<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.6944.0">
<TITLE>pure ipsec tunnel iphone| XAUTH & certificates | error no suitable connection for peer</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Hello again,<BR>
<BR>
Ive totally redone my certificates; further cleaned up my config but cant get past these messages<BR>
<BR>
pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
<BR>
config and full logs are below.<BR>
<BR>
thanks,<BR>
Rich<BR>
<BR>
ipsec.conf<BR>
<BR>
config setup<BR>
plutoopts="--perpeerlog"<BR>
nat_traversal=yes<BR>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25/8<BR>
oe=off<BR>
protostack=netkey<BR>
<BR>
<BR>
conn iphone<BR>
auto=add<BR>
dpdaction=clear<BR>
dpdtimeout=15<BR>
dpddelay=10<BR>
pfs=no<BR>
leftcert=/etc/ipsec.d/certs/OpenswanCert.pem<BR>
left=%defaultroute<BR>
leftsubnet=0.0.0.0/0<BR>
leftxauthserver=yes<BR>
leftmodecfgserver=yes<BR>
leftrsasigkey=%cert<BR>
right=%any<BR>
rightid='@#0x70736b'<BR>
rightmodecfgclient=yes<BR>
rightsubnet=vhost:%priv,%no<BR>
modecfgpull=yes<BR>
<BR>
<BR>
<BR>
/var/log/secure output<BR>
<BR>
May 26 20:14:33 linuxserver pluto[16726]: Starting Pluto (Openswan Version 2.6.33; Vendor ID OEghI_w\134ALFy) pid:16726<BR>
May 26 20:14:33 linuxserver pluto[16726]: LEAK_DETECTIVE support [disabled]<BR>
May 26 20:14:33 linuxserver pluto[16726]: OCF support for IKE [disabled]<BR>
May 26 20:14:33 linuxserver pluto[16726]: SAref support [disabled]: Protocol not available<BR>
May 26 20:14:33 linuxserver pluto[16726]: SAbind support [disabled]: Protocol not available<BR>
May 26 20:14:33 linuxserver pluto[16726]: NSS support [disabled]<BR>
May 26 20:14:33 linuxserver pluto[16726]: HAVE_STATSD notification support not compiled in<BR>
May 26 20:14:33 linuxserver pluto[16726]: Setting NAT-Traversal port-4500 floating to on<BR>
May 26 20:14:33 linuxserver pluto[16726]: port floating activation criteria nat_t=1/port_float=1<BR>
May 26 20:14:33 linuxserver pluto[16726]: NAT-Traversal support [enabled]<BR>
May 26 20:14:33 linuxserver pluto[16726]: using /dev/urandom as source of random entropy<BR>
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<BR>
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<BR>
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<BR>
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<BR>
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<BR>
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)<BR>
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)<BR>
May 26 20:14:33 linuxserver pluto[16726]: starting up 1 cryptographic helpers<BR>
May 26 20:14:33 linuxserver pluto[16731]: using /dev/urandom as source of random entropy<BR>
May 26 20:14:33 linuxserver pluto[16726]: started helper pid=16731 (fd:7)<BR>
May 26 20:14:33 linuxserver pluto[16726]: Using Linux 2.6 IPsec interface code on 2.6.21.5-smp (experimental code)<BR>
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)<BR>
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_add(): ERROR: Algorithm already exists<BR>
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)<BR>
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_add(): ERROR: Algorithm already exists<BR>
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)<BR>
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_add(): ERROR: Algorithm already exists<BR>
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)<BR>
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_add(): ERROR: Algorithm already exists<BR>
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)<BR>
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_add(): ERROR: Algorithm already exists<BR>
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)<BR>
May 26 20:14:35 linuxserver pluto[16726]: Changed path to directory '/etc/ipsec.d/cacerts'<BR>
May 26 20:14:35 linuxserver pluto[16726]: loaded CA cert file 'OpenswanCert.pem' (1330 bytes)<BR>
May 26 20:14:35 linuxserver pluto[16726]: Changed path to directory '/etc/ipsec.d/aacerts'<BR>
May 26 20:14:35 linuxserver pluto[16726]: Changed path to directory '/etc/ipsec.d/ocspcerts'<BR>
May 26 20:14:35 linuxserver pluto[16726]: Changing to directory '/etc/ipsec.d/crls'<BR>
May 26 20:14:35 linuxserver pluto[16726]: loaded crl file 'crl3.pem' (609 bytes)<BR>
May 26 20:14:35 linuxserver pluto[16726]: loaded crl file 'crl2.pem' (609 bytes)<BR>
