[Openswan Users] Multiple VPN remote client session to VPN server is not working in Openswan

Anonymous cross anonymouscross at gmail.com
Sat Mar 24 12:41:55 EDT 2012


Any idea on this, friends? Whether it is an expected behavior o??

On Fri, Mar 23, 2012 at 12:34 PM, Anonymous cross
<anonymouscross at gmail.com> wrote:

> Hi,
>
>   Please find my topology below
>
>
> pc1     --------------------------
>   30.1.1.2                       30.1.1.1
>                                               GW1 ---------------
> Internet-----------   VPN SERVER ( 50.1.1.226)
>                                              (50.1.1.227)
> pc2 ---------------------------------        (NAT MASQUERADING)
>
> 40.1.1.2                       40.1.1.1
>
> I want to establish a tunnel session from pc1 & pc2 to the VPN server at
> the same time.
> I found that the tunnel from PC1 to the VPN server succeeds, but the tunnel
> from PC2 to the VPN server fails because it refers to the connection/session
> established for PC1.
> It seems to be a valid scenario; why is openswan not classifying the
> sessions properly?
>
>  Please find the logs below
> VPN SERVER log
> ++++++++++++++
> Mar 25 00:01:00 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #10: sending notification PAYLOAD_MALFORMED to 50.1.1.227:500
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500:
> received Vendor ID payload [Openswan (this version) 2.6.35 ]
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500:
> received Vendor ID payload [Dead Peer Detection]
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500:
> received Vendor ID payload [RFC 3947] method set to=109
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
> already using method 109
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
> already using method 109
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
> already using method 109
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #11: responding to Main Mode from unknown peer 50.1.1.227
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #11: STATE_MAIN_R1: sent MR1, expecting MI2
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #10: max number of retransmissions (2) reached STATE_MAIN_R2
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #11: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #11: STATE_MAIN_R2: sent MR2, expecting MI3
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #11: next payload type of ISAKMP Identification Payload has an unknown
> value: 149
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #11: probable authentication failure (mismatch of preshared secrets?):
> malformed payload in packet
> Mar 25 00:01:40 localhost pluto[15403]: | payload malformed after IV
> Mar 25 00:01:40 localhost pluto[15403]: |   ed 04 a0 c1  4e 6e c6 43  30
> 94 55 a4  ef 8a e1 f3
> Mar 25 00:01:40 localhost pluto[15403]: |   6b b5 09 45
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #11: sending notification PAYLOAD_MALFORMED to 50.1.1.227:500
> Mar 25 00:01:50 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #11: next payload type of ISAKMP Identification Payload has an unknown
> value: 149
> Mar 25 00:01:50 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227
> #11: probable authentication failure (mismatch of preshared secrets?):
> malformed payload in packet
> Mar 25 00:01:50 localhost pluto[15403]: | payload malformed after IV
> Mar 25 00:01:50 localhost pluto[15403]: |   ed 04 a0 c1  4e 6e c6 43  30
> 94 55 a4  ef 8a e1 f3
> Mar 25 00:01:50 localhost pluto[15403]: |   6b b5 09 45
>
> PC2 log
> ++++++++++++++
>
> 104 "static-dynamic" #1: STATE_MAIN_I1: initiate
> 003 "static-dynamic" #1: received Vendor ID payload [Openswan (this
> version) 2.6.35 ]
> 003 "static-dynamic" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "static-dynamic" #1: received Vendor ID payload [RFC 3947] method set
> to=109
> 106 "static-dynamic" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "static-dynamic" #1: NAT-Traversal: Result using RFC 3947
> (NAT-Traversal): i am NATed
> 108 "static-dynamic" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 010 "static-dynamic" #1: STATE_MAIN_I3: retransmission; will wait 20s for
> response
> 003 "static-dynamic" #1: discarding duplicate packet; already STATE_MAIN_I3
> 010 "static-dynamic" #1: STATE_MAIN_I3: retransmission; will wait 40s for
> response
> 003 "static-dynamic" #1: discarding duplicate packet; already STATE_MAIN_I3
> 031 "static-dynamic" #1: max number of retransmissions (2) reached
> STATE_MAIN_I3.  Possible authentication failure: no acceptable response to
> our first encrypted message
>
> PC1 ipsec.conf
> ++++++++++++
>
> config setup
>         protostack=netkey
>         nat_traversal=yes
>         #virtual_private=%v4:30.1.1.0/8
>         oe=off
>         # Enable this if you see "failed to find any available worker"
>         nhelpers=0
>         interfaces=%defaultroute
>
> conn north-east
>     type=tunnel
>     left=%defaultroute
>     leftid=divya1 at cas.com
>     right=50.1.1.226
>     auth=esp
>     authby=secret
>     pfs=no
>     keyexchange=ike
>     auto=add
> ipsec.secrets
> +++++++++++
> divya1 at cas.com 50.1.1.226: PSK "mypresharedkey1"
>
> PC2 ipsec.conf
> ++++++++++++
> config setup
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=
>         oe=off
>         # Enable this if you see "failed to find any available worker"
>         nhelpers=0
>         interfaces=%defaultroute
> conn static-dynamic
>     type=tunnel
>     left=%defaultroute
>     right=50.1.1.226
>     leftid=divya at cas.com
>     auth=esp
>     authby=secret
>     pfs=no
>     keyexchange=ike
>     rekey=no
>     auto=add
> ipsec.secrets
> 50.1.1.226 divya at cas.com: PSK "mypresharedkey"
>
> VPN server conf
> ++++++++++++
>
> conn static-dynamic
>     type=tunnel
>     left=50.1.1.226
>     right=%any
>     rightid=divya1 at cas.com
>     auth=esp
>     authby=secret
>     pfs=no
>     keyexchange=ike
>     ikelifetime=30000s
>     keylife=30000s
>     rekey=no
>     auto=add
> conn north-east
>     type=tunnel
>     left=50.1.1.226
>     right=%any
>     rightid=divya at cas.com
>     auth=esp
>     authby=secret
>     pfs=no
>     keyexchange=ike
>     ikelifetime=30000s
>     keylife=30000s
>     rekey=no
> 50.1.1.226 divya1 at cas.com: PSK "mypresharedkey1"
> 50.1.1.226 divya at cas.com: PSK "mypresharedkey"
>
>
>
> Regards,
> Cross
>
>



-- 
Regards,
Anonymous cross.
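A check a practitioner could run against the server-side ipsec.conf and ipsec.secrets posted above (this is an added example, not code from the thread or from Openswan): in IKEv1 Main Mode with authby=secret the responder has to choose the PSK from the peer's IP address alone, because the ID payload only arrives in the encrypted fifth message, so two right=%any conns that resolve to different PSKs cannot be told apart. The conn names, IDs (kept in the list's "at" form) and secrets come from the post; the parsing helpers and their names are assumptions.

```python
import re

# Constructed sample: the responder-side ipsec.conf and ipsec.secrets from
# the thread, reduced to the keys this check reads ("onn" typo corrected).
SERVER_CONF = """
conn static-dynamic
    right=%any
    rightid=divya1 at cas.com
    authby=secret
conn north-east
    right=%any
    rightid=divya at cas.com
    authby=secret
"""
SERVER_SECRETS = """
50.1.1.226 divya1 at cas.com: PSK "mypresharedkey1"
50.1.1.226 divya at cas.com: PSK "mypresharedkey"
"""

def parse_conns(conf):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, cur = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def parse_psks(secrets):
    """Return {selector_text: psk} for each PSK line in ipsec.secrets."""
    return {m.group(1).strip(): m.group(2)
            for m in re.finditer(r'^(.*?):\s*PSK\s+"([^"]*)"', secrets, re.M)}

def main_mode_psk_conflicts(conf, secrets):
    """Names of PSK road-warrior conns (right=%any) that resolve to different
    secrets. A Main Mode responder must know the PSK before it can decrypt
    the message carrying the peer ID, so it selects the secret by peer
    address alone; Aggressive Mode sends the ID in the clear and is skipped."""
    psks = parse_psks(secrets)
    psk_of = {}
    for name, c in parse_conns(conf).items():
        if c.get("right") != "%any" or c.get("authby") != "secret":
            continue
        if c.get("aggrmode", "no") == "yes":
            continue
        rid = c.get("rightid", "")
        psk_of[name] = next((p for s, p in psks.items() if rid and rid in s), None)
    return sorted(psk_of) if len(set(psk_of.values())) > 1 else []
```

On the posted configuration the check reports both conns; giving them one shared PSK (or, at the cost of exposing the ID, switching the road-warrior conns to Aggressive Mode) makes it return nothing.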