<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Jacco - I modified the ipsec.secrets file and got pass the PSK issue.</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">192.168.23.23 66.27.f.g : PSK "mykey"</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Now I see this in "ipsec auto --status"</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">000 #1: "DIR130-JON":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 9s; lastdpd=-1s(seq in:0 out:0)<BR>000 #1: pending Phase 2 for "DIR130-JON" replacing #0</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">I then stopped Openswan and restarted. Now I see this when I run "ipsec auto --status"</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">000 #1: "DIR130-JON":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd<BR>000 #1: pending Phase 2 for "DIR130-JON" replacing #0</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Looks like it wants port 4500. But then the next time it wants port 500 (which I opened already). Ran same thing several more times and it stayed at port 500.</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Getting this in auth.log:</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">handling event EVENT_RETRANSMIT<BR>Apr 7 12:03:36 localhost pluto[19631]: | event after this is EVENT_PENDING_PHASE2 in 46 seconds<BR>Apr 7 12:03:36 localhost pluto[19631]: | processing connection DIR130-JON<BR>Apr 7 12:03:36 localhost pluto[19631]: | handling event EVENT_RETRANSMIT for 66.27.113.46 "DIR130-JON" #1<BR>Apr 7 12:03:36 localhost pluto[19631]: | sending 292 bytes for EVENT_RETRANSMIT through eth0:500 to 66.27.f.g:500:<BR>Apr 7 12:03:36 localhost pluto[19631]: | 38 32 ae 3c ff 21 c5 e4 00 00 00 00 00 00 00 00<BR>Apr 7 12:03:36 localhost pluto[19631]: | 01 10 02 00 00 00 00 00 00 00 01 24 0d 00 00 94<BR>Apr 7 12:03:36 localhost pluto[19631]: | 00 00 00 01 00 00 00 01 00 00 00 88 00 01 00 04<BR>Apr 7 12:03:36 localhost
pluto[19631]: | 03 00 00 20 00 01 00 00 80 0b 00 01 80 0c 70 80<BR>Apr 7 12:03:36 localhost pluto[19631]: | 80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 05<BR>Apr 7 12:03:36 localhost pluto[19631]: | 03 00 00 20 01 01 00 00 80 0b 00 01 80 0c 70 80<BR>Apr 7 12:03:36 localhost pluto[19631]: | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 05<BR>Apr 7 12:03:36 localhost pluto[19631]: | 03 00 00 20 02 01 00 00 80 0b 00 01 80 0c 70 80<BR>Apr 7 12:03:36 localhost pluto[19631]: | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 02<BR>Apr 7 12:03:36 localhost pluto[19631]: | 00 00 00 20 03 01 00 00 80 0b 00 01 80 0c 70 80<BR>Apr 7 12:03:36 localhost pluto[19631]: | 80 01 00 05 80 02 00 01 80 03
00 01 80 04 00 02<BR>Apr 7 12:03:36 localhost pluto[19631]: | 0d 00 00 10 4f 45 7a 7d 46 46 46 66 67 72 5f 65<BR>Apr 7 12:03:36 localhost pluto[19631]: | 0d 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc<BR>Apr 7 12:03:36 localhost pluto[19631]: | 77 57 01 00 0d 00 00 14 4a 13 1c 81 07 03 58 45<BR>Apr 7 12:03:36 localhost pluto[19631]: | 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 7d 94 19 a6<BR>Apr 7 12:03:36 localhost pluto[19631]: | 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 0d 00 00 14<BR>Apr 7 12:03:36 localhost pluto[19631]: | cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48<BR>Apr 7 12:03:36 localhost pluto[19631]: | 00 00 00 14 44 85 15 2d 18 b6 bb cd 0b e8 a8 46<BR>Apr 7 12:03:36 localhost pluto[19631]:
