[CentOS] Latest openswan update does no longer connect to Cisco VPN 3000 Series

Mon Mar 10 12:34:22 UTC 2014
SilverTip257 <silvertip257 at gmail.com>

On Mon, Mar 10, 2014 at 4:48 AM, Radu Radutiu <rradutiu at gmail.com> wrote:

> Both servers are directly connected to Internet so NAT should not be
> enabled. I've tried to upgrade again and noticed that pluto keeps dying and
> restarting every 30 seconds (just enough for the other VPNs to connect).
>

Correct, they do not need NAT-T since they're both directly connected.

I do see NAT-T in the logs below, which is why I replied as I did.
But I could have read a second time before replying (lazy Friday behavior).
Maybe then I would have caught the "no NAT detected" message. :-S


>
> Here is the log from the old (working) openswan version when connecting to
> Cisco VPN:
> Mar 10 10:00:09 firewall pluto[18894]: added connection description
> "ciscovpntest"
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: initiating Main
> Mode
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: received Vendor
> ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: ignoring Vendor
> ID payload [FRAGMENTATION c0000000]
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: enabling possible
> NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
>

^ NAT-T


> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: transition from
> state STATE_MAIN_I1 to state STATE_MAIN_I2
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: STATE_MAIN_I2:
> sent MI2, expecting MR2
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: received Vendor
> ID payload [Cisco-Unity]
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: received Vendor
> ID payload [XAUTH]
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: ignoring unknown
> Vendor ID payload [9bad1e05974f138cfc1f0c2b58144a88]
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: ignoring Vendor
> ID payload [Cisco VPN 3000 Series]
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: I will NOT send
> an initial contact payload
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: NAT-Traversal:
> Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
>

^ NAT-T not detected


> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: Not sending
> INITIAL_CONTACT
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: transition from
> state STATE_MAIN_I2 to state STATE_MAIN_I3
> Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: STATE_MAIN_I3:
> sent MI3, expecting MR3
> Mar 10 10:00:11 firewall pluto[18894]: "ciscovpntest" #2: received Vendor
> ID payload [Dead Peer Detection]
> Mar 10 10:00:11 firewall pluto[18894]: "ciscovpntest" #2: Main mode peer ID
> is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
> Mar 10 10:00:11 firewall pluto[18894]: "ciscovpntest" #2: transition from
> state STATE_MAIN_I3 to state STATE_MAIN_I4
>
> The openswan-2.6.32-27.2.el6_5 (not working) log:
> Mar 10 09:57:54 firewall pluto[17287]: added connection description
> "ciscovpntest"
> Mar 10 09:57:55 firewall pluto[17287]: "ciscovpntest" #2: initiating Main
> Mode
> Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: received Vendor
> ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: ignoring Vendor
> ID payload [FRAGMENTATION c0000000]
> Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: enabling possible
> NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
>

^ NAT-T


> Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: next payload type
> of ISAKMP NAT-D Payload has an unknown value: 130
> Mar 10 09:58:04 firewall pluto[17287]: "ciscovpntest" #2: discarding
> duplicate packet; already STATE_MAIN_I1
> Mar 10 09:58:05 firewall pluto[17287]: "ciscovpntest" #2: discarding
> duplicate packet; already STATE_MAIN_I1
> Mar 10 09:58:13 firewall pluto[17287]: "ciscovpntest" #2: discarding
> duplicate packet; already STATE_MAIN_I1
> Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: received Vendor
> ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: ignoring Vendor
> ID payload [FRAGMENTATION c0000000]
> Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: enabling possible
> NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
> Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: ASSERTION FAILED
> at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/ikev1_main.c:1112:
> st->st_sec_in_use==FALSE
>
> and after 30 seconds pluto restarts.
> To me this looks like a regression. Where should I report this problem?
> CentOS or Red Hat Bugzilla?
>

First, you might consider hitting up the Openswan list and possibly even
Libreswan.  That way someone that knows the code can test and confirm.
(Around the time Paul Wouters forked Openswan as Libreswan, he secured a
position with Red Hat.  He's rather responsive, so I'd expect he'd help
sort this out.)

https://lists.openswan.org/mailman/listinfo/users
https://lists.libreswan.org/mailman/listinfo/swan

-- 
---~~.~~---
Mike
//  SilverTip257  //
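Added example, not code from this thread or from the Openswan project: a small Python triage script that applies the log reading above to constructed pluto syslog lines, keying on the pluto PID so the run that reached STATE_MAIN_I4 is kept apart from the run that died on the assertion. The sample lines, the field names and the `crashed_pids` helper are constructed for illustration.

```python
import re

# Constructed sample lines, modelled on the pluto output quoted in the thread:
# PID 18894 is the working run, PID 17287 the run that died on the assertion.
SAMPLE_LOG = """\
Mar 10 10:00:10 firewall pluto[18894]: "ciscovpntest" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Mar 10 10:00:11 firewall pluto[18894]: "ciscovpntest" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 10 09:57:56 firewall pluto[17287]: "ciscovpntest" #2: next payload type of ISAKMP NAT-D Payload has an unknown value: 130
Mar 10 09:58:04 firewall pluto[17287]: "ciscovpntest" #2: discarding duplicate packet; already STATE_MAIN_I1
Mar 10 09:58:25 firewall pluto[17287]: "ciscovpntest" #2: ASSERTION FAILED at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/ikev1_main.c:1112: st->st_sec_in_use==FALSE
"""

LINE_RE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$')
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)" #\d+: (?P<rest>.*)$')
STATE_RE = re.compile(r'transition from state \S+ to state (?P<to>\S+)')
NAT_RE = re.compile(r'NAT-Traversal: Result using \S+: (?P<result>.*)$')
ASSERT_RE = re.compile(r'ASSERTION FAILED at (?P<where>\S+): (?P<cond>.*)$')


def triage_pluto_log(text):
    """Summarise each pluto instance by PID: a restart means a new PID, so this
    separates the negotiation that completed from the one that crashed."""
    runs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto line
        run = runs.setdefault(m.group("pid"), {"conns": set(), "last_state": None,
                              "nat_result": None, "assertion": None, "warnings": []})
        c = CONN_RE.match(m.group("msg"))
        msg = c.group("rest") if c else m.group("msg")
        if c:
            run["conns"].add(c.group("conn"))
        s, n, a = STATE_RE.search(msg), NAT_RE.search(msg), ASSERT_RE.search(msg)
        if s:
            run["last_state"] = s.group("to")
        elif n:
            run["nat_result"] = n.group("result")
        elif a:  # keep file:line and the failed condition, drop the build path
            run["assertion"] = a.group("where").rsplit("/", 1)[-1] + ": " + a.group("cond")
        elif "unknown value" in msg:  # e.g. the unexpected NAT-D next-payload type
            run["warnings"].append(msg)
    return runs


def crashed_pids(runs):
    """PIDs that hit ASSERTION FAILED; several from one host means a crash/restart loop."""
    return [pid for pid, r in runs.items() if r["assertion"]]
```

Run it over `/var/log/secure` (or wherever pluto logs on the host) and a growing list from `crashed_pids` is the restart loop described in the thread, with the assertion text ready to paste into the bug report.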