[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)

Paul Wouters paul at nohats.ca
Thu Sep 18 16:25:42 EEST 2014


On Thu, 18 Sep 2014, Enrico Brunetta wrote:

> Now it looks like the connection is found but it fails differently:
>
> Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Starting Pluto (Libreswan Version 3.10 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:2054

> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [XAUTH]
> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [Cisco-Unity]
> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [FRAGMENTATION 80000000]
> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [Dead Peer Detection]
> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: responding to Main Mode from unknown peer 70.117.100.63
> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT
> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Sep 18 11:54:17 ip-172-31-48-104 pluto[2054]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 70.117.100.63 port 500, complainant 70.117.100.63: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

This looks like a fragmentation issue, or an MTU/firewall issue. Try
ike-frag=force, as the Cisco you are talking to seems to support
FRAGMENTATION. If that fails, you can try to lower the MTU of your
interface a little.

Paul
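The ipsec.conf change Paul suggests, as an added example that is not the poster's configuration or anything from the thread: a libreswan 3.x IKEv1 XAUTH road-warrior conn named "xauth-rsa" as in the log, with the default fragmentation setting shown beside the corrected one. The NSS certificate nickname, the address pool and the DPD timers are assumptions; only the ike-frag line is the point.

```ini
# Added example, not the poster's real ipsec.conf.
# Certificate nickname, address pool and timers are assumed values.
conn xauth-rsa
    ikev2=no
    authby=rsasig
    left=%defaultroute
    leftcert=vpnserver              # NSS nickname of the server cert (assumed)
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    right=%any
    rightca=%same
    rightxauthclient=yes
    rightaddresspool=10.99.0.1-10.99.0.254   # assumed client pool
    xauthby=pam                     # matches XAUTH_PAM in the Pluto banner
    modecfgpull=yes
    cisco-unity=yes                 # client sent the Cisco-Unity vendor ID
    # Default (commented out): fragment IKE messages only when the peer
    # negotiates support.  With a certificate in MI3 the message exceeds
    # the path MTU and the exchange stalls at STATE_MAIN_R2.
    # ike-frag=yes
    # Corrected: always fragment large IKEv1 messages.
    ike-frag=force
    dpddelay=30                     # assumed
    dpdtimeout=120                  # assumed
    dpdaction=clear
    auto=add
```

After editing, reload the conn with `ipsec auto --replace xauth-rsa` and retry the client; the sign that fragmentation was the problem is that the log now moves past "STATE_MAIN_R2: sent MR2, expecting MI3" instead of ending in the ICMP port-unreachable report. If it still stalls, Paul's fallback is to trim the interface MTU, for example `ip link set dev eth0 mtu 1400`, and test again before looking at the firewall.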

