[Openswan Users] Conn road not function

sasa sasa at shoponweb.it
Wed Dec 29 13:33:38 CET 2004


Hi, I have a problem with the connection 'road'. My ipsec.conf (I use FC1):

conn left-road
  auto=add
  authby=secret
  pfs=no
  type=transport
#site A, left (local)
  left=1.2.3.4
#leftnexthop is the public IP assigned to the ADSL router
  leftnexthop=89.191.223.97
  leftprotoport=17/1701
#site B, road
  right=%any
  rightprotoport=17/1701



..where:

1.2.3.4 is the IP address on eth0 (public interface and ipsec interface)

1.2.3.5 is the IP address on my ADSL router



in the log file:



Dec 29 12:26:01 fw pluto[5203]: packet from 213.45.204.218:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Dec 29 12:26:01 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: responding to Main Mode from unknown peer 213.45.204.218
Dec 29 12:26:01 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: transition from state (null) to state STATE_MAIN_R1
Dec 29 12:26:01 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 29 12:26:02 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: Peer ID is ID_IPV4_ADDR: '213.45.204.218'
Dec 29 12:26:02 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: I did not send a certificate because I do not have one.
Dec 29 12:26:02 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 29 12:26:02 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: sent MR3, ISAKMP SA established
Dec 29 12:26:02 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: cannot respond to IPsec SA request because no connection is known for 1.2.3.4:17/0...213.45.204.218:17/1701
Dec 29 12:26:02 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: sending encrypted notification INVALID_ID_INFORMATION to 213.45.204.218:500
Dec 29 12:26:03 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcecc8b04 (perhaps this is a duplicated packet)
Dec 29 12:26:03 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: sending encrypted notification INVALID_MESSAGE_ID to 213.45.204.218:500
Dec 29 12:26:05 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcecc8b04 (perhaps this is a duplicated packet)
Dec 29 12:26:05 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: sending encrypted notification INVALID_MESSAGE_ID to 213.45.204.218:500
Dec 29 12:26:09 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcecc8b04 (perhaps this is a duplicated packet)
Dec 29 12:26:09 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: sending encrypted notification INVALID_MESSAGE_ID to 213.45.204.218:500
Dec 29 12:26:17 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcecc8b04 (perhaps this is a duplicated packet)
Dec 29 12:26:17 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: sending encrypted notification INVALID_MESSAGE_ID to 213.45.204.218:500
Dec 29 12:26:34 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcecc8b04 (perhaps this is a duplicated packet)
Dec 29 12:26:34 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: sending encrypted notification INVALID_MESSAGE_ID to 213.45.204.218:500
Dec 29 12:27:05 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: received Delete SA payload: deleting ISAKMP State #6
Dec 29 12:27:05 fw pluto[5203]: "left-road"[2] 213.45.204.218: deleting connection "left-road" instance with peer 213.45.204.218 {isakmp=#0/ipsec=#0}
Dec 29 12:27:05 fw pluto[5203]: packet from 213.45.204.218:500: received and ignored informational message



and:



[root@fw root]# ipsec whack --status
000 interface ipsec0/eth0 1.2.3.4
000 interface ipsec0/eth0 1.2.3.4
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,8,36} trans={0,8,96} attrs={0,8,160}
000
000 "left-road": 1.2.3.4:17/1701---1.2.3.5...%any:17/1701; unrouted; eroute owner: #0
000 "left-road":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "left-road":   policy: PSK+ENCRYPT; prio: 32,32; interface: eth0;
000 "left-road":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "left-road":   IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "left-road":   IKE algorithms found:  5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "left-road":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "left-road":   ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "left-road"[2]: 1.2.3.4:17/1701---1.2.3.5...213.45.204.218:17/1701; unrouted; eroute owner: #0
000 "left-road"[2]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "left-road"[2]:   policy: PSK+ENCRYPT; prio: 32,32; interface: eth0;
000 "left-road"[2]:   newest ISAKMP SA: #6; newest IPsec SA: #0;
000 "left-road"[2]:   IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "left-road"[2]:   IKE algorithms found:  5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "left-road"[2]:   IKE algorithm newest: 3DES_CBC_192-SHA-MODP1024
000 "left-road"[2]:   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "left-road"[2]:   ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000
000 #6: "left-road"[2] 213.45.204.218 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3270s; newest ISAKMP
000



thanks.

Salvatore.
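
Added example (not part of the original post, and not Openswan code): a small Python check that pulls the selectors out of pluto's "no connection is known for" line and compares them with the conn's left/right and protoport values. The CONN dict, the function name and the regex are assumptions made for this illustration; the log lines are copied from the post, and only the host-to-host form seen in this log is parsed.

```python
import re

# Selectors of "conn left-road" as posted above (left is the local side).
CONN = {"left": "1.2.3.4", "leftprotoport": "17/1701",
        "right": "%any", "rightprotoport": "17/1701"}

# Sample input: three lines copied from the pluto log in the post.
LOG = '''\
Dec 29 12:26:02 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: sent MR3, ISAKMP SA established
Dec 29 12:26:02 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: cannot respond to IPsec SA request because no connection is known for 1.2.3.4:17/0...213.45.204.218:17/1701
Dec 29 12:26:02 fw pluto[5203]: "left-road"[2] 213.45.204.218 #6: sending encrypted notification INVALID_ID_INFORMATION to 213.45.204.218:500
'''

# Matches only the rejection line and captures addr:proto/port for both ends.
REJECT = re.compile(
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? \S+ #\d+: cannot respond to IPsec SA request '
    r'because no connection is known for '
    r'(?P<us>[^:\s]+):(?P<us_pp>\d+/\d+)\.\.\.(?P<peer>[^:\s]+):(?P<peer_pp>\d+/\d+)'
)


def diagnose(log_text, conn):
    """Return (side, key, configured, proposed) for every selector that differs.

    Simplified model: an address of %any accepts any peer address, and a
    protoport value must equal the proposed proto/port exactly.
    """
    findings = []
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue
        sides = (
            ("local", "left", "leftprotoport", m["us"], m["us_pp"]),
            ("peer", "right", "rightprotoport", m["peer"], m["peer_pp"]),
        )
        for side, addr_key, pp_key, addr, pp in sides:
            if conn[addr_key] not in ("%any", addr):
                findings.append((side, addr_key, conn[addr_key], addr))
            if conn[pp_key] != pp:
                findings.append((side, pp_key, conn[pp_key], pp))
    return findings


if __name__ == "__main__":
    for side, key, configured, proposed in diagnose(LOG, CONN):
        print(f"{side} side: {key}={configured} but the peer proposed {proposed}")
```

Run on the log above, it reports that the peer proposed 17/0 for the local side while the conn requires 17/1701; the peer-side selector (17/1701) agrees with rightprotoport.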


