[Openswan Users] Openswan connection difficulties
Steve Wakelin
steve at wcsl.net
Wed Jun 30 13:48:55 CEST 2004
Hello,
Kernel V2.4.26
OpenSwan 2.1.4 nattpatch installed
Ipsec.conf
version 2.0
config setup
interfaces=ipsec0=eth0
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
conn roadwarrior
left=213.232.93.110
leftcert=www.sfpost.net.pem
right=%any
rightsubnet=vhost:%no,%priv
auto=add
pfs=yes
conn roadwarrior-l2tp
pfs=no
leftprotoport=17/0
rightprotoport=17/1701
also=roadwarrior
conn roadwarrior-l2tp-updatedwin
pfs=no
leftprotoport=17/1701
rightprotoport=17/1701
also=roadwarrior
conn roadwarrior-net-1
leftsubnet=172.16.200.1/32
also=roadwarrior
conn roadwarrior-net-2
leftsubnet=172.16.200.2/32
also=roadwarrior
Windows 2000
Ipsec.conf
C:\ipsec>type ipsec.conf
conn roadwarrior
left=%any
leftsubnet=192.168.2.0/255.255.255.0
right=213.232.93.110
rightsubnet=172.16.200.1/255.255.255.255
rightca="C=GB,S=Hertfordshire,L=Harpenden,O=WCSL,OU=sfbackup,CN=www.sfpost.net,Email=support at wcsl.net"
network=auto
auto=start
pfs=yes
Log file extract:
Jun 30 12:45:04 p4-7165 pluto[9191]: "roadwarrior"[11] 81.178.19.145 #6:
responding to Main Mode from unknown peer 81.178.19.145
Jun 30 12:45:04 p4-7165 pluto[9191]: "roadwarrior"[11] 81.178.19.145 #6:
transition from state (null) to state STATE_MAIN_R1
Jun 30 12:45:05 p4-7165 pluto[9191]: "roadwarrior"[11] 81.178.19.145 #6:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 30 12:45:06 p4-7165 pluto[9191]: "roadwarrior"[11] 81.178.19.145 #6:
Peer ID is ID_DER_ASN1_DN: 'C=GB, ST=Hertfordshire, L=Harpenden, O=WCSL,
CN=www.wcsl.net, E=support at wcsl.net'
Jun 30 12:45:06 p4-7165 pluto[9191]: "roadwarrior"[12] 81.178.19.145 #6:
deleting connection "roadwarrior" instance with peer 81.178.19.145
{isakmp=#0/ipsec=#0}
Jun 30 12:45:06 p4-7165 pluto[9191]: "roadwarrior"[12] 81.178.19.145 #6:
deleting connection "roadwarrior" instance with peer 81.178.19.145
{isakmp=#1/ipsec=#0}
Jun 30 12:45:06 p4-7165 pluto[9191]: "roadwarrior" #1: deleting state
(STATE_MAIN_R3)
Jun 30 12:45:06 p4-7165 pluto[9191]: "roadwarrior"[12] 81.178.19.145 #6:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 30 12:45:06 p4-7165 pluto[9191]: "roadwarrior"[12] 81.178.19.145 #6:
sent MR3, ISAKMP SA established
Jun 30 12:45:06 p4-7165 pluto[9191]: "roadwarrior"[12] 81.178.19.145 #6:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jun 30 12:45:06 p4-7165 pluto[9191]: ERROR: asynchronous network error
report on eth0 for message to 81.178.19.145 port 2, complainant
81.178.19.145: Connection refused [errno 111, origin ICMP type 3 code 3
(not authenticated)]
Jun 30 12:45:07 p4-7165 pluto[9191]: "roadwarrior"[12] 81.178.19.145 #6:
cannot respond to IPsec SA request because no connection is known for
172.16.200.1/32===213.232.93.110[C=GB, ST=Hertfordshire, L=Harpenden,
O=WCSL, OU=sfbackup, CN=www.sfpost.net,
E=support at wcsl.net,S=C]...81.178.19.145[C=GB, ST=Hertfordshire,
L=Harpenden, O=WCSL, CN=www.wcsl.net,
E=support at wcsl.net,S=C]===192.168.2.0/24
Jun 30 12:45:07 p4-7165 pluto[9191]: "roadwarrior"[12] 81.178.19.145 #6:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x2450ab30 (perhaps this is a duplicated packet)
Network Configuration
Windows 2000 - 192.168.2.3
NAT Gateway - 81.178.19.146
IPsec machine
eth0: 213.232.93.110
eth0:1 172.16.200.1
eth0:2 172.16.200.2
I wish to bind services for specific inbound connections to the eth0:1
and eth0:2 addresses e.g. Samba.
Any assistance greatly appreciated.
Regards
/Steve
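The Quick Mode failure in the log above is pluto reporting the tunnel tuple it could not match: the client asked for 172.16.200.1/32 on the server side and 192.168.2.0/24 on its own side, while the server's roadwarrior conn offers rightsubnet=vhost:%no,%priv. In ipsec.conf(5) terms, vhost: accepts a single virtual host (the peer's own address with %no, or one address inside virtual_private with %priv), whereas a whole virtual subnet needs vnet:. The script below is an added example, not code from the post or from Openswan: it parses the "no connection is known for" line into its left/right subnet and ID components and checks the peer's proposed subnet against a vhost:/vnet: specification and the post's virtual_private list. The sample log line is the post's multi-line entry joined onto one line (constructed), and the regular expression for the message layout is an assumption based on that single entry.

```python
"""Diagnose an Openswan 'no connection is known for ...' Quick Mode failure.

Added example, not from the original post or from Openswan.  It extracts the
tunnel tuple pluto could not match from the log line and checks the peer's
proposed subnet against an ipsec.conf rightsubnet=vhost:/vnet: specification.
"""
import ipaddress
import re

# Values copied from the server-side ipsec.conf in the post.
VIRTUAL_PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
SERVER_RIGHTSUBNET = "vhost:%no,%priv"

# Constructed sample: the post's wrapped log entry joined onto one line.
SAMPLE_LOG = (
    'Jun 30 12:45:07 p4-7165 pluto[9191]: "roadwarrior"[12] 81.178.19.145 #6: '
    "cannot respond to IPsec SA request because no connection is known for "
    "172.16.200.1/32===213.232.93.110[C=GB, ST=Hertfordshire, L=Harpenden, "
    "O=WCSL, OU=sfbackup, CN=www.sfpost.net, E=support at wcsl.net,S=C]"
    "...81.178.19.145[C=GB, ST=Hertfordshire, L=Harpenden, O=WCSL, "
    "CN=www.wcsl.net, E=support at wcsl.net,S=C]===192.168.2.0/24"
)

# Assumed layout of the message: LSUB===LIP[LID]...RIP[RID]===RSUB
NO_CONN_RE = re.compile(
    r"no connection is known for "
    r"(?P<lsub>[\d./]+)===(?P<lip>[\d.]+)\[(?P<lid>[^\]]*)\]"
    r"\.\.\.(?P<rip>[\d.]+)\[(?P<rid>[^\]]*)\]===(?P<rsub>[\d./]+)"
)


def parse_no_connection(line):
    """Return the unmatched tunnel tuple from a pluto log line, or None if
    the line is not a 'no connection is known' message."""
    m = NO_CONN_RE.search(line)
    if m is None:
        return None
    return {
        "leftsubnet": ipaddress.ip_network(m["lsub"]),
        "left": ipaddress.ip_address(m["lip"]),
        "leftid": m["lid"],
        "right": ipaddress.ip_address(m["rip"]),
        "rightid": m["rid"],
        "rightsubnet": ipaddress.ip_network(m["rsub"]),
    }


def check_rightsubnet(spec, proposed, peer, virtual_private=VIRTUAL_PRIVATE):
    """Check a peer's proposed subnet against a rightsubnet= specification.

    spec is 'vhost:<sel>,...' or 'vnet:<sel>,...'; each selector is %no (the
    peer's own address), %priv (any virtual_private range) or a CIDR block.
    vhost: only ever matches a single host, vnet: matches a subnet.
    Returns (accepted, reason).
    """
    proposed = ipaddress.ip_network(proposed)
    peer = ipaddress.ip_address(peer)
    kind, _, selectors = spec.partition(":")
    if kind not in ("vhost", "vnet"):
        return False, "rightsubnet spec must start with vhost: or vnet:"
    if kind == "vhost" and proposed.prefixlen != 32:
        return False, ("vhost: matches a single host, but the peer proposed "
                       f"{proposed}; use vnet: to accept a subnet")
    for sel in (s.strip() for s in selectors.split(",")):
        if sel == "%no":
            if proposed == ipaddress.ip_network(f"{peer}/32"):
                return True, "matches %no (peer's own address)"
        elif sel == "%priv":
            for rng in virtual_private:
                if proposed.subnet_of(ipaddress.ip_network(rng)):
                    return True, f"matches %priv via virtual_private {rng}"
        elif proposed.subnet_of(ipaddress.ip_network(sel)):
            return True, f"matches explicit selector {sel}"
    return False, "proposed subnet matches no selector"


def diagnose(line, spec=SERVER_RIGHTSUBNET, virtual_private=VIRTUAL_PRIVATE):
    """Parse the log line and evaluate the peer's proposal against spec."""
    info = parse_no_connection(line)
    if info is None:
        return None
    ok, why = check_rightsubnet(spec, info["rightsubnet"], info["right"],
                                virtual_private)
    return {**info, "accepted": ok, "reason": why}


if __name__ == "__main__":
    for spec in (SERVER_RIGHTSUBNET, "vnet:%priv"):
        result = diagnose(SAMPLE_LOG, spec)
        print(f"{spec}: accepted={result['accepted']} ({result['reason']})")
```

Run against the post's log line, the vhost:%no,%priv spec is rejected because the Windows side proposed a /24, while vnet:%priv would accept it since 192.168.2.0/24 lies inside the 192.168.0.0/16 entry of virtual_private. The left half of the tuple (172.16.200.1/32 on 213.232.93.110) is the one the roadwarrior-net-1 conn already defines, so the script only judges the right half; the DN mismatch between rightca in the client config and the peer ID pluto logged is visible in the parsed leftid/rightid fields but is not evaluated here.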