[Openswan Users] VPN from shrewsoft vpn client to openswan stuck in IKE phase
Mohit Mehta
mohit.mehta at vyatta.com
Fri Sep 4 20:22:03 EDT 2009
I am trying to establish a VPN connection to Openswan using the Shrew Soft VPN client with XAUTH. However, it seems to be stuck in phase 1. While running Wireshark on the PC's interface, I could see ISAKMP messages to/from the box running Openswan. Any help with this will be much appreciated. Please find the relevant information below -
On Openswan's side, I see these messages in the log repeatedly, until the Shrew Soft client gives up trying to connect:
packet from 10.3.0.168:500: received Vendor ID payload [XAUTH]
packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
packet from 10.3.0.168:500: received Vendor ID payload [RFC 3947] method set to=109
packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [12f5f28c457168a9702d9fe274cc0204]
"xauth-roadwarriors"[1] 10.3.0.168 #3: Aggressive mode peer ID is ID_FQDN: '@mohit'
"xauth-roadwarriors"[1] 10.3.0.168 #3: responding to Aggressive Mode, state #3, connection "xauth-roadwarriors" from 10.3.0.168
"xauth-roadwarriors"[1] 10.3.0.168 #3: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
"xauth-roadwarriors"[1] 10.3.0.168 #3: STATE_AGGR_R1: sent AR1, expecting AI2
....
same messages repeated below as above
....
packet from 10.3.0.168:500: received Vendor ID payload [XAUTH]
packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
packet from 10.3.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
packet from 10.3.0.168:500: received Vendor ID payload [RFC 3947] method set to=109
packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
packet from 10.3.0.168:500: ignoring unknown Vendor ID payload [12f5f28c457168a9702d9fe274cc0204]
"xauth-roadwarriors"[1] 10.3.0.168 #4: Aggressive mode peer ID is ID_FQDN: '@mohit'
"xauth-roadwarriors"[1] 10.3.0.168 #4: responding to Aggressive Mode, state #4, connection "xauth-roadwarriors" from 10.3.0.168
"xauth-roadwarriors"[1] 10.3.0.168 #4: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
"xauth-roadwarriors"[1] 10.3.0.168 #4: STATE_AGGR_R1: sent AR1, expecting AI2
---------------------------------
Config information for openswan :
---------------------------------
root at vDUT-1# more /etc/ipsec.d/passwd
mohit:MJvcO/8f716JU:xauth-roadwarriors
root at vDUT-1# more /etc/ipsec.secrets
# /etc/ipsec.secrets file for @mohit
10.3.0.110 @mohit : PSK "mohitmehta"
root at vDUT-1# more /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    nhelpers=0
conn xauth-roadwarriors
    aggrmode=yes
    authby=secret
    auto=add
    ike=3des-md5-modp1024
    esp=3des-md5
    left=10.3.0.110
    leftxauthserver=yes
    right=%any
    rightid=@mohit
    rightxauthclient=yes
# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
On Shrew Soft's side, I have 'auto configuration' disabled and am using 'existing adapter and current address' as the address method. Here's the log -
09/09/04 16:55:54 ii : ipc client process thread begin ...
09/09/04 16:55:54 <A : peer config add message
09/09/04 16:55:54 DB : peer added ( obj count = 1 )
09/09/04 16:55:54 ii : local address 10.3.0.168:500 selected for peer
09/09/04 16:55:54 DB : tunnel added ( obj count = 1 )
09/09/04 16:55:54 <A : proposal config message
09/09/04 16:55:54 <A : proposal config message
09/09/04 16:55:54 <A : client config message
09/09/04 16:55:54 <A : xauth username message
09/09/04 16:55:54 <A : xauth password message
09/09/04 16:55:54 <A : local id 'mohit' message
09/09/04 16:55:54 <A : preshared key message
09/09/04 16:55:54 <A : remote resource message
09/09/04 16:55:54 <A : peer tunnel enable message
09/09/04 16:55:54 DB : new phase1 ( ISAKMP initiator )
09/09/04 16:55:54 DB : exchange type is aggressive
09/09/04 16:55:54 DB : 10.3.0.168:500 <-> 10.3.0.110:500
09/09/04 16:55:54 DB : afa9e19b5df65c7b:0000000000000000
09/09/04 16:55:54 DB : phase1 added ( obj count = 1 )
09/09/04 16:55:54 >> : security association payload
09/09/04 16:55:54 >> : - proposal #1 payload
09/09/04 16:55:54 >> : -- transform #1 payload
09/09/04 16:55:54 >> : key exchange payload
09/09/04 16:55:54 >> : nonce payload
09/09/04 16:55:54 >> : identification payload
09/09/04 16:55:54 >> : vendor id payload
09/09/04 16:55:54 ii : local supports XAUTH
09/09/04 16:55:54 >> : vendor id payload
09/09/04 16:55:54 ii : local supports nat-t ( draft v00 )
09/09/04 16:55:54 >> : vendor id payload
09/09/04 16:55:54 ii : local supports nat-t ( draft v01 )
09/09/04 16:55:54 >> : vendor id payload
09/09/04 16:55:54 ii : local supports nat-t ( draft v02 )
09/09/04 16:55:54 >> : vendor id payload
09/09/04 16:55:54 ii : local supports nat-t ( draft v03 )
09/09/04 16:55:54 >> : vendor id payload
09/09/04 16:55:54 ii : local supports nat-t ( rfc )
09/09/04 16:55:54 >> : vendor id payload
09/09/04 16:55:54 ii : local is SHREW SOFT compatible
09/09/04 16:55:54 >> : vendor id payload
09/09/04 16:55:54 ii : local is NETSCREEN compatible
09/09/04 16:55:54 >> : vendor id payload
09/09/04 16:55:54 ii : local is SIDEWINDER compatible
09/09/04 16:55:54 >> : vendor id payload
09/09/04 16:55:54 ii : local is CISCO UNITY compatible
09/09/04 16:55:54 >= : cookies afa9e19b5df65c7b:0000000000000000
09/09/04 16:55:54 >= : message 00000000
09/09/04 16:55:54 -> : send IKE packet 10.3.0.168:500 -> 10.3.0.110:500 ( 477 bytes )
09/09/04 16:55:54 DB : phase1 resend event scheduled ( ref count = 2 )
09/09/04 16:55:59 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.3.0.110:500
09/09/04 16:56:04 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.3.0.110:500
09/09/04 16:56:09 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.3.0.110:500
09/09/04 16:56:14 ii : resend limit exceeded for phase1 exchange
09/09/04 16:56:14 ii : phase1 removal before expire time
09/09/04 16:56:14 DB : phase1 deleted ( obj count = 0 )
09/09/04 16:56:14 DB : policy not found
09/09/04 16:56:14 DB : policy not found
09/09/04 16:56:14 DB : tunnel stats event canceled ( ref count = 1 )
09/09/04 16:56:14 DB : removing tunnel config references
09/09/04 16:56:14 DB : removing tunnel phase2 references
09/09/04 16:56:14 DB : removing tunnel phase1 references
09/09/04 16:56:14 DB : tunnel deleted ( obj count = 0 )
09/09/04 16:56:14 DB : removing all peer tunnel refrences
09/09/04 16:56:14 DB : peer deleted ( obj count = 0 )
09/09/04 16:56:14 ii : ipc client process thread exit ...
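The two logs above can be read against each other to see which leg of the aggressive-mode exchange (AI1 -> AR1 -> AI2) is failing: pluto reaches STATE_AGGR_R1 and logs "sent AR1, expecting AI2" for every attempt, while the client only ever logs sends and resends and finally "resend limit exceeded". The following is an added diagnostic written for this page, not code from Openswan or Shrew Soft. The regular expressions match the message formats visible in the post; the pattern used for an inbound packet on the Shrew Soft side ("<- : recv IKE packet") is an assumption about its log format, and the two sample logs are trimmed copies constructed from the post.

```python
"""Correlate an Openswan (pluto) log with a Shrew Soft client log to locate
where an IKEv1 aggressive-mode Phase 1 exchange stalls.

Added example for this thread, not Openswan's or Shrew Soft's own code.
"""
import re

# Constructed sample input: trimmed copies of the two logs in the post.
OPENSWAN_LOG = """\
packet from 10.3.0.168:500: received Vendor ID payload [XAUTH]
packet from 10.3.0.168:500: received Vendor ID payload [RFC 3947] method set to=109
"xauth-roadwarriors"[1] 10.3.0.168 #3: Aggressive mode peer ID is ID_FQDN: '@mohit'
"xauth-roadwarriors"[1] 10.3.0.168 #3: responding to Aggressive Mode, state #3, connection "xauth-roadwarriors" from 10.3.0.168
"xauth-roadwarriors"[1] 10.3.0.168 #3: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
"xauth-roadwarriors"[1] 10.3.0.168 #3: STATE_AGGR_R1: sent AR1, expecting AI2
"xauth-roadwarriors"[1] 10.3.0.168 #4: Aggressive mode peer ID is ID_FQDN: '@mohit'
"xauth-roadwarriors"[1] 10.3.0.168 #4: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
"xauth-roadwarriors"[1] 10.3.0.168 #4: STATE_AGGR_R1: sent AR1, expecting AI2
"""

SHREWSOFT_LOG = """\
09/09/04 16:55:54 DB : new phase1 ( ISAKMP initiator )
09/09/04 16:55:54 DB : exchange type is aggressive
09/09/04 16:55:54 -> : send IKE packet 10.3.0.168:500 -> 10.3.0.110:500 ( 477 bytes )
09/09/04 16:55:59 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.3.0.110:500
09/09/04 16:56:04 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.3.0.110:500
09/09/04 16:56:09 -> : resend 1 phase1 packet(s) 10.3.0.168:500 -> 10.3.0.110:500
09/09/04 16:56:14 ii : resend limit exceeded for phase1 exchange
"""

# pluto state machine messages, as they appear in the post
PLUTO_TRANSITION = re.compile(
    r'#(?P<sa>\d+): transition from state (?P<frm>STATE_\w+) to state (?P<to>STATE_\w+)')
PLUTO_SENT = re.compile(
    r'#(?P<sa>\d+): (?P<state>STATE_\w+): sent (?P<msg>\w+), expecting (?P<exp>\w+)')

# Shrew Soft messages; the inbound-packet pattern is an assumption, not seen in the post
SHREW_SEND = re.compile(r' -> : send IKE packet (?P<src>[\d.:]+) -> (?P<dst>[\d.:]+)')
SHREW_RESEND = re.compile(r' -> : resend (?P<n>\d+) phase1 packet')
SHREW_RECV = re.compile(r' <- : recv IKE packet')
SHREW_GAVE_UP = re.compile(r'resend limit exceeded for phase1')


def parse_openswan(text):
    """Map each ISAKMP SA number (#n) to its last state and the messages it sent."""
    sas = {}
    for line in text.splitlines():
        m = PLUTO_TRANSITION.search(line) or PLUTO_SENT.search(line)
        if not m:
            continue
        sa = sas.setdefault(int(m['sa']), {'last_state': None, 'sent': [], 'expecting': None})
        if 'to' in m.groupdict():
            sa['last_state'] = m['to']
        else:
            sa['sent'].append(m['msg'])
            sa['expecting'] = m['exp']
    return sas


def parse_shrewsoft(text):
    """Count outbound Phase 1 sends/resends and inbound IKE packets on the client side."""
    stats = {'sends': 0, 'resends': 0, 'received': 0, 'gave_up': False, 'peer': None}
    for line in text.splitlines():
        if m := SHREW_SEND.search(line):
            stats['sends'] += 1
            stats['peer'] = m['dst']
        elif m := SHREW_RESEND.search(line):
            stats['sends'] += int(m['n'])
            stats['resends'] += int(m['n'])
        elif SHREW_RECV.search(line):
            stats['received'] += 1
        elif SHREW_GAVE_UP.search(line):
            stats['gave_up'] = True
    return stats


def diagnose(openswan_text, shrewsoft_text):
    """Decide which leg of the AI1 -> AR1 -> AI2 exchange is failing."""
    sas = parse_openswan(openswan_text)
    client = parse_shrewsoft(shrewsoft_text)
    # Responder-side SAs that sent AR1 and are still waiting for AI2.
    stalled = sorted(n for n, sa in sas.items()
                     if sa['last_state'] == 'STATE_AGGR_R1' and 'AR1' in sa['sent'])
    if not sas:
        verdict = 'initiator_packet_not_received'   # AI1 never reached pluto
    elif stalled and client['received'] == 0:
        verdict = 'responder_reply_not_received'    # pluto logged AR1, client logged nothing inbound
    elif stalled:
        verdict = 'initiator_rejected_reply'        # client saw AR1 but never sent AI2
    else:
        verdict = 'phase1_progressed'
    return {
        'responder_stalled_sas': stalled,
        'initiator_sends': client['sends'],
        'initiator_resends': client['resends'],
        'initiator_received': client['received'],
        'initiator_gave_up': client['gave_up'],
        'verdict': verdict,
    }


if __name__ == '__main__':
    for key, value in diagnose(OPENSWAN_LOG, SHREWSOFT_LOG).items():
        print(f'{key}: {value}')
```

For the logs in this thread the verdict is responder_reply_not_received: two responder SAs (#3 and #4) sent AR1 and are waiting for AI2, while the client sent AI1 four times (one send plus three resends), logged no inbound packet at all, and gave up. That points at the return path for UDP/500 from 10.3.0.110 to 10.3.0.168 rather than at a proposal, ID or XAUTH mismatch, which would show up as a rejection or a different state on one side; a capture on the client interface (filtered on udp port 500 and the responder's address) confirms whether AR1 ever arrives. One caveat on the configuration itself: with aggrmode=yes and authby=secret the responder's AR1 carries a hash derived from the pre-shared key unencrypted, so anyone who can capture that exchange can run an offline dictionary attack against the PSK; XAUTH on top does not change that.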