[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)

Wolfgang Nothdurft wolfgang at linogate.de
Fri Sep 19 12:02:54 EEST 2014


Am 18.09.2014 15:25, schrieb Paul Wouters:
> On Thu, 18 Sep 2014, Enrico Brunetta wrote:
>
>> Now it looks like the connection is found but it fails differently:
>>
>> Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Starting Pluto
>> (Libreswan Version 3.10 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG
>> XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:2054
>
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from
>> 70.117.100.63:500: received Vendor ID payload [XAUTH]
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from
>> 70.117.100.63:500: received Vendor ID payload [Cisco-Unity]
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from
>> 70.117.100.63:500: received Vendor ID payload [FRAGMENTATION 80000000]
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from
>> 70.117.100.63:500: received Vendor ID payload [Dead Peer Detection]
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>> 70.117.100.63 #1: enabling possible NAT-traversal with method RFC 3947
>> (NAT-Traversal)
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>> 70.117.100.63 #1: responding to Main Mode from unknown peer 70.117.100.63
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>> 70.117.100.63 #1: transition from state STATE_MAIN_R0 to state
>> STATE_MAIN_R1
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>> 70.117.100.63 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>> 70.117.100.63 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal)
>> sender port 500: I am behind NAT+peer behind NAT
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>> 70.117.100.63 #1: transition from state STATE_MAIN_R1 to state
>> STATE_MAIN_R2
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>> 70.117.100.63 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>> Sep 18 11:54:17 ip-172-31-48-104 pluto[2054]: ERROR: asynchronous
>> network error report on eth0 (sport=500) for message to 70.117.100.63
>> port 500, complainant 70.117.100.63: Connection refused [errno 111,
>> origin ICMP type 3 code 3 (not authenticated)]
>
> This looks like a fragmentation issue, or MTU/firewall issue. Try
> ike-frag=force, as the cisco you are talking to seems to support
> FRAGMENTATION. If that fails, you can try to lower the mtu of your
> interface a little.
>


This can also happen if the vpn service is not allowed to read the 
certificate. The vpn service will then stop listening on udp/500.

Can you check the permissions of the certificate in the keychain 
settings on your mac, or check the log on the mac side.

Wolfgang
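As an added illustration of the diagnosis in this thread (not code from the thread, from libreswan, or from either poster): a small Python triage helper that correlates pluto's "sent MRn" lines with the "asynchronous network error report ... ICMP type 3 code 3" line per peer, so a responder that stalled right after MR2 is flagged together with the two causes discussed above (IKE fragmentation/MTU, or the client no longer listening on udp/500). The sample log is constructed after the quoted lines; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Sep 18 11:54:07 host pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: responding to Main Mode from unknown peer 70.117.100.63
Sep 18 11:54:07 host pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 18 11:54:07 host pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 18 11:54:17 host pluto[2054]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 70.117.100.63 port 500, complainant 70.117.100.63: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Sep 18 12:00:01 host pluto[2054]: "xauth-rsa"[2] 198.51.100.7 #2: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 18 12:00:01 host pluto[2054]: "xauth-rsa"[2] 198.51.100.7 #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"""

# Responder-side Main Mode progress: which MRn pluto last sent to a given peer.
STATE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[0-9.]+) #\d+: '
                      r'STATE_MAIN_R\d: sent (?P<msg>MR\d)')
# ICMP port unreachable reported back for a packet we sent to that peer.
UNREACH_RE = re.compile(r'for message to (?P<peer>[0-9.]+) port \d+.*'
                        r'Connection refused.*origin ICMP type 3 code 3')


def triage(log_text):
    """Return {peer: {"conn", "last_sent", "port_unreachable"}} from pluto log text."""
    peers = defaultdict(lambda: {"conn": None, "last_sent": None,
                                 "port_unreachable": False})
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            peers[m["peer"]]["conn"] = m["conn"]
            peers[m["peer"]]["last_sent"] = m["msg"]
            continue
        m = UNREACH_RE.search(line)
        if m:
            peers[m["peer"]]["port_unreachable"] = True
    return dict(peers)


def diagnose(rec):
    """Map one peer record to a verdict, following the reasoning in the thread."""
    if rec["port_unreachable"] and rec["last_sent"] == "MR2":
        return ("stalled after MR2 with ICMP port unreachable: suspect IKE "
                "fragmentation/MTU (try ike-frag=force or a lower MTU), or the "
                "client stopped listening on udp/500 (e.g. cannot read its cert)")
    if rec["port_unreachable"]:
        return "ICMP port unreachable after %s" % rec["last_sent"]
    if rec["last_sent"] == "MR3":
        return "Main Mode completed on the responder side"
    return "incomplete exchange, no error seen"


if __name__ == "__main__":
    for peer, rec in triage(SAMPLE_LOG).items():
        print(peer, rec["conn"], "->", diagnose(rec))
```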


