List Info

Thread: Openswan 2.4.7 and juniper ns208
Openswan 2.4.7 and juniper ns208
user name
 2006-12-07 17:44:31 

  


  

    Hello,
I'm a new user of openswan.
I try to set up a connexion between openswan (Linux Openswan U2.4.7/K2.6.18-1.2798.fc6 (netkey)) and a Juniper ns208.
When i try to setup the link i have the folowing messages. 


=====================================================================
[rootlt85 ~]# ipsec auto --verbose --up lt85_to_centre
002 "lt85_to_centre" #11: initiating Main Mode
104 "lt85_to_centre" #11: STATE_MAIN_I1: initiate

003 "lt85_to_centre" #11: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]
003 "lt85_to_centre" #11: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106

003 "lt85_to_centre" #11: received Vendor ID payload [Dead Peer Detection]
003 "lt85_to_centre" #11: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
002 "lt85_to_centre" #11: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03

002 "lt85_to_centre" #11: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
002 "lt85_to_centre" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2

106 "lt85_to_centre" #11: STATE_MAIN_I2: sent MI2, expecting MR2
003 "lt85_to_centre" #11: discarding duplicate packet; already STATE_MAIN_I2
002 "lt85_to_centre" #11: I did not send a certificate because I do not have one.

003 "lt85_to_centre" #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
002 "lt85_to_centre" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "lt85_to_centre" #11: STATE_MAIN_I3: sent MI3, expecting MR3

003 "lt85_to_centre" #11: discarding duplicate packet; already STATE_MAIN_I3
002 "lt85_to_centre" #11: Main mode peer ID is ID_IPV4_ADDR: '194.250.x.x'
002 "lt85_to_centre" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4

004 "lt85_to_centre" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
002 "lt85_to_centre" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11}

117 "lt85_to_centre" #12: STATE_QUICK_I1: initiate
002 "lt85_to_centre" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "lt85_to_centre&quot; #12: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x7593622b <0x6859dbc5 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}

=====================================================================
IPsec SA established ?!

A made a test by sending a ping to the  194.250.x.x.
A tcpdump shows the following (no ESP msg):

=====================================================================

[rootlt85 ~]# tcpdump host 194.250.x.x
19:48:37.441373 IP lt85.xxx.xxx > 194.250.x.x : ICMP echo request, id 1024, seq 55960, length 24
=====================================================================


Any help is appreciated.
Thanks a lot.

-- 
Didine

  

  
  
   
     
    

  

    Openswan 2.4.7 and juniper ns208
  


  

     user name

     2006-12-07 18:12:52
  


  

    
On Thu, 7 Dec 2006, Didine wrote:

> I try to set up a connexion between openswan (Linux
Openswan U2.4.7/K2.6.18-
> 1.2798.fc6 (netkey)) and a Juniper ns208.

> 004 "lt85_to_centre" #12: STATE_QUICK_I2:
sent QI2, IPsec SA established
> {ESP=>0x7593622b <0x6859dbc5
xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}

So the tunnel is established.

> A tcpdump shows the following (no ESP msg):
>
>
============================================================
=========
> [rootlt85 ~]# tcpdump host 194.250.x.x
> 19:48:37.441373 IP lt85.xxx.xxx > 194.250.x.x : ICMP
echo request, id 1024,
> seq 55960, length 24

that's normal for netkey. The packets get encrypted after
tcpdump can see
them. It's annoying.

Run ipsec verify. See if you have bogus redirects, rp_filter
or ip_forwarding
misconfigured. Checkfirewall dfor NAT rules (dont NAT ipsec
packets).

Paul
_______________________________________________
Usersopenswan.org
http
://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with
Openswan: 
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155


  


  

    
  

  
  
   
     
    

  

    Openswan 2.4.7 and juniper ns208
  


  

     user name

     2006-12-07 18:18:02
  


  

    

  


  

    Here is my ipsec verify.

[rootlt85 ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path&nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; [OK]
Linux Openswan 
U2.4.7/K2.6.18-1.2798.fc6 (netkey)
Checking for IPsec support in kernel&nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; [OK]
Testing against enforced SElinux mode   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ;  [OK]
Hardware RNG detected, testing if used properly&nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   [FAILED]


  Hardware RNG is present but 'rngd' is not running.
&nbsp; No harware random used!

