[Openswan Users] no quick mode - received MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client
gerhard reuter
gerhard.reuter at bayer.com
Wed Nov 19 02:29:20 EST 2014
Hello world,
I tried to set up a VPN for my customers to an AWS cloud. I decided to use
openswan (Ubuntu) in the cloud and VPN Access Manager for the Win7 clients.
Furthermore, I wanted authentication against /etc/passwd.
I see this in /var/log/auth.log:
Nov 19 07:02:31 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1: responding to Main Mode from unknown peer 212.64.xxx.xxx
Nov 19 07:02:31 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 19 07:02:31 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 19 07:02:31 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Nov 19 07:02:31 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 19 07:02:31 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1: Main mode peer ID is ID_FQDN: '@'
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1: switched from "RWConn" to "RWConn"
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: deleting connection "RWConn" instance with peer 212.64.xxx.xxx {isakmp=#0/ipsec=#0}
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: new NAT mapping for #1, was 212.64.xxx.xxx:45551, now 212.64.xxx.xxx:45552
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp2048}
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: XAUTH: Sending XAUTH Login/Password Request
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: XAUTH: Sending Username/Password request (XAUTH_R0)
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: received and ignored informational message
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: XAUTH: Unsupported XAUTH parameter XAUTH-TYPE received.
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: XAUTH: User Hamsterxy: Attempting to login
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: XAUTH: pam authentication being called to authenticate user Hamsterxy
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: XAUTH: User Hamsterxyz: Authentication Successful
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: XAUTH: xauth_inR1(STF_OK)
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: received MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client
Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: sending encrypted notification UNSUPPORTED_EXCHANGE_TYPE to 212.64.xxx.xxx:45552
Nov 19 07:02:37 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: received MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client
Nov 19 07:02:37 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1: sending encrypted notification UNSUPPORTED_EXCHANGE_TYPE to 212.64.xxx.xxx:45552
root at ip-172-31-14-254:~#
- there seems to be an ISAKMP SA for Main Mode
- the user seems to be authenticated
- but there is no Quick Mode
my ipsec.conf:
version 2.0

config setup
    protostack=netkey
    interfaces=%defaultroute
    nat_traversal=yes
    force_keepalive=yes
    keep_alive=60
    virtual_private=%v4:172.24.0.0/16
    oe=no
    nhelpers=0

conn RWConn
    rightsubnet=vhost:%priv
    type=transport
    authby=secret
    pfs=no
    rekey=no
    ikelifetime=8h
    keylife=1h
    leftprotoport=17/1701
    left=172.31.14.254
    leftsubnet=172.31.15.0/24
    leftid=@172.31.14.254
    leftxauthserver=yes
    rightprotoport=17/0
    right=%any
    rightxauthclient=yes
    auto=ignore
The AWS Openswan host has the internal IP 172.31.14.254.
I wanted to make 172.31.15.0/24 available to my customers.
Any idea what I'm missing? I've been banging my head on my desk for 3 days now. Will
need a new head and desk soon.
Thanks a lot in advance
-Jerry
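One way to confirm the pattern visible in the log above (Phase 1 and XAUTH complete, then the client's MODECFG request is refused with UNSUPPORTED_EXCHANGE_TYPE and no Quick Mode follows), as an added example that is not part of the original post or of Openswan: a small Python script that folds pluto auth.log lines into a per-peer summary, so a stalled remote-access client can be told apart from one whose password was simply rejected. The sample log, peer addresses and username inside the script are constructed; attributing the prefix-less `XAUTH: User ...` lines to the peer most recently sent an XAUTH request is a heuristic of this script, not something pluto guarantees.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the pluto auth.log excerpt in the post
# above. Hostname, peer addresses and the username are placeholders.
SAMPLE_LOG = """\
Nov 19 07:02:31 gw pluto[2691]: "RWConn"[1] 203.0.113.7 #1: responding to Main Mode from unknown peer 203.0.113.7
Nov 19 07:02:31 gw pluto[2691]: "RWConn"[1] 203.0.113.7 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 19 07:02:32 gw pluto[2691]: "RWConn"[2] 203.0.113.7 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp2048}
Nov 19 07:02:32 gw pluto[2691]: "RWConn"[2] 203.0.113.7 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
Nov 19 07:02:32 gw pluto[2691]: XAUTH: User alice: Authentication Successful
Nov 19 07:02:32 gw pluto[2691]: "RWConn"[2] 203.0.113.7 #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Nov 19 07:02:32 gw pluto[2691]: "RWConn"[2] 203.0.113.7 #1: received MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client
Nov 19 07:02:32 gw pluto[2691]: "RWConn"[2] 203.0.113.7 #1: sending encrypted notification UNSUPPORTED_EXCHANGE_TYPE to 203.0.113.7:45552
Nov 19 07:02:37 gw pluto[2691]: "RWConn"[2] 203.0.113.7 #1: received MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client
Nov 19 07:02:40 gw pluto[2691]: "RWConn"[3] 198.51.100.9 #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp2048}
Nov 19 07:02:41 gw pluto[2691]: "RWConn"[3] 198.51.100.9 #3: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0a1b2c3d <0x4e5f6071 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=198.51.100.9:4500 DPD=none}
"""

# One pluto log line: timestamp, host, pluto[pid], an optional
# "conn"[instance] peer #sa: prefix, then the free-text message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) #(?P<sa>\d+): )?'
    r'(?P<msg>.*)$'
)


def _new_peer_state():
    return {"isakmp": False, "xauth_ok": False, "quick": False,
            "modecfg_rejects": 0, "last_sa": None}


def analyze(log_text):
    """Fold pluto log lines into a per-peer view of how far each tunnel got."""
    peers = defaultdict(_new_peer_state)
    # pluto prints "XAUTH: User ...: Authentication Successful" without the
    # connection prefix; this script attributes it to the peer most recently
    # sent an XAUTH request (a heuristic, adequate for a low-volume log).
    last_xauth_peer = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg, peer = m["msg"], m["peer"]
        if peer is None:
            if (msg.startswith("XAUTH: User") and "Authentication Successful" in msg
                    and last_xauth_peer):
                peers[last_xauth_peer]["xauth_ok"] = True
            continue
        st = peers[peer]
        st["last_sa"] = int(m["sa"])
        if "ISAKMP SA established" in msg:
            st["isakmp"] = True                 # Phase 1 (Main Mode) done
        elif msg.startswith("XAUTH: Sending"):
            last_xauth_peer = peer              # XAUTH exchange in progress
        elif "IPsec SA established" in msg:
            st["quick"] = True                  # Phase 2 (Quick Mode) done
        elif msg.startswith("received MODECFG message when in state STATE_MAIN_R3"):
            st["modecfg_rejects"] += 1          # client's ModeCfg request refused
    return dict(peers)


def stalled_peers(log_text):
    """Peers with an ISAKMP SA and MODECFG rejections but no IPsec SA."""
    return sorted(peer for peer, st in analyze(log_text).items()
                  if st["isakmp"] and not st["quick"] and st["modecfg_rejects"] > 0)


def report(log_text):
    """One human-readable line per peer, in the order peers were first seen."""
    lines = []
    for peer, st in analyze(log_text).items():
        phase = "IPsec SA" if st["quick"] else ("ISAKMP SA only" if st["isakmp"] else "no SA")
        lines.append(f"{peer}: {phase}, xauth_ok={st['xauth_ok']}, "
                     f"modecfg_rejects={st['modecfg_rejects']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    print("stalled after Phase 1:", stalled_peers(SAMPLE_LOG))
```

Run against a real auth.log, the summary separates the three outcomes that matter when triaging remote-access clients: no ISAKMP SA at all (proposal or PSK mismatch), ISAKMP SA with XAUTH failure (credentials), and, as in the post, ISAKMP SA plus successful XAUTH followed only by MODECFG rejections, which points at the mode-config side of the configuration rather than at authentication.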