[Swan] Problems converting from OpenSWAN to LibreSWAN

Nels Lindquist nlindq at maei.ca
Tue May 6 23:23:06 EEST 2014


On 5/6/2014 1:38 PM, Paul Wouters wrote:

> Can you provide plutodebug=all logs that show a failed
> connection? It should allow us to see what is being mismatched and
> causing the rejection.

(File sent directly)

Looking through it, I noticed that the connection definition was using
the wrong IP address for the host.  The default interface has multiple
IP aliases, and it didn't pick the "defaultroute" IP.

I changed the "left=" directive in the %default conn config to specify
the correct IP address explicitly and now we get much further, though
there's still no certificate exchange, etc.:

May  6 14:12:15 host_a pluto[1828]: packet from 203.0.113.89:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
May  6 14:12:15 host_a pluto[1828]: packet from 203.0.113.89:500: received Vendor ID payload [RFC 3947]
May  6 14:12:15 host_a pluto[1828]: packet from 203.0.113.89:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May  6 14:12:15 host_a pluto[1828]: packet from 203.0.113.89:500: received Vendor ID payload [FRAGMENTATION]
May  6 14:12:15 host_a pluto[1828]: packet from 203.0.113.89:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
May  6 14:12:15 host_a pluto[1828]: packet from 203.0.113.89:500: ignoring Vendor ID payload [Vid-Initial-Contact]
May  6 14:12:15 host_a pluto[1828]: packet from 203.0.113.89:500: ignoring Vendor ID payload [IKE CGA version 1]
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1: responding to Main Mode from unknown peer 203.0.113.89
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1: STATE_MAIN_R2: sent MR2, expecting MI3
May  6 14:13:25 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1: max number of retransmissions (2) reached STATE_MAIN_R2
May  6 14:13:25 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89: deleting connection "L2TP-Win2KXP" instance with peer 203.0.113.89 {isakmp=#0/ipsec=#0}

Nels Lindquist
----
<nlindq at maei.ca>
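
A triage sketch for the pluto log in the message above, added here as an example and not part of the original post or of Libreswan: it rejoins mail-wrapped log lines and reports, per IKE SA, the Main Mode states reached, the message the responder was still expecting, and the state in which retransmissions ran out. The names `rejoin` and `summarize` are made up for this example; the sample lines are copied from the log above in the wrapped form a mail client produces.

```python
import re

# Sample input: lines copied from the log in the message above, mail-wrapped.
SAMPLE = """\
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1:
OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May  6 14:12:15 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
May  6 14:13:25 host_a pluto[1828]: "L2TP-Win2KXP"[1] 203.0.113.89 #1:
max number of retransmissions (2) reached STATE_MAIN_R2
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
ENTRY = re.compile(r'pluto\[\d+\]: "([^"]+)"\[\d+\] (\S+) #(\d+): (.*)')

def rejoin(text):
    """Undo mail wrapping: a line with no syslog timestamp continues the previous one."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line)
        elif line.strip():
            out[-1] += " " + line.strip()
    return out

def summarize(text):
    """Per (conn, peer, SA number): states, rejected DH groups, NAT-T result, stall point."""
    sas = {}
    for m in filter(None, map(ENTRY.search, rejoin(text))):
        conn, peer, sa, msg = m.groups()
        s = sas.setdefault((conn, peer, int(sa)), {"states": [], "rejected_groups": [],
                           "nat": None, "expecting": None, "stalled_in": None})
        if t := re.search(r"transition from state (\S+) to state (\S+)", msg):
            s["states"] += [t[2]] if s["states"] else [t[1], t[2]]
        elif g := re.search(r"OAKLEY_GROUP (\d+) not supported", msg):
            s["rejected_groups"].append(int(g[1]))  # proposal skipped, not fatal by itself
        elif n := re.search(r"NAT-Traversal: Result using .*: (.+)$", msg):
            s["nat"] = n[1]
        elif e := re.search(r"sent \S+, expecting (\S+)", msg):
            s["expecting"] = e[1]  # last message the responder was waiting for
        elif r := re.search(r"max number of retransmissions \((\d+)\) reached (\S+)", msg):
            s["stalled_in"] = r[2]
    return sas
```

For the sample, `summarize(SAMPLE)` shows the SA stalled in STATE_MAIN_R2 while still expecting MI3, the initiator message that carries its identity and, with certificate authentication, its certificate.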

