[Openswan Users] Don't know how to configure ID for "we require peer to have ID 'w.x.y.z', but peer declares '0x'"
Dave Stubbs
dave.stubbs at utoronto.ca
Wed Jul 11 09:12:28 EDT 2012
Hmmm,
This isn't exactly a solution, but from a corporate IT perspective, if I were your customer and I issued you a company-mandated NCP VM, and then discovered you were trying to scoop out the settings and use another VPN technology to connect to me, it would result in a fundamental trust issue, and I would be looking to replace you. Why don't you just suck it up and use the mandated solution?
Sent from my iPhone
On 2012-07-11, at 5:00 AM, "Moritz Bunkus" <m.bunkus at linet-services.de> wrote:
> Hey,
>
> I'm trying to establish a connection to a customer who is pretty strict
> about which VPN technologies he accepts. He's offering a pre-configured NCP
> client program (http://www.ncp-e.com/en/downloads/software.html) in a
> pre-configured virtual machine -- which is pretty hard to manage.
>
> Therefore I'm trying to establish the connection from our central VPN
> gateway using OpenSWAN 2.6.37 on a 3.2.0 kernel. I can extract a lot of
> information from the NCP client configuration including the XAUTH
> credentials and all the required certificates. Here's what my
> configuration looks like:
>
> conn testconf
>     # local
>     left=%defaultroute
>     leftxauthclient=yes
>     leftmodecfgclient=yes
>     leftxauthusername=ThisIWillKeepSecret
>     leftrsasigkey=%cert
>     leftcert=user1.pem
>     # remote
>     right=213.our.customers.ipaddress
>     rightxauthserver=yes
>     rightmodecfgserver=yes
>     #
>     auto=add
>     # you probably can not rekey, it requires xauth password, and openswan does not
>     # cache it for you. Other clients might cache it and rekey to an openswan server
>     rekey=no
>     modecfgpull=yes
>
> The ipsec.secrets contains both the password for the client certificate
> and the XAUTH password.
>
> Unfortunately the peer sends an ID that I simply don't know how to
> configure myself:
>
> $ ipsec auto --up testconf
> 104 "testconf" #4: STATE_MAIN_I1: initiate
> 003 "testconf" #4: received Vendor ID payload [XAUTH]
> 003 "testconf" #4: received Vendor ID payload [RFC 3947] method set to=109
> 003 "testconf" #4: received Vendor ID payload [Dead Peer Detection]
> 003 "testconf" #4: received Vendor ID payload [Cisco-Unity]
> 003 "testconf" #4: ignoring unknown Vendor ID payload [c6f57ac398f493208145b7581e878983]
> 106 "testconf" #4: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "testconf" #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> 108 "testconf" #4: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "testconf" #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> 003 "testconf" #4: we require peer to have ID '213.x.y.z', but peer declares '0x'
> 218 "testconf" #4: STATE_MAIN_I3: INVALID_ID_INFORMATION
>
> Reading ipsec.conf(5) leads me to believe that I can only configure IP
> addresses or arbitrary strings prefixed with '@' as a side's ID. And
> true to its word, neither "rightid=0x" nor "rightid=@0x" works. In the
> former case OpenSWAN complains that "0x" doesn't look like an IP address
> when adding the connection, and in the latter case the error message
> simply changes to the following:
>
> 003 "testconf" #4: we require peer to have ID '@0x', but peer declares '0x'
>
> Our customer is using some of NCP's server programs. Does anyone have an
> idea whether or not it's possible to establish such a connection?
>
> Thanks.
>
> Kind regards,
> Moritz
>
> --
> Dipl.-Inform. Moritz Bunkus
> Geschäftsführer/CTO
>
> LINET Services GmbH | Am Alten Bahnhof 4b | 38122 Braunschweig
> Tel. 0531-180508-0 | Fax 0531-180508-29 | http://www.linet-services.de
>
> Geschäftsführung: Moritz Bunkus, Philip Reetz und Timo Springmann
> HR B 9170 Amtsgericht Braunschweig
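As an added example that is not part of the thread, here is a small Python parser for the kind of `ipsec auto --up` output quoted in the question. It records which Phase 1 state the handshake reached, which Vendor ID payloads the peer sent, and the expected-versus-declared peer IDs from the "we require peer to have ID" line, so an ID-policy mismatch can be reported from logs instead of read by eye. The sample log is constructed from the lines quoted above, and the `Phase1Diagnosis`, `diagnose` and `verdict` names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the `ipsec auto --up testconf` output in the post.
SAMPLE_LOG = """\
104 "testconf" #4: STATE_MAIN_I1: initiate
003 "testconf" #4: received Vendor ID payload [XAUTH]
003 "testconf" #4: received Vendor ID payload [Dead Peer Detection]
003 "testconf" #4: ignoring unknown Vendor ID payload [c6f57ac398f493208145b7581e878983]
106 "testconf" #4: STATE_MAIN_I2: sent MI2, expecting MR2
108 "testconf" #4: STATE_MAIN_I3: sent MI3, expecting MR3
003 "testconf" #4: we require peer to have ID '213.x.y.z', but peer declares '0x'
218 "testconf" #4: STATE_MAIN_I3: INVALID_ID_INFORMATION
"""

LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
STATE_RE = re.compile(r'^(STATE_[A-Z0-9_]+): (.*)$')
VENDOR_RE = re.compile(r'Vendor ID payload \[([^\]]+)\]')
MISMATCH_RE = re.compile(r"we require peer to have ID '([^']*)', but peer declares '([^']*)'")

@dataclass
class Phase1Diagnosis:
    conn: str = ""
    last_state: str = ""
    vendor_ids: List[str] = field(default_factory=list)
    expected_id: Optional[str] = None   # ID our policy (rightid=) requires
    declared_id: Optional[str] = None   # ID the peer actually put in its ID payload
    notify: Optional[int] = None        # ISAKMP notify type from a 2xx line, if any

def diagnose(log_text: str) -> Phase1Diagnosis:
    """Walk pluto's whack output line by line and summarise how Phase 1 ended."""
    d = Phase1Diagnosis()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a pluto status line
        code, msg = int(m.group(1)), m.group(4)
        d.conn = m.group(2)
        s = STATE_RE.match(msg)
        if s:
            d.last_state = s.group(1)
        v = VENDOR_RE.search(msg)
        if v:
            d.vendor_ids.append(v.group(1))
        x = MISMATCH_RE.search(msg)
        if x:
            d.expected_id, d.declared_id = x.group(1), x.group(2)
        # 2xx codes are RC_NOTIFICATION plus the ISAKMP notify type (RFC 2408);
        # 218 = 200 + 18 = INVALID-ID-INFORMATION.
        if 200 <= code < 300:
            d.notify = code - 200
    return d

def verdict(d: Phase1Diagnosis) -> str:
    if d.notify == 18 and d.expected_id is not None:
        return (f"{d.conn}: Phase 1 stopped in {d.last_state} with INVALID_ID_INFORMATION; "
                f"policy requires peer ID {d.expected_id!r} but peer declared {d.declared_id!r}")
    if d.notify is not None:
        return f"{d.conn}: Phase 1 stopped in {d.last_state} with notify type {d.notify}"
    return f"{d.conn}: no failure notification seen (last state {d.last_state})"

if __name__ == "__main__":
    print(verdict(diagnose(SAMPLE_LOG)))
```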