[Openswan Users] Connection problem

Krzysztof Kardas krzychk2 at gmail.com
Thu Jan 24 15:51:19 EST 2013


Hi,
I am new to OpenSwan. I have a problem with the proper
configuration of an IPsec tunnel to Cisco equipment.

Tunnel parameters are:
Phase 1
Authentication-method: rsa-signatures
Diffie-Hellman-group: group2
Authentication-algorithm: sha1
Encryption-algorithm: aes-256-cbc
Lifetime-seconds: 86400
Phase 2
Protocol: esp
Authentication-algorithm: hmac-sha1-96
Encryption-algorithm: aes-256-cbc
Lifetime-seconds: 3600

The configuration I am working on is:

conn borucza
     authby=rsasig
     auth=esp
     keyexchange=ike
     ike=aes256-sha1
     ikelifetime=86400s
     pfs=yes
     esp=aes256-sha1
     salifetime=3600s
     dpdtimeout=10
     dpddelay=3

     right=%defaultroute
     rightrsasigkey=%cert
     rightcert=netp  ## certificate in the NSS database
     rightid=@B-DMZ-FWL-2201.plicbd.pl

     # Left side is Check Point
     left=91.217.25.14
     leftsubnet=10.104.5.36/24 ## subnet behind the gateway
     leftcert=c352fa89f28c4d7c7c4944dbfd47e93c_e9bf401e-df95-4b5e-a0ee-ae2fa4aba850
     leftrsasigkey=%cert
     auto=start

The problem I have is that I cannot connect.
There is something like this in the logs:

Jan 24 21:23:56 plicbd pluto[1508]: loaded private key for keyid: PPK_RSA:AwEAAdaBO
Jan 24 21:23:56 plicbd pluto[1508]: "borucza" #1: initiating Main Mode
Jan 24 21:23:56 plicbd pluto[1508]: "borucza" #1: ignoring unknown Vendor ID payload [a601e645e2e8e15239409664fdeb5a9000cf9cad0000000e0000061e]
Jan 24 21:23:56 plicbd pluto[1508]: "borucza" #1: received Vendor ID payload [Dead Peer Detection]
Jan 24 21:23:56 plicbd pluto[1508]: "borucza" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Jan 24 21:23:56 plicbd pluto[1508]: "borucza" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 24 21:23:56 plicbd pluto[1508]: "borucza" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 24 21:23:56 plicbd pluto[1508]: "borucza" #1: I am sending my cert
Jan 24 21:23:56 plicbd pluto[1508]: "borucza" #1: I am sending a certificate request
Jan 24 21:23:56 plicbd pluto[1508]: "borucza" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 24 21:23:56 plicbd pluto[1508]: "borucza" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 24 21:23:58 plicbd pluto[1508]: packet from aaa.bbb.ccc.ddd:500: ignoring unknown Vendor ID payload [a601e645e2e8e15239409664fdeb5a9000cf9cad0000000e0000061e]
Jan 24 21:23:58 plicbd pluto[1508]: packet from aaa.bbb.ccc.ddd:500: received Vendor ID payload [Dead Peer Detection]
Jan 24 21:23:58 plicbd pluto[1508]: packet from aaa.bbb.ccc.ddd:500: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Jan 24 21:23:58 plicbd pluto[1508]: packet from aaa.bbb.ccc.ddd:500: initial Main Mode message received on xxx.yyy.zzz.vvv:500 but no connection has been authorized with policy=RSASIG

Can somebody help me?
Regards
Chris
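The tunnel parameters from the post written out as an Openswan conn, as an added example that is not part of Chris's message nor of the Openswan project's own documentation. Only the algorithms, lifetimes, the certificate nickname and the @-identity come from the post; the peer address and both subnets are placeholders I made up, and the comments about Cisco behaviour are my assumptions about the remote side. Compared with the posted conn it pins the Phase 1 Diffie-Hellman group explicitly, writes subnets as network addresses rather than host addresses, puts the local side consistently on `left`, and adds `rightsubnet`, which the posted conn lacks. The last log line in the post ("no connection has been authorized with policy=RSASIG") is pluto reporting that the peer which just sent a Main Mode message matched none of the loaded conns, so the things to check are that the address the peer sends from equals the peer address in the conn, that each side's ID is exactly what the other side sends, and that the Phase 1 proposals agree.

```conf
conn borucza
     # Phase 1: rsa-signatures, aes-256-cbc, sha1, DH group 2 (modp1024), 86400 s.
     # Without ";modp1024" Openswan fills in its own default DH group(s), so pin
     # group 2 to match the Cisco side.
     keyexchange=ike
     authby=rsasig
     ike=aes256-sha1;modp1024
     ikelifetime=86400s
     # Phase 2: ESP aes-256-cbc, hmac-sha1-96, 3600 s.
     auth=esp
     esp=aes256-sha1
     salifetime=3600s
     # The Phase 2 list in the post names no PFS group. Assumption: the Cisco
     # crypto map has no "set pfs", in which case pfs=yes breaks Quick Mode.
     # If it does have "set pfs group2", use pfs=yes and esp=aes256-sha1;modp1024.
     pfs=no
     dpddelay=3
     dpdtimeout=10
     dpdaction=restart
     # Local side (this Openswan host).
     left=%defaultroute
     leftcert=netp                        # nickname of our certificate in the NSS database
     leftrsasigkey=%cert
     leftid=@B-DMZ-FWL-2201.plicbd.pl     # must match a name in the "netp" certificate
     leftsubnet=192.0.2.0/24              # placeholder: local network, as a network address
     # Remote side (the Cisco).
     right=198.51.100.1                   # placeholder: the address the peer's packets come from
     rightrsasigkey=%cert                 # take the peer's cert from IKE, validate against the CA in NSS
     #rightid=@cisco.example.com          # placeholder: set to the identity the Cisco actually sends
     rightsubnet=10.0.0.0/24              # placeholder: network behind the Cisco, as a network address
     auto=start
```

With the conn in place, `ipsec auto --add borucza` loads it, `ipsec auto --up borucza` initiates, and `ipsec auto --status` shows which conns are loaded and with which addresses and IDs; if the peer address or IDs shown there do not match what the remote sends, the inbound Main Mode message will keep hitting "no connection has been authorized".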

