Hello Andre,

IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 skipped

I don't know why the LANCOM VPN router doesn't want to assign a virtual IP address although it gets a request.

Regards

Andreas

On 07/27/2011 03:07 PM, Andre wrote:
> Hi,
>
> I'm trying to get a strongSwan based VPN running. My Linux-based strongSwan client is configured to act as roadwarrior to connect to a LANCOM VPN router. Authentication is done with certs and most of the stuff is also running. But my strongSwan client isn't able to get an IP via IKE config mode.
>
> log on my strongswan client:
> Jul 27 14:47:45 box1 pluto[7087]: "VPN" #3: initiating Main Mode
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [RFC3947]
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: ignoring Vendor ID payload [eeefa37809e32ad4de4f6b010c26a640]
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [XAUTH]
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [Dead Peer Detection]
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: enabling possible NAT-traversal with method 3
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: NAT-Traversal: Result using RFC 3947: both are NATed
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: we have a cert and are sending it upon request
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=N, L=O, O=N, OU=T, CN=GW, [email protected]'
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: crl not found
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: certificate status unknown
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: ISAKMP SA established
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: sending ModeCfg request
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: parsing ModeCfg reply
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: received ModeCfg reply, established
>
> log on lancom vpn server:
> root@GW:/ >
> [VPN-Status] 2011/07/27 14:47:49,420
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports draft-ietf-ipsec-isakmp-xauth
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id negotiated rfc-3706-dead-peer-detection
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
>
> [VPN-Status] 2011/07/27 14:47:49,420
> IKE info: phase-1 proposal failed: remote No 1 authentication method = rsa signature local No 1 authentication method = PRE_SHARED
> IKE info: Phase-1 remote proposal 1 for peer def-main-peer matched with local proposal 2
>
> [VPN-Status] 2011/07/27 14:47:49,940
> IKE info: Set local ID to </C=DE/ST=N/L=O/O=N/OU=T/CN=GW/[email protected]>
>
> [VPN-Status] 2011/07/27 14:47:50,170
> IKE info: Phase-1 [responder] for peer def-main-peer between initiator id [email protected],CN=Box1,OU=T,O=N,L=O,ST=N,C=DE, responder id [email protected],CN=GW,OU=T,O=N,L=O,ST=N,C=DE done
> IKE info: NAT-T enabled in mode rfc, we are behind a nat, the remote side is behind a nat
> IKE info: SA ISAKMP for peer def-main-peer encryption aes-cbc authentication md5
> IKE info: life time ( 3600 sec/ 0 kb)
>
> [VPN-Status] 2011/07/27 14:47:50,170
> IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer def-main-peer set to 3240 seconds (Responder)
>
> [VPN-Status] 2011/07/27 14:47:50,170
> IKE info: Phase-1 SA Timeout (Hard-Event) for peer def-main-peer set to 3600 seconds (Responder)
>
> [VPN-Status] 2011/07/27 14:47:50,420
> IKE info: IKE-CFG: Received REQUEST message with id 0 from peer def-main-peer
> IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 value (none) received
> IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 4 value 255.255.255.255 received
>
> [VPN-Status] 2011/07/27 14:47:50,420
> IKE info: IKE-CFG: Creating REPLY message with id 0 for peer def-main-peer
> IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 0 skipped
> IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 skipped
> IKE info: IKE-CFG: Sending message
>
> ipsec statusall:
> 000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:4500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 10.2.4.1:4500
> 000 interface eth0/eth0 10.2.4.1:500
> 000 interface eth1/eth1 192.168.200.109:4500
> 000 interface eth1/eth1 192.168.200.109:500
> 000 interface wlan0/wlan0 10.2.3.100:4500
> 000 interface wlan0/wlan0 10.2.3.100:500
> 000 %myid = (none)
> 000 loaded plugins: curl ldap random pubkey openssl hmac gmp
> 000 debug options: none
> 000
> 000 "VPN": %modecfg===10.2.3.100:4500[C=DE, ST=N, L=O, O=N, OU=T, CN=Box1, [email protected]]---10.2.3.1...85.17.130.131:4500[C=DE, ST=N, L=O, O=N, OU=T, CN=GW, [email protected]]===192.168.1.0/24; unrouted; eroute owner: #0
> 000 "VPN": CAs: 'C=DE, ST=N, L=O, O=N, OU=T, CN=LinuxVPNCA, [email protected]'...'%any'
> 000 "VPN": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "VPN": policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32; interface: wlan0;
> 000 "VPN": newest ISAKMP SA: #3; newest IPsec SA: #0;
> 000 "VPN": IKE proposal: AES_CBC_128/HMAC_MD5/MODP_1024
> 000
> 000 #3: "VPN" STATE_MODE_CFG_I2 (received ModeCfg reply, established); EVENT_SA_REPLACE in 3225s; newest ISAKMP
> 000 #3: pending Phase 2 for "VPN" replacing #0
> 000
>
> In the logfiles, I can see that my roadwarrior tries to get an IP, but why doesn't my VPN router give him one?
> Anyone tried to get such a combination running?
>
> best regards
> Andre

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
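The IKEv1 Mode Config exchange from the traces above, as an added example that is not code from the thread, from strongSwan or from LANCOM: it encodes the roadwarrior's CFG REQUEST (empty INTERNAL_IP4_ADDRESS plus a 255.255.255.255 netmask) as ISAKMP data attributes, decodes it as a responder would, and models a reply builder that drops zero-length attributes the way the "len 0 skipped" lines show, so that with no address to hand out the REPLY arrives empty and the client ends up "established" without a virtual IP. The responder model, the `assigned` parameter and the sample address 10.0.0.5 are assumptions for illustration.

```python
import struct
from ipaddress import IPv4Address

# ISAKMP Configuration attribute types seen in the trace (IANA-registered values).
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_NETMASK = 2
ATTR_NAMES = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK"}

def encode_attrs(attrs):
    """Encode (type, value) pairs as TLV data attributes: 2-byte type (AF bit clear), 2-byte length, value."""
    return b"".join(struct.pack("!HH", t & 0x7FFF, len(v)) + v for t, v in attrs)

def decode_attrs(data):
    """Decode TV (AF=1) and TLV (AF=0) data attributes; reject lengths that run past the payload."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        atype, arg = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:                       # TV form: 2-byte value inline
            attrs.append((atype & 0x7FFF, struct.pack("!H", arg)))
        else:                                    # TLV form: arg is the length
            if off + arg > len(data):
                raise ValueError("attribute length exceeds payload")
            attrs.append((atype, data[off:off + arg]))
            off += arg
    if off != len(data):
        raise ValueError("trailing bytes in attribute list")
    return attrs

def client_request():
    """The REQUEST pluto sent according to the LANCOM trace: an empty
    INTERNAL_IP4_ADDRESS ('assign me one') plus a 255.255.255.255 netmask."""
    return encode_attrs([(INTERNAL_IP4_ADDRESS, b""),
                         (INTERNAL_IP4_NETMASK, IPv4Address("255.255.255.255").packed)])

def build_reply(request, assigned=None):
    """Model responder (assumption): fill each requested attribute from `assigned`,
    then drop every empty one, as the trace's 'len 0 skipped' lines show. With
    assigned=None the REPLY therefore carries no attributes at all."""
    values = {}
    if assigned is not None:
        values[INTERNAL_IP4_ADDRESS] = IPv4Address(assigned).packed
        values[INTERNAL_IP4_NETMASK] = IPv4Address("255.255.255.255").packed
    reply = [(t, values.get(t, b"")) for t, _ in decode_attrs(request)]
    return encode_attrs([(t, v) for t, v in reply if len(v) > 0])

def describe(data):
    """Render attributes the way the LANCOM trace prints them, e.g. 'INTERNAL_IP4_ADDRESS len 0'."""
    return [f"{ATTR_NAMES.get(t, t)} len {len(v)}" for t, v in decode_attrs(data)]
```

Running `describe(build_reply(client_request()))` yields an empty list, which is the on-the-wire picture behind a ModeCfg reply that establishes the SA but assigns nothing.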
