Ipsec config problem // openswan

Posted by user90696 on Server Fault See other posts from Server Fault or by user90696
Published on 2011-08-05T20:55:50Z Indexed on 2012/10/27 5:06 UTC
Read the original article Hit count: 701

Filed under:
|
|

I try to configure Ipsec on server with openswan as client.
But receive error - possible, it's auth error.

What I wrote wrong in config ?

Thank you for answers.


#1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "f-net" #1: received Vendor ID payload [Cisco-Unity]
003 "f-net" #1: received Vendor ID payload [Dead Peer Detection]
003 "f-net" #1: ignoring unknown Vendor ID payload [ca917959574c7d5aed4222a9df367018]
003 "f-net" #1: received Vendor ID payload [XAUTH]
108 "f-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "f-net" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "f-net" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "f-net" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "f-net" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "f-net" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "f-net" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "f-net" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "f-net" #1: starting keying attempt 2 of at most 3, but releasing whack


other side - Cisco ASA.

parameters for my connection  on our Linux server :    

 VPN Gateway   8.*.*.*    (Cisco )
Phase 1    
Exchange Type    
Main Mode    
Identification Type    
IP Address    
Local ID           4.*.*.*     (our Linux server IP)    
Remote ID          8.*.*.*     (VPN server IP)    
Authentication        PSK    
Pre Shared Key           
Diffie-Hellman Key Group DH 5 (1536 bit) or DH 2 (1024 bit)    
Encryption Algorithm   AES 256    
HMAC Function          SHA-1
Lifetime          86.400 seconds / no volume limit
Phase 2
Security Protocol     ESP
Connection Mode       Tunnel
Encryption Algorithm  AES 256
HMAC Function         SHA-1
Lifetime              3600 seconds / 4.608.000 kilobytes
DPD / IKE Keepalive   15 seconds
PFS                off
Remote Network        192.168.100.0/24
Local Network 1       10.0.0.0/16
...............
Local Network 5

current openswan config :

#
config setup
klipsdebug=all
plutodebug="control parsing"
protostack=netkey
nat_traversal=no
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off    
nhelpers=0    


conn f-net

type=tunnel
keyexchange=ike
authby=secret
auth=esp
esp=aes256-sha1
keyingtries=3
pfs=no
aggrmode=no

keylife=3600s
ike=aes256-sha1-modp1024
#    
left=4.*.*.*
leftsubnet=10.0.0.0/16
leftid=4.*.*.*
leftnexthop=%defaultroute  
right=8.*.*.*
rightsubnet=192.168.100.0/24
rightid=8.*.*.*
rightnexthop=%defaultroute 
auto=add         

© Server Fault or respective owner

Related posts about vpn

Related posts about ipsec