[Openswan Users] no quick mode - received MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client

Elison Niven elison.niven at cyberoam.com
Wed Nov 19 03:32:42 EST 2014


Hi,

Seems like the client is sending a MODECFG message and expecting you to 
lease an IP address to it. You can either change the settings at the 
client or change settings at your end.

Best Regards,
Elison Niven

On Wednesday 19 November 2014 12:59 PM, gerhard reuter wrote:
> Hello world,
> I tried to set up a VPN for my customers to an AWS Cloud. I decided to use
> openswan (Ubuntu) in the Cloud and VPN Access Manager for the Win7 Clients.
> Furthermore I wanted authentication against /etc/passwd.
> I see this in /var/log/auth.log:
> Nov 19 07:02:31 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1:
> responding to Main Mode from unknown peer 212.64.xxx.xxx
> Nov 19 07:02:31 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Nov 19 07:02:31 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Nov 19 07:02:31 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
> Nov 19 07:02:31 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Nov 19 07:02:31 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1:
> Main mode peer ID is ID_FQDN: '@'
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[1] 212.64.xxx.xxx #1:
> switched from "RWConn" to "RWConn"
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> deleting connection "RWConn" instance with peer 212.64.xxx.xxx
> {isakmp=#0/ipsec=#0}
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> new NAT mapping for #1, was 212.64.xxx.xxx:45551, now 212.64.xxx.xxx:45552
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_256 prf=oakley_md5 group=modp2048}
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> XAUTH: Sending XAUTH Login/Password Request
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> XAUTH: Sending Username/Password request (XAUTH_R0)
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> received and ignored informational message
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> XAUTH:  Unsupported XAUTH parameter XAUTH-TYPE received.
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: XAUTH: User Hamsterxy:
> Attempting to login
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: XAUTH: pam authentication
> being called to authenticate user Hamsterxy
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: XAUTH: User Hamsterxyz:
> Authentication Successful
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> XAUTH: xauth_inR1(STF_OK)
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> received MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client
> Nov 19 07:02:32 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> sending encrypted notification UNSUPPORTED_EXCHANGE_TYPE to 212.64.xxx.xxx:45552
> Nov 19 07:02:37 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> received MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client
> Nov 19 07:02:37 ip-172-31-14-254 pluto[2691]: "RWConn"[2] 212.64.xxx.xxx #1:
> sending encrypted notification UNSUPPORTED_EXCHANGE_TYPE to 212.64.xxx.xxx:45552
> root at ip-172-31-14-254:~#
>
> - there seems to be an ISAKMP SA for Main Mode
> - the user seems to be authenticated
> - but there is no Quick Mode -
>
> my ipsec.conf:
> version    2.0
> config setup
>     protostack=netkey
>     interfaces=%defaultroute
>     nat_traversal=yes
>     force_keepalive=yes
>     keep_alive=60
>     virtual_private=%v4:172.24.0.0/16
>     oe=no
>     nhelpers=0
> conn RWConn
>     rightsubnet=vhost:%priv
>     type=transport
>     authby=secret
>     pfs=no
>     rekey=no
>     ikelifetime=8h
>     keylife=1h
>     leftprotoport=17/1701
>     left=172.31.14.254
>     leftsubnet=172.31.15.0/24
>     leftid=@172.31.14.254
>     leftxauthserver=yes
>     rightprotoport=17/0
>     right=%any
>     rightxauthclient=yes
>     auto=ignore
>
> AWS Openswan has the internal IP: 172.31.14.254
> Wanted to make 172.31.15.0/24 available to my customers.
>
> Any idea what I'm missing? Banging my head now for 3 days on my desk. Will
> need a new head and desk soon.
>
> Thanks a lot in advance
> -Jerry
>
>
>
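Elison's second option, changing settings at the Openswan end so the responder answers the client's MODECFG request instead of rejecting it with UNSUPPORTED_EXCHANGE_TYPE, as an added illustration that is not from either message in this thread. Only the Mode Config related lines of a conn like Jerry's RWConn are shown; the option names are taken from the Openswan 2.6 ipsec.conf(5) man page as I recall them, and the address pool and DNS server are constructed placeholders that have to fall inside virtual_private.

```conf
# Added illustration (not from the thread): Mode Config lines for a
# roadwarrior conn whose clients expect the server to lease an address.
# Verify every option name against the ipsec.conf(5) man page of the
# installed Openswan version before use.
conn RWConn
    authby=secret
    left=172.31.14.254
    leftid=@172.31.14.254
    leftsubnet=172.31.15.0/24
    # XAUTH as in the original conn: we are the server, the peer is the client
    leftxauthserver=yes
    rightxauthclient=yes
    # Mode Config: we (left) lease the address that the peer (right)
    # requests in its MODECFG message after XAUTH succeeds
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    # The log shows the client sending the request, i.e. pull mode;
    # assumption: modecfgpull=yes selects that on the Openswan side
    modecfgpull=yes
    # Constructed placeholder: DNS server pushed to the client
    modecfgdns1=172.31.15.53
    # Constructed placeholder pool; it must lie within
    # virtual_private=%v4:172.24.0.0/16 from the config setup section
    rightaddresspool=172.24.0.10-172.24.0.250
    right=%any
    auto=add
```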

