[Openswan Users] OpenSWan 2.6.26 vs. Draytek Vigor 2850 (FW 3.6.0): no joy

Thomas Bätzler t.baetzler at bringe.com
Wed Feb 29 13:25:29 EST 2012 

Hi,

I'm trying to set up a site-to-site vpn between a Vigor 2850 and a
Debian "Squeeze" server running the current OpenSWan package.

 # cat /proc/version
 Linux version 2.6.32-5-amd64 (Debian 2.6.32-41) (ben at decadent.org.uk)
(gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Mon Jan 16 16:22:28 UTC 2012
 # ipsec version
Linux Openswan 2.6.28 (klips)

My ipsec.conf looks like this:

--8<--(snip)--8<--
 version 2.0

 config setup
	plutodebug=none
	klipsdebug=none
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.0.0/16,%v4
	oe=off
	protostack=auto

 conn northface
	also=roadwarriors
	rightsubnet=192.168.206.0/24
	rightid="C=XX, ST=Somestate, L=Somewhere, O=Some Org, CN=igor.somewhere.xx"

 conn frederick
	also=roadwarriors
	rightsubnet=192.168.85.0/24
	rightid="C=XX, ST=Somestate, L=Somewhere, O=Some Org,
CN=frederick.somewhere.xx"

 conn roadwarriors
	type=tunnel
	authby=rsasig
	left=1.1.1.1
	leftsubnet=172.16.0.0/16
	leftsourceip=172.16.0.1
	leftcert=lab.pem
	leftsendcert=always
	leftrsasigkey=%cert
	leftid="C=XX, ST=Somestate, L=Somewhere, O=Some Org, CN=lab.somewhere.xx"
	right=%any
	rightrsasigkey=%cert
	rightca=%same
	keyingtries=%forever
	auto=add
--8<--(snip)--8<--

"frederick" is my test connection from another Debian box also running
OpenSWan. It works fine, so I'm assuming there's no really big mistake
in the config above, and that my certs are fine.

The pluto log for a "dial in" request from the Vigor looks like this:

--8<--(snip)--8<--
 Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received
Vendor ID payload [Dead Peer Detection]
 Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received
Vendor ID payload [RFC 3947] method set to=109
 Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already
using method 109
 Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 109
 Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already
using method 109
 Feb 29 18:28:29 lab pluto[20031]: packet from 2.2.2.2:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
 Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: responding
to Main Mode from unknown peer 2.2.2.2
 Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
 Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4:
STATE_MAIN_R1: sent MR1, expecting MI2
 Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
 Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
 Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4:
STATE_MAIN_R2: sent MR2, expecting MI3
 Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: ignoring
informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
 Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: Main mode
peer ID is ID_DER_ASN1_DN: 'C=XX, ST=Somestate, L=Somewhere, O=Some Org,
CN=igor.somewhere.xx'
 Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: I am
sending my cert
 Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
 Feb 29 18:28:29 lab pluto[20031]: "northface"[2] 2.2.2.2 #4:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=aes_256 prf=oakley_sha group=modp1024}
 Feb 29 18:28:33 lab pluto[20031]: "northface"[2] 2.2.2.2 #4:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
 Feb 29 18:28:39 lab pluto[20031]: "northface"[2] 2.2.2.2 #4:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
--8<--(snip)--8<--

I'd appreciate any hints that would enable me to unravel this problem.

TIA,
Thomas

More information about the Users mailing list