[Openswan Users] Cannot connect openswan client with Cisco RV220W IPSec VPN
2011-12-06 20:22:39 GMT
I am attempting to connect a laptop with an openswan client (Openswan
IPsec U2.6.28/K3.0.0-12-generic) with my Cisco RV220W. My connection
fails, and the VPN status log shows the following:
2011-12-06 15:04:59: [rv220w][IKE] INFO: Configuration found for 108.58.YY.YY[500].
2011-12-06 15:04:59: [rv220w][IKE] INFO: Received request for new phase 1 negotiation: 108.58.XX.XX[500]<=>108.58.YY.YY[500]
2011-12-06 15:04:59: [rv220w][IKE] INFO: Beginning Identity Protection mode.
2011-12-06 15:04:59: [rv220w][IKE] INFO: Received unknown Vendor ID
2011-12-06 15:04:59: [rv220w][IKE] INFO: Received Vendor ID: DPD
2011-12-06 15:04:59: [rv220w][IKE] ERROR: Ignore information because the message has no hash payload.
2011-12-06 15:05:09: [rv220w][IKE] ERROR: Ignore information because the message has no hash payload.
2011-12-06 15:05:11: [rv220w][IKE] ERROR: Phase 1 negotiation failed due to time up for 108.58.YY.YY[500]. c2e6f14d16bef607:02dbd105dcc0b299
2011-12-06 15:05:19: [rv220w][IKE] ERROR: Ignore information because the message has no hash payload.
2011-12-06 15:05:29: [rv220w][IKE] ERROR: Ignore information because the message has no hash payload.
2011-12-06 15:05:39: [rv220w][IKE] ERROR: Ignore information because the message has no hash payload.
2011-12-06 15:05:49: [rv220w][IKE] ERROR: Ignore information because the message has no hash payload.
2011-12-06 15:05:59: [rv220w][IKE] ERROR: Phase 1 negotiation failed due to time up for 108.58.YY.YY[500]. 5646ff766f579fb0:b221f323a56ba913
My configuration on the RV220W is as follows:
VPN Policy:
Auto Policy
Remote endpoint is an IP address with 108.58.YY.YY
Local traffic is a subnet
Remote traffic is a single IP (same as above)
Encryption/hash settings are: 3DES, SHA1, no PFS key group, SA lifetime of 3600
IKE Policy:
Responder
Main mode
Local and Remote use explicit IP addresses
3des, sha1, pre-shared key, DH group 2, lifetime of 28800, no dead peer detection, no xauth
On the client, I have the following openswan configuration:
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
	# Do not set debug options to debug configuration issues!
	# plutodebug / klipsdebug = "all", "none" or a combation from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
	# eg:
	# plutodebug="control parsing"
	#
	# enable to get logs per-peer
	# plutoopts="--perpeerlog"
	#
	# Again: only enable plutodebug or klipsdebug when asked by a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=no
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	# OE is now off by default. Uncomment and change to on, to enable.
	oe=off
	# which IPsec stack to use. auto will try netkey, then klips then mast
	interfaces=%defaultroute
	plutodebug=all
	protostack=netkey
# Add connections here
# Use a pre-shared key.
# Connection type _must_ be transport mode
authby=secret
keyingtries=3
type=transport
# "left" is the local linux machine
left=%defaultroute
leftprotoport=17/1701
# "right" is the remote server
right=108.58.XX.XX
rightprotoport=17/1701
# Do not install on startup
auto=add
# SA settings
ike=3des-sha1-modp1024
esp=3des-sha1
keyexchange=ike
pfs=no
I would appreciate any insights into what might be going wrong here.