[Openswan Users] How to config Static-to-Roadwarrior in different openswan version?
Erich Titl
erich.titl at think.ch
Thu May 26 10:37:57 EDT 2011
Hi
at 26.05.2011 12:52, tknv wrote:
> Buggy
>
> Hello,
> I am trying Static-to-RoadWarrior IPsec on the network below.
> at IPsec router: ipsec setup start
> at RoadWarrior: ipsec auto --up road
> But it cannot establish.
>
>                 router(192.168.11.0/24)
>                  /                \
>                 /                  \
>       IPsec router                Roadwarrior
>       Static(192.168.11.11)       Dynamic(192.168.11.X)
>       Openswan 2.4.15(klips)      Openswan U2.6.32
>        /
>       /
> A-machine:192.168.25.X
>
> --ipsec.config:IPsec router--
> version 2.0
>
> config setup
>     interfaces=%defaultroute
>     nat_traversal=yes
>     nhelpers=0
>     syslog=daemon.error
>     klipsdebug=none
>     plutodebug=none
>     plutoopts=
>     handle_delete=no
>     overridemtu=1280
>
> conn road
>     left=192.168.11.11
>     leftsubnet=192.168.25.0/24
>     right=%any
>     rightnexthop=%defaultroute
>     auto=add
>     authby=secret
>     type=tunnel
>     leftid=@dh.srv.org
>     rightid=@dh.ore.org
>     keyingtries=0
>     aggrmode=yes
don't do that
>     pfs=no
>     keylife=28800
>     ikelifetime=3600
>     rekeymargin=100
>     rekeyfuzz=0%
>     dpddelay=30
>     dpdaction=clear
> include /etc/ipsec.d/examples/no_oe.conf
>
> --ipsec.config:Roadwarrior--
> version 2.0
>
> config setup
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>     protostack=klips
>     klipsdebug=none
>     plutodebug=none
>     nhelpers=0
>
> conn road
>     authby=secret
>     left=%defaultroute
>     leftid=@dh.ore.org
>     right=192.168.11.11
>     rightsubnet=192.168.25.0/24
>     rightid=@dh.srv.org
>     auto=add
> include /etc/ipsec.d/*.conf
>
> --ipsec.secrets:both--
> @dh.ore.org @dh.srv.org : PSK "foo"
>
> --log when try :ipsec auto --up road: from Roadwarrior--
> May 25 20:32:48 localhost authpriv.warn pluto[10313]: packet from 192.168.11.3:500: ignoring unknown Vendor ID payload [4f4568794c64414365636661]
> May 25 20:32:48 localhost authpriv.warn pluto[10313]: packet from 192.168.11.3:500: received Vendor ID payload [Dead Peer Detection]
> May 25 20:32:48 localhost authpriv.warn pluto[10313]: packet from 192.168.11.3:500: received Vendor ID payload [RFC 3947] method set to=109
> May 25 20:32:48 localhost authpriv.warn pluto[10313]: packet from 192.168.11.3:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
> May 25 20:32:48 localhost authpriv.warn pluto[10313]: packet from 192.168.11.3:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> May 25 20:32:48 localhost authpriv.warn pluto[10313]: packet from 192.168.11.3:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
> May 25 20:32:48 localhost authpriv.warn pluto[10313]: packet from 192.168.11.3:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> May 25 20:32:48 localhost authpriv.warn pluto[10313]: packet from 192.168.11.3:500: initial Main Mode message received on 192.168.11.11:500 but no connection has been authorized
The log says it all, you did not authorize a connection.
For tests use
ipsec auto --up road
or modify your config file accordingly
auto=up
cheers
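
As an added example (not from the thread or the Openswan project), the following Python compares the two `conn road` sections quoted above after swapping left/right on one end, and lists the options that differ. The function names and the `COMPARED` list are assumptions of this example, and the embedded configs are abridged from the quoted ones.

```python
# Constructed from the two "conn road" sections quoted in the thread (abridged).
ROUTER = """\
conn road
    left=192.168.11.11
    leftsubnet=192.168.25.0/24
    right=%any
    authby=secret
    leftid=@dh.srv.org
    rightid=@dh.ore.org
    aggrmode=yes
    pfs=no
"""
ROADWARRIOR = """\
conn road
    authby=secret
    left=%defaultroute
    leftid=@dh.ore.org
    right=192.168.11.11
    rightsubnet=192.168.25.0/24
    rightid=@dh.srv.org
"""
# Assumption of this example: which options to compare between the two ends.
COMPARED = {"left", "right", "leftsubnet", "rightsubnet", "leftid", "rightid",
            "authby", "aggrmode", "pfs"}

def parse_conn(text, name):
    """Return the key=value options of section 'conn <name>'."""
    opts, active = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():   # section headers start in column 0
            active = line.split() == ["conn", name]
        elif active and "=" in line:
            key, value = line.strip().split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def differences(near, far):
    """Swap left*/right* in far, then list compared options that differ."""
    swap = {"left": "right", "right": "left"}
    mirrored = {}
    for key, value in far.items():
        side = next((s for s in swap if key.startswith(s)), "")
        mirrored[swap.get(side, "") + key[len(side):]] = value
    pairs = [(k, near.get(k), mirrored.get(k))
             for k in sorted(COMPARED & (set(near) | set(mirrored)))]
    # None means the option is not set on that end; %any etc. are placeholders
    return [(k, a, b) for k, a, b in pairs
            if a != b and not any((v or "").startswith("%") for v in (a, b))]

print(differences(parse_conn(ROUTER, "road"), parse_conn(ROADWARRIOR, "road")))
```

An option reported with `None` is simply not set on that end, so that end falls back to its own default; whether a given difference matters depends on the Openswan versions in use.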