[Openswan Users] Openswan & ipsec-tools incompatible?

Patrick Lists openswan-list at puzzled.xs4all.nl
Sun Feb 12 12:21:04 EST 2012


Hi,

I have been trying to figure out why Android 4.0.x (ICS) cannot connect 
to openswan-2.6.32-9.el6 on a CentOS 6.2 x86_64 box. Android ICS uses 
ipsec-tools 0.8.0 (current git). So I installed ipsec-tools 0.8.0 on the 
CentOS 6.2 box, configured it, on the phone started the IPsec/L2TPD 
profile and the IPsec part works fine. Part of log:

Feb 12 18:01:00 cronos racoon: INFO: respond new phase 1 negotiation: 10.0.0.107[500]<=>178.228.249.87[500]
Feb 12 18:01:00 cronos racoon: INFO: begin Aggressive mode.
Feb 12 18:01:00 cronos racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 12 18:01:00 cronos racoon: INFO: received Vendor ID: RFC 3947
Feb 12 18:01:00 cronos racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 12 18:01:00 cronos racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Feb 12 18:01:00 cronos racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Feb 12 18:01:00 cronos racoon: INFO: received Vendor ID: DPD
Feb 12 18:01:00 cronos racoon: [178.228.249.87] INFO: Selected NAT-T version: RFC 3947
Feb 12 18:01:00 cronos racoon: INFO: Adding remote and local NAT-D payloads.
Feb 12 18:01:00 cronos racoon: [178.228.249.87] INFO: Hashing 178.228.249.87[500] with algo #2 (NAT-T forced)
Feb 12 18:01:00 cronos racoon: [10.0.0.107] INFO: Hashing 10.0.0.107[500] with algo #2 (NAT-T forced)
Feb 12 18:01:00 cronos racoon: WARNING: the packet retransmitted in a short time from 178.228.249.87[500]
Feb 12 18:01:00 cronos racoon: NOTIFY: the packet is retransmitted by 178.228.249.87[500] (1).
Feb 12 18:01:00 cronos racoon: INFO: NAT-T: ports changed to: 178.228.249.87[4500]<->10.0.0.107[4500]
Feb 12 18:01:00 cronos racoon: INFO: NAT-D payload #0 doesn't match
Feb 12 18:01:00 cronos racoon: INFO: NAT-D payload #1 doesn't match
Feb 12 18:01:00 cronos racoon: INFO: NAT detected: ME PEER
Feb 12 18:01:00 cronos racoon: INFO: ISAKMP-SA established 10.0.0.107[4500]-178.228.249.87[4500] spi:60ab662b256ed77b:1797136d27841e85
Feb 12 18:01:00 cronos racoon: [178.228.249.87] INFO: received INITIAL-CONTACT
Feb 12 18:01:01 cronos racoon: INFO: respond new phase 2 negotiation: 10.0.0.107[4500]<=>178.228.249.87[4500]
Feb 12 18:01:01 cronos racoon: INFO: no policy found, try to generate the policy : 178.228.249.87/32[0] 83.163.53.136/32[1701] proto=udp dir=in
Feb 12 18:01:01 cronos racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Feb 12 18:01:01 cronos racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Feb 12 18:01:01 cronos racoon: INFO: IPsec-SA established: ESP/Transport 10.0.0.107[4500]->178.228.249.87[4500] spi=227902184(0xd9582e8)
Feb 12 18:01:01 cronos racoon: INFO: IPsec-SA established: ESP/Transport 10.0.0.107[4500]->178.228.249.87[4500] spi=193980755(0xb8fe953)
Feb 12 18:01:10 cronos xl2tpd[3579]: Maximum retries exceeded for tunnel 17121.  Closing.

So on the server side ipsec-tools works fine against Android ICS but 
Openswan does not. My question is: are ipsec-tools & Openswan perhaps 
incompatible and is there a way to fix this? Some config setting in 
Openswan perhaps?

Thanks!
Patrick

http://code.google.com/p/android/issues/detail?id=23124
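An added example, not part of Patrick's post and not code from Openswan, ipsec-tools or Android: a Python script that reduces the racoon/xl2tpd excerpt above to the facts an L2TP/IPsec responder admin needs when comparing two IKE daemons (phase 1 mode, NAT-T outcome, the phase 2 selector and encapsulation mode, the SPIs, and whether L2TP actually came up on top of the SAs). The sample log is the post's own excerpt with the mail-client wrapping undone; the regexes, field names and finding texts are my own and are not racoon output formats beyond what those lines show.

```python
import re

# Constructed sample: the racoon/xl2tpd lines quoted in the post above, with the
# mail-client line wrapping undone. No lines were added or altered.
SAMPLE_LOG = """\
Feb 12 18:01:00 cronos racoon: INFO: respond new phase 1 negotiation: 10.0.0.107[500]<=>178.228.249.87[500]
Feb 12 18:01:00 cronos racoon: INFO: begin Aggressive mode.
Feb 12 18:01:00 cronos racoon: [178.228.249.87] INFO: Selected NAT-T version: RFC 3947
Feb 12 18:01:00 cronos racoon: INFO: NAT-T: ports changed to: 178.228.249.87[4500]<->10.0.0.107[4500]
Feb 12 18:01:00 cronos racoon: INFO: NAT-D payload #0 doesn't match
Feb 12 18:01:00 cronos racoon: INFO: NAT-D payload #1 doesn't match
Feb 12 18:01:00 cronos racoon: INFO: NAT detected: ME PEER
Feb 12 18:01:00 cronos racoon: INFO: ISAKMP-SA established 10.0.0.107[4500]-178.228.249.87[4500] spi:60ab662b256ed77b:1797136d27841e85
Feb 12 18:01:01 cronos racoon: INFO: respond new phase 2 negotiation: 10.0.0.107[4500]<=>178.228.249.87[4500]
Feb 12 18:01:01 cronos racoon: INFO: no policy found, try to generate the policy : 178.228.249.87/32[0] 83.163.53.136/32[1701] proto=udp dir=in
Feb 12 18:01:01 cronos racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Feb 12 18:01:01 cronos racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Feb 12 18:01:01 cronos racoon: INFO: IPsec-SA established: ESP/Transport 10.0.0.107[4500]->178.228.249.87[4500] spi=227902184(0xd9582e8)
Feb 12 18:01:01 cronos racoon: INFO: IPsec-SA established: ESP/Transport 10.0.0.107[4500]->178.228.249.87[4500] spi=193980755(0xb8fe953)
Feb 12 18:01:10 cronos xl2tpd[3579]: Maximum retries exceeded for tunnel 17121.  Closing.
"""

# Patterns written against the lines above (hypothetical helper, not racoon's own grammar).
RE_PHASE1_MODE = re.compile(r"racoon: INFO: begin (\w+) mode\.")
RE_NATT_VERSION = re.compile(r"Selected NAT-T version: (.+)$")
RE_PORTS = re.compile(r"NAT-T: ports changed to: ([\d.]+)\[(\d+)\]<->([\d.]+)\[(\d+)\]")
RE_NAT_DETECTED = re.compile(r"NAT detected: (.+)$")
RE_ISAKMP = re.compile(r"ISAKMP-SA established ([\d.]+)\[\d+\]-([\d.]+)\[\d+\] spi:([0-9a-f]+):([0-9a-f]+)")
RE_POLICY = re.compile(r"generate the policy : ([\d.]+)/(\d+)\[(\d+)\] ([\d.]+)/(\d+)\[(\d+)\] proto=(\w+) dir=(\w+)")
RE_ENCMODE = re.compile(r"Adjusting (my|peer's) encmode (\S+)->(\S+)")
RE_IPSEC_SA = re.compile(r"IPsec-SA established: (\S+) ([\d.]+)\[\d+\]->([\d.]+)\[\d+\] spi=(\d+)\((0x[0-9a-f]+)\)")
RE_L2TP_FAIL = re.compile(r"xl2tpd\[\d+\]: Maximum retries exceeded for tunnel (\d+)")


def strip_codes(mode):
    """'UDP-Transport(4)' -> 'UDP-Transport' (racoon prints the numeric encmode on the peer line)."""
    return re.sub(r"\(\d+\)", "", mode)


def parse_log(text):
    """Reduce a racoon + xl2tpd log to the facts that matter for an L2TP/IPsec responder."""
    s = {"phase1_mode": None, "natt_version": None, "natt_ports": None,
         "nat_detected": [], "isakmp_sa": None, "phase2_policy": None,
         "encmode_adjustments": [], "ipsec_sas": [], "l2tp_failed_tunnels": []}
    for line in text.splitlines():
        if m := RE_PHASE1_MODE.search(line):
            s["phase1_mode"] = m.group(1)
        elif m := RE_NATT_VERSION.search(line):
            s["natt_version"] = m.group(1).strip()
        elif m := RE_PORTS.search(line):
            s["natt_ports"] = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        elif m := RE_NAT_DETECTED.search(line):
            s["nat_detected"] = m.group(1).split()          # e.g. ["ME", "PEER"]
        elif m := RE_ISAKMP.search(line):
            s["isakmp_sa"] = {"local": m.group(1), "peer": m.group(2),
                              "spi": f"{m.group(3)}:{m.group(4)}"}
        elif m := RE_POLICY.search(line):
            # dir=in: src is the peer, dst is what the peer believes our address/port is
            s["phase2_policy"] = {"src": m.group(1), "src_port": int(m.group(3)),
                                  "dst": m.group(4), "dst_port": int(m.group(6)),
                                  "proto": m.group(7), "dir": m.group(8)}
        elif m := RE_ENCMODE.search(line):
            s["encmode_adjustments"].append((m.group(1), strip_codes(m.group(2)), strip_codes(m.group(3))))
        elif m := RE_IPSEC_SA.search(line):
            s["ipsec_sas"].append({"mode": m.group(1), "local": m.group(2),
                                   "peer": m.group(3), "spi": int(m.group(4))})
        elif m := RE_L2TP_FAIL.search(line):
            s["l2tp_failed_tunnels"].append(int(m.group(1)))
    return s


def diagnose(s):
    """Turn the parsed facts into findings; each string cites the log fact it rests on."""
    f = []
    if s["phase1_mode"] == "Aggressive":
        f.append("IKEv1 phase 1 ran in Aggressive mode: with a pre-shared key the responder's "
                 "hash is sent before the peer is authenticated, so the PSK is exposed to "
                 "offline dictionary attacks; use a long random PSK.")
    if {"ME", "PEER"} <= set(s["nat_detected"]) and s["natt_ports"]:
        f.append(f"Both ends are behind NAT; IKE and ESP moved to UDP {s['natt_ports'][1]} "
                 f"({s['natt_version']}).")
    pol, sa = s["phase2_policy"], s["isakmp_sa"]
    if pol and sa and pol["dst"] != sa["local"]:
        f.append(f"Phase 2 selector names the local endpoint as {pol['dst']} but IKE ran on "
                 f"{sa['local']}: the responder is NATed and the client addresses its public side.")
    if pol and pol["proto"] == "udp" and 1701 in (pol["src_port"], pol["dst_port"]):
        modes = sorted({a[2] for a in s["encmode_adjustments"]})
        f.append(f"L2TP selector (udp/1701) negotiated in {'/'.join(modes) or 'unknown'} mode, "
                 "as L2TP/IPsec requires.")
    if sa and s["ipsec_sas"]:
        spis = ", ".join(hex(x["spi"]) for x in s["ipsec_sas"])
        f.append(f"IKE completed: ISAKMP SA {sa['spi']} and {len(s['ipsec_sas'])} ESP SA(s) (spi {spis}).")
    for t in s["l2tp_failed_tunnels"]:
        f.append(f"IKE finished but xl2tpd gave up on tunnel {t}: look at the L2TP/ESP data path "
                 "(does UDP 1701 reach xl2tpd through the transport-mode SA?), not at IKE negotiation.")
    return f


if __name__ == "__main__":
    for finding in diagnose(parse_log(SAMPLE_LOG)):
        print("-", finding)
```

Run it against a full racoon log to get the same summary for any client; the point of the last finding is that the excerpt shows both IKE phases completing, so the remaining timeout in xl2tpd has to be chased at the L2TP layer rather than by retuning phase 1 or phase 2 proposals.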
