[Openswan Users] RSA + XAUTH + Cisco reconnection failures

Andrew Campbell Andrew.Campbell at madisontech.com.au
Sun Mar 7 09:22:13 EST 2010


Hi Paul,

> That really needs upgrading. At the very least to 2.4.15, ideally to
> 2.6.24/2.6.25

Upgraded to Linux Openswan U2.6.24/K2.6.29-xs5.5.0.15 (netkey)

> To make these tests non-interactive, why don't you add the user name to
> ipsec.conf:
> 	leftxauthusername=test3
> and the password to ipsec.secrets:
> 	@test3 : XAUTH "password"

Made the recommended changes with the same result:

Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: initiating Main Mode
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: received Vendor ID payload [RFC 3947] method set to=109
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: enabling possible NAT-traversal with method 4
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: received Vendor ID payload [Cisco-Unity]
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: received Vendor ID payload [Dead Peer Detection]
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: ignoring unknown Vendor ID payload [8501a8e3ce9cfca42670dabe39360f98]
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: received Vendor ID payload [XAUTH]
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: I am sending my cert
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: I am sending a certificate request
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: STATE_MAIN_I3: sent MI3, expecting MR3
Mar  8 01:07:35 debian pluto[24010]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: Main mode peer ID is ID_FQDN: '@server.domain.com'
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: no crl from issuer "CN=Secure Virtual Private Network" found (strict=no)
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x47f6cf82) not found (maybe expired)
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: received and ignored informational message
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: XAUTH: Unsupported attribute: 21??
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: XAUTH: Answering XAUTH challenge with user='test3'
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: received Delete SA payload: deleting ISAKMP State #3
Mar  8 01:07:35 debian pluto[24010]: packet from 113.192.10.21:4500: received and ignored informational message

If I down / up the VPN after the failure it connects perfectly.

When the Phase 2 lifetime expires, Openswan also fails to reconnect.

Any ideas?



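Added example, not part of the thread or of Openswan: a small Python check that replays pluto log lines like the ones quoted above and flags an ISAKMP state that the peer deleted while the XAUTH client was still in STATE_XAUTH_I1 (awaiting CFG_set), which is exactly where state #3 dies in the log. The sample input re-joins the wrapped lines from the post; the second attempt (#4) is constructed to show that a teardown before XAUTH starts is not reported.

```python
import re
from typing import Dict, List

# Constructed sample: pluto lines quoted in the post (state #3, re-joined onto single lines)
# plus a hypothetical second attempt #4 that the peer tears down before XAUTH starts.
SAMPLE_LOG = """\
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: initiating Main Mode
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x47f6cf82) not found (maybe expired)
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: XAUTH: Answering XAUTH challenge with user='test3'
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar  8 01:07:35 debian pluto[24010]: "vpn" #3: received Delete SA payload: deleting ISAKMP State #3
Mar  8 01:07:35 debian pluto[24010]: packet from 113.192.10.21:4500: received and ignored informational message
Mar  8 01:09:10 debian pluto[24010]: "vpn" #4: STATE_MAIN_I2: sent MI2, expecting MR2
Mar  8 01:09:10 debian pluto[24010]: "vpn" #4: received Delete SA payload: deleting ISAKMP State #4
"""

LINE_RE = re.compile(  # syslog timestamp, host, pluto[pid], then "conn" #state: message
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)$'
)
DELETE_RE = re.compile(r'received Delete SA payload: deleting ISAKMP State #(?P<target>\d+)')
XAUTH_USER_RE = re.compile(r"XAUTH: Answering XAUTH challenge with user='(?P<user>[^']*)'")

def find_xauth_teardowns(log_text: str) -> List[Dict[str, str]]:
    """One finding per ISAKMP state the peer deleted while our XAUTH client
    was still in STATE_XAUTH_I1, i.e. after answering but before any CFG_set."""
    states: Dict[str, Dict[str, str]] = {}
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "packet from ..." and "| debug" lines carry no state number
        conn, num, msg = m.group("conn"), m.group("num"), m.group("msg")
        st = states.setdefault(num, {"conn": conn, "last_state": "", "user": ""})
        if msg.startswith("STATE_"):
            st["last_state"] = msg.split(":", 1)[0]  # e.g. STATE_XAUTH_I1
        u = XAUTH_USER_RE.search(msg)
        if u:
            st["user"] = u.group("user")
        d = DELETE_RE.search(msg)  # "ignoring Delete SA ... not found" does not match
        if d:
            target = states.get(d.group("target"))
            if target and target["last_state"] == "STATE_XAUTH_I1":
                findings.append({"ts": m.group("ts"), "conn": target["conn"], "state": d.group("target"),
                                 "user": target["user"], "last_state": target["last_state"]})
    return findings

if __name__ == "__main__":
    print(find_xauth_teardowns(SAMPLE_LOG))
```

Run against a real /var/log/auth.log or pluto.log it reports only ISAKMP SAs torn down mid-XAUTH, so the "ignoring Delete SA ... (maybe expired)" noise for an old ESP SA is not counted.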