NETKEY detected, testing for disabled ICMP send_redirects &nbsp;   ;  [OK]
NETKEY detected, testing for disabled ICMP accept_redirects ; &nbsp;  [OK]

Checking for RSA private key (/etc/ipsec.secrets)&nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   [OK]
Checking that pluto is running&nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp;  [OK]
Two or more interfaces found, checking IP forwarding  ; &nbsp; &nbsp; &nbsp; &nbsp;  [OK]
Checking NAT and MASQUERADEing &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; [OK]

Checking for 'ip' command&nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp; [OK]
Checking for 'iptables' command&nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; [OK]

Opportunistic Encryption DNS checks:
&nbsp;  Looking for TXT in forward dns zone: 
lt85.xxxxxx.xxx  &nbsp; &nbsp; [MISSING]
  ; Does the machine have at least one non-private address?&nbsp; &nbsp;   [FAILED]




On 12/7/06, Paul Wouters < paulxelerance.com">
paulxelerance.com> wrote:
On Thu, 7 Dec 2006, Didine wrote:

&gt; I try to set up a connexion between openswan (Linux Openswan 
U2.4.7/K2.6.18-
> 1.2798.fc6 (netkey)) and a Juniper ns208.

&gt; 004 "lt85_to_centre&quot; #12: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0x7593622b <0x6859dbc5 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}


So the tunnel is established.

> A tcpdump shows the following (no ESP msg):
>
> =====================================================================
> [rootlt85 ~]# tcpdump host 194.250.x.x

> 19:48:37.441373 IP lt85.xxx.xxx > 194.250.x.x : ICMP echo request, id 1024,
> seq 55960, length 24

that's normal for netkey. The packets get encrypted after tcpdump can see
them. It's annoying.


Run ipsec verify. See if you have bogus redirects, rp_filter or ip_forwarding
misconfigured. Checkfirewall dfor NAT rules (dont NAT ipsec packets).

Paul



-- 

Didine

  

  
  
   
     
    

  

    Openswan 2.4.7 and juniper ns208
  


  

     user name

     2006-12-07 18:23:42
  


  

    

  


  

    Hello,

According to the logs phase 1 and phase 2 are established.

Is 194.250.x.x the address of the Juniper or a host address behind the Juniper ?

If it is the Juniper address it is normal that you see packets in clear but if it is a host address defined in your "lt85_to_centre" connection configuration, you may have to check the "leftsubnet=" line.

As you use netkey, as far as I remember, doing a "tcpdump host xxx" will show you only decrypted packets incoming/coming back to your gateway, for example you will see only replies to ping initiated from your openswan gateway... It is a netkey behavior :s

Anyway... What is the original question ? 

Cheers,

JC


Didine <didinuxgmail.com&gt; a écrit ;:
 Hello,
I'm a new user of openswan.
I try to set up a connexion between openswan
 (Linux Openswan U2.4.7/K2.6.18-1.2798.fc6 (netkey)) and a Juniper ns208.
When i try to setup the link i have the folowing messages. 
 
=====================================================================
[rootlt85 ~]# ipsec auto --verbose --up lt85_to_centre
002 "lt85_to_centre" #11: initiating Main Mode
104 "lt85_to_centre" #11: STATE_MAIN_I1: initiate 
003 "lt85_to_centre" #11: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]
003 "lt85_to_centre" #11: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
003 "lt85_to_centre" #11: received Vendor ID payload [Dead Peer Detection]
003 "lt85_to_centre" #11: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
002 "lt85_to_centre" #11: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03 
002 "lt85_to_centre" #11: discarding packet received during asynchronous work (DNS or crypto) in
 STATE_MAIN_I1
002 "lt85_to_centre" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 
106 "lt85_to_centre" #11: STATE_MAIN_I2: sent MI2, expecting MR2
003 "lt85_to_centre" #11: discarding duplicate packet; already STATE_MAIN_I2
002 "lt85_to_centre" #11: I did not send a certificate because I do not have one. 
003 "lt85_to_centre" #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
002 "lt85_to_centre" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "lt85_to_centre" #11: STATE_MAIN_I3: sent MI3, expecting MR3 
003 "lt85_to_centre" #11: discarding duplicate packet; already STATE_MAIN_I3
002 "lt85_to_centre" #11: Main mode peer ID is ID_IPV4_ADDR: '194.250.x.x'
002 "lt85_to_centre" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 
004 "lt85_to_centre" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
 group=modp1024}
002 "lt85_to_centre" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11} 
117 "lt85_to_centre" #12: STATE_QUICK_I1: initiate
002 "lt85_to_centre" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "lt85_to_centre" #12: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x7593622b <0x6859dbc5 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none} 
=====================================================================
IPsec SA established ?!

