Can anyone help me solve this problem? I already googled it but found no solution.

My log at /var/log/auth.log looks like this:

Nov 5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [FRAGMENTATION]
Nov 5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764: initial Main Mode message received on 219.93.36.214:500 but no connection has been authorized
Nov 5 17:44:08 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 5 17:44:08 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [FRAGMENTATION]
Nov 5 17:44:08 vpnserver pluto[23542]: packet from 219.93.36.194:31764: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 5 17:44:08 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 5 17:44:08 vpnserver pluto[23542]: packet from 219.93.36.194:31764: initial Main Mode message received on 219.93.36.214:500 but no connection has been authorized
Nov 5 17:44:10 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 5 17:44:10 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [FRAGMENTATION]
Nov 5 17:44:10 vpnserver pluto[23542]: packet from 219.93.36.194:31764: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 5 17:44:10 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 5 17:44:10 vpnserver pluto[23542]: packet from 219.93.36.194:31764: initial Main Mode message received on 219.93.36.214:500 but no connection has been authorized
Nov 5 17:44:14 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 5 17:44:14 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [FRAGMENTATION]
Nov 5 17:44:14 vpnserver pluto[23542]: packet from 219.93.36.194:31764: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 5 17:44:14 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 5 17:44:14 vpnserver pluto[23542]: packet from 219.93.36.194:31764: initial Main Mode message received on 219.93.36.214:500 but no connection has been authorized
Nov 5 17:46:37 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Delete SA payload: not encrypted
Nov 5 17:46:37 vpnserver pluto[23542]: packet from 219.93.36.194:31764: received and ignored informational message

This is my ipsec.conf:

conn roadwarrior-net
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior
    left=%defaultroute
    leftcert=host.example.com.pem
    right=60.51.211.53
    # rightsubnet=vhost:%no,%priv
    rightsubnet=0.0.0.0/0
    auto=add
    pfs=yes

conn roadwarrior-l2tp
    type=transport
    left=%defaultroute
    leftcert=host.example.com.pem
    leftprotoport=17/1701
    right=60.51.211.51
    rightprotoport=17/1701
    pfs=no
    auto=add
conn roadwarrior-l2tp
    type=transport
    left=%defaultroute
    leftcert=host.example.com.pem
    leftprotoport=17/1701
    right=60.51.211.51
    rightprotoport=17/1701
    pfs=no
    auto=add

conn roadwarrior-l2tp-oldwin
    left=%defaultroute
    leftcert=host.example.com.pem
    leftprotoport=17/0
    right=60.51.211.51
    rightprotoport=17/1701
    # rightsubnet=vhost:%no,%priv
    rightsubnet=0.0.0.0/0
    pfs=no
    auto=add

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

This is my ipsec auto --status:

000 interface eth0/eth0 2001:328:2002:5ca2:21b:11ff:fe51:751f
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.148
000 interface eth0/eth0 192.168.1.148
000 interface eth1/eth1 219.93.36.214
000 interface eth1/eth1 219.93.36.214
000 interface tun0/tun0 1.1.1.1
000 interface tun0/tun0 1.1.1.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "roadwarrior": 219.93.36.214[C=MY, ST=Selangor, L=Kuala Lumpur, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net]...60.51.211.53===0.0.0.0/0; unrouted; eroute owner: #0
000 "roadwarrior": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "roadwarrior": CAs: 'C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net'...'%any'
000 "roadwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "roadwarrior": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 32,0; interface: eth1; encap: esp;
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-all": 0.0.0.0/0===219.93.36.214[C=MY, ST=Selangor, L=Kuala Lumpur, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net]...60.51.211.53===0.0.0.0/0; unrouted; eroute owner: #0
000 "roadwarrior-all": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "roadwarrior-all": CAs: 'C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net'...'%any'
000 "roadwarrior-all": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "roadwarrior-all": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,0; interface: eth1; encap: esp;
000 "roadwarrior-all": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-l2tp": 219.93.36.214[C=MY, ST=Selangor, L=Kuala Lumpur, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net]:17/1701...60.51.211.51:17/1701; unrouted; eroute owner: #0
000 "roadwarrior-l2tp": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "roadwarrior-l2tp": CAs: 'C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net'...'%any'
000 "roadwarrior-l2tp": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "roadwarrior-l2tp": policy: RSASIG+ENCRYPT+COMPRESS; prio: 32,32; interface: eth1; encap: esp;
000 "roadwarrior-l2tp": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-l2tp-oldwin": 219.93.36.214[C=MY, ST=Selangor, L=Kuala Lumpur, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net]:17/0...60.51.211.51:17/1701===0.0.0.0/0; unrouted; eroute owner: #0
000 "roadwarrior-l2tp-oldwin": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "roadwarrior-l2tp-oldwin": CAs: 'C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net'...'%any'
000 "roadwarrior-l2tp-oldwin": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "roadwarrior-l2tp-oldwin": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,0; interface: eth1; encap: esp;
000 "roadwarrior-l2tp-oldwin": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-net": 0.0.0.0/0===219.93.36.214[C=MY, ST=Selangor, L=Kuala Lumpur, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net]...60.51.211.53===0.0.0.0/0; unrouted; eroute owner: #0
000 "roadwarrior-net": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "roadwarrior-net": CAs: 'C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net'...'%any'
000 "roadwarrior-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "roadwarrior-net": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,0; interface: eth1; encap: esp;
000 "roadwarrior-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

This is my ipsec verify:

root@vpnserver:~# ipsec varify
/usr/sbin/ipsec: unknown IPsec command `varify' (`ipsec --help' for list)
root@vpnserver:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.24-16-server (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
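
The log and configuration above can be cross-checked mechanically: pluto logs "no connection has been authorized" when no loaded conn accepts the sender, and here the sender is 219.93.36.194 while the conns name 60.51.211.51 or 60.51.211.53 as right=. The script below is an added example, not part of the original post; its function names and the trimmed sample input are constructed for illustration, and matching is simplified to literal IPs and %any.

```python
import re

# Constructed sample input: lines trimmed from the auth.log and ipsec.conf posted above.
SAMPLE_LOG = """\
Nov 5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764: ignoring Vendor ID payload [FRAGMENTATION]
Nov 5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764: initial Main Mode message received on 219.93.36.214:500 but no connection has been authorized
Nov 5 17:44:08 vpnserver pluto[23542]: packet from 219.93.36.194:31764: initial Main Mode message received on 219.93.36.214:500 but no connection has been authorized
"""
SAMPLE_CONF = """\
conn roadwarrior-net
    leftsubnet=0.0.0.0/0
    also=roadwarrior
conn roadwarrior
    left=%defaultroute
    right=60.51.211.53
    auto=add
conn roadwarrior-l2tp
    right=60.51.211.51
    auto=add
conn block
    auto=ignore
"""
REJECT = re.compile(r"packet from (\S+):\d+: initial Main Mode message received on "
                    r"\S+ but no connection has been authorized")

def parse_conns(conf):
    """Return {conn name: {key: value}} with also= inheritance resolved."""
    conns, cur = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and raw[:1].isspace() and "=" in line:
            key, val = line.strip().split("=", 1)
            cur[key.strip()] = val.strip()
    def resolve(name, seen=()):
        own = conns.get(name, {})
        parent = own.get("also")
        if parent and parent not in seen:         # guard against also= loops
            return {**resolve(parent, seen + (name,)), **own}
        return dict(own)
    return {name: resolve(name) for name in conns}

def unmatched_peers(log, conf):
    """Map each rejected peer IP to the right= values of the loaded conns it missed."""
    rights = sorted({c["right"] for c in parse_conns(conf).values()
                     if c.get("auto") == "add" and "right" in c})
    # Simplification (assumption): right= is a literal IP or %any; IDs/certs are not checked.
    return {m.group(1): rights for m in REJECT.finditer(log)
            if "%any" not in rights and m.group(1) not in rights}
```

On the sample input, `unmatched_peers(SAMPLE_LOG, SAMPLE_CONF)` reports 219.93.36.194 against the two configured right= addresses.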