[Openswan Users] no suitable connection OR no connection has been authorized with policy=RSASIG

Richard Pickett richard.pickett at csrtechnologies.com
Tue Jul 26 03:01:21 EDT 2011


It's me again.

I couldn't get around the NSS DH error (see other email).

So, I downloaded openswan 2.6.26 no-nss rpm provided in the downloads
(thanks!), and I'm just going straight RSA. I'm thinking I may even have to
give that up, but I think my problem is not RSA related.

For now I'm trying to get a single connection with *no* need to connect to
private IP ranges behind client server. I basically just want all the
client's IP traffic to come down the tunnel to the server which will then
NAT it out to the rest of the world. Can't get easier than that, no? (sigh)

Here's my config:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn mobileaegisclient
    authby=rsasig
    left=173.255.254.20
    leftcert=01_crt.pem
    leftsubnet=0.0.0.0/0
    right=%any
    auto=add

This should catch any and all connections, without even worrying about cert
checking, although the certs are there.


Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: ignoring
unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: received
Vendor ID payload [RFC 3947] method set to=109
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: ignoring
Vendor ID payload [FRAGMENTATION 80000000]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: received
Vendor ID payload [Dead Peer Detection]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: ignoring
unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: ignoring
unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: ignoring
unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
Jul 26 01:20:25 vhost5 pluto[6709]: packet from 74.137.71.67:53540: received
Vendor ID payload [Cisco-Unity]
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
responding to Main Mode from unknown peer 74.137.71.67
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
STATE_MAIN_R1: sent MR1, expecting MI2
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 26 01:20:25 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
STATE_MAIN_R2: sent MR2, expecting MI3
Jul 26 01:20:26 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Kentucky, O=MA, OU=Admin,
CN=Richard.Pickett at CSRTechnologies.com'
*Jul 26 01:20:26 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
no suitable connection for peer 'C=US, ST=Kentucky, O=MA, OU=Admin,
CN=Richard.Pickett at CSRTechnologies.com'*
Jul 26 01:20:26 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
sending encrypted notification INVALID_ID_INFORMATION to 74.137.71.67:53540
Jul 26 01:20:35 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
byte 2 of ISAKMP Hash Payload must be zero, but is not
Jul 26 01:20:35 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
malformed payload in packet
Jul 26 01:20:35 vhost5 pluto[6709]: | payload malformed after IV
Jul 26 01:20:35 vhost5 pluto[6709]: |   7e 25 dd fa  d1 93 98 4b  05 bf b1
15  30 2a 36 0e
Jul 26 01:20:35 vhost5 pluto[6709]: |   8b 95 e1 a9
Jul 26 01:20:35 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
sending notification PAYLOAD_MALFORMED to 74.137.71.67:53540
Jul 26 01:20:47 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #1:
max number of retransmissions (2) reached STATE_MAIN_R2

I can get that bold line (no suitable connection for peer) to alternate
between that and this:

*Jul 26 01:55:43 vhost5 pluto[14632]: packet from 74.137.71.67:46099:
initial Main Mode message received on 173.255.254.20:500 but no connection
has been authorized with policy=RSASIG*

by changing the right*= settings, but no matter what I do, I can't get it to
connect at all.

One thing to note - even though the certs are created with an L=BG, you only
see it in the CA when openswan talks about it, but when it mentions the
certs (as you can see in the log), it's not displayed. Don't know if that's
related or not, but it's something I've noticed.

Searching the Internet for either of those phrases turns up other people who
had problems, but none of them tell the answer.

Surely the answer isn't that I have to ditch NSS, RSA, and go to something
lame like xauth...
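A triage helper for the pluto output quoted above, added here as an example and not part of the original post or of Openswan: it re-joins the mail-wrapped log lines and pulls out, per peer IP, the conn pluto matched, the refusals it logged ("no suitable connection for peer", "no connection has been authorized with policy=...") and the notifications it sent back. The sample log is constructed from the post's own quoted entries; the regexes are written against the message formats visible in that log only.

```python
import re
from collections import defaultdict
# Constructed sample: three of the pluto entries quoted in the post, still
# wrapped by the mail client exactly as they appear there.
SAMPLE_LOG = """\
Jul 26 01:20:26 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
no suitable connection for peer 'C=US, ST=Kentucky, O=MA, OU=Admin,
CN=Richard.Pickett at CSRTechnologies.com'
Jul 26 01:20:26 vhost5 pluto[6709]: "mobileaegisclient"[1] 74.137.71.67 #2:
sending encrypted notification INVALID_ID_INFORMATION to 74.137.71.67:53540
Jul 26 01:55:43 vhost5 pluto[14632]: packet from 74.137.71.67:46099:
initial Main Mode message received on 173.255.254.20:500 but no connection
has been authorized with policy=RSASIG
"""

SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<msg>.*)$")
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<ip>[\d.]+) #\d+: (?P<rest>.*)$')
PKT_RE = re.compile(r"^packet from (?P<ip>[\d.]+):\d+: (?P<rest>.*)$")
# The messages pluto emits when it refuses an IKE Main Mode exchange.
NO_CONN_RE = re.compile(r"no suitable connection for peer '(?P<dn>[^']*)'")
NO_POLICY_RE = re.compile(r"no connection has been authorized with policy=(?P<pol>\S+)")
NOTIFY_RE = re.compile(r"sending (?:encrypted )?notification (?P<name>[A-Z_]+) to")

def unwrap(text):
    """Re-join mail-wrapped entries: a line with no syslog prefix continues the previous one."""
    entries = []
    for line in text.splitlines():
        if SYSLOG_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Per peer IP: the conn pluto matched, the refusals it logged and the notifications it sent."""
    peers = defaultdict(lambda: {"conn": None, "failures": [], "notifications": []})
    for entry in unwrap(text):
        m = SYSLOG_RE.match(entry)
        cm = m and (CONN_RE.match(m.group("msg")) or PKT_RE.match(m.group("msg")))
        if not cm:  # vendor-ID chatter, hex dumps and other non-peer lines
            continue
        p, rest = peers[cm.group("ip")], cm.group("rest")
        p["conn"] = cm.groupdict().get("conn", p["conn"])
        if x := NO_CONN_RE.search(rest):
            p["failures"].append(("no_suitable_connection", x.group("dn")))
        elif x := NO_POLICY_RE.search(rest):
            p["failures"].append(("no_authorized_policy", x.group("pol")))
        elif x := NOTIFY_RE.search(rest):
            p["notifications"].append(x.group("name"))
    return dict(peers)
```

Feed it the full pluto output (wrapped or not) and the per-peer "failures" list shows which of the two refusals each rightid/rightca change produced, without reading through the vendor-ID lines.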