[Openswan Users] OpenSWan 2.6.26 vs. Draytek Vigor 2850 (FW 3.6.0): no joy
Thomas Bätzler
t.baetzler at bringe.com
Wed Feb 29 13:25:29 EST 2012
Hi,
I'm trying to set up a site-to-site VPN between a Vigor 2850 and a
Debian "Squeeze" server running the current OpenSWan package.
# cat /proc/version
Linux version 2.6.32-5-amd64 (Debian 2.6.32-41) (ben at decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Mon Jan 16 16:22:28 UTC 2012
# ipsec version
Linux Openswan 2.6.28 (klips)
My ipsec.conf looks like this:
--8<--(snip)--8<--
version 2.0

config setup
    plutodebug=none
    klipsdebug=none
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.0.0/16,%v4
    oe=off
    protostack=auto

conn northface
    also=roadwarriors
    rightsubnet=192.168.206.0/24
    rightid="C=XX, ST=Somestate, L=Somewhere, O=Some Org, CN=igor.somewhere.xx"

conn frederick
    also=roadwarriors
    rightsubnet=192.168.85.0/24
    rightid="C=XX, ST=Somestate, L=Somewhere, O=Some Org, CN=frederick.somewhere.xx"

conn roadwarriors
    type=tunnel
    authby=rsasig
    left=1.1.1.1
    leftsubnet=172.16.0.0/16
    leftsourceip=172.16.0.1
    leftcert=lab.pem
    leftsendcert=always
    leftrsasigkey=%cert
    leftid="C=XX, ST=Somestate, L=Somewhere, O=Some Org, CN=lab.somewhere.xx"
    right=%any
    rightrsasigkey=%cert
    rightca=%same
    keyingtries=%forever
    auto=add
--8<--(snip)--8<--
"frederick" is my test connection from another Debian box also running
OpenSWan. It works fine, so I'm assuming there's no really big mistake
in the config above, and that my certs are fine.
The pluto log for a "dial in" request from the Vigor looks like this:
--8<--(snip)--8<--
Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received Vendor ID payload [Dead Peer Detection]
Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received Vendor ID payload [RFC 3947] method set to=109
Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: responding to Main Mode from unknown peer 2.2.2.2
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: Main mode peer ID is ID_DER_ASN1_DN: 'C=XX, ST=Somestate, L=Somewhere, O=Some Org, CN=igor.somewhere.xx'
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: I am sending my cert
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
Feb 29 18:28:33 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Feb 29 18:28:39 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
--8<--(snip)--8<--
I'd appreciate any hints that would enable me to unravel this problem.
TIA,
Thomas
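As an added example that is not part of Thomas's post or of Openswan itself: a small Python checker that reads pluto log lines of the kind quoted above and, per connection and peer, reports whether Phase 1 finished, whether Quick Mode followed, and whether the responder is stuck answering duplicate MI3s with MR3 (the pattern the log above shows). The sample log is constructed from the quoted lines; the "frederick" entries, the address 3.3.3.3 and the SPI values are made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto log quoted in the post: one peer that
# stalls after MR3 ("northface") and one that completes Quick Mode ("frederick").
SAMPLE_LOG = """\
Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received Vendor ID payload [Dead Peer Detection]
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
Feb 29 18:28:33 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Feb 29 18:28:39 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Feb 29 18:30:01 lab pluto[20031]: "frederick"[1] 3.3.3.3 #6: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
Feb 29 18:30:01 lab pluto[20031]: "frederick"[1] 3.3.3.3 #7: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0000aaaa <0x0000bbbb}
"""

# Matches lines that carry a conn name and SA number: "conn"[n] peer #sa: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)

def parse_pluto(log):
    """Group messages by (conn, peer) as (timestamp, sa_number, message) tuples."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # un-prefixed lines ("packet from ...: received Vendor ID") are skipped
            events[(m['conn'], m['peer'])].append((m['ts'], int(m['sa']), m['msg']))
    return events

def diagnose(log, min_dup_mr3=2):
    """Per (conn, peer): 'ok', 'phase2-stalled', 'phase1-only' or 'phase1-incomplete'."""
    verdicts = {}
    for key, ev in parse_pluto(log).items():
        msgs = [m for _, _, m in ev]
        p1_done = any('ISAKMP SA established' in m for m in msgs)
        p2_done = any('IPsec SA established' in m for m in msgs)
        dup_mr3 = sum('duplicate packet; already STATE_MAIN_R3' in m for m in msgs)
        if p2_done:
            verdicts[key] = 'ok'
        elif p1_done and dup_mr3 >= min_dup_mr3:
            # Pluto logged the ISAKMP SA as established yet keeps answering repeated MI3s
            # with MR3: the peer never started Quick Mode, so our MR3 is either not reaching
            # it or not being accepted by it. Phase 1 (IDs, certs, auth) is where to look.
            verdicts[key] = 'phase2-stalled'
        else:
            verdicts[key] = 'phase1-only' if p1_done else 'phase1-incomplete'
    return verdicts

if __name__ == '__main__':
    print(diagnose(SAMPLE_LOG))
```

Feed it `journalctl`/syslog output filtered on `pluto[` to get the same verdict table for a live box.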