[Openswan Users] sendto on eth0 to xxx.xxx.xxx.xxx:4500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Joachim Pahnke
Joachim.Pahnke at t-online.de
Wed Jan 19 17:09:00 CET 2005
Hi,
I am new to the list, so hello to all :)
I hope you can help me with this:
I have one gateway with a fixed IP address and a roadwarrior client behind a
NATed firewall. Both machines are running SuSE 9.2 with a self-compiled
openswan 2.3.0. Authentication should be done via self-signed certificates.
When the connection is started I get the following error message:
sendto on eth0 to xxx.xxx.xxx.xxx:4500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Now the config files and logs for both machines:
left config:
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:192.168.10.0/24
        plutodebug="all"
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior
conn roadwarrior-net
        leftsubnet=192.168.10.0/24
        also=roadwarrior
conn roadwarrior
        left=%defaultroute
        leftcert=xxxx.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
right config:
config setup
        interfaces=%defaultroute
        nat_traversal=yes
conn %default
        keyingtries=1
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
conn roadwarrior-net
        leftsubnet=192.168.10.0/24
        also=roadwarrior
conn roadwarrior
        left=xxx.xxx.xxx.xxx
        leftcert=xxxx.pem
        leftid="C=XX, ST=XX, L=XX, O=XXr, OU=XX, CN=XX, E=XX at XX.de"
        leftca=%same
        right=%defaultroute
        rightcert=XXX.pem
        auto=start
        pfs=yes
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
left log:
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: insmod /lib/modules/2.6.8-24.5-default/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.8-24.5-default/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.8-24.5-default/kernel/net/xfrm/xfrm_user.ko
Jan 19 16:49:41 whvpngw2 ipsec_setup: Stopping Openswan IPsec...
Jan 19 16:49:42 whvpngw2 kernel: NET: Registered protocol family 15
Jan 19 16:49:42 whvpngw2 kernel: Initializing IPsec netlink socket
Jan 19 16:49:42 whvpngw2 ipsec_setup: KLIPS ipsec0 on eth1 xxx.xxx.xxx.xxx/255.255.255.248 broadcast xxx.xxx.xxx.xxx
Jan 19 16:49:42 whvpngw2 ipsec__plutorun: Starting Pluto subsystem...
Jan 19 16:49:42 whvpngw2 ipsec_setup: ...Openswan IPsec started
Jan 19 16:49:42 whvpngw2 ipsec_setup: Starting Openswan IPsec 2.3.0...
Jan 19 16:49:42 whvpngw2 ipsec_setup: insmod /lib/modules/2.6.8-24.5-default/kernel/net/key/af_key.ko
Jan 19 16:49:42 whvpngw2 ipsec_setup: insmod /lib/modules/2.6.8-24.5-default/kernel/net/ipv4/xfrm4_tunnel.ko
Jan 19 16:49:42 whvpngw2 ipsec_setup: insmod /lib/modules/2.6.8-24.5-default/kernel/net/xfrm/xfrm_user.ko
Jan 19 16:49:42 whvpngw2 pluto[384]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jan 19 16:49:42 whvpngw2 pluto[384]: Setting port floating to on
Jan 19 16:49:42 whvpngw2 pluto[384]: port floating activate 1/1
Jan 19 16:49:42 whvpngw2 pluto[384]: including NAT-Traversal patch (Version 0.6c)
Jan 19 16:49:42 whvpngw2 pluto[384]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan 19 16:49:42 whvpngw2 pluto[384]: starting up 1 cryptographic helpers
Jan 19 16:49:42 whvpngw2 pluto[384]: started helper pid=385 (fd:6)
Jan 19 16:49:42 whvpngw2 pluto[384]: Using Linux 2.6 IPsec interface code
Jan 19 16:49:42 whvpngw2 pluto[384]: Changing to directory '/etc/ipsec.d/cacerts'
Jan 19 16:49:42 whvpngw2 pluto[384]: loaded CA cert file 'cacert.pem' (1334 bytes)
Jan 19 16:49:42 whvpngw2 pluto[384]: Could not change to directory '/etc/ipsec.d/aacerts'
Jan 19 16:49:42 whvpngw2 pluto[384]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jan 19 16:49:42 whvpngw2 pluto[384]: Changing to directory '/etc/ipsec.d/crls'
Jan 19 16:49:42 whvpngw2 pluto[384]: loaded crl file 'crl.pem' (536 bytes)
Jan 19 16:49:42 whvpngw2 pluto[384]: loaded host cert file '/etc/ipsec.d/certs/whvpngw2.hockenheim.weidenhammer.de.pem' (3748 bytes)
Jan 19 16:49:42 whvpngw2 pluto[384]: added connection description "roadwarrior"
Jan 19 16:49:43 whvpngw2 pluto[384]: loaded host cert file '/etc/ipsec.d/certs/whvpngw2.hockenheim.weidenhammer.de.pem' (3748 bytes)
Jan 19 16:49:43 whvpngw2 pluto[384]: added connection description "roadwarrior-all"
Jan 19 16:49:43 whvpngw2 pluto[384]: loaded host cert file '/etc/ipsec.d/certs/whvpngw2.hockenheim.weidenhammer.de.pem' (3748 bytes)
Jan 19 16:49:43 whvpngw2 pluto[384]: added connection description "roadwarrior-net"
Jan 19 16:49:43 whvpngw2 pluto[384]: listening for IKE messages
Jan 19 16:49:43 whvpngw2 pluto[384]: adding interface eth1/eth1 xxx.xxx.xxx.xxx
Jan 19 16:49:43 whvpngw2 pluto[384]: adding interface eth1/eth1 xxx.xxx.xxx.xxx:4500
Jan 19 16:49:43 whvpngw2 pluto[384]: adding interface eth0/eth0 192.168.10.198
Jan 19 16:49:43 whvpngw2 pluto[384]: adding interface eth0/eth0 192.168.10.198:4500
Jan 19 16:49:43 whvpngw2 pluto[384]: adding interface lo/lo 127.0.0.1
Jan 19 16:49:43 whvpngw2 pluto[384]: adding interface lo/lo 127.0.0.1:4500
Jan 19 16:49:43 whvpngw2 pluto[384]: adding interface lo/lo ::1
Jan 19 16:49:43 whvpngw2 pluto[384]: loading secrets from "/etc/ipsec.secrets"
Jan 19 16:49:43 whvpngw2 pluto[384]: loaded private key file '/etc/ipsec.d/private/whvpngw2.hockenheim.weidenhammer.de.key' (1688 bytes)
Jan 19 16:49:43 whvpngw2 pluto[384]: loaded private key file '/etc/ipsec.d/private/vpngw.weidenhammer.gr.key' (1688 bytes)
Jan 19 16:49:48 whvpngw2 pluto[384]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [Dead Peer Detection]
Jan 19 16:49:48 whvpngw2 pluto[384]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Jan 19 16:49:48 whvpngw2 pluto[384]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
Jan 19 16:49:48 whvpngw2 pluto[384]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 19 16:49:48 whvpngw2 pluto[384]: "roadwarrior"[1] xxx.xxx.xxx.xxx #1: responding to Main Mode from unknown peer xxx.xxx.xxx.xxx
Jan 19 16:49:48 whvpngw2 pluto[384]: "roadwarrior"[1] xxx.xxx.xxx.xxx #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 19 16:49:49 whvpngw2 pluto[384]: "roadwarrior"[1] xxx.xxx.xxx.xxx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jan 19 16:49:49 whvpngw2 pluto[384]: "roadwarrior"[1] xxx.xxx.xxx.xxx #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 19 16:50:59 whvpngw2 pluto[384]: "roadwarrior"[1] xxx.xxx.xxx.xxx #1: max number of retransmissions (2) reached STATE_MAIN_R2
Jan 19 16:50:59 whvpngw2 pluto[384]: "roadwarrior"[1] xxx.xxx.xxx.xxx: deleting connection "roadwarrior" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
right log:
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: insmod /lib/modules/2.6.8-24.10-default/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.8-24.10-default/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.8-24.10-default/kernel/net/xfrm/xfrm_user.ko
Jan 19 16:50:53 vpngw ipsec_setup: Stopping Openswan IPsec...
Jan 19 16:50:53 vpngw kernel: NET: Registered protocol family 15
Jan 19 16:50:53 vpngw kernel: Initializing IPsec netlink socket
Jan 19 16:50:53 vpngw ipsec_setup: KLIPS ipsec0 on eth0 192.168.1.24/255.255.255.0 broadcast 192.168.1.255
Jan 19 16:50:53 vpngw ipsec__plutorun: Starting Pluto subsystem...
Jan 19 16:50:53 vpngw ipsec_setup: ...Openswan IPsec started
Jan 19 16:50:53 vpngw ipsec_setup: Starting Openswan IPsec 2.3.0...
Jan 19 16:50:53 vpngw ipsec_setup: insmod /lib/modules/2.6.8-24.10-default/kernel/net/key/af_key.ko
Jan 19 16:50:53 vpngw ipsec_setup: insmod /lib/modules/2.6.8-24.10-default/kernel/net/ipv4/xfrm4_tunnel.ko
Jan 19 16:50:53 vpngw ipsec_setup: insmod /lib/modules/2.6.8-24.10-default/kernel/net/xfrm/xfrm_user.ko
Jan 19 16:50:53 vpngw pluto[18226]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jan 19 16:50:53 vpngw pluto[18226]: Setting port floating to on
Jan 19 16:50:53 vpngw pluto[18226]: port floating activate 1/1
Jan 19 16:50:53 vpngw pluto[18226]: including NAT-Traversal patch (Version 0.6c)
Jan 19 16:50:53 vpngw pluto[18226]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan 19 16:50:53 vpngw pluto[18226]: starting up 1 cryptographic helpers
Jan 19 16:50:53 vpngw pluto[18226]: started helper pid=18238 (fd:6)
Jan 19 16:50:53 vpngw pluto[18226]: Using Linux 2.6 IPsec interface code
Jan 19 16:50:53 vpngw pluto[18226]: Changing to directory '/etc/ipsec.d/cacerts'
Jan 19 16:50:53 vpngw pluto[18226]: loaded CA cert file 'cacert.pem' (1334 bytes)
Jan 19 16:50:53 vpngw pluto[18226]: Could not change to directory '/etc/ipsec.d/aacerts'
Jan 19 16:50:53 vpngw pluto[18226]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jan 19 16:50:53 vpngw pluto[18226]: Changing to directory '/etc/ipsec.d/crls'
Jan 19 16:50:53 vpngw pluto[18226]: loaded crl file 'crl.pem' (536 bytes)
Jan 19 16:50:54 vpngw pluto[18226]: loaded host cert file '/etc/ipsec.d/certs/whvpngw2.hockenheim.weidenhammer.de.pem' (3748 bytes)
Jan 19 16:50:54 vpngw pluto[18226]: loaded host cert file '/etc/ipsec.d/certs/vpngw.weidenhammer.gr.pem' (3775 bytes)
Jan 19 16:50:54 vpngw pluto[18226]: added connection description "roadwarrior"
Jan 19 16:50:54 vpngw pluto[18226]: loaded host cert file '/etc/ipsec.d/certs/whvpngw2.hockenheim.weidenhammer.de.pem' (3748 bytes)
Jan 19 16:50:54 vpngw pluto[18226]: loaded host cert file '/etc/ipsec.d/certs/vpngw.weidenhammer.gr.pem' (3775 bytes)
Jan 19 16:50:54 vpngw pluto[18226]: added connection description "roadwarrior-net"
Jan 19 16:50:54 vpngw pluto[18226]: listening for IKE messages
Jan 19 16:50:54 vpngw pluto[18226]: adding interface eth1/eth1 192.168.30.1
Jan 19 16:50:54 vpngw pluto[18226]: adding interface eth1/eth1 192.168.30.1:4500
Jan 19 16:50:54 vpngw pluto[18226]: adding interface eth0/eth0 192.168.1.24
Jan 19 16:50:54 vpngw pluto[18226]: adding interface eth0/eth0 192.168.1.24:4500
Jan 19 16:50:54 vpngw pluto[18226]: adding interface lo/lo 127.0.0.1
Jan 19 16:50:54 vpngw pluto[18226]: adding interface lo/lo 127.0.0.1:4500
Jan 19 16:50:54 vpngw pluto[18226]: adding interface lo/lo ::1
Jan 19 16:50:54 vpngw pluto[18226]: loading secrets from "/etc/ipsec.secrets"
Jan 19 16:50:54 vpngw pluto[18226]: loaded private key file '/etc/ipsec.d/private/vpngw.weidenhammer.gr.key' (1700 bytes)
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: initiating Main Mode
Jan 19 16:50:55 vpngw pluto[18226]: | no IKE algorithms for this connection
Jan 19 16:50:55 vpngw ipsec__plutorun: 104 "roadwarrior" #1: STATE_MAIN_I1: initiate
Jan 19 16:50:55 vpngw ipsec__plutorun: ...could not start conn "roadwarrior"
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: I am sending my cert
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: I am sending a certificate request
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 19 16:50:55 vpngw pluto[18226]: ERROR: "roadwarrior" #1: sendto on eth0 to xxx.xxx.xxx.xxx:4500 failed in STATE_MAIN_I2. Errno 1: Operation not permitted
Jan 19 16:51:05 vpngw pluto[18226]: "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
Jan 19 16:51:05 vpngw pluto[18226]: ERROR: "roadwarrior" #1: sendto on eth0 to xxx.xxx.xxx.xxx:4500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Jan 19 16:51:25 vpngw pluto[18226]: ERROR: "roadwarrior" #1: sendto on eth0 to xxx.xxx.xxx.xxx:4500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Jan 19 16:51:25 vpngw pluto[18226]: "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
Jan 19 16:52:05 vpngw pluto[18226]: "roadwarrior" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Thanks for the help!
Joachim
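A small triage script for the two logs above, added here as an example; it is not part of Joachim's post and not Openswan code. It reads pluto syslog lines in the formats visible in the post (the sample embedded in it is copied from the two logs, placeholder address and all), tracks the Main Mode state per ISAKMP SA, and separates a send that the local kernel refused (sendto returning errno 1, as vpngw reports) from a peer that simply never answered (as whvpngw2 sees it). Both logs end in "max number of retransmissions", which is why the distinction matters: an errno from sendto means the datagram never left the initiator, so the responder's silence is a consequence rather than a second problem. The cause the hint text suggests for EPERM (a netfilter OUTPUT rule that does not allow the floated UDP/4500 port) is the common one for that errno on Linux, not something the post establishes; the verdict names and hint wording are my own.

```python
"""Triage pluto (Openswan IKEv1) syslog lines for a Main Mode exchange that stalls.

Added example for this thread; not code from the original post or from Openswan.
Two verdicts are distinguished:
  LOCAL_SEND_BLOCKED  sendto() itself failed, the datagram never left this host.
                      Errno 1 (EPERM) is what a netfilter OUTPUT DROP/REJECT
                      hands back to the sender (common cause, assumed, not confirmed
                      by the post).
  PEER_SILENT         every send succeeded but no usable reply ever arrived.
SAMPLE_LOG is copied from the post (both hosts), xxx.xxx.xxx.xxx placeholder kept.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HOST_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) ")
# '"conn"[n] peer-addr #sa: ' -- the [n] peer-address part only appears on the responder
CONN = r'"(?P<conn>[^"]+)"(?:\[\d+\] \S+)? #(?P<sa>\d+): '
SENDTO_RE = re.compile(r"ERROR: " + CONN + r"sendto on (?P<iface>\S+) to (?P<dst>\S+?):(?P<port>\d+) "
                       r"failed in (?P<where>\S+)\. Errno (?P<errno>\d+): (?P<errstr>.*)$")
STATE_RE = re.compile(CONN + r"transition from state STATE_\w+ to state (?P<to>STATE_\w+)")
NATT_RE = re.compile(CONN + r"NAT-Traversal: Result using \S+: (?P<who>.*)$")
RETRANS_RE = re.compile(CONN + r"max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)")
EPERM = 1


@dataclass
class SendError:
    iface: str
    dst: str
    port: int
    errno: int
    errstr: str
    where: str


@dataclass
class SaTrace:
    host: str
    conn: str
    sa: str
    states: List[str] = field(default_factory=list)
    nat_result: Optional[str] = None
    send_errors: List[SendError] = field(default_factory=list)
    gave_up_in: Optional[str] = None


def parse(lines) -> Dict[Tuple[str, str, str], SaTrace]:
    """Group the interesting events by (syslog host, connection name, ISAKMP SA number)."""
    traces: Dict[Tuple[str, str, str], SaTrace] = {}
    for line in lines:
        h = HOST_RE.match(line)
        host = h.group("host") if h else "?"
        for rx in (SENDTO_RE, STATE_RE, NATT_RE, RETRANS_RE):
            m = rx.search(line)
            if not m:
                continue
            key = (host, m.group("conn"), m.group("sa"))
            t = traces.setdefault(key, SaTrace(*key))
            if rx is SENDTO_RE:
                t.send_errors.append(SendError(m.group("iface"), m.group("dst"), int(m.group("port")),
                                               int(m.group("errno")), m.group("errstr"), m.group("where")))
            elif rx is STATE_RE:
                t.states.append(m.group("to"))
            elif rx is NATT_RE:
                t.nat_result = m.group("who")
            else:
                t.gave_up_in = m.group("state")
            break
    return traces


def diagnose(t: SaTrace) -> Tuple[str, str]:
    """Return (verdict, hint) for one ISAKMP SA; a local send failure wins over 'peer silent'."""
    last = t.states[-1] if t.states else "no state transition seen"
    eperm = [e for e in t.send_errors if e.errno == EPERM]
    if eperm:
        e = eperm[0]
        hint = (f"{t.host}: the kernel refused sendto on {e.iface} to {e.dst}:{e.port} "
                f"(errno {e.errno}, {e.errstr}) in {e.where}; the datagram never left the host. "
                f"Check local policy before blaming the peer: an OUTPUT-chain rule that does not "
                f"allow UDP/{e.port} out of {e.iface} is the usual cause.")
        if t.nat_result and e.port == 4500:
            hint += (" NAT was detected, so IKE floated from UDP/500 to UDP/4500; "
                     "a rule that only permits UDP/500 does not cover that.")
        return "LOCAL_SEND_BLOCKED", hint
    if t.gave_up_in:
        return "PEER_SILENT", (f"{t.host}: all sends succeeded but no usable reply arrived; gave up in "
                               f"{t.gave_up_in}. Check the peer's log and the NAT device / firewall in between.")
    return "IN_PROGRESS", f"{t.host}: last state {last}, no failure recorded."


SAMPLE_LOG = """\
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: initiating Main Mode
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jan 19 16:50:55 vpngw pluto[18226]: "roadwarrior" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 19 16:50:55 vpngw pluto[18226]: ERROR: "roadwarrior" #1: sendto on eth0 to xxx.xxx.xxx.xxx:4500 failed in STATE_MAIN_I2. Errno 1: Operation not permitted
Jan 19 16:51:05 vpngw pluto[18226]: ERROR: "roadwarrior" #1: sendto on eth0 to xxx.xxx.xxx.xxx:4500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Jan 19 16:52:05 vpngw pluto[18226]: "roadwarrior" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Jan 19 16:49:48 whvpngw2 pluto[384]: "roadwarrior"[1] xxx.xxx.xxx.xxx #1: responding to Main Mode from unknown peer xxx.xxx.xxx.xxx
Jan 19 16:49:49 whvpngw2 pluto[384]: "roadwarrior"[1] xxx.xxx.xxx.xxx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jan 19 16:49:49 whvpngw2 pluto[384]: "roadwarrior"[1] xxx.xxx.xxx.xxx #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 19 16:50:59 whvpngw2 pluto[384]: "roadwarrior"[1] xxx.xxx.xxx.xxx #1: max number of retransmissions (2) reached STATE_MAIN_R2
"""

if __name__ == "__main__":
    for key, trace in parse(SAMPLE_LOG.splitlines()).items():
        verdict, hint = diagnose(trace)
        print(f"{'/'.join(key)}: {verdict}\n  {hint}")
```

Run it as-is to see one verdict per (host, connection, SA), or feed it `grep pluto /var/log/messages` from both hosts. The ordering in diagnose is deliberate: a local errno is hard evidence and is reported even when the same SA later also hits the retransmission limit, whereas "Possible authentication failure" in pluto's final message is only a guess about why no reply came.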