[Openswan Users] LAN to LAN connection failed with RSA+AGGRESSIVE but succeed with RSA+Main mode
Patrick Naubert
patrickn at xelerance.com
Mon Feb 2 12:07:37 EST 2015
Rescued from the Spam bucket. Please remember to subscribe to the mailing list before posting to it.
From: Willer Wang 王明偉 <willer.wang at cybertan.com.tw>
To: "users at lists.openswan.org" <users at lists.openswan.org>
Subject: LAN to LAN connection failed with RSA+AGGRESSIVE but succeed with RSA+Main mode
Date: February 1, 2015 at 9:04:03 PM GMT-5
Hi,
I have a problem setting up a LAN-to-LAN VPN environment with RSASIG+AGGRESSIVE.
Version of OPENSWAN: 2.6.37
Topology:
LAN <--> Device (A) <--> WAN <--> Device (B) <--> LAN
192.168.1.0/24    10.0.0.1            10.0.0.15    192.168.15.0/24
------------------------
configure for Device (A)
------------------------
config setup
listen=10.0.0.1
conn "ips1"
left=10.0.0.1
leftsubnet=192.168.1.0/24
leftnexthop=10.0.0.15
right=10.0.0.15
rightsubnet=192.168.15.0/24
pfs=no
phase2alg=aes128-sha1
salifetime=3600s
ike=aes128-sha1;modp768
aggrmode=yes
ikelifetime=28800s
rekeymargin=3s
leftid=CN=rv130_1
rightid=CN=rv130_15
authby=rsasig
leftcert=rv130_ca.pem
leftrsasigkey=%cert
rightrsasigkey=%cert
------------------------------
ipsec.secrets for Device (A)
------------------------------
: RSA pr130.key "password"
------------------------
configure for Device (B)
------------------------
config setup
listen=10.0.0.15
conn "ips15"
left=10.0.0.15
leftsubnet=192.168.15.0/24
leftnexthop=10.0.0.1
right=10.0.0.1
rightsubnet=192.168.1.0/24
pfs=no
phase2alg=aes128-sha1
salifetime=3600s
ike=aes128-sha1;modp768
aggrmode=yes
ikelifetime=28800s
rekeymargin=3s
leftid=CN=rv130_15
rightid=CN=rv130_1
authby=rsasig
leftcert=rv130_ca.pem
leftrsasigkey=%cert
rightrsasigkey=%cert
------------------------------
ipsec.secrets for Device (B)
------------------------------
: RSA pr130.key "password"
Now, when we bring up the tunnel from Device (A) to Device (B), we see the following log.
Device (A)
Feb 2 00:31:55 pluto[1777]: "ips1" #8692: initiating Aggressive Mode #8692, connection "ips1"
112 "ips1" #8692: STATE_AGGR_I1: initiate
Feb 2 00:31:55 pluto[1777]: packet from 10.0.0.15:500: ignoring informational payload, type INVALID_ID_INFORMATION on st==NULL (deleted?)
Feb 2 00:31:55 pluto[1777]: packet from 10.0.0.15:500: received and ignored informational message
Device (B)
Feb 17 00:32:36 pluto[1980]: packet from 10.0.0.1:500: received Vendor ID payload [Dead Peer Detection]
Feb 17 00:32:36 pluto[1980]: "ips15" #8528: Aggressive mode peer ID is ID_DER_ASN1_DN: 'CN=rv130_1'
Feb 17 00:32:36 pluto[1980]: "ips15" #8528: no suitable connection for peer 'CN=rv130_1'
Feb 17 00:32:36 pluto[1980]: "ips15" #8528: initial Aggressive Mode packet claiming to be from CN=rv130_1 on 10.0.0.1 but no connection has been authorized
Feb 17 00:32:36 pluto[1980]: "ips15" #8528: sending notification INVALID_ID_INFORMATION to 10.0.0.1:500
But if I set "aggrmode=yes" for both devices, the connection works perfectly.
Does Openswan not support "aggressive mode + RSASIG" in LAN-to-LAN mode?
Or can someone give us advice about this problem?
THX
/Willer
This e-mail transmission originated at CyberTAN Technology, Inc., and may contain privileged or confidential information that is the property of CyberTAN and protected by law from disclosure. If you are not an intended recipient of this transmission and you received it in error, please inform the sender by reply e-mail and destroy this and all other copies of this transmission to which you have access. Thank you.
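As an added diagnostic for the failure quoted above (this is not code from the post or from Openswan), the following Python script parses a conn block written in the posted ipsec.conf format together with the responder's pluto log lines, and reports whether the ID that Device (B) rejected with INVALID_ID_INFORMATION actually matches a configured rightid. The config text and log lines are reconstructed from this message as sample input; the function names are mine. It also flags the settings in the posted conn that a reviewer would question on security grounds (the 768-bit modp768 group, aggrmode=yes, pfs=no).

```python
import re

# Device (B) configuration, reconstructed from the post (constructed sample input).
IPSEC_CONF_B = """\
config setup
    listen=10.0.0.15
conn "ips15"
    left=10.0.0.15
    leftsubnet=192.168.15.0/24
    leftnexthop=10.0.0.1
    right=10.0.0.1
    rightsubnet=192.168.1.0/24
    pfs=no
    phase2alg=aes128-sha1
    salifetime=3600s
    ike=aes128-sha1;modp768
    aggrmode=yes
    ikelifetime=28800s
    rekeymargin=3s
    leftid=CN=rv130_15
    rightid=CN=rv130_1
    authby=rsasig
    leftcert=rv130_ca.pem
    leftrsasigkey=%cert
    rightrsasigkey=%cert
"""

# Responder-side pluto log lines, copied from the post (constructed sample input).
PLUTO_LOG_B = [
    "Feb 17 00:32:36 pluto[1980]: packet from 10.0.0.1:500: received Vendor ID payload [Dead Peer Detection]",
    "Feb 17 00:32:36 pluto[1980]: \"ips15\" #8528: Aggressive mode peer ID is ID_DER_ASN1_DN: 'CN=rv130_1'",
    "Feb 17 00:32:36 pluto[1980]: \"ips15\" #8528: no suitable connection for peer 'CN=rv130_1'",
    "Feb 17 00:32:36 pluto[1980]: \"ips15\" #8528: initial Aggressive Mode packet claiming to be from CN=rv130_1 on 10.0.0.1 but no connection has been authorized",
    "Feb 17 00:32:36 pluto[1980]: \"ips15\" #8528: sending notification INVALID_ID_INFORMATION to 10.0.0.1:500",
]

# Regexes for the two pluto log lines we care about: the peer ID the responder saw,
# and the notification it sent back.
PEER_ID_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: Aggressive mode peer ID is (?P<idtype>[A-Z0-9_]+): \'(?P<pid>[^\']*)\'')
NOTIFY_RE = re.compile(r"sending notification (?P<notify>[A-Z_]+) to (?P<peer>\d+\.\d+\.\d+\.\d+):\d+")


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: returns {conn_name: {key: value}}; 'config setup' is stored under '_setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^conn\s+"?([^"\s]+)"?$', line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif line == "config setup":
            current = "_setup"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split once: values like CN=rv130_1 contain '='
            sections[current][key.strip()] = value.strip()
    return sections


def normalize_id(ident):
    """Strip quotes and whitespace after commas so 'CN=a, O=b' and 'CN=a,O=b' compare equal."""
    return re.sub(r",\s*", ",", ident.strip().strip('"'))


def diagnose(conf_text, log_lines):
    """Correlate the responder log with its ipsec.conf and collect weak settings."""
    conf = parse_ipsec_conf(conf_text)
    result = {"peer_id": None, "id_type": None, "notification": None,
              "matching_conns": [], "weak_settings": []}
    for line in log_lines:
        m = PEER_ID_RE.search(line)
        if m:
            result["peer_id"], result["id_type"] = m.group("pid"), m.group("idtype")
        m = NOTIFY_RE.search(line)
        if m:
            result["notification"] = m.group("notify")
    if result["peer_id"]:
        want = normalize_id(result["peer_id"])
        result["matching_conns"] = sorted(
            name for name, kv in conf.items()
            if name != "_setup" and "rightid" in kv and normalize_id(kv["rightid"]) == want)
    for name, kv in conf.items():
        if name == "_setup":
            continue
        ike = kv.get("ike", "")
        if "modp768" in ike or "modp1024" in ike:
            result["weak_settings"].append(f"{name}: ike={ike} uses a DH group smaller than 2048 bits")
        if kv.get("aggrmode", "no").lower() == "yes":
            result["weak_settings"].append(f"{name}: aggrmode=yes sends the IKE identities before encryption is established")
        if kv.get("pfs", "yes").lower() == "no":
            result["weak_settings"].append(f"{name}: pfs=no, phase 2 keys are derived without a fresh DH exchange")
    return result


def verdict(result):
    """One-line interpretation of the correlated evidence."""
    if result["notification"] != "INVALID_ID_INFORMATION":
        return "no INVALID_ID_INFORMATION notification seen in the responder log"
    if not result["matching_conns"]:
        return f"peer ID {result['peer_id']!r} matches no configured rightid: check leftid/rightid on both peers"
    return (f"peer ID {result['peer_id']!r} matches rightid of {result['matching_conns']}; "
            "the rejection is not a plain ID string mismatch, so look at how the responder selects a "
            "connection for an Aggressive Mode request (authby, rsasigkey source, aggrmode on both ends)")


if __name__ == "__main__":
    r = diagnose(IPSEC_CONF_B, PLUTO_LOG_B)
    print(verdict(r))
    for w in r["weak_settings"]:
        print("weak setting:", w)
```

Run against the posted log, the script confirms that the rejected ID 'CN=rv130_1' is exactly the rightid of conn "ips15", so the "no suitable connection" error is not a typo in the ID strings; that narrows the search to connection selection for Aggressive Mode rather than to the identities themselves.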