A made a test by sending a ping to the  194.250.x.x.
A tcpdump shows the following (no ESP msg):

===================================================================== 
[rootlt85 ~]# tcpdump host 194.250.x.x
19:48:37.441373 IP lt85.xxx.xxx > 194.250.x.x : ICMP echo request, id 1024, seq 55960, length 24
=====================================================================
 
Any help is appreciated.
Thanks a lot.

-- 
Didine
 _______________________________________________
Usersopenswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

 
		
 
Yahoo! Mail réinvente le mail ! Découvrez le nouveau Yahoo! Mail et son interface révolutionnaire.

  

  
  
   
     
    

  

    Openswan 2.4.7 and juniper ns208
  


  

     user name

     2006-12-07 18:37:16
  


  

    
On Thu, 7 Dec 2006, Didine wrote:

> Checking your system to see if IPsec got installed and
started correctly:
> Version check and ipsec on-path                        
        [OK]
> Linux Openswan U2.4.7/K2.6.18-1.2798.fc6 (netkey)
> Checking for IPsec support in kernel                   
        [OK]
> Testing against enforced SElinux mode                  
        [OK]
> Hardware RNG detected, testing if used properly        
        [FAILED]
>
>  Hardware RNG is present but 'rngd' is not running.
>  No harware random used!

You might want to install rng-utils / rng-tools 

> NETKEY detected, testing for disabled ICMP
send_redirects       [OK]
> NETKEY detected, testing for disabled ICMP
accept_redirects     [OK]
> Checking for RSA private key (/etc/ipsec.secrets)      
        [OK]
> Checking that pluto is running                         
        [OK]
> Two or more interfaces found, checking IP forwarding   
        [OK]
> Checking NAT and MASQUERADEing                         
        [OK]
> Checking for 'ip' command                              
        [OK]
> Checking for 'iptables' command                        
        [OK]
>
> Opportunistic Encryption DNS checks:
>   Looking for TXT in forward dns zone: lt85.xxxxxx.xxx 
    [MISSING]
>   Does the machine have at least one non-private
address?      [FAILED]

Did you include /etc/ipsec.d/examples/no_oe.conf to disable
Opportunistic Encryption?

> > > 004 "lt85_to_centre" #12:
STATE_QUICK_I2: sent QI2, IPsec SA established
> > > {ESP=>0x7593622b <0x6859dbc5
xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}

Do you have a way of sniffing the connection between the
linux machines and the
juniper so see if you are sending ESP packets? Do you have
any errors on the
juniper?

I can't see any obvious errors from the openswan side.

Paul
_______________________________________________
Usersopenswan.org
http
://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with
Openswan: 
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155


  


  

    
  

  
  
   
     
    

  

    Openswan 2.4.7 and juniper ns208
  


  

     user name

     2006-12-07 18:35:08
  


  

    
> Hello,

Salut  Jean-Charles,

> According to the logs phase 1 and phase 2 are
established.
> Is 194.250.x.x the address of the Juniper or a host
address behind the Juniper ?

yep it's the address of the juniper.

> If it is the Juniper address it is normal that you see
packets in clear but if it is a host address defined in your
"lt85_to_centre" connection configuration, you may
have to check the "leftsubnet=" line.

my connexion configuration is :

conn lt85_to_centre
        #
        #lt85
        #
        left=212.121.x.x
        leftsubnet=10.24.0.0/16
        leftnexthop=212.121.x.x
        #
        #destination
        #
        right=194.250.x.x
        rightsubnet=10.20.1.200/16
        auto=start
        #type=tunnel
        authby=secret
        esp=aes128-sha1
        #esp=3des-sha1
        #keyexchange=ike
        #ike=3des-sha1
        #ike=aes128-sha-modp1024
        ikelifetime=60s
        keylife=120s
        rekeymargin=10s
        #pfs=no
        #aggrmode=no
        #spi=0x500
        #esp=3des-md5-96



>
> As you use netkey, as far as I remember, doing a
"tcpdump host xxx" will show you only decrypted
packets incoming/coming back to your gateway, for example
you will see only replies to ping initiated from your
openswan gateway... It is a netkey behavior :s
>

Okay 

> Anyway... What is the original question ? 

