[Openswan Users] Sonicwall TZ170 to OpenSWAN peer's ID_USER_FQDN contains no @

Paul Wouters paul at xelerance.com
Wed Apr 28 12:06:21 EDT 2010


On Wed, 28 Apr 2010, Mike A. Leonetti wrote:

>>> And then
>>> Apr 28 09:08:32 fortissimo pluto[23745]: packet from y.y.y.y:500:
>>> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>>> Apr 28 09:08:32 fortissimo pluto[23745]: packet from y.y.y.y:500:
>>> ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
>>> Apr 28 09:08:32 fortissimo pluto[23745]: packet from y.y.y.y:500:
>>> ignoring Vendor ID payload [Sonicwall 2 (3.1.0.12-86s?)]
>>> Apr 28 09:08:32 fortissimo pluto[23745]: packet from y.y.y.y:500:
>>> received Vendor ID payload [XAUTH]
>>> Apr 28 09:08:32 fortissimo pluto[23745]: packet from y.y.y.y:500:
>>> initial Aggressive Mode message from y.y.y.y but no (wildcard)
>>> connection has been configured with policy=PSK+AGGRESSIVE
>>
>> Try using right=%any
>>
>>> But it never comes up.
>>>
> It isn't very happy with that.
>
> Apr 28 11:56:56 fortissimo pluto[25359]: "andree": deleting connection
> Apr 28 11:56:56 fortissimo pluto[25359]: "andree" #37: deleting state
> (STATE_AGGR_I1)
> Apr 28 11:56:57 fortissimo pluto[28651]: added connection description
> "andree"
> Apr 28 11:56:57 fortissimo ipsec__plutorun: 002 added connection
> description "andree"
> Apr 28 11:56:58 fortissimo pluto[28651]: "andree": cannot initiate
> connection without knowing peer IP address (kind=CK_TEMPLATE)
> Apr 28 11:56:58 fortissimo ipsec__plutorun: 029 "andree": cannot
> initiate connection without knowing peer IP address (kind=CK_TEMPLATE)

Yes, you can only respond when using %any, not initiate.

I guess I'm just confused what the intention here is, and if one or both
endpoints are behind NAT.

Paul
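The responder-only shape Paul describes, written out as an added Openswan ipsec.conf example (not a configuration posted in this thread); the conn name comes from the logs above, while the addresses, subnets, rightid and PSK are placeholders that would have to match the real peer.

```ini
# Added example, not from the thread. With right=%any the conn is a
# template (kind=CK_TEMPLATE): pluto can only instantiate it when the
# peer's Aggressive Mode proposal arrives, so it is loaded with auto=add.
# Setting auto=start, or running "ipsec auto --up andree", produces the
# "cannot initiate connection without knowing peer IP address" message
# quoted above. Addresses, subnets, IDs and the secret are placeholders.
conn andree
    keyexchange=ike
    authby=secret
    aggrmode=yes               # peer (Sonicwall) sends Aggressive Mode
    left=192.0.2.1             # placeholder: this host's public address
    leftsubnet=10.0.0.0/24     # placeholder
    right=%any                 # peer address not known in advance: respond only
    rightsubnet=10.0.1.0/24    # placeholder
    rightid=@peer-id-placeholder   # assumption: the ID the peer actually sends,
                                   # used to pick this conn for a %any peer
    auto=add                   # load and wait for the peer; never auto=start

# --- /etc/ipsec.secrets --- (placeholder PSK)
# The PSK entry must also match an unknown peer address, hence %any.
192.0.2.1 %any : PSK "replace-with-the-real-shared-secret"
```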