| 95 79 dd cc<BR>Apr 7 12:03:36 localhost pluto[19631]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1<BR>Apr 7 12:03:36 localhost pluto[19631]: | next event EVENT_RETRANSMIT in 40 seconds for #1<BR><BR>Making some progress...almost there. Any idea on why it's retransimitting.?</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">thx</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">----- Original Message ----<BR>From: BUI18 <lbui18@yahoo.com><BR>To: users@openswan.org<BR>Sent: Monday, April 7, 2008 11:16:14 AM<BR>Subject: Re: [Openswan Users] Error: "initial Main Mode message received on 192.168.23.23:500 but no connection has been authorized"<BR><BR>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Jacco -</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">I made some progress based on your suggestion, but not completely there.</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Here's the new ipsec.conf</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"># basic configuration<BR>config setup<BR> # plutodebug / klipsdebug = "all", "none" or a combation from below:<BR> # "raw crypt parsing emitting control klips pfkey natt x509 private"<BR> # eg:<BR> # plutodebug="control parsing"<BR> #<BR> # Only enable klipsdebug=all if you are a developer<BR> #<BR> # NAT-TRAVERSAL support, see README.NAT-Traversal<BR> nat_traversal=yes<BR>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12,%v4:!192.168.23.0/24<BR> interfaces=%defaultroute<BR> klipsdebug=none<BR> plutodebug=all</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"># Add connections here<BR>conn DIR130-JON<BR> # Left security gateway, subnet behind it, nexthop toward right.<BR> #left=66.27.a.b<BR> <STRONG>left=192.168.23.23</STRONG><BR> leftsubnet=192.168.23.0/24<BR> #leftnexthop=24.25.c.d<BR> <STRONG>leftnexthop=66.27.a.b</STRONG><BR> # Right security gateway, subnet behind it, nexthop toward left.<BR> right=66.27.f.g<BR> rightsubnet=192.168.99.0/24<BR>
#rightnexthop=66.27.e.1<BR> keyexchange=ike<BR> ikelifetime=480m<BR> keylife=3600s<BR> pfs=yes<BR> compress=no<BR> authby=secret<BR> keyingtries=0<BR> auto=start</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Here's "ipsec auto --status"</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} <BR>000 <BR>000 "DIR130-JON": 192.168.23.0/24===192.168.23.23---66.27.82.147...66.27.113.46===192.168.99.0/24; prospective erouted; eroute owner: #0<BR>000 "DIR130-JON": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<BR>000 "DIR130-JON": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<BR>000 "DIR130-JON": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; <BR>000 "DIR130-JON": newest ISAKMP SA: #0; newest IPsec SA: #0; <BR>000 <BR>000 #1: "DIR130-JON":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0 out:0)<BR>000 #1: pending Phase 2 for "DIR130-JON" replacing #0<BR>000<BR></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">You can see that it made it through Phase 1, but choking on Phase 2.</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Here's auth.log output:</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> started looking for secret for 192.168.23.23->66.27.f.g of kind PPK_PSK<BR>Apr 7 10:57:19 localhost pluto[23888]: | actually looking for secret for 192.168.23.23->66.27.f.g of kind PPK_PSK<BR>Apr 7 10:57:19 localhost pluto[23888]: | 1: compared PSK 66.27.f.g to 192.168.23.23 / 66.27.f.g -> 2<BR>Apr 7 10:57:19 localhost pluto[23888]: | 2: compared PSK 66.27.a.b to 192.168.23.23 / 66.27.f.g -> 2<BR>Apr 7 10:57:19 localhost pluto[23888]: | concluding with best_match=0 best=(nil) (lineno=-1)<BR>Apr 7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: Can't authenticate: no preshared key found for `192.168.23.23' and `66.27.f.g'. Attribute OAKLEY_AUTHENTICATION_METHOD<BR>Apr 7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: no acceptable Oakley Transform<BR>Apr 7 10:57:19 localhost pluto[23888]: | complete state
