[Openswan Users] Ubuntu 14.04 (AWS VPC) IPSec Tunnel to Cisco

Ed Nitido ednitido at gmail.com
Thu Oct 22 18:15:17 EDT 2015


Thanks for the reply, Neal. I do get further when aggressive mode is off:

| find_host_connection2 called from aggr_inI1_outR1_common, me=172.31.28.158:500 him=%any:500 policy=PSK+AGGRESSIVE
| find_host_pair: comparing to 172.31.28.158:500 THEIR_PUBLIC_IP:500
| find_host_pair_conn (find_host_connection2): 172.31.28.158:500 %any:500 -> hp:none
| searching for connection with policy = PSK+AGGRESSIVE
| find_host_connection2 returns empty
packet from MY_PUBLIC_IP:500: initial Aggressive Mode message from
MY_PUBLIC_IP but no (wildcard) connection has been configured with
policy=PSK+AGGRESSIVE
| complete state transition with STF_IGNORE
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 34 seconds
| next event EVENT_PENDING_DDNS in 34 seconds


However, the client requires that Aggressive Mode be on.

Also in the logs when Aggressive Mode was off, I see:


"net2net" #1: Main mode peer ID is ID_IPV4_ADDR: '172.28.100.10'
"net2net" #1: we require peer to have ID 'THEIR_PUBLIC_IP', but peer
declares '172.28.100.10'

That means 172.28.100.10 is coming from their end, no?


On Wed, Oct 21, 2015 at 5:12 PM, Neal P. Murphy <neal.p.murphy at alum.wpi.edu>
wrote:

> On Wed, 21 Oct 2015 13:46:44 -0400
> Ed Nitido <ednitido at gmail.com> wrote:
>
> > Hello all,
> >
> > I've been trying to set up a server-to-server IPSec VPN tunnel from a
> > Ubuntu 14.04 server hosted in Amazon to a client's Cisco (the logs say
> it's
> > a Cisco VPN 3000 Series).
> >
> > I am new to IPSec so to test, I created 2 VPCs in amazon following this
> > guide http://aws.amazon.com/articles/5472675506466066. It worked, when I
> > checked ipsec status, it said I had 2 tunnels up.
> >
> > Now, when I connect to the client, I get some weird messages in my pluto
> > log.
> >
> >
> > "net2net" #1: received Vendor ID payload [Cisco-Unity]
> > "net2net" #1: received Vendor ID payload [XAUTH]
> > "net2net" #1: received Vendor ID payload [Dead Peer Detection]
> > "net2net" #1: received Vendor ID payload [RFC 3947] method set to=115
> > "net2net" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
> > "net2net" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> > "net2net" #1: protocol/port in Phase 1 ID Payload MUST be 0/0 or 17/500
> but
> > are 17/0 (attempting to continue)
> > "net2net" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '172.28.100.10'
>
> My suggestion: turn off aggressive mode; see if that makes things smoother.
>
> N
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
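The two log extracts above describe the same gap from both sides: pluto finds no connection with policy=PSK+AGGRESSIVE, and the peer identifies itself as 172.28.100.10 rather than its public address. The following ipsec.conf conn is an added example of an Openswan configuration that matches both, not something posted in the thread; MY_PUBLIC_IP and THEIR_PUBLIC_IP are the thread's own placeholders, while the subnets and the IKE/ESP proposal are assumed and must be replaced with whatever the Cisco side actually uses.

```conf
# Added example (not from the thread): Openswan conn for an IKEv1 aggressive
# mode, pre-shared-key tunnel to a Cisco VPN 3000 peer.
# Assumed placeholders: MY_PUBLIC_IP, THEIR_PUBLIC_IP, both subnets and the
# cipher/DH proposal. The PSK itself lives in /etc/ipsec.secrets.
conn cisco-aggr
    keyexchange=ike
    # pre-shared key authentication -> policy PSK
    authby=secret
    # the Cisco insists on aggressive mode; without this pluto has no
    # connection with policy=PSK+AGGRESSIVE and drops the first packet
    # with STF_IGNORE. Note the trade-off: aggressive mode sends the
    # PSK-derived hash before anything is encrypted, so anyone who can
    # capture the exchange can guess at the PSK offline. Use a long,
    # random key.
    aggrmode=yes
    # aggressive mode carries exactly one Phase 1 proposal, so it has to
    # be the one the Cisco offers (assumed value)
    ike=aes128-sha1;modp1024
    phase2alg=aes128-sha1
    type=tunnel
    # local side: pluto binds the VPC private address (me=172.31.28.158 in
    # the log) but must identify itself to the peer by the Elastic IP it
    # sits behind
    left=172.31.28.158
    leftid=MY_PUBLIC_IP
    # assumed VPC CIDR
    leftsubnet=10.0.0.0/16
    # remote side: reached at its public address, but in Phase 1 it sends
    # ID_IPV4_ADDR 172.28.100.10, so that is the ID to require; leaving
    # rightid unset makes pluto expect THEIR_PUBLIC_IP and reject the peer
    right=THEIR_PUBLIC_IP
    rightid=172.28.100.10
    # assumed remote LAN behind the Cisco
    rightsubnet=192.168.1.0/24
    auto=start
```

The matching /etc/ipsec.secrets entry is indexed by the two IDs above (MY_PUBLIC_IP and 172.28.100.10), not by the addresses the packets arrive from.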