jcoles
June 7th, 2009, 06:28 PM
I have been using OpenSwan successfully since Ubuntu 7.04. When I upgraded from 8.04 to 8.10, my VPN stopped working. My configuration also doesn't work on 9.04.
Now I get phase 1 established, but cannot get phase 2:
104 "office" #1: STATE_MAIN_I1: initiate
003 "office" #1: received Vendor ID payload [Dead Peer Detection]
003 "office" #1: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
003 "office" #1: ignoring unknown Vendor ID payload [5062b335bc20db32c0d54465a2f70100]
003 "office" #1: ignoring unknown Vendor ID payload [1d6e178f6c2c0be284985465450fe9d4]
003 "office" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "office" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "office" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "office" #2: STATE_QUICK_I1: initiate
010 "office" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "office" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
until it gives up.
What do I change in my configuration?
ipsec.conf:
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
nat_traversal=yes
# interfaces for ipsec %defaultroute is the default
interfaces=%defaultroute
include /etc/ipsec.d/*.conf
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
connection conf file:
conn office
#left side is work
left=<office gateway>
leftsubnet=172.20.120.0/24
#right side is home
right=%defaultroute
#IKE parameters
keyexchange=ike
#auth=esp
#auto=start
authby=secret
#optionally specify encryption/hash for phase 1 & 2
esp=3des
#perfect forward secrecy (default yes)
#pfs=yes
#optionally enable compression
compress=yes
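As an added diagnostic (editor's example, not part of the post or of Openswan), a small parser over the pluto status lines quoted above: it maps MAIN/AGGR states to IKE phase 1 and QUICK states to phase 2, so a log like this one is reported as "phase 1 established, phase 2 stalled with the peer never answering Quick Mode". It assumes the `NNN "conn" #sa: message` line format shown in the post; the sample log is constructed from those lines.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the pluto output quoted in the post.
SAMPLE_LOG = """\
104 "office" #1: STATE_MAIN_I1: initiate
003 "office" #1: received Vendor ID payload [Dead Peer Detection]
106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "office" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "office" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "office" #2: STATE_QUICK_I1: initiate
010 "office" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "office" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
"""

# 'NNN "conn" #sa: message' is the status-line format pluto prints (assumed here).
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# MAIN/AGGR states belong to IKE phase 1, QUICK states to phase 2.
STATE_RE = re.compile(r'STATE_(?P<mode>MAIN|AGGR|QUICK)_[IR]\d')

def diagnose(log_text):
    """Per connection: did phase 1 and phase 2 complete, and if not, where did it stall?"""
    sas = defaultdict(lambda: {"phase": None, "state": None, "up": False, "rexmit": 0})
    natted = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e, msg = sas[(m["conn"], int(m["sa"]))], m["msg"]
        s = STATE_RE.search(msg)
        if s:
            e["phase"] = 2 if s["mode"] == "QUICK" else 1
            e["state"] = s.group(0)
        if "SA established" in msg:      # matches both ISAKMP SA and IPsec SA
            e["up"] = True
        if "retransmission" in msg:      # our message went out, peer did not answer
            e["rexmit"] += 1
        if "i am NATed" in msg:
            natted.add(m["conn"])
    report = {}
    for (conn, _sa), e in sas.items():
        r = report.setdefault(conn, {"phase1": "missing", "phase2": "missing",
                                     "natted": conn in natted})
        if e["phase"] is None:
            continue
        key = "phase%d" % e["phase"]
        if e["up"]:
            r[key] = "established"
        elif r[key] != "established":
            r[key] = "stalled at %s after %d retransmissions" % (e["state"], e["rexmit"])
    return report
```

A phase 2 stall right after a clean phase 1, as here, means the peer accepted the identity and pre-shared key but is dropping or rejecting the Quick Mode proposal; the responder's own log is what shows which ESP transform or selector it disliked.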