[Openswan Users] Multiple VPN remote client session to VPN server is not working in Openswan
Tuomo Soini
tis at foobar.fi
Sat Mar 24 15:00:08 EDT 2012
On Sat, 24 Mar 2012 01:04:10 +0530
Anonymous cross <anonymouscross at gmail.com> wrote:
> Hi,
>
> Please find my topology below
>
>
> pc1 (30.1.1.2) ---- 30.1.1.1 \
>                               GW1 (50.1.1.227, NAT MASQUERADING) ---- Internet ---- VPN SERVER (50.1.1.226)
> pc2 (40.1.1.2) ---- 40.1.1.1 /
>
> I want to establish a tunnel session from pc1 & pc2 to the VPN server
> at the same time.
> I found that the tunnel from PC1 to the VPN server succeeds, but the tunnel
> from PC2 to the VPN server fails because it is referring to the
> connection/session established for PC1.
> It seems to be a valid scenario; why is openswan not classifying the
> sessions properly?
>
> Please find the logs below
> VPN SERVER log
> ++++++++++++++
> Mar 25 00:01:00 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #10: sending notification PAYLOAD_MALFORMED to 50.1.1.227:500
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [Openswan (this version) 2.6.35 ]
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [Dead Peer Detection]
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [RFC 3947] method set to=109
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
> Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: responding to Main Mode from unknown peer 50.1.1.227
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: STATE_MAIN_R1: sent MR1, expecting MI2
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #10: max number of retransmissions (2) reached STATE_MAIN_R2
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: STATE_MAIN_R2: sent MR2, expecting MI3
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: next payload type of ISAKMP Identification Payload has an unknown value: 149
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Mar 25 00:01:40 localhost pluto[15403]: | payload malformed after IV
> Mar 25 00:01:40 localhost pluto[15403]: | ed 04 a0 c1 4e 6e c6 43 30 94 55 a4 ef 8a e1 f3
> Mar 25 00:01:40 localhost pluto[15403]: | 6b b5 09 45
> Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: sending notification PAYLOAD_MALFORMED to 50.1.1.227:500
> Mar 25 00:01:50 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: next payload type of ISAKMP Identification Payload has an unknown value: 149
> Mar 25 00:01:50 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
> Mar 25 00:01:50 localhost pluto[15403]: | payload malformed after IV
> Mar 25 00:01:50 localhost pluto[15403]: | ed 04 a0 c1 4e 6e c6 43 30 94 55 a4 ef 8a e1 f3
> Mar 25 00:01:50 localhost pluto[15403]: | 6b b5 09 45
>
> PC2 log
> ++++++++++++++
>
> 104 "static-dynamic" #1: STATE_MAIN_I1: initiate
> 003 "static-dynamic" #1: received Vendor ID payload [Openswan (this version) 2.6.35 ]
> 003 "static-dynamic" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "static-dynamic" #1: received Vendor ID payload [RFC 3947] method set to=109
> 106 "static-dynamic" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "static-dynamic" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
> 108 "static-dynamic" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 010 "static-dynamic" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
> 003 "static-dynamic" #1: discarding duplicate packet; already STATE_MAIN_I3
> 010 "static-dynamic" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
> 003 "static-dynamic" #1: discarding duplicate packet; already STATE_MAIN_I3
> 031 "static-dynamic" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
>
> PC1 ipsec.conf
> ++++++++++++
>
> config setup
>     protostack=netkey
>     nat_traversal=yes
>     #virtual_private=%v4:30.1.1.0/8
>     oe=off
>     # Enable this if you see "failed to find any available worker"
>     nhelpers=0
>     interfaces=%defaultroute
>
> conn north-east
>     type=tunnel
>     left=%defaultroute
>     leftid=divya1 at cas.com
>     right=50.1.1.226
>     auth=esp
>     authby=secret
>     pfs=no
>     keyexchange=ike
>     auto=add
>
> ipsec.secrets
> +++++++++++
> divya1 at cas.com 50.1.1.226: PSK "mypresharedkey1"
>
> PC2 ipsec.conf
> ++++++++++++
> config setup
>     protostack=netkey
>     nat_traversal=yes
>     virtual_private=
>     oe=off
>     # Enable this if you see "failed to find any available worker"
>     nhelpers=0
>     interfaces=%defaultroute
>
> conn static-dynamic
>     type=tunnel
>     left=%defaultroute
>     right=50.1.1.226
>     leftid=divya at cas.com
>     auth=esp
>     authby=secret
>     pfs=no
>     keyexchange=ike
>     rekey=no
>     auto=add
>
> ipsec.secrets
> +++++++++++
> 50.1.1.226 divya at cas.com: PSK "mypresharedkey"
>
> VPN server conf
> ++++++++++++
>
> conn static-dynamic
>     type=tunnel
>     left=50.1.1.226
>     right=%any
>     rightid=divya1 at cas.com
With main mode IPsec, the IPv4 address is the only possible ID; this format can
only be used with aggressive mode, with exact ike= and phase2alg=
settings.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
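Added illustration (not Openswan code and not from the thread) of why the reply above settles the poster's case: an IKEv1 responder needs the PSK to derive SKEYID before it can decrypt the third main-mode message that carries the peer ID, so with PSK authentication it can only select the secret by peer IP; two clients behind the same NAT address with different PSKs therefore collide, and the second one's decrypted ID payload is garbage, which is the "next payload type ... unknown value" / PAYLOAD_MALFORMED seen in the server log. In aggressive mode the ID travels in the clear in the first message, so the lookup can use it. The secrets table, nonces and toy stream cipher are constructed stand-ins for this model.

```python
import hmac
import hashlib

# Constructed secrets table modelled on the two ipsec.secrets files in the
# thread: both clients arrive from the NAT address 50.1.1.227 with different
# PSKs. (Real ipsec.secrets syntax is not reproduced here.)
SECRETS = [
    ("50.1.1.227", "divya1@cas.com", b"mypresharedkey1"),  # PC1
    ("50.1.1.227", "divya@cas.com", b"mypresharedkey"),    # PC2
]
# ISAKMP payload types 0..13 plus NAT-D/NAT-OA (RFC 3947); anything else is
# what pluto logs as "next payload type ... has an unknown value".
KNOWN_PAYLOAD_TYPES = set(range(14)) | {20, 21}
NI, NR = b"\x11" * 16, b"\x22" * 16  # constructed fixed nonces

def skeyid(psk, ni, nr):
    """IKEv1 with PSK: SKEYID = prf(pre-shared-key, Ni_b | Nr_b) (RFC 2409)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()

def xor_cipher(key, data):
    """Toy stream cipher standing in for the real SKEYID_e-based encryption."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def lookup_psk(peer_ip, peer_id=None):
    """Main mode: the ID is still encrypted when the PSK is needed, so only the
    IP can be matched and the first entry wins. Aggressive mode: the ID came
    in the clear in the first message, so it can be matched too."""
    for ip, ident, psk in SECRETS:
        if ip == peer_ip and (peer_id is None or ident == peer_id):
            return psk
    return None

def responder_mi3(client_ip, client_id, client_psk, aggressive=False):
    """Client encrypts its ID payload under its PSK; the responder decrypts it
    under whatever PSK its lookup returned and validates the payload header."""
    ident = client_id.encode()
    # Generic payload header: next payload (8 = HASH), reserved, length.
    id_payload = bytes([8, 0]) + (4 + len(ident)).to_bytes(2, "big") + ident
    ciphertext = xor_cipher(skeyid(client_psk, NI, NR), id_payload)
    psk = lookup_psk(client_ip, client_id if aggressive else None)
    plain = xor_cipher(skeyid(psk, NI, NR), ciphertext)
    if plain[0] not in KNOWN_PAYLOAD_TYPES:
        return f"PAYLOAD_MALFORMED: next payload type has unknown value {plain[0]}"
    if int.from_bytes(plain[2:4], "big") != len(plain):
        return "PAYLOAD_MALFORMED: bad ID payload length"
    return "ok: " + plain[4:].decode()
```

Running `responder_mi3` for PC1 and PC2 in main mode shows PC1 succeeding and PC2 failing on the PC1 secret, while PC2 with `aggressive=True` is matched by its ID and succeeds.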