[Openswan Users] ERROR: asynchronous network error

Xunhua Wang wangxx at jmu.edu
Wed Oct 18 08:16:06 EDT 2006


Hi,

We are running a VPN server with Linux Openswan U2.4.5/K2.6.9-5.ELsmp
(netkey); its configuration file (and the client's) can be found at the end of this message.

We can connect to it from XP or Windows 2K clients with L2TP/IPsec. Connecting
from a Linux client (Linux Openswan U2.4.5/K2.6.11-1.35_FC3 (netkey)) also used
to work fine. Recently, however, we started getting the following errors in the
Linux client's /var/log/secure:

------ /var/log/secure BEGINS ------
Oct 18 07:46:48 localhost pluto[5772]: "l2tpclient" #2:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x410e7680 <0xc4edafcd
xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x000040ab <0x00002711 NATD=134.126.20.79:4500
DPD=none} 

Oct 18 07:47:30 localhost pluto[5772]: ERROR: asynchronous network error
report on wlan0 (sport=4500) for message to 134.126.20.79 port 4500,
complainant 192.168.1.9: No route to host [errno 113, origin ICMP type 3
code 1 (not authenticated)]
------ /var/log/secure ENDS ------

On the server's side, /etc/log/secure reports nothing abnormal.

What caused this error? Is there something wrong with my configuration? How
can I solve it?

Thanks,

Steve

---------- CLIENT-SIDE /etc/ipsec.conf BEGINS ----------
# Configuration for connecting to an L2TP/IPsec server,
# for example Windows 2003 Server.
#
# Authenticates through certificates. The Linux client can be
# behind NAT or not.
#
# Layout: a section header ("config setup", "conn <name>") starts at
# column 0 and every parameter line belonging to it must be indented;
# the amount of indentation does not matter.
version 2.0
    
config setup
       # Use whichever interface carries the default route.
       interfaces=%defaultroute
       # Allow NAT traversal (UDP/4500 encapsulation). The client log shows
       # NATD=...:4500, so this is in effect for the connection below.
       nat_traversal=yes

conn %default

   # Everything in %default is inherited by every conn in this file.
   # Give up after 3 negotiation attempts instead of retrying forever.
   keyingtries=3
   # Request IPCOMP compression; the log line shows IPCOMP SPIs, so the
   # server accepted it.
   compress=yes
   # Keep the check that decrypted packets match the negotiated tunnel
   # endpoints (KLIPS feature; presumably a no-op on this netkey kernel --
   # confirm).
   disablearrivalcheck=no
   # Peers authenticate with RSA signatures, keys taken from certificates.
   authby=rsasig
   leftrsasigkey=%cert
   rightrsasigkey=%cert
   
conn l2tpclient
        # No Perfect Forward Secrecy for Phase 2 and no rekeying initiated
        # from this side; both match the server's conn roadwarrior.
        pfs=no
        rekey=no
        # Transport mode: IPsec protects host-to-host L2TP traffic, the
        # L2TP layer carries the actual tunnel.
        type=transport
        # "left" is this client; its address comes from the default route.
        left=%defaultroute
        leftcert=/etc/ipsec.d/certs/ipsec-client.crt
        # Restrict the SA to UDP/1701 (L2TP) on this side.
        leftprotoport=17/1701
        # "right" is the VPN server.
        right=134.126.20.79
        # The server's certificate is loaded from a local file, so its
        # public key and subject are the expected peer identity.
        rightcert=/etc/ipsec.d/certs/ipsec-server.crt
        # The server's certificate must be issued by the same CA that
        # issued our own certificate.
        rightca=%same
        # Restrict the SA to UDP/1701 (L2TP) on the server side as well.
        rightprotoport=17/1701
        # Load the conn at startup but do not initiate it automatically;
        # it is brought up on demand.
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
---------- CLIENT-SIDE /etc/ipsec.conf ENDS ----------

---------- SERVER-SIDE /etc/ipsec.conf BEGINS ----------
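version 2.0

# Layout: a section header ("config setup", "conn <name>") starts at
# column 0 and every parameter line belonging to it must be indented.
##   plutodebug="control controlmore"
##   virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
config setup
   # Use whichever interface carries the default route.
   interfaces=%defaultroute
   # Accept clients behind NAT (UDP/4500 encapsulation).
   nat_traversal=yes
   # Private ranges a NATed client may claim as its inner address
   # (matched by rightsubnet=vhost:%priv below). 192.168.100.0/24 is
   # excluded so no client can claim an address in it -- presumably a
   # network the server itself uses; confirm.
   # Must stay on one line and indented: a wrapped or unindented line is
   # not parsed as part of this section.
   virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.100.0/24

conn %default
   # Everything in %default is inherited by every conn in this file.
   # Give up after 5 negotiation attempts instead of retrying forever.
   keyingtries=5
   # Offer IPCOMP compression.
   compress=yes
   # Keep the check that decrypted packets match the negotiated tunnel
   # endpoints (KLIPS feature; presumably a no-op on this netkey kernel --
   # confirm).
   disablearrivalcheck=no
   # Peers authenticate with RSA signatures, keys taken from certificates.
   authby=rsasig
   leftrsasigkey=%cert
   rightrsasigkey=%cert

# Earlier variant: any local UDP port on the server side (17/0);
# presumably for older Windows clients -- confirm before re-enabling.
# conn roadwarrior-l2tp
#   leftprotoport=17/0
#   rightprotoport=17/1701
#   also=roadwarrior

conn roadwarrior-l2tp-updatedwin
   # L2TP on UDP/1701 on both ends; the rest comes from conn roadwarrior.
   leftprotoport=17/1701
   rightprotoport=17/1701
   also=roadwarrior

## rightca=%same
conn roadwarrior
   # "left" is this server; its address comes from the default route.
   left=%defaultroute
   leftrsasigkey=%cert
   # Bare filename; presumably resolved under /etc/ipsec.d/certs -- confirm.
   leftcert=ipsec-server.crt
   # Any source address may connect (road warrior). With right=%any the
   # client certificate chain is the only thing that authenticates a peer,
   # so rightca below is the control that limits who can connect.
   right=%any
   rightrsasigkey=%cert
   # Client inner address is either its own address (%no) or a private
   # address from virtual_private (%priv).
   rightsubnet=vhost:%no,%priv
   # No Perfect Forward Secrecy for Phase 2 and no rekeying initiated
   # from this side; matches the client's conn l2tpclient.
   pfs=no
   rekey=no
   # Client certificates must be issued by the same CA as our own
   # certificate. Nothing in this file configures revocation checking.
   rightca=%same
   # Load the conn at startup and wait for clients to initiate.
   auto=add

include /etc/ipsec.d/examples/no_oe.conf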

---------- SERVER-SIDE /etc/ipsec.conf ENDS ----------


