[Openswan Users] Multiple VPN remote client session to VPN server is not working in Openswan
Anonymous cross
anonymouscross at gmail.com
Fri Mar 23 15:34:10 EDT 2012
Hi,
Please find my topology below

pc1 (30.1.1.2) ---- 30.1.1.1 \
                              GW1 (50.1.1.227, NAT MASQUERADING) ---- Internet ---- VPN SERVER (50.1.1.226)
pc2 (40.1.1.2) ---- 40.1.1.1 /
I want to establish tunnel sessions from pc1 and pc2 to the VPN server at the
same time.
I found that the tunnel from PC1 to the VPN server succeeds, but the tunnel from
PC2 to the VPN server fails because it is referring to the connection/session
established for PC1.
It seems to be a valid scenario, so why is openswan not classifying the
sessions properly?
Please find the logs below

VPN SERVER log
++++++++++++++
Mar 25 00:01:00 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #10: sending notification PAYLOAD_MALFORMED to 50.1.1.227:500
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [Openswan (this version) 2.6.35 ]
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [Dead Peer Detection]
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: responding to Main Mode from unknown peer 50.1.1.227
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #10: max number of retransmissions (2) reached STATE_MAIN_R2
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: next payload type of ISAKMP Identification Payload has an unknown value: 149
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Mar 25 00:01:40 localhost pluto[15403]: | payload malformed after IV
Mar 25 00:01:40 localhost pluto[15403]: | ed 04 a0 c1 4e 6e c6 43 30 94 55 a4 ef 8a e1 f3
Mar 25 00:01:40 localhost pluto[15403]: | 6b b5 09 45
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: sending notification PAYLOAD_MALFORMED to 50.1.1.227:500
Mar 25 00:01:50 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: next payload type of ISAKMP Identification Payload has an unknown value: 149
Mar 25 00:01:50 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Mar 25 00:01:50 localhost pluto[15403]: | payload malformed after IV
Mar 25 00:01:50 localhost pluto[15403]: | ed 04 a0 c1 4e 6e c6 43 30 94 55 a4 ef 8a e1 f3
Mar 25 00:01:50 localhost pluto[15403]: | 6b b5 09 45
PC2 log
++++++++++++++
104 "static-dynamic" #1: STATE_MAIN_I1: initiate
003 "static-dynamic" #1: received Vendor ID payload [Openswan (this version) 2.6.35 ]
003 "static-dynamic" #1: received Vendor ID payload [Dead Peer Detection]
003 "static-dynamic" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "static-dynamic" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "static-dynamic" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "static-dynamic" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "static-dynamic" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "static-dynamic" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "static-dynamic" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "static-dynamic" #1: discarding duplicate packet; already STATE_MAIN_I3
031 "static-dynamic" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
PC1 ipsec.conf
++++++++++++
config setup
    protostack=netkey
    nat_traversal=yes
    #virtual_private=%v4:30.1.1.0/8
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0
    interfaces=%defaultroute

conn north-east
    type=tunnel
    left=%defaultroute
    leftid=divya1@cas.com
    right=50.1.1.226
    auth=esp
    authby=secret
    pfs=no
    keyexchange=ike
    auto=add

ipsec.secrets
+++++++++++
divya1@cas.com 50.1.1.226: PSK "mypresharedkey1"
PC2 ipsec.conf
++++++++++++
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0
    interfaces=%defaultroute

conn static-dynamic
    type=tunnel
    left=%defaultroute
    right=50.1.1.226
    leftid=divya@cas.com
    auth=esp
    authby=secret
    pfs=no
    keyexchange=ike
    rekey=no
    auto=add

ipsec.secrets
+++++++++++
50.1.1.226 divya@cas.com: PSK "mypresharedkey"
VPN server conf
++++++++++++
conn static-dynamic
    type=tunnel
    left=50.1.1.226
    right=%any
    rightid=divya1@cas.com
    auth=esp
    authby=secret
    pfs=no
    keyexchange=ike
    ikelifetime=30000s
    keylife=30000s
    rekey=no
    auto=add

conn north-east
    type=tunnel
    left=50.1.1.226
    right=%any
    rightid=divya@cas.com
    auth=esp
    authby=secret
    pfs=no
    keyexchange=ike
    ikelifetime=30000s
    keylife=30000s
    rekey=no

ipsec.secrets
+++++++++++
50.1.1.226 divya1@cas.com: PSK "mypresharedkey1"
50.1.1.226 divya@cas.com: PSK "mypresharedkey"
Regards,
Cross
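The server log above says "probable authentication failure (mismatch of preshared secrets?)", and the configuration explains why a second client behind the same NAT address hits it. In IKEv1 Main Mode the initiator's ID is carried in the third exchange, which is already encrypted with keys derived from the pre-shared key, so the responder must choose the PSK before it knows which ID the peer will present. Two right=%any connections with different PSKs (here divya1@cas.com and divya@cas.com) cannot be told apart for an unknown peer at 50.1.1.227; pluto instantiates one of them ("static-dynamic"[2] in the log) and the other client's PSK then fails to decrypt MI3. The checker below is an added example, not code from the original post or from Openswan: it parses ipsec.conf-style conn sections and ipsec.secrets entries and reports when Main Mode PSK road-warrior conns would resolve to more than one PSK. Its model of pluto's secret lookup (first entry whose selectors cover leftid/left and rightid, with %any as a wildcard) is a simplification and an assumption of this example, and the sample input is constructed from the server configuration quoted in the post, with the mailing-list " at " restored to "@".

```python
"""Checker for the IKEv1 Main Mode + PSK ambiguity behind one NAT address.

Added example with a simplified model of pluto's secret lookup: for an
unknown peer the responder has to pick a PSK before the (encrypted) ID
arrives, so several right=%any conns with different PSKs are ambiguous.
"""
import re
from collections import defaultdict


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.
    Leading whitespace is ignored so a mail-mangled config still parses."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:
            current = m.group(2) if m.group(1) == "conn" else None
            if current is not None:
                conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def parse_secrets(text):
    """Return [(selectors, psk)] for lines of the form 'sel sel: PSK "key"'."""
    entries = []
    for raw in text.splitlines():
        m = re.match(r'^\s*(.*?)\s*:\s*PSK\s+"([^"]*)"', raw)
        if m:
            entries.append((set(m.group(1).split()), m.group(2)))
    return entries


def _covers(selectors, ident):
    """True if a secrets selector set applies to ident ('%any' is a wildcard)."""
    return ident is None or ident in selectors or "%any" in selectors


def responder_psk(conn, secrets):
    """PSK the responder would select for a conn before seeing the peer's ID:
    first secrets entry covering the local ID (leftid, else left) and the
    configured rightid.  Simplified lookup (assumption of this example)."""
    local = conn.get("leftid") or conn.get("left")
    remote = conn.get("rightid")
    for selectors, psk in secrets:
        if _covers(selectors, local) and _covers(selectors, remote):
            return psk
    return None


def find_psk_groups(conf_text, secrets_text):
    """Group Main Mode PSK road-warrior conns (right=%any) by the PSK the
    responder would use for an unknown peer.  Aggressive mode and IKEv2
    conns are skipped: there the ID is usable before the PSK is needed."""
    conns = parse_ipsec_conf(conf_text)
    secrets = parse_secrets(secrets_text)
    groups = defaultdict(list)
    for name, c in conns.items():
        if c.get("authby") != "secret" or c.get("right") != "%any":
            continue
        if c.get("aggrmode") == "yes" or c.get("ikev2") == "insist":
            continue
        groups[responder_psk(c, secrets)].append(name)
    return dict(groups)


def is_ambiguous(groups):
    """True when unknown peers could need more than one distinct PSK."""
    return len(groups) > 1


# Sample input constructed from the server configuration quoted in the post.
SERVER_CONF = """\
conn static-dynamic
    left=50.1.1.226
    right=%any
    rightid=divya1@cas.com
    authby=secret
    keyexchange=ike
conn north-east
    left=50.1.1.226
    right=%any
    rightid=divya@cas.com
    authby=secret
    keyexchange=ike
"""
SERVER_SECRETS = """\
50.1.1.226 divya1@cas.com: PSK "mypresharedkey1"
50.1.1.226 divya@cas.com: PSK "mypresharedkey"
"""

if __name__ == "__main__":
    groups = find_psk_groups(SERVER_CONF, SERVER_SECRETS)
    for psk, names in groups.items():
        print(f"PSK {psk!r} would be used for conns: {', '.join(names)}")
    if is_ambiguous(groups):
        print("ambiguous: Main Mode cannot match an unknown peer to the right PSK")
```

Run on the post's server config it reports two PSK groups, one per conn, which is the ambiguous case; feeding it a single `50.1.1.226 %any: PSK "..."` entry collapses both conns into one group. Of the ways to resolve this, certificate/RSA authentication (authby=rsasig) is the robust one, because the responder no longer needs a per-peer secret before the ID is known; one PSK shared by every %any client also works but gives all clients the same secret.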