[Openswan Users] not quite there - ipsec SA proposal not working

Mads Rasmussen mads at grupof.com.br
Mon Jan 24 14:48:46 CET 2005


Hello,

I have been pulling my gray hairs for some time now. Would someone 
please be so kind as to have a look at my config and logs to help me out.

I seem to be able to pass the IKE phase but cannot establish an SA.

Here are my configs.

gw = gentoo linux, roadwarrior = win2k with SSH sentinel

Log:

Jan 24 14:20:44 [pluto] packet from road_ip:500: ignoring Vendor ID payload [SSH Communications Security IPSEC Express version 4.1.0]
Jan 24 14:20:44 [pluto] "road"[1] road_ip #1: responding to Main Mode from unknown peer road_ip
Jan 24 14:20:44 [pluto] "road"[1] road_ip #1: transition from state (null) to state STATE_MAIN_R1
Jan 24 14:20:44 [pluto] "road"[1] road_ip #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 24 14:20:45 [pluto] "road"[1] road_ip #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jan 24 14:20:45 [pluto] "road"[1] road_ip #1: Peer ID is ID_DER_ASN1_DN: 'C=BR, O=Grupo F Arquitetura, OU=TI, CN=remote at grupof.com.br'
Jan 24 14:20:45 [pluto] "road"[1] road_ip #1: no crl from issuer "C=BR, ST=Sao Paulo, L=Sao Paulo, O=Grupo F Arquitetura, OU=TI, CN=pernambuco.dyndns.org" found (strict=no)
Jan 24 14:20:45 [pluto] "road"[1] road_ip #1: I am sending my cert
Jan 24 14:20:45 [pluto] "road"[1] road_ip #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 24 14:20:45 [pluto] "road"[1] road_ip #1: sent MR3, ISAKMP SA established
Jan 24 14:20:46 [pluto] "road"[1] road_ip #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jan 24 14:20:46 [pluto] "road"[1] road_ip #1: cannot respond to IPsec SA request because no connection is known for 10.30.0.0/24===gw_ip[@pernambuco.dyndns.org]...road_ip[C=BR, O=Grupo F Arquitetura, OU=TI, CN=remote at grupof.com.br]
Jan 24 14:20:46 [pluto] "road"[1] road_ip #1: sending encrypted notification INVALID_ID_INFORMATION to road_ip:500


ipsec.conf:

version 2.0 # set version

# basic configuration
config setup
        interfaces="ipsec0=ppp0"
        klipsdebug=all
        plutodebug=all
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# default settings for connections
conn %default
        authby=rsasig
        left=pernambuco.dyndns.org
        leftcert=pernambuco-gw.pem
        compress=yes
        rightrsasigkey=%cert
        auto=add

conn road
        right=%any
        leftid=@pernambuco.dyndns.org
        rightid="/C=BR/O=Grupo F Arquitetura/OU=TI/CN=remote at grupof.com.br"
        rightsubnet=10.30.0.0/24


ipsec auto --status:

000 "road":   IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "road":   IKE algorithms found:  5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "road":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "road":   ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "road"[1]: gw_ip[@pernambuco.dyndns.org]...road_ip[C=BR, O=Grupo F Arquitetura, OU=TI, CN=remote at grupof.com.br]===10.30.0.0/24; unrouted; eroute owner: #0
000 "road"[1]:   CAs: 'C=BR, ST=Sao Paulo, L=Sao Paulo, O=Grupo F Arquitetura, OU=TI, CN=pernambuco.dyndns.org'...'%any'
000 "road"[1]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "road"[1]:   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 32,24; interface: ppp0;
000 "road"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "road"[1]:   IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "road"[1]:   IKE algorithms found:  5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "road"[1]:   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "road"[1]:   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "road"[1]:   ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict



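Added example (editor's code, not the poster's or the Openswan project's): a small checker that parses pluto's "cannot respond to IPsec SA request because no connection is known for" line from the log above and compares the subnet the peer proposed on each side against the conn road settings from the ipsec.conf above. It assumes the archive's gw_ip/road_ip placeholders and the DN text exactly as printed; on this post's data it reports that the peer proposed 10.30.0.0/24 behind the gateway (left side of the ===), while the conn places that subnet behind the road warrior as rightsubnet, which is the selector mismatch pluto answers with INVALID_ID_INFORMATION.

```python
import re
from ipaddress import ip_network

# Constructed sample input: the pluto line and the conn section from the post,
# with the archive's "gw_ip"/"road_ip" placeholders left in place.
PLUTO_LINE = ('Jan 24 14:20:46 [pluto] "road"[1] road_ip #1: cannot respond to IPsec SA '
              'request because no connection is known for '
              '10.30.0.0/24===gw_ip[@pernambuco.dyndns.org]...road_ip[C=BR, O=Grupo F '
              'Arquitetura, OU=TI, CN=remote at grupof.com.br]')
IPSEC_CONF = """conn road
        right=%any
        leftid=@pernambuco.dyndns.org
        rightid="/C=BR/O=Grupo F Arquitetura/OU=TI/CN=remote at grupof.com.br"
        rightsubnet=10.30.0.0/24
"""

# pluto prints the requested SA as [leftsubnet===]lefthost[leftid]...righthost[rightid][===rightsubnet]
REQ_RE = re.compile(
    r'no connection is known for '
    r'(?:(?P<lsub>[\d./]+)===)?(?P<lhost>[^\[]+)\[(?P<lid>[^\]]*)\]'
    r'\.\.\.(?P<rhost>[^\[]+)\[(?P<rid>[^\]]*)\](?:===(?P<rsub>[\d./]+))?')

def parse_request(line):
    """Return the selectors pluto could not match, or None if the line is not that message."""
    m = REQ_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {'leftsubnet': d['lsub'], 'leftid': d['lid'],
            'rightsubnet': d['rsub'], 'rightid': d['rid']}

def parse_conn(text, name):
    """Collect the key=value settings of one conn section from ipsec.conf text."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('conn '):
            inside = line.split(None, 1)[1] == name
        elif inside and '=' in line:
            key, value = line.split('=', 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def norm(subnet):
    """Canonical CIDR text so 10.30.0.0/24 and 10.30.0.0/255.255.255.0 compare equal."""
    return str(ip_network(subnet, strict=False)) if subnet else None

def find_mismatches(line, conf, name):
    """Compare the proposed subnet per side with the conn; IDs are skipped because
    the log prints DNs comma-separated while ipsec.conf uses the slash form."""
    req, conn = parse_request(line), parse_conn(conf, name)
    problems = []
    for side in ('leftsubnet', 'rightsubnet'):
        want, have = req[side], conn.get(side)
        if norm(want) != norm(have):
            problems.append(f"{side}: peer proposed {want or 'none'}, conn {name} has {have or 'none'}")
    return problems
```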