transition with (null)<BR>Apr 7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: sending notification NO_PROPOSAL_CHOSEN to 66.27.113.46:500<BR>Apr 7 10:57:19 localhost pluto[23888]: | **emit ISAKMP Message:<BR>Apr 7 10:57:19 localhost pluto[23888]: | initiator cookie:<BR>Apr 7 10:57:19 localhost pluto[23888]: | 0c c5 00 e5 e4 aa 6c ff<BR>Apr 7 10:57:19 localhost pluto[23888]: | responder cookie:<BR>Apr 7 10:57:19 localhost pluto[23888]: | 00 00 00 00 00 00 00 00<BR>Apr 7 10:57:19 localhost pluto[23888]: | next payload type: ISAKMP_NEXT_N<BR>Apr 7 10:57:19 localhost pluto[23888]: | ISAKMP version: ISAKMP Version 1.0<BR>Apr 7 10:57:19 localhost pluto[23888]: | exchange type: ISAKMP_XCHG_INFO<BR>Apr 7 10:57:19 localhost pluto[23888]: | flags:
none<BR>Apr 7 10:57:19 localhost pluto[23888]: | message ID: 00 00 00 00<BR>Apr 7 10:57:19 localhost pluto[23888]: | ***emit ISAKMP Notification Payload:<BR>Apr 7 10:57:19 localhost pluto[23888]: | next payload type: ISAKMP_NEXT_NONE<BR>Apr 7 10:57:19 localhost pluto[23888]: | DOI: ISAKMP_DOI_IPSEC<BR>Apr 7 10:57:19 localhost pluto[23888]: | protocol ID: 1<BR>Apr 7 10:57:19 localhost pluto[23888]: | SPI size: 0<BR>Apr 7 10:57:19 localhost pluto[23888]: | Notify Message Type: NO_PROPOSAL_CHOSEN<BR>Apr 7 10:57:19 localhost pluto[23888]: | emitting length of ISAKMP Notification Payload: 12<BR>Apr 7 10:57:19 localhost pluto[23888]: | emitting length of ISAKMP Message: 40<BR>Apr 7 10:57:19 localhost pluto[23888]: | sending 40 bytes for notification packet through eth0:500 to
66.27.f.g:500:<BR>Apr 7 10:57:19 localhost pluto[23888]: | 0c c5 00 e5 e4 aa 6c ff 00 00 00 00 00 00 00 00<BR>Apr 7 10:57:19 localhost pluto[23888]: | 0b 10 05 00 00 00 00 00 00 00 00 28 00 00 00 0c<BR>Apr 7 10:57:19 localhost pluto[23888]: | 00 00 00 01 01 00 00 0e<BR>Apr 7 10:57:19 localhost pluto[23888]: | state transition function for STATE_MAIN_I1 failed: NO_PROPOSAL_CHOSEN<BR>Apr 7 10:57:19 localhost pluto[23888]: | next event EVENT_PENDING_PHASE2 in 103 seconds<BR></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Not sure what's happening here...something about the authentication, any ideas?</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">thx</DIV><BR><BR>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">----- Original Message ----<BR>From: Jacco de Leeuw <jacco2@dds.nl><BR>To: users@openswan.org<BR>Sent: Monday, April 7, 2008 10:30:07 AM<BR>Subject: Re: [Openswan Users] Error: "initial Main Mode message received on 192.168.23.23:500 but no connection has been authorized"<BR><BR>BUI18 wrote:<BR><BR>> I thought that "left" is suppose to be the Openswan's internet gateway, <BR>> which is why I specified 66.27.a.b.<BR><BR>No, this should be the IP address of the Openswan server itself.<BR><BR>> I did a tcpdump on the Openswan server and indeed it was receiving an<BR>> initialization request on udp port 500.<BR><BR>Yes, but presumably for 192.168.23.23.<BR><BR>> Any suggestion on what left, leftnexthop and right, rightnexthop should be<BR>> for this to
work?<BR><BR>left=192.168.23.23<BR>leftnexthop=192.168.23.1<BR>leftsubnet=192.168.23.0/24<BR>right=66.27.f.g<BR>rightsubnet=192.168.99.0/24<BR><BR>I'm not sure if this will work but you should get a bit further and<BR>if it does not work the logfile will tell which parameters are required.<BR><BR>Jacco<BR>-- <BR>Jacco de Leeuw mailto:<A href="mailto:jacco2@dds.nl" target=_blank rel=nofollow ymailto="mailto:jacco2@dds.nl">jacco2@dds.nl</A><BR>Zaandam, The Netherlands <A href="http://www.jacco2.dds.nl/" target=_blank rel=nofollow>http://www.jacco2.dds.nl</A><BR></DIV><BR></DIV></DIV><BR>
<HR SIZE=1>
You rock. That's why Blockbuster's offering you <A href="http://us.rd.yahoo.com/evt=47523/*http://tc.deals.yahoo.com/tc/blockbuster/text5.com" target=_blank rel=nofollow>one month of Blockbuster Total Access</A>, No Cost.</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><BR></DIV></div><br>
<hr size=1>You rock. That's why Blockbuster's offering you <a href="http://us.rd.yahoo.com/evt=47523/*http://tc.deals.yahoo.com/tc/blockbuster/text5.com">one month of Blockbuster Total Access</a>, No Cost.</body></html>