[Openswan Users] packet rejected: should have been encrypted

Bram Bouwens bbouwens at xs4all.nl
Sat Jul 2 23:46:09 CEST 2005


Hi!

I'm now trying to work out a setup for our Windows addicts.
In the test setup I have a Windows XP machine behind a NAT
gateway (my Linux home server with ipsec disabled).
We have an openswan gateway at the office (2.4.20-37_40.rh7.3.at
with openswan-2.3.1-21.rh7.3.at) and I'm following
http://www.natecarlson.com/linux/ipsec-x509.php .

After some struggling I get in my /var/log/secure:


Jul  2 22:23:10 port pluto[16264]: "roadwarrior"[2] 80.126.5.18 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul  2 22:23:10 port pluto[16264]: | sending 1228 bytes for retransmit in response to duplicate through eth2:4500 to 80.126.5.18:4500:
Jul  2 22:23:10 port pluto[16264]: |
Jul  2 22:23:10 port pluto[16264]: | *received 232 bytes from 80.126.5.18:500 on eth2 (port=500)
Jul  2 22:23:10 port pluto[16264]: | **parse ISAKMP Message:
Jul  2 22:23:11 port pluto[16264]: |    initiator cookie:
Jul  2 22:23:11 port pluto[16264]: |   5a 10 b6 01  2a f9 54 e1
Jul  2 22:23:11 port pluto[16264]: |    responder cookie:
Jul  2 22:23:11 port pluto[16264]: |   65 ef 39 cd  56 5d f9 45
Jul  2 22:23:11 port pluto[16264]: |    next payload type: ISAKMP_NEXT_KE
Jul  2 22:23:11 port pluto[16264]: |    ISAKMP version: ISAKMP Version 1.0
Jul  2 22:23:11 port pluto[16264]: |    exchange type: ISAKMP_XCHG_IDPROT
Jul  2 22:23:11 port pluto[16264]: |    flags: none
Jul  2 22:23:11 port pluto[16264]: |    message ID:  00 00 00 00
Jul  2 22:23:11 port pluto[16264]: |    length: 232
Jul  2 22:23:11 port pluto[16264]: | ICOOKIE:  5a 10 b6 01  2a f9 54 e1
Jul  2 22:23:11 port pluto[16264]: | RCOOKIE:  65 ef 39 cd  56 5d f9 45
Jul  2 22:23:11 port pluto[16264]: | peer:  50 7e 05 12
Jul  2 22:23:11 port pluto[16264]: | state hash entry 31
Jul  2 22:23:11 port pluto[16264]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
Jul  2 22:23:11 port pluto[16264]: | state object #1 found, in STATE_MAIN_R3
Jul  2 22:23:12 port pluto[16264]: | processing connection roadwarrior[2] 80.126.5.18
Jul  2 22:23:12 port pluto[16264]: "roadwarrior"[2] 80.126.5.18 #1: packet rejected: should have been encrypted
Jul  2 22:23:12 port pluto[16264]: "roadwarrior"[2] 80.126.5.18 #1: sending notification INVALID_FLAGS to 80.126.5.18:4500
Jul  2 22:23:12 port pluto[16264]: "roadwarrior"[2] 80.126.5.18 #1: failed to build notification for spisize=0
Jul  2 22:23:12 port pluto[16264]: | next event EVENT_RETRANSMIT in 13 seconds for #3


So I think the question is: why is this packet not encrypted when it should be?

/etc/ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
         plutodebug="oppo parsing nat-t control"
         nat_traversal=yes
         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
         keyingtries=1
         compress=yes
         disablearrivalcheck=no
         authby=rsasig
         leftrsasigkey=%cert
         rightrsasigkey=%cert


conn roadwarrior-net
         leftsubnet=192.168.0.0/24
         also=roadwarrior

conn roadwarrior
         left=%defaultroute
         leftcert=port.fredhopper.com.pem
         right=%any
         rightsubnet=vhost:%no,%priv
         auto=add
         pfs=yes

# .. and the usual block/private/..

On the windows machine ipsec.conf:

conn roadwarrior
         left=%any
         right=82.94.15.138
         rightca="C=NL, S=Noord Holland, L=Amsterdam, O=Fredhopper, CN=FredCA, E=sysadm at fredhopper.com"
         network=auto
         auto=start
         pfs=yes

conn roadwarrior-net
         left=%any
         right=82.94.15.138
         rightsubnet=192.168.0.0/24
         rightca="C=NL, S=Noord Holland, L=Amsterdam, O=Fredhopper, CN=FredCA, E=sysadm at fredhopper.com"
         network=auto
         auto=start
         pfs=yes

So the obvious question: what is missing?

Thank you for any suggestions...

Bram
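
Added example, not part of Bram's post or of openswan itself: a small Python decoder for the 28-byte ISAKMP header whose fields pluto printed above ("**parse ISAKMP Message"), followed by the per-state check that produces "packet rejected: should have been encrypted". The header bytes are constructed from the logged values; the state table is an assumption modelled on pluto's behaviour (only the third Main Mode exchange and everything after it is encrypted), not copied from its source.

```python
import struct
from typing import Optional

# ISAKMP header code points (RFC 2408, section 3.1 and 3.14)
ISAKMP_NEXT = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N"}
ISAKMP_XCHG = {2: "IDPROT", 4: "AGGR", 5: "INFO", 32: "QUICK"}
ISAKMP_FLAG_ENCRYPTION = 0x01  # the E bit in the Flags octet

# Main Mode responder states and whether the message each one waits for must
# arrive encrypted. Assumption: mirrors pluto's per-state "encrypted" flag.
INPUT_MUST_BE_ENCRYPTED = {
    "STATE_MAIN_R0": False,  # waiting for MI1 (SA proposal)
    "STATE_MAIN_R1": False,  # waiting for MI2 (KE, NONCE) - still cleartext
    "STATE_MAIN_R2": True,   # waiting for MI3 (ID, HASH/SIG) under the ISAKMP SA
    "STATE_MAIN_R3": True,   # Main Mode done; anything further rides on the ISAKMP SA
}

def parse_isakmp_header(data: bytes) -> dict:
    """Decode the fixed ISAKMP header the way pluto's debug output lists it."""
    if len(data) < 28:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, npayload, version, xchg, flags, msgid, length = \
        struct.unpack("!8s8sBBBBII", data[:28])
    return {
        "icookie": icookie.hex(), "rcookie": rcookie.hex(),
        "next_payload": ISAKMP_NEXT.get(npayload, str(npayload)),
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange": ISAKMP_XCHG.get(xchg, str(xchg)),
        "encrypted": bool(flags & ISAKMP_FLAG_ENCRYPTION),
        "message_id": msgid, "length": length,
    }

def check_encryption(state: str, hdr: dict) -> Optional[str]:
    """Return pluto's rejection text if the E bit disagrees with the state, else None."""
    must = INPUT_MUST_BE_ENCRYPTED[state]
    if must and not hdr["encrypted"]:
        return "packet rejected: should have been encrypted"
    if not must and hdr["encrypted"]:
        return "packet rejected: should not have been encrypted"
    return None

# Constructed header reproducing the logged fields: cookies, next payload KE,
# version 1.0, Identity Protection exchange, flags none, message ID 0, length 232.
LOGGED_HEADER = (bytes.fromhex("5a10b6012af954e1") + bytes.fromhex("65ef39cd565df945")
                 + bytes([4, 0x10, 2, 0x00]) + struct.pack("!II", 0, 232))

if __name__ == "__main__":
    hdr = parse_isakmp_header(LOGGED_HEADER)
    print(hdr)
    print(check_encryption("STATE_MAIN_R3", hdr))  # what the log above shows
    print(check_encryption("STATE_MAIN_R1", hdr))  # the state in which a KE message is expected
```

A cleartext KE message is normal input for STATE_MAIN_R1, so the same packet is only rejected because the responder already holds #1 in STATE_MAIN_R3 for those cookies.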