May 26 20:14:35 linuxserver pluto[16726]: loaded crl file 'crl.pem' (609 bytes)<BR>
May 26 20:14:35 linuxserver pluto[16726]: loading certificate from /etc/ipsec.d/certs/OpenswanCert.pem<BR>
May 26 20:14:35 linuxserver pluto[16726]: loaded host cert file '/etc/ipsec.d/certs/OpenswanCert.pem' (1330 bytes)<BR>
May 26 20:14:35 linuxserver pluto[16726]: added connection description "iphone"<BR>
May 26 20:14:36 linuxserver pluto[16726]: listening for IKE messages<BR>
May 26 20:14:36 linuxserver pluto[16726]: adding interface eth0/eth0 192.168.0.2:500<BR>
May 26 20:14:36 linuxserver pluto[16726]: adding interface eth0/eth0 192.168.0.2:4500<BR>
May 26 20:14:36 linuxserver pluto[16726]: adding interface lo/lo 127.0.0.1:500<BR>
May 26 20:14:36 linuxserver pluto[16726]: adding interface lo/lo 127.0.0.1:4500<BR>
May 26 20:14:36 linuxserver pluto[16726]: adding interface lo/lo ::1:500<BR>
May 26 20:14:36 linuxserver pluto[16726]: loading secrets from "/etc/ipsec.secrets"<BR>
May 26 20:14:36 linuxserver pluto[16726]: loaded private key file '/etc/ipsec.d/private/hostKey.pem' (1743 bytes)<BR>
May 26 20:14:36 linuxserver pluto[16726]: loaded private key for keyid: PPK_RSA:AwEAAb3qE<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [RFC 3947] method set to=109<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [XAUTH]<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [Cisco-Unity]<BR>
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [Dead Peer Detection]<BR>
May 26 20:16:13 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: responding to Main Mode from unknown peer 203.20.35.28<BR>
May 26 20:16:13 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<BR>
May 26 20:16:13 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: STATE_MAIN_R1: sent MR1, expecting MI2<BR>
May 26 20:16:14 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed<BR>
May 26 20:16:14 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<BR>
May 26 20:16:14 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: STATE_MAIN_R2: sent MR2, expecting MI3<BR>
May 26 20:16:16 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>
May 26 20:16:16 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
May 26 20:16:16 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
May 26 20:16:16 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561<BR>
May 26 20:16:20 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>
May 26 20:16:20 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
May 26 20:16:20 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
May 26 20:16:20 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561<BR>
May 26 20:16:22 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>
May 26 20:16:22 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
May 26 20:16:22 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
May 26 20:16:22 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561<BR>
May 26 20:16:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>
May 26 20:16:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
May 26 20:16:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
May 26 20:16:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561<BR>
May 26 20:16:25 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>
May 26 20:16:25 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
May 26 20:16:25 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
May 26 20:16:25 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561<BR>
May 26 20:16:38 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>
May 26 20:16:38 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
May 26 20:16:38 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
May 26 20:16:38 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561<BR>
May 26 20:16:45 linuxserver pluto[16726]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 203.20.35.28 port 29561, complainant 203.20.35.28: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]<BR>
May 26 20:17:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: max number of retransmissions (2) reached STATE_MAIN_R2<BR>
May 26 20:17:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28: deleting connection "iphone" instance with peer 203.20.35.28 {isakmp=#0/ipsec=#0</FONT></P>
</BODY>
</HTML>