATE_MAIN_R2
Sep 2 08:38:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224: deleting connection "ait-to-home" instance with peer 12.234.22.224 {isakmp=#0/ipsec=#0}
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=auto

# Add connections here
conn ait-to-home
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    authby=rsasig
    pfs=no
    auto=add
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is transport mode
    # See http://bugs.xelerance.com/view.php?id=466
    type=transport
    #
    left=22.34.33.26
    leftid=%fromcert
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/aittorden.pem
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port. If that does
    # not work, try 17/%any (or fall back to 17/1701 for just Windows
    # clients).
    rightprotoport=17/0
    rightsubnet=vhost:%priv,%no
JT Edwards
Senior Solutions Architect (Automation and Service Management)
IBM Tivoli Certified
Direct: 281-226-0284
Direct: 512-772-3266
Follow Me: 1866-866-4391 ext 1
AIM tstrike34
GoogleTalk tstrike34 at gmail.com
--------------------------------------------------
From: "Erich Titl" <erich.titl at think.ch>
Sent: Wednesday, September 02, 2009 9:32 AM
To: "JT Edwards" <tstrike34 at gmail.com>
Cc: <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure
> Hi
>
> JT Edwards wrote:
>> To all:
>>
>> I have researched all the material that is in the archives.
>>
>> I configured V-IPSecure for IKE VPN with certificates. After following
>> the instructions for generating certificates (to include a key) I
>> attempted to start a connection to an Openswan VPN gateway. We reach the
>> 2nd stage of the IKE negotiations when I get these messages:
>>
> ....
>
>> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1:
>> STATE_MAIN_R2: sent MR2, expecting MI3
>> Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: Main
>> mode peer ID is ID_IPV4_ADDR: '22.45.'
>
> See, no certificate.....
>
>> Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: no
>> suitable connection for peer '22.45.'
>> Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1:
>> sending encrypted notification INVALID_ID_INFORMATION to 22.45. :500
>
> Your peer sent you another ID than you expect, so there is no suitable
> connection and your server just tells so. The peer probably tries to
> identify by IP and this is not a certificate set up.
>
>>
>> On the router, here is what the VPN log reads (wish it was more verbose):
>>
>> 2009 Sep 1 18:47:31 [SRXN3205] [IKE] Ignore information because
>> ISAKMP-SA has not been established yet._
>> 2009 Sep 1 18:47:40 [SRXN3205] [IKE] The packet is retransmitted by
>> 16.16.[500]._
> ...
>
>>
>> I followed the cert instructions to a T.... Where am I going wrong? Is
>> there some way I can see what is being transmitted to the Openswan
>> server and what it is sending back?
>
> See above ....
>
>> Here is what I am trying to do... I am trying to get my SRXN3207 to
>> connect to an Openswan VPN server using certificates.... The vendor ID in
>> the IKE negotiation identifies V-IPSecure as vendor racoon.
>
> No, you do not try to identify by cert.
>
> cheers
>
> Erich
>
>
>
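A triage script for exactly the pattern Erich points at, added here as an example (it is not code from the thread or from the Openswan project): it parses pluto log lines of the shape shown above, groups them per ISAKMP SA, pulls out the peer's Main Mode ID type and the notifications pluto sent, and checks that against the conn's identity keywords (authby, rightrsasigkey, rightca, rightid). The embedded log lines and conn keywords are constructed from the post's own excerpt; the regexes cover only the message shapes visible on this page, and the finding texts are this example's own wording, not pluto's.

```python
"""Triage an Openswan pluto log for an IKEv1 Main Mode peer rejected with
INVALID_ID_INFORMATION and explain the mismatch against the conn pluto used.

Added example, not Openswan code. SAMPLE_LOG and SAMPLE_CONN are constructed
from the post's own excerpt; the finding texts are this example's wording."""
import re
from collections import defaultdict

# Constructed: same message shapes as the posted /var/log/secure lines, one SA.
SAMPLE_LOG = """\
Sep 2 08:37:44 wizbang pluto[5858]: packet from 12.234.22.224:500: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Sep 2 08:37:44 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: responding to Main Mode from unknown peer 12.234.22.224
Sep 2 08:37:44 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: ignoring Vendor ID payload [KAME/racoon]
Sep 2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: no suitable connection for peer '12.234.22.224'
Sep 2 08:37:45 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 2 08:37:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 2 08:38:55 wizbang pluto[5858]: "ait-to-home"[2] 12.234.22.224 #2: max number of retransmissions (2) reached STATE_MAIN_R2
"""

# Constructed: the identity-relevant keywords of the posted ait-to-home conn.
SAMPLE_CONN = """\
conn ait-to-home
    authby=rsasig
    leftid=%fromcert
    leftrsasigkey=%cert
    right=%any
    rightca=%same
    rightrsasigkey=%cert
"""

# <syslog stamp> <host> pluto[pid]: "<conn>"[inst] <peer> #<sa>: <message>
LINE_RE = re.compile(
    r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'transition from state \S+ to state (?P<to>\S+)')
PEER_ID_RE = re.compile(r"Main mode peer ID is (?P<type>ID_\w+): '(?P<value>[^']*)'")
VID_RE = re.compile(r'ignoring (?:unknown )?Vendor ID payload \[(?P<vid>[^\]]+)\]')
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<notify>[A-Z_]+) to ')


def parse_conn(text):
    """Return {keyword: value} for one conn section of an ipsec.conf fragment."""
    conf = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if '=' in line and not line.startswith('conn '):
            key, value = line.split('=', 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_log(text):
    """Group pluto messages per (conn, peer, SA#): states, peer ID, VIDs, notifies."""
    sas = defaultdict(lambda: {'states': [], 'peer_id': None, 'vendor_ids': [],
                               'notifies': [], 'retransmit_limit': False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # messages logged before an SA exists have no conn/SA prefix
        sa, msg = sas[(m['conn'], m['peer'], int(m['sa']))], m['msg']
        s, p, v, n = (r.search(msg) for r in (STATE_RE, PEER_ID_RE, VID_RE, NOTIFY_RE))
        if s:
            sa['states'].append(s['to'])
        if p:
            sa['peer_id'] = (p['type'], p['value'])
        if v:
            sa['vendor_ids'].append(v['vid'])
        if n:
            sa['notifies'].append(n['notify'])
        if 'max number of retransmissions' in msg:
            sa['retransmit_limit'] = True
    return dict(sas)


def diagnose(sa, conn):
    """Explain an INVALID_ID_INFORMATION rejection against the conn pluto instantiated."""
    if 'INVALID_ID_INFORMATION' not in sa['notifies']:
        return ['no INVALID_ID_INFORMATION sent; peer ID matching is not the failure here']
    findings = []
    id_type, id_value = sa['peer_id'] or (None, None)
    cert_peer = conn.get('authby') == 'rsasig' and conn.get('rightrsasigkey') == '%cert'
    if cert_peer and 'rightid' not in conn:
        findings.append('conn expects the peer identity from its certificate '
                        f"(rightrsasigkey=%cert, rightca={conn.get('rightca', '<unset>')}, no rightid)")
    if id_type == 'ID_IPV4_ADDR':
        findings.append(f'peer identified itself by IP address {id_value}, not by a certificate DN')
    if cert_peer and id_type == 'ID_IPV4_ADDR':
        findings.append('mismatch: make the peer send its certificate identity, or give '
                        'the conn a rightid (and key) for the identity it actually sends')
    if 'KAME/racoon' in sa['vendor_ids']:
        findings.append('peer advertises the KAME/racoon Vendor ID')
    if 'STATE_MAIN_R3' not in sa['states']:
        last = sa['states'][-1] if sa['states'] else 'none'
        findings.append(f'Phase 1 never completed; last state {last}, '
                        f'{len(sa["notifies"])} notification(s) sent')
    return findings


if __name__ == '__main__':
    conn = parse_conn(SAMPLE_CONN)
    for (name, peer, num), sa in parse_log(SAMPLE_LOG).items():
        print(f'{name} peer {peer} SA #{num}:')
        for finding in diagnose(sa, conn):
            print('  -', finding)
```

Run it as a script to print the findings for the sample, or pass a real /var/log/secure and the conn block from ipsec.conf to parse_log and parse_conn. The combination that matters is the one Erich describes: a conn that takes the peer identity from a certificate (rightrsasigkey=%cert, rightca=%same, no rightid) together with a peer that presents ID_IPV4_ADDR, which is why pluto reports "no suitable connection for peer" and answers with INVALID_ID_INFORMATION.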