My question is how can i setup the connexion between my
openswan box
and the juniper  and why my
config doesn't work 

> Cheers,

Thank you 

> JC

-- 
Didine

>
> Didine <didinuxgmail.com> a écrit :
>
>  Hello,
> I'm a new user of openswan.
> I try to set up a connexion between openswan  (Linux
Openswan U2.4.7/K2.6.18-1.2798.fc6 (netkey)) and a Juniper
ns208.
> When i try to setup the link i have the folowing
messages.
>
>
============================================================
=========
> [rootlt85 ~]# ipsec auto --verbose --up lt85_to_centre
> 002 "lt85_to_centre" #11: initiating Main
Mode
> 104 "lt85_to_centre" #11: STATE_MAIN_I1:
initiate
> 003 "lt85_to_centre" #11: ignoring unknown
Vendor ID payload
[166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]
> 003 "lt85_to_centre" #11: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> 003 "lt85_to_centre" #11: received Vendor ID
payload [Dead Peer Detection]
> 003 "lt85_to_centre" #11: ignoring Vendor ID
payload [HeartBeat Notify 386b0100]
> 002 "lt85_to_centre" #11: enabling possible
NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
> 002 "lt85_to_centre" #11: discarding packet
received during asynchronous work (DNS or crypto) in 
STATE_MAIN_I1
> 002 "lt85_to_centre" #11: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
> 106 "lt85_to_centre" #11: STATE_MAIN_I2: sent
MI2, expecting MR2
> 003 "lt85_to_centre" #11: discarding
duplicate packet; already STATE_MAIN_I2
> 002 "lt85_to_centre" #11: I did not send a
certificate because I do not have one.
> 003 "lt85_to_centre" #11: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
> 002 "lt85_to_centre" #11: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
> 108 "lt85_to_centre" #11: STATE_MAIN_I3: sent
MI3, expecting MR3
> 003 "lt85_to_centre" #11: discarding
duplicate packet; already STATE_MAIN_I3
> 002 "lt85_to_centre" #11: Main mode peer ID
is ID_IPV4_ADDR: '194.250.x.x'
> 002 "lt85_to_centre" #11: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
> 004 "lt85_to_centre" #11: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha  group=modp1024}
> 002 "lt85_to_centre" #12: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11}
> 117 "lt85_to_centre" #12: STATE_QUICK_I1:
initiate
> 002 "lt85_to_centre" #12: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
> 004 "lt85_to_centre" #12: STATE_QUICK_I2:
sent QI2, IPsec SA established {ESP=>0x7593622b
<0x6859dbc5 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
>
============================================================
=========
> IPsec SA established ?!
>
> A made a test by sending a ping to the  194.250.x.x.
> A tcpdump shows the following (no ESP msg):
>
>
============================================================
=========
> [rootlt85 ~]# tcpdump host 194.250.x.x
> 19:48:37.441373 IP lt85.xxx.xxx > 194.250.x.x : ICMP
echo request, id 1024, seq 55960, length 24
>
============================================================
=========
>
> Any help is appreciated.
> Thanks a lot.
>
> --
> Didine  _______________________________________________
> Usersopenswan.org
> http
://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with
Openswan:
> http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155
>
>
>
>   		________________________________
  Yahoo! Mail réinvente le mail ! Découvrez le nouveau
Yahoo! Mail et
son interface révolutionnaire.
>
>
> _______________________________________________
> Usersopenswan.org
> http
://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with
Openswan:
> http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155
>
>
>
_______________________________________________
Usersopenswan.org
http
://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with
Openswan: 
http://www.amazon.com/gp/product/1904811
256/104-3099591-2946327?n=283155


  


  

    
  

  
  
   
     
    

  

    Openswan 2.4.7 and juniper ns208
  


  

     user name

     2006-12-07 19:07:17
  


  

    

  


  

    I think you should try to ping a (live) host in the 10.20.1.200/16 subnet and run the same tcpdump (tcpdump host 194.250.x.x).

You should see some ESP packets, if SA are correctly established, logs says they are :p

i think you can check the status of the SA by entering "ipsec auto --status".

A plus

JC

Didine <didinuxgmail.com&gt; a écrit ;:
 > Hello,

Salut  Jean-Charles,

> According to the logs phase 1 and phase 2 are established.
> Is 194.250.x.x the address of the Juniper or a host address behind the Juniper ?

yep it's the address of the juniper.

