Hello all,<br>
<br>
I have been trying to establish a VPN connection between two Linux machines using x509 certificates. Here is the information to dig out the problem:<br>
<br>
I have a local VPN gateway that is a Suse Linux SLES kernel 2.6.5 and is behind a router. It has openswan v.2.4.5 installed and its IP address is 10.10.10.10/24.<br>
<br>
My remote machine is a Suse Linux 10 kernel 2.6.13 and has openswan 2.4.5 installed as well. <br>
<br>
The remote machine's IP address is 192.168.1.109.<br>
<br>
The router's outside interface and the remote machine are in the same network. <br>
<br>
The router's outside interface IP address is 192.168.1.203.<br>
<br>
I hope this next line helps to illustrate the network:<br>
<br>
VPN Gateway (10.10.10.10) <------------> (10.10.10.1) Router (192.168.1.203) <--------------------> (192.168.1.109) Remote Machine<br>
<br>
And here are the ipsec.conf files:<br>
<br>
<br>
<font size="4">GATEWAY ipsec.conf</font><br>
<br>
# /etc/ipsec.conf - Openswan IPsec configuration file<br>
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $<br>
<br>
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample<br>
#<br>
# Manual: ipsec.conf.5<br>
<br>
<br>
version 2.0 # conforms to second version of ipsec.conf specification<br>
<br>
# basic configuration<br>
config setup<br>
# plutodebug / klipsdebug = "all", "none" or a combination from below:<br>
# "raw crypt parsing emitting control klips pfkey natt x509 private"<br>
# eg:<br>
# plutodebug="control parsing"<br>
#<br>
# Only enable klipsdebug=all if you are a developer<br>
interfaces=%defaultroute<br>
nat_traversal=yes<br>
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/24<br>
<br>
conn %default<br>
keyingtries=1<br>
compress=yes<br>
disablearrivalcheck=no<br>
authby=rsasig<br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
auto=add<br>
<br>
conn roadwarrior-net<br>
leftsubnet=10.10.10.0/24<br>
also=roadwarrior<br>
<br>
conn roadwarrior<br>
left=%defaultroute<br>
rightcert=gate.example.com.pem<br>
right=%any<br>
rightsubnet=vhost:%no,%priv<br>
auto=add<br>
pfs=yes<br>
rekey=no<br>
<br>
conn block<br>
auto=ignore<br>
<br>
conn private<br>
auto=ignore<br>
<br>
conn private-or-clear<br>
auto=ignore<br>
<br>
conn clear-or-private<br>
auto=ignore<br>
<br>
conn clear<br>
auto=ignore<br>
<br>
conn packetdefault<br>
auto=ignore<br>
<br>
<br>
<font size="4">REMOTE MACHINE ipsec.conf</font><br>
<br>
# /etc/ipsec.conf - Openswan IPsec configuration file<br>
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $<br>
<br>
# This file: /usr/share/doc/packages/openswan/ipsec.conf-sample<br>
#<br>
# Manual: ipsec.conf.5<br>
<br>
<br>
version 2.0 # conforms to second version of ipsec.conf specification<br>
<br>
# basic configuration<br>
config setup<br>
# plutodebug / klipsdebug = "all", "none" or a combination from below:<br>
# "raw crypt parsing emitting control klips pfkey natt x509 private"<br>
# eg:<br>
# plutodebug="control parsing"<br>
#<br>
# Only enable klipsdebug=all if you are a developer<br>
#<br>
# NAT-TRAVERSAL support, see README.NAT-Traversal<br>
nat_traversal=yes<br>
interfaces=%defaultroute<br>
# Certificate Revocation List handling:<br>
#crlcheckinterval=600<br>
#strictcrlpolicy=yes<br>
plutowait=yes<br>
<br>
<br>
conn %default<br>
# keyingtries default to %forever<br>
keyingtries=1<br>
compress=yes<br>
authby=rsasig<br>
# Sig keys (default: %dnsondemand)<br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
# Lifetimes, defaults are 1h/8hrs<br>
#ikelifetime=20m<br>
#keylife=1h<br>
#rekeymargin=8m<br>
<br>
#Disable Opportunistic Encryption<br>
include /etc/ipsec.d/examples/no_oe.conf<br>
<br>
<br>
conn roadwarrior-net<br>
leftsubnet=10.10.10.0/24<br>
also=roadwarrior<br>
<br>
conn roadwarrior<br>
left=192.168.1.203<br>
leftcert=gate.example.com.pem<br>
right=%defaultroute<br>
rightcert=lin.example.com.pem<br>
auto=add<br>
pfs=yes<br>
<br>
conn block<br>
auto=ignore<br>
<br>
conn private<br>
auto=ignore<br>
<br>
conn private-or-clear<br>
auto=ignore<br>
<br>
conn clear-or-private<br>
auto=ignore<br>
<br>
conn clear<br>
auto=ignore<br>
<br>
conn packetdefault<br>
auto=ignore<br>
<br>
<br>
<br>
<br>
<font size="4">GATEWAY /var/log/messages</font><br>
<br>
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: ignoring unknown Vendor ID payload [4f457a7d4646466667725f65]<br>
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received Vendor ID payload [Dead Peer Detection]<br>
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received Vendor ID payload [RFC 3947] method set to=110<br>
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110<br>
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110<br>
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: responding to Main Mode from unknown peer 192.168.1.109<br>
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: NAT-Traversal: Result using 3: i am NATed<br>
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>
May 11 15:30:42 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun@springboardnetworks.com'<br>
May 11 15:30:42 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: no suitable connection for peer 'C=CA, ST=Ontario, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun@springboardnetworks.com'<br>
May 11 15:30:42 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.109:500<br>
May 11 15:30:51 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun@springboardnetworks.com'<br>
May 11 15:30:52 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: no suitable connection for peer 'C=CA, ST=Ontario, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun@springboardnetworks.com'<br>
May 11 15:30:52 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.109:500<br>
May 11 15:31:12 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun@springboardnetworks.com'<br>
<br>
<br>
<font size="4">REMOTE MACHINE /var/log/messages</font><br>
<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: initiating Main Mode<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring unknown Vendor ID payload [4f456e4d43757f784f704063]<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received Vendor ID payload [Dead Peer Detection]<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received Vendor ID payload [RFC 3947] method set to=109<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: enabling possible NAT-traversal with method 3<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: NAT-Traversal: Result using 3: peer is NATed<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: I am sending my cert<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: I am sending a certificate request<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring informational payload, type INVALID_ID_INFORMATION<br>
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received and ignored informational message<br>
May 11 15:30:50 linuxlaptop pluto[14324]: "roadwarrior-net" #1: discarding duplicate packet; already STATE_MAIN_I3<br>
May 11 15:30:51 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring informational payload, type INVALID_ID_INFORMATION<br>
May 11 15:30:51 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received and ignored informational message<br>
May 11 15:31:11 linuxlaptop pluto[14324]: "roadwarrior-net" #1: discarding duplicate packet; already STATE_MAIN_I3<br>
May 11 15:31:11 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring informational payload, type INVALID_ID_INFORMATION<br>
May 11 15:31:11 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received and ignored informational message<br>
May 11 15:31:51 linuxlaptop pluto[14324]: "roadwarrior-net" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message<br>
<br>
<br>
<br>
Can anybody help me on this?<br>
<br>
One extra question is that I am so confused with the left, right, leftsubnet, rightsubnet, leftcert and rightcert of the roadwarrior section of the ipsec.conf files. Which left is which, and whose right is the other's right? Especially the rightcert and leftcert of the ipsec.conf files are so confusing. Can anybody explain this to me clearly or send me a link to read? I did a Google search on this for a couple of hours but couldn't find a clue.<br>
<br>
Thank you very much.<br>
<br>
/Can<br>
<br>
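Added example, not part of this post: a small Python triage script that reads pluto log lines of the shape shown in the two excerpts above, groups them by ISAKMP SA number and names the phase-1 outcome each side saw (NAT-T result, the peer's DN, and the INVALID_ID_INFORMATION rejection that both logs record). The sample lines are constructed from the excerpts above; the record fields and the diagnosis wording are assumptions of this example, not Openswan's.<br>

```python
import re

# Constructed samples patterned on the two log excerpts in this post (same
# messages and addresses, trimmed to the lines the triage looks at).
GATEWAY_LOG = """\
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: responding to Main Mode from unknown peer 192.168.1.109
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: NAT-Traversal: Result using 3: i am NATed
May 11 15:30:42 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CA, O=Springboard, CN=Ozgun'
May 11 15:30:42 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: no suitable connection for peer 'C=CA, O=Springboard, CN=Ozgun'
May 11 15:30:42 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.109:500
"""
REMOTE_LOG = """\
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: initiating Main Mode
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: NAT-Traversal: Result using 3: peer is NATed
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring informational payload, type INVALID_ID_INFORMATION
May 11 15:31:51 linuxlaptop pluto[14324]: "roadwarrior-net" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# pluto prefixes state-specific lines with the conn name, then (for conns
# instantiated from a %any template) an instance number and peer address,
# then the SA number. Lines without an SA number (vendor IDs) are skipped.
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\] (?P<peer>\S+))? #(?P<sa>\d+): (?P<msg>.*)')
DN_RE = re.compile(r"peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']*)'")

def triage(log_text):
    """Collapse a pluto log into one record per ISAKMP SA number."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = sas.setdefault(m["sa"], {
            "conn": m["conn"], "peer": m["peer"], "nat": None, "peer_dn": None,
            "id_rejected": False, "notify_sent": None, "notify_recv": None,
            "retransmit_timeout": False})
        msg = m["msg"]
        if msg.startswith("NAT-Traversal: Result"):
            rec["nat"] = msg.split(":", 2)[2].strip()   # e.g. "i am NATed"
        dn = DN_RE.search(msg)
        if dn:
            rec["peer_dn"] = dn["dn"]
        if msg.startswith("no suitable connection for peer"):
            rec["id_rejected"] = True
        if msg.startswith("sending encrypted notification "):
            rec["notify_sent"] = msg.split()[3]
        if msg.startswith("ignoring informational payload, type "):
            rec["notify_recv"] = msg.rsplit(" ", 1)[1]
        if msg.startswith("max number of retransmissions"):
            rec["retransmit_timeout"] = True
    return sas

def diagnose(rec):
    """Name the phase-1 outcome this side saw for one SA (wording is ours)."""
    if rec["id_rejected"]:
        return ("responder: peer ID %r matched no conn on this side; "
                "check which side's certificate leftcert/rightcert name" % rec["peer_dn"])
    if rec["notify_recv"] == "INVALID_ID_INFORMATION" or rec["retransmit_timeout"]:
        return "initiator: responder rejected the ID we presented (our cert's DN)"
    return "phase 1 completed or still in progress"
```

Run it over the gateway excerpt and the remote excerpt separately; the responder record is the one that says which DN arrived and was refused.<br>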