[Openswan Users] Help: no suitable connection for peer

Paul Wouters paul at xelerance.com
Thu Feb 3 14:39:15 CET 2005


On Wed, 2 Feb 2005, Rodrigo wrote:

>
> Notebook(xp)          gw                    vpn gw (debian)                  desktop(xp)
> 10.10.2.154-----------10.10.1.200--------------10.10.1.231 / 192.168.0.1--------192.168.0.2
> (dhcp)                                          eth0(dhcp)  /  eth1
>

> version 2.0
>
> config setup
> 	interfaces=%defaultroute
> 	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

You forgot nat_traversal=yes.
You forgot to add an exclusion for your own subnet from the net:
  	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24

> my ipsec.secrets 
> : RSA teste.key ""

Does that work for an empty passphrase? I thought you just didn't need to add it to the file
in that case?

> I'm using Marcus Müller's ipsec.exe utility with Win XP Prof SP2.

Make sure the Windows firewall is off. I had issues where McAfee (antivirus) was
spamvertising that I wasn't running a firewall (which I don't want indeed), but it didn't
recognise the new Windows built-in one (just its own brand, I guess).

> conn roadwarrior
> 	left=%any
> 	right=10.10.1.231
> 	rightca="C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,Email=nobregasz at yahoo.com.br <http://br.f149.mail.yahoo.com/ym/Compose?To=nobregasz@yahoo.com.br&YY=31559&order=down&sort=date&pos=0&view=a&head=b>"

Adding odd symbols in here is REALLY bad. Is this an email client mess up, or actually in your config?

> When I try to ping 192.168.0.1 or 192.168.0.2 or 10.10.1.321 from 10.10.2.154
> I'm receiving "Negotiating IP Security" and 100% packet loss.

Enable and check oakley.log.

> I'm using:
> iptables -A INPUT -p 50 -j ACCEPT
> iptables -A INPUT -p 51 -j ACCEPT
> iptables -A OUTPUT -p 50 -j ACCEPT
> iptables -A OUTPUT -p 51 -j ACCEPT
> iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT

Add an ACCEPT rule for UDP 4500 as well.

> Feb  2 16:26:15 vpn pluto[3320]: packet from 10.10.2.154:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]

I'd very much like to know what vendor string this is, based on your oakley.log!

> Feb  2 16:26:15 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0===...10.10.2.154===? #5: responding to Main Mode from unknown peer 10.10.2.154

That is because nat_traversal wasn't enabled.

Paul
-- 

"At best it is a theory, at worst a fantasy" -- Michael Crichton
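The three fixes Paul asks for in the reply above (nat_traversal=yes, a %v4:! exclusion for the gateway's own LAN in virtual_private, and a firewall rule for UDP 4500) can be checked mechanically. The script below is an added example, not code from the original thread or from Openswan: it parses a minimal ipsec.conf and an iptables rule list and reports which of the three are missing. The config and rules embedded in it are a constructed copy of the poster's snippets, and the LAN behind eth1 is assumed to be 192.168.0.0/24, which is what the diagram suggests and what Paul's corrected virtual_private line excludes.

```python
"""Lint an Openswan 2.x ipsec.conf and an iptables rule list for the
road-warrior/NAT-T mistakes discussed in the thread.  Added example, not
code from the original post or from Openswan; the samples are constructed
and the LAN subnet is an assumption taken from the network diagram."""
import ipaddress
import re

# Constructed from the poster's "config setup" and "conn roadwarrior".
SAMPLE_IPSEC_CONF = """\
version 2.0

config setup
\tinterfaces=%defaultroute
\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn roadwarrior
\tleft=%any
\tright=10.10.1.231
"""

# Constructed from the poster's iptables rules (no UDP 4500 rule yet).
SAMPLE_IPTABLES = """\
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
"""

LOCAL_LAN = "192.168.0.0/24"   # assumption: the eth1 network in the diagram


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' -> 'setup',
    'conn X' -> 'X'.  Handles only the plain key=value grammar."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # header: config/conn/version
            parts = line.split()
            current = parts[1] if parts[0] in ("config", "conn") and len(parts) > 1 else None
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def virtual_private_covers(vp, local_net):
    """True when local_net lies inside a %v4: include of virtual_private and
    no %v4:! entry carves it out, i.e. a road warrior may claim an inner
    address that collides with the gateway's own LAN."""
    local = ipaddress.ip_network(local_net)
    included = excluded = False
    for entry in vp.split(","):
        m = re.fullmatch(r"%v4:(!?)(\S+)", entry.strip())
        if not m:
            continue
        if local.subnet_of(ipaddress.ip_network(m.group(2))):
            if m.group(1):
                excluded = True
            else:
                included = True
    return included and not excluded


def fixed_virtual_private(vp, local_net):
    """Append the %v4:! exclusion for local_net when it is missing."""
    return vp if not virtual_private_covers(vp, local_net) else f"{vp},%v4:!{local_net}"


def iptables_allows_udp(rules, chain, port):
    """Is there an ACCEPT for UDP --dport <port> in <chain>?"""
    pat = re.compile(rf"-A\s+{chain}\b.*-p\s+udp\b.*--dport\s+{port}\b.*-j\s+ACCEPT")
    return any(pat.search(line) for line in rules.splitlines())


def lint(conf_text, iptables_text, local_net):
    """Return the list of findings; empty when all three fixes are present."""
    setup = parse_ipsec_conf(conf_text).get("setup", {})
    findings = []
    if setup.get("nat_traversal") != "yes":
        findings.append("config setup lacks nat_traversal=yes")
    vp = setup.get("virtual_private", "")
    if virtual_private_covers(vp, local_net):
        findings.append("virtual_private does not exclude the local LAN; use "
                        f"virtual_private={fixed_virtual_private(vp, local_net)}")
    for chain in ("INPUT", "OUTPUT"):
        if not iptables_allows_udp(iptables_text, chain, 4500):
            findings.append(f"no ACCEPT for UDP 4500 (NAT-T) in {chain}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_IPSEC_CONF, SAMPLE_IPTABLES, LOCAL_LAN):
        print("-", finding)
```

Run against the poster's snippets it reports all four problems (nat_traversal, the missing exclusion, and UDP 4500 in both chains); the suggested virtual_private it prints is exactly the line Paul gives above. The exclusion check is the interesting part: a road warrior behind NAT picks an inner address from virtual_private, so without the %v4:! entry it may choose one inside the gateway's own LAN and the resulting routes collide.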

