[Openswan Users] iPad IPSEC/L2TP->OpenSwan problem
John E.P. Hynes
john at hytronix.com
Wed Oct 27 18:02:06 EDT 2010
On 10/27/2010 05:10 PM, Paul Wouters wrote:
> On Wed, 27 Oct 2010, John E.P. Hynes wrote:
>
>> I have a configuration that works for windows clients but not for
>> iPads. I have included some of the changes suggested by (Nate Carlson?
>> Can't remember) to the config files to allow Apple clients to connect.
>
>> Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7: byte
>> 2 of ISAKMP Identification Payload must be zero, but is not
>> Oct 27 16:15:12 firewall pluto[5659]: "dynip-hosts"[3] x.x.x.x #7:
>> probable authentication failure (mismatch of preshared secrets?):
>> malformed payload in packet
>
>> The "mismatch of preshared secrets?" seems obvious - but I've checked to
>> make sure they agree many times.
>
> Did you make sure about this? Perhaps a weird character not supported on
> the ipad?
>
>> My "dynip-hosts" config looks like this:
>>
>> conn dynip-hosts
>> authby=secret
>> pfs=no
>> left=y.y.y.y
>> leftsubnet=10.0.0.0/24
>> leftprotoport=17/1701
>> rightnexthop=%defaultroute
>> right=%any
>> rightprotoport=17/%any
>> rightsubnet=vhost:%priv,%no
>> forceencaps=yes
>> auto=add
>
> forceencaps should not be needed.
> leftsubnet= is wrong and should be left out
> (if you put it there because your openswan server is behind a port
> forward,
> remove it and put left=yourrealip there.)
>
> missing type=transport
>
> Paul
Thanks Paul - I tried all of your suggestions and changed the PSK to
something without special chars.
It looks like it's *almost* there now - now I get:
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[1] x.x.x.x #1:
responding to Main Mode from unknown peer x.x.x.x
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[1] x.x.x.x #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[1] x.x.x.x #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[1] x.x.x.x #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer
is NATed
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[1] x.x.x.x #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[1] x.x.x.x #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[1] x.x.x.x #1: Main
mode peer ID is ID_IPV4_ADDR: '192.168.1.7'
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[1] x.x.x.x #1:
switched from "dynip-hosts" to "dynip-hosts"
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
deleting connection "dynip-hosts" instance with peer x.x.x.x
{isakmp=#0/ipsec=#0}
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: new
NAT mapping for #1, was x.x.x.x:500, now x.x.x.x:4500
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Oct 27 17:57:08 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
received and ignored informational message
Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: the
peer proposed: y.y.y.y/32:17/1701 -> 192.168.1.7/32:17/0
Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
cannot respond to IPsec SA request because no connection is known for
y.y.y.y<y.y.y.y>[+S=C]:17/1701...x.x.x.x[192.168.1.7,+S=C]:17/%any===192.168.1.7/32
Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:4500
Oct 27 17:57:12 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: the
peer proposed: y.y.y.y/32:17/1701 -> 192.168.1.7/32:17/0
Oct 27 17:57:12 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:12 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:12 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:12 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:12 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
cannot respond to IPsec SA request because no connection is known for
y.y.y.y<y.y.y.y>[+S=C]:17/1701...x.x.x.x[192.168.1.7,+S=C]:17/%any===192.168.1.7/32
Oct 27 17:57:12 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:4500
Oct 27 17:57:15 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: the
peer proposed: y.y.y.y/32:17/1701 -> 192.168.1.7/32:17/0
Oct 27 17:57:15 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:15 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:15 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:15 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:15 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
cannot respond to IPsec SA request because no connection is known for
y.y.y.y<y.y.y.y>[+S=C]:17/1701...x.x.x.x[192.168.1.7,+S=C]:17/%any===192.168.1.7/32
Oct 27 17:57:15 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:4500
Oct 27 17:57:18 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: the
peer proposed: y.y.y.y/32:17/1701 -> 192.168.1.7/32:17/0
Oct 27 17:57:18 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:18 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:18 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:18 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:18 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
cannot respond to IPsec SA request because no connection is known for
y.y.y.y<y.y.y.y>[+S=C]:17/1701...x.x.x.x[192.168.1.7,+S=C]:17/%any===192.168.1.7/32
Oct 27 17:57:18 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:4500
Oct 27 17:57:20 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: the
peer proposed: y.y.y.y/32:17/1701 -> 192.168.1.7/32:17/0
Oct 27 17:57:20 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:20 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:20 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:20 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:20 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
cannot respond to IPsec SA request because no connection is known for
y.y.y.y<y.y.y.y>[+S=C]:17/1701...x.x.x.x[192.168.1.7,+S=C]:17/%any===192.168.1.7/32
Oct 27 17:57:20 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:4500
Oct 27 17:57:23 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: the
peer proposed: y.y.y.y/32:17/1701 -> 192.168.1.7/32:17/0
Oct 27 17:57:23 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:23 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:23 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:23 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:23 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
cannot respond to IPsec SA request because no connection is known for
y.y.y.y<y.y.y.y>[+S=C]:17/1701...x.x.x.x[192.168.1.7,+S=C]:17/%any===192.168.1.7/32
Oct 27 17:57:23 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:4500
Oct 27 17:57:26 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: the
peer proposed: y.y.y.y/32:17/1701 -> 192.168.1.7/32:17/0
Oct 27 17:57:26 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:26 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:26 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:26 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:26 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
cannot respond to IPsec SA request because no connection is known for
y.y.y.y<y.y.y.y>[+S=C]:17/1701...x.x.x.x[192.168.1.7,+S=C]:17/%any===192.168.1.7/32
Oct 27 17:57:26 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:4500
Oct 27 17:57:29 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: the
peer proposed: y.y.y.y/32:17/1701 -> 192.168.1.7/32:17/0
Oct 27 17:57:29 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:29 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:29 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:29 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:29 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
cannot respond to IPsec SA request because no connection is known for
y.y.y.y<y.y.y.y>[+S=C]:17/1701...x.x.x.x[192.168.1.7,+S=C]:17/%any===192.168.1.7/32
Oct 27 17:57:29 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:4500
Oct 27 17:57:32 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: the
peer proposed: y.y.y.y/32:17/1701 -> 192.168.1.7/32:17/0
Oct 27 17:57:32 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:32 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:32 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer
proposal was reject in a virtual connection policy because:
Oct 27 17:57:32 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: a
private network virtual IP was required, but the proposed IP did not
match our list (virtual_private=)
Oct 27 17:57:32 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
cannot respond to IPsec SA request because no connection is known for
y.y.y.y<y.y.y.y>[+S=C]:17/1701...x.x.x.x[192.168.1.7,+S=C]:17/%any===192.168.1.7/32
Oct 27 17:57:32 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:4500
Thanks Again,
-John
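Added example, not part of the thread above: a small model of why pluto rejects the iPad's Quick Mode proposal. The log says the peer proposed 192.168.1.7/32 as its inner address and that it "did not match our list (virtual_private=)", i.e. the list was empty. With rightsubnet=vhost:%priv, pluto only accepts a peer address that falls inside the virtual_private= setting of the config setup section in ipsec.conf, a comma-separated list of %v4:NET entries where a leading "!" excludes a range. The matching below is an approximation of that rule written for illustration, not pluto's own code; the sample virtual_private value (RFC 1918 space minus the server's 10.0.0.0/24 LAN from the posted config) and the sample addresses are assumptions constructed for the example.

```python
"""Model of Openswan's virtual_private / vhost:%priv acceptance check.

Added example, not code from the Openswan project or from the thread.
Assumptions: the peer address comes from the thread's log line
  "the peer proposed: y.y.y.y/32:17/1701 -> 192.168.1.7/32:17/0"
and the candidate virtual_private= value is constructed here.
"""
import ipaddress


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) network lists.

    Entries look like %v4:10.0.0.0/8; a leading '!' after %v4: excludes
    that range (used to keep the server's own LAN out of the allowed space).
    """
    allowed, excluded = [], []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        if not entry.startswith("%v4:"):
            raise ValueError(f"unsupported virtual_private entry: {entry}")
        net = entry[len("%v4:"):]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, excluded


def vhost_priv_accepts(virtual_private, proposed_ip):
    """Return True if a rightsubnet=vhost:%priv policy would accept proposed_ip.

    Exclusions win over allowed ranges, so a client cannot claim an address
    that overlaps the network behind the gateway.
    """
    allowed, excluded = parse_virtual_private(virtual_private)
    ip = ipaddress.ip_address(proposed_ip)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in allowed)


def reject_reason(log_line):
    """Extract the list pluto complained about from a rejection log line."""
    marker = "proposed IP did not match our list ("
    if marker not in log_line:
        return None
    start = log_line.index(marker) + len(marker)
    return log_line[start:log_line.index(")", start)]


# Constructed sample input: the NATed inner address the iPad proposed.
PEER_IP = "192.168.1.7"

# What the posted setup effectively had: an empty list (log prints "virtual_private=").
EMPTY_LIST = ""

# Constructed candidate for config setup: RFC 1918 space, minus the server's
# own 10.0.0.0/24 LAN so a roaming client cannot overlap it.
FIXED_LIST = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
              "%v4:!10.0.0.0/24")

# Constructed log line in the shape pluto printed in the thread.
SAMPLE_LOG = ('"dynip-hosts"[2] x.x.x.x #1: a private network virtual IP was '
              "required, but the proposed IP did not match our list (virtual_private=)")


if __name__ == "__main__":
    print("log complained about:", repr(reject_reason(SAMPLE_LOG)))
    for label, vp in (("as posted", EMPTY_LIST), ("with virtual_private", FIXED_LIST)):
        verdict = "accepted" if vhost_priv_accepts(vp, PEER_IP) else "rejected"
        print(f"{label}: {PEER_IP} -> {verdict}")
    # A client claiming an address inside the server LAN is still refused.
    print("10.0.0.50 with virtual_private ->", vhost_priv_accepts(FIXED_LIST, "10.0.0.50"))
```

The exclusion entry matters for more than tidiness: without it, a client could present an inner address that collides with a host on the 10.0.0.0/24 LAN and pull that host's traffic into the tunnel policy, so the list should always carve out every subnet the gateway actually serves.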