> If it is the Juniper address it is normal that you see packets in clear but if it is a host address defined in your "lt85_to_centre" connection configuration, you may have to check the "leftsubnet=" line.

my
 connexion configuration is :

conn lt85_to_centre
        #
        #lt85
        #
        left=212.121.x.x
        leftsubnet=10.24.0.0/16
        leftnexthop=212.121.x.x
        #
        #destination
        #
        right=194.250.x.x
        rightsubnet=10.20.1.200/16
        auto=start
        #type=tunnel
        authby=secret
        esp=aes128-sha1
        #esp=3des-sha1
        #keyexchange=ike
        #ike=3des-sha1
        #ike=aes128-sha-modp1024
        ikelifetime=60s
        keylife=120s
        rekeymargin=10s
        #pfs=no
        #aggrmode=no
        #spi=0x500
        #esp=3des-md5-96



&gt;
> As you use netkey, as far as I remember, doing a "tcpdump host xxx" will show you only decrypted packets incoming/coming back to your gateway, for example you will see only replies to ping initiated from your openswan gateway... It is a netkey behavior
 :s
>

Okay 

> Anyway... What is the original question ? 

My question is how can i setup the connexion between my openswan box
and the juniper  and why my config doesn't work 

> Cheers,

Thank you 

> JC

-- 
Didine

&gt;
> Didine gmail.com> a écrit :
>
>;  Hello,
>; I'm a new user of openswan.
> I try to set up a connexion between openswan  (Linux Openswan U2.4.7/K2.6.18-1.2798.fc6 (netkey)) and a Juniper ns208.
>; When i try to setup the link i have the folowing messages.
>
> =====================================================================
> [rootlt85 ~]# ipsec auto --verbose --up lt85_to_centre
> 002 "lt85_to_centre" #11: initiating Main Mode
> 104 "lt85_to_centre" #11: STATE_MAIN_I1: initiate
&gt; 003 "lt85_to_centre" #11: ignoring unknown Vendor ID payload
 [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]
> 003 "lt85_to_centre" #11: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
>; 003 "lt85_to_centre" #11: received Vendor ID payload [Dead Peer Detection]
> 003 "lt85_to_centre" #11: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> 002 "lt85_to_centre" #11: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
> 002 "lt85_to_centre" #11: discarding packet received during asynchronous work (DNS or crypto) in  STATE_MAIN_I1
> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> 106 "lt85_to_centre" #11: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "lt85_to_centre" #11: discarding duplicate packet; already STATE_MAIN_I2
> 002 "lt85_to_centre" #11: I did not send a certificate because I do not have one.
> 003 "lt85_to_centre" #11: NAT-Traversal: Result using
 draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
&gt; 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> 108 "lt85_to_centre" #11: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "lt85_to_centre" #11: discarding duplicate packet; already STATE_MAIN_I3
> 002 "lt85_to_centre" #11: Main mode peer ID is ID_IPV4_ADDR: '194.250.x.x'
> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> 004 "lt85_to_centre" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha  group=modp1024}
> 002 "lt85_to_centre" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11}
> 117 "lt85_to_centre" #12: STATE_QUICK_I1: initiate
&gt; 002 "lt85_to_centre" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> 004 "lt85_to_centre" #12: STATE_QUICK_I2: sent QI2, IPsec SA established
 {ESP=>0x7593622b <0x6859dbc5 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
> =====================================================================
> IPsec SA established ?!
>
&gt; A made a test by sending a ping to the  194.250.x.x.
> A tcpdump shows the following (no ESP msg):
>
> =====================================================================
> [rootlt85 ~]# tcpdump host 194.250.x.x
> 19:48:37.441373 IP lt85.xxx.xxx > 194.250.x.x : ICMP echo request, id 1024, seq 55960, length 24
> =====================================================================
>
&gt; Any help is appreciated.
> Thanks a lot.
>
> --
> Didine  _______________________________________________
> Usersopenswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
>
 http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>;
>
>
>     ________________________________
  Yahoo! Mail réinvente le mail ! Découvrez le nouveau Yahoo! Mail et
son interface révolutionnaire.
>
>
> _______________________________________________
> Usersopenswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>;
>
>
gmail.com>

 
		
 
Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! 
Profitez des connaissances, des opinions et des expériences des internautes sur Yahoo! Questions/Réponses.		
  

  
  
   
     
    






 [1-7]











   
 





about | contact  Other archives ( Real Estate discussion Medical topics )