[Openswan Users] Don't know how to configure ID for "we require peer to have ID 'w.x.y.z', but peer declares '0x'"

Moritz Bunkus m.bunkus at linet-services.de
Wed Jul 11 04:59:58 EDT 2012


Hey,

I'm trying to establish a connection to a customer who is pretty strict
about which VPN technologies he accepts. He's offering a pre-configured NCP
client program (http://www.ncp-e.com/en/downloads/software.html) in a
pre-configured virtual machine -- which is pretty hard to manage.

Therefore I'm trying to establish the connection from our central VPN
gateway using OpenSWAN 2.6.37 on a 3.2.0 kernel. I can extract a lot of
information from the NCP client configuration including the XAUTH
credentials and all the required certificates. Here's what my
configuration looks like:

conn testconf
   # local
   left=%defaultroute
   leftxauthclient=yes
   leftmodecfgclient=yes
   leftxauthusername=ThisIWillKeepSecret
   leftrsasigkey=%cert
   leftcert=user1.pem
   # remote
   right=213.our.customers.ipaddress
   rightxauthserver=yes
   rightmodecfgserver=yes
   #
   auto=add
   # you probably can not rekey, it requires xauth password, and openswan does not
   # cache it for you. Other clients might cache it and rekey to an openswan server
   rekey=no
   modecfgpull=yes

The ipsec.secrets contains both the password for the client certificate
and the XAUTH password.

Unfortunately the peer sends an ID that I simply don't know how to
configure myself:

$ ipsec auto --up testconf
104 "testconf" #4: STATE_MAIN_I1: initiate
003 "testconf" #4: received Vendor ID payload [XAUTH]
003 "testconf" #4: received Vendor ID payload [RFC 3947] method set to=109
003 "testconf" #4: received Vendor ID payload [Dead Peer Detection]
003 "testconf" #4: received Vendor ID payload [Cisco-Unity]
003 "testconf" #4: ignoring unknown Vendor ID payload [c6f57ac398f493208145b7581e878983]
106 "testconf" #4: STATE_MAIN_I2: sent MI2, expecting MR2
003 "testconf" #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "testconf" #4: STATE_MAIN_I3: sent MI3, expecting MR3
003 "testconf" #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
003 "testconf" #4: we require peer to have ID '213.x.y.z', but peer declares '0x'
218 "testconf" #4: STATE_MAIN_I3: INVALID_ID_INFORMATION

Reading ipsec.conf(5) leads me to believe that I can only configure IP
addresses or arbitrary strings prefixed with '@' as a side's ID. And
true to the word, neither "rightid=0x" nor "rightid=@0x" works. In the
former case OpenSWAN complains that "0x" doesn't look like an IP address
when adding the connection, and in the latter case the error message
simply changes to the following:

003 "testconf" #4: we require peer to have ID '@0x', but peer declares '0x'

Our customer is using some of NCP's server programs. Does anyone have an
idea whether or not it's possible to establish such a connection?

Thanks.

Kind regards,
Moritz

-- 
Dipl.-Inform. Moritz Bunkus
Geschäftsführer/CTO

LINET Services GmbH | Am Alten Bahnhof 4b | 38122 Braunschweig
Tel. 0531-180508-0  | Fax 0531-180508-29  | http://www.linet-services.de

Geschäftsführung: Moritz Bunkus, Philip Reetz und Timo Springmann
HR B 9170 Amtsgericht Braunschweig
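As an added diagnostic example (written for this page, not code from the post or from the Openswan project): a small Python parser for the `ipsec auto --up` status lines quoted above. It reports how far Main Mode got, which vendor IDs the peer announced, and the required-versus-declared ID pair behind the INVALID_ID_INFORMATION failure. It assumes whack's convention that an ISAKMP notification is reported as 200 plus the notify number, so 218 means notify type 18.

```python
import re

# Constructed sample: the ipsec auto --up output quoted in the post, unwrapped.
SAMPLE_LOG = """\
104 "testconf" #4: STATE_MAIN_I1: initiate
003 "testconf" #4: received Vendor ID payload [XAUTH]
003 "testconf" #4: received Vendor ID payload [RFC 3947] method set to=109
003 "testconf" #4: received Vendor ID payload [Dead Peer Detection]
003 "testconf" #4: received Vendor ID payload [Cisco-Unity]
003 "testconf" #4: ignoring unknown Vendor ID payload [c6f57ac398f493208145b7581e878983]
106 "testconf" #4: STATE_MAIN_I2: sent MI2, expecting MR2
003 "testconf" #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "testconf" #4: STATE_MAIN_I3: sent MI3, expecting MR3
003 "testconf" #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
003 "testconf" #4: we require peer to have ID '213.x.y.z', but peer declares '0x'
218 "testconf" #4: STATE_MAIN_I3: INVALID_ID_INFORMATION
"""

# Each pluto/whack line: 3-digit status code, quoted conn name, state number, message.
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
VID_RE = re.compile(r"Vendor ID payload \[([^\]]+)\]")
IDMISMATCH_RE = re.compile(r"we require peer to have ID '([^']*)', but peer declares '([^']*)'")

def parse_pluto_line(line):
    """Split one status line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"code": int(m["code"]), "conn": m["conn"], "state": int(m["state"]), "msg": m["msg"]}

def diagnose(log_text):
    """Summarise how far the IKE exchange got and why it stopped."""
    out = {"vendor_ids": [], "last_state": None, "id_mismatch": None, "notification": None}
    for raw in log_text.splitlines():
        rec = parse_pluto_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("STATE_"):
            out["last_state"] = msg.split(":", 1)[0]   # e.g. STATE_MAIN_I3
        out["vendor_ids"] += VID_RE.findall(msg)      # known and unknown vendor IDs
        mism = IDMISMATCH_RE.search(msg)
        if mism:
            out["id_mismatch"] = (mism.group(1), mism.group(2))   # (required, declared)
        # Assumption: whack reports an ISAKMP notification as 200 + its notify number,
        # so 218 is INVALID_ID_INFORMATION (type 18).
        if rec["code"] >= 200:
            out["notification"] = rec["code"] - 200
    return out
```

Pointing `diagnose()` at the saved output of a failing `ipsec auto --up` run gives the required/declared ID pair directly, which is the value to compare against the `rightid=` setting before touching the connection definition.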

