Hi,

Please find my topology below:

pc1 ------------------------------
30.1.1.2                  30.1.1.1
                              GW1 --------------- Internet ----------- VPN SERVER (50.1.1.226)
                          (50.1.1.227)
pc2 ------------------------------ (NAT MASQUERADING)
40.1.1.2                  40.1.1.1

I want to establish a tunnel session from pc1 and pc2 to the VPN server at the same time.

I found that the tunnel from PC1 to the VPN server succeeds, but the tunnel from PC2 to the VPN server fails because it is referring to the connection/session established for PC1. It seems to be a valid scenario; why is Openswan not classifying the sessions properly?

Please find the logs below.

VPN SERVER log
++++++++++++++
Mar 25 00:01:00 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #10: sending notification PAYLOAD_MALFORMED to 50.1.1.227:500
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [Openswan (this version) 2.6.35 ]
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [Dead Peer Detection]
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: responding to Main Mode from unknown peer 50.1.1.227
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #10: max number of retransmissions (2) reached STATE_MAIN_R2
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: next payload type of ISAKMP Identification Payload has an unknown value: 149
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Mar 25 00:01:40 localhost pluto[15403]: | payload malformed after IV
Mar 25 00:01:40 localhost pluto[15403]: | ed 04 a0 c1 4e 6e c6 43 30 94 55 a4 ef 8a e1 f3
Mar 25 00:01:40 localhost pluto[15403]: | 6b b5 09 45
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: sending notification PAYLOAD_MALFORMED to 50.1.1.227:500
Mar 25 00:01:50 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: next payload type of ISAKMP Identification Payload has an unknown value: 149
Mar 25 00:01:50 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Mar 25 00:01:50 localhost pluto[15403]: | payload malformed after IV
Mar 25 00:01:50 localhost pluto[15403]: | ed 04 a0 c1 4e 6e c6 43 30 94 55 a4 ef 8a e1 f3
Mar 25 00:01:50 localhost pluto[15403]: | 6b b5 09 45

PC2 log
++++++++++++++

104 "static-dynamic" #1: STATE_MAIN_I1: initiate
003 "static-dynamic" #1: received Vendor ID payload [Openswan (this version) 2.6.35 ]
003 "static-dynamic" #1: received Vendor ID payload [Dead Peer Detection]
003 "static-dynamic" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "static-dynamic" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "static-dynamic" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "static-dynamic" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "static-dynamic" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "static-dynamic" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "static-dynamic" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "static-dynamic" #1: discarding duplicate packet; already STATE_MAIN_I3
031 "static-dynamic" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

PC1 ipsec.conf
++++++++++++

config setup
    protostack=netkey
    nat_traversal=yes
    #virtual_private=%v4:30.1.1.0/8
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0
    interfaces=%defaultroute

conn north-east
    type=tunnel
    left=%defaultroute
    leftid=divya1@cas.com
    right=50.1.1.226
    auth=esp
    authby=secret
    pfs=no
    keyexchange=ike
    auto=add

ipsec.secrets
+++++++++++
divya1@cas.com 50.1.1.226: PSK "mypresharedkey1"

PC2 ipsec.conf
++++++++++++
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0
    interfaces=%defaultroute

conn static-dynamic
    type=tunnel
    left=%defaultroute
    right=50.1.1.226
    leftid=divya@cas.com
    auth=esp
    authby=secret
    pfs=no
    keyexchange=ike
    rekey=no
    auto=add

ipsec.secrets
+++++++++++
50.1.1.226 divya@cas.com: PSK "mypresharedkey"

VPN server conf
++++++++++++

conn static-dynamic
    type=tunnel
    left=50.1.1.226
    right=%any
    rightid=divya1@cas.com
    auth=esp
    authby=secret
    pfs=no
    keyexchange=ike
    ikelifetime=30000s
    keylife=30000s
    rekey=no
    auto=add

conn north-east
    type=tunnel
    left=50.1.1.226
    right=%any
    rightid=divya@cas.com
    auth=esp
    authby=secret
    pfs=no
    keyexchange=ike
    ikelifetime=30000s
    keylife=30000s
    rekey=no

ipsec.secrets
+++++++++++
50.1.1.226 divya1@cas.com: PSK "mypresharedkey1"
50.1.1.226 divya@cas.com: PSK "mypresharedkey"

Regards,
Cross
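A small diagnostic helper for the situation in this post, added here as an example; it is not part of the original message and not Openswan code. It parses pluto responder lines of the shape quoted above (the embedded sample is a constructed subset of those lines), collapses them into one record per ISAKMP SA, and flags the pattern the server log shows: a peer that NAT-Traversal reports as NATed, a Main Mode exchange, and a "mismatch of preshared secrets" on the first encrypted message. The hint it emits rests on how IKEv1 Main Mode works: the initiator's ID payload is carried in the encrypted third message (MI3), so a responder doing PSK authentication must choose the secret by the peer's source address before it knows the ID, and two clients masquerading behind one address cannot be distinguished by rightid at that point. The function names and the SAMPLE_LOG constant are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the pluto lines quoted in the post above.
SAMPLE_LOG = """\
Mar 25 00:01:00 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #10: sending notification PAYLOAD_MALFORMED to 50.1.1.227:500
Mar 25 00:01:40 localhost pluto[15403]: packet from 50.1.1.227:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: responding to Main Mode from unknown peer 50.1.1.227
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #10: max number of retransmissions (2) reached STATE_MAIN_R2
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Mar 25 00:01:40 localhost pluto[15403]: | payload malformed after IV
Mar 25 00:01:40 localhost pluto[15403]: "static-dynamic"[2] 50.1.1.227 #11: sending notification PAYLOAD_MALFORMED to 50.1.1.227:500
"""

# A pluto line tied to an ISAKMP SA: conn name, optional instance number,
# peer address and SA number (#10, #11, ...). Debug lines ("| ...") and the
# pre-SA "packet from ..." lines deliberately do not match and are skipped.
SA_LINE = re.compile(
    r'^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$'
)


def parse_pluto(log):
    """Collapse a pluto log into one record per (peer address, SA number)."""
    sas = defaultdict(lambda: {"conn": None, "mode": None, "natted": False,
                               "psk_mismatch": False, "malformed_notify": 0})
    for line in log.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        st = sas[(m["peer"], int(m["sa"]))]
        st["conn"] = m["conn"]
        msg = m["msg"]
        if "responding to Main Mode" in msg:
            st["mode"] = "Main"
        elif "responding to Aggressive Mode" in msg:
            st["mode"] = "Aggressive"
        if "peer is NATed" in msg:
            st["natted"] = True
        if "mismatch of preshared secrets" in msg:
            st["psk_mismatch"] = True
        if "sending notification PAYLOAD_MALFORMED" in msg:
            st["malformed_notify"] += 1
    return dict(sas)


def diagnose(sas):
    """Group SA records by peer address and flag the NATed/Main Mode/PSK pattern."""
    peers = defaultdict(lambda: {"sas": [], "conns": set(), "natted": False,
                                 "main_mode": False, "failed_sas": 0, "hint": None})
    for (peer, sa), st in sas.items():
        p = peers[peer]
        p["sas"].append(sa)
        p["conns"].add(st["conn"])
        p["natted"] = p["natted"] or st["natted"]
        p["main_mode"] = p["main_mode"] or st["mode"] == "Main"
        if st["psk_mismatch"] or st["malformed_notify"]:
            p["failed_sas"] += 1
    for peer, p in peers.items():
        p["sas"].sort()
        if p["natted"] and p["main_mode"] and p["failed_sas"]:
            p["hint"] = (
                f"{p['failed_sas']} failed Main Mode exchange(s) from NATed address {peer}: "
                "with authby=secret the responder selects the PSK by source address "
                "before the encrypted ID payload (MI3) arrives, so every client behind "
                "that address is matched to the same conn/PSK regardless of rightid."
            )
    return dict(peers)


if __name__ == "__main__":
    for peer, p in diagnose(parse_pluto(SAMPLE_LOG)).items():
        print(peer, p["sas"], sorted(p["conns"]), p["hint"])
```

Run it against a real /var/log/secure or auth.log by passing the file contents to parse_pluto(); the per-peer record lists which SA numbers and conn names pluto attached to that address, which is the quickest way to see that a second client behind the same NAT landed on the first client's conn.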