[Openswan Users] IPsec Transform refused
Craig Chandler
Craig.Chandler at InterDynamics.com
Mon Jul 4 10:44:05 CEST 2005
Hi all,
I have two subnets attempting to connect via VPN gateways, but I'm having issues getting the connection up. Help would be greatly appreciated.
Network 1
conn Net
        authby=rsasig
        keylife=24h
        left=aaa.aaa.aaa.aaa
        leftnexthop=aaa.aaa.aaa.ccc
        leftsubnet=192.168.1.0/24
        leftsourceip=192.168.1.1
        leftrsasigkey=%cert
        leftcert=Net_1.pem
        right=bbb.bbb.bbb.bbb
        rightsubnet=192.168.0.0/24
        rightrsasigkey=%cert
        rightid="blah blah 1"
        auto=start
Network 2
conn Net
        authby=rsasig
        keylife=24h
        left=aaa.aaa.aaa.aaa
        leftsubnet=192.168.1.0/24
        leftrsasigkey=%cert
        leftid="blah blah 2"
        right=bbb.bbb.bbb.bbb
        rightnexthop=bbb.bbb.bbb.ccc
        rightsubnet=192.168.0.0/24
        rightsourceip=192.168.0.1
        rightrsasigkey=%cert
        rightcert=Net_2.pem
        auto=start
Network 1 Log
Jul 1 15:04:26 brisgate ipsec__plutorun: Starting Pluto subsystem...
Jul 1 15:04:26 brisgate pluto[32313]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jul 1 15:04:26 brisgate pluto[32313]: Setting port floating to off
Jul 1 15:04:26 brisgate pluto[32313]: port floating activate 0/1
Jul 1 15:04:26 brisgate pluto[32313]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 1 15:04:26 brisgate pluto[32313]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 1 15:04:26 brisgate pluto[32313]: starting up 1 cryptographic helpers
Jul 1 15:04:26 brisgate pluto[32313]: started helper pid=32314 (fd:6)
Jul 1 15:04:26 brisgate pluto[32313]: Using Linux 2.6 IPsec interface code
Jul 1 15:04:26 brisgate pluto[32313]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 1 15:04:26 brisgate pluto[32313]: loaded CA cert file 'cacert.pem' (1647 bytes)
Jul 1 15:04:26 brisgate pluto[32313]: Could not change to directory '/etc/ipsec.d/aacerts'
Jul 1 15:04:26 brisgate pluto[32313]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jul 1 15:04:26 brisgate pluto[32313]: Changing to directory '/etc/ipsec.d/crls'
Jul 1 15:04:26 brisgate pluto[32313]: loaded crl file 'crl.pem' (686 bytes)
Jul 1 15:04:29 brisgate pluto[32313]: loaded host cert file '/etc/ipsec.d/certs/Net_1.pem' (1497 bytes)
Jul 1 15:04:29 brisgate pluto[32313]: no subjectAltName matches ID 'aaa.aaa.aaa.aaa', replaced by subject DN
Jul 1 15:04:29 brisgate pluto[32313]: added connection description "Net"
Jul 1 15:04:29 brisgate pluto[32313]: loaded host cert file '/etc/ipsec.d/certs/Net_1.pem' (1497 bytes)
Jul 1 15:04:30 brisgate pluto[32313]: listening for IKE messages
Jul 1 15:04:30 brisgate pluto[32313]: adding interface eth1/eth1 192.168.1.1
Jul 1 15:04:30 brisgate pluto[32313]: adding interface eth0/eth0 aaa.aaa.aaa.aaa
Jul 1 15:04:30 brisgate pluto[32313]: adding interface lo/lo 127.0.0.1
Jul 1 15:04:30 brisgate pluto[32313]: adding interface lo/lo ::1
Jul 1 15:04:30 brisgate pluto[32313]: loading secrets from "/etc/ipsec.secrets"
Jul 1 15:04:30 brisgate pluto[32313]: loaded private key file '/etc/ipsec.d/private/Net_1.key' (887 bytes)
Jul 1 15:04:30 brisgate pluto[32313]: "Net" #1: initiating Main Mode
Jul 1 15:04:30 brisgate pluto[32313]: | no IKE algorithms for this connection
Jul 1 15:04:30 brisgate pluto[32313]: "Net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 1 15:04:30 brisgate pluto[32313]: "Net" #1: I am sending my cert
Jul 1 15:04:30 brisgate pluto[32313]: "Net" #1: I am sending a certificate request
Jul 1 15:04:30 brisgate pluto[32313]: "Net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 1 15:04:30 brisgate pluto[32313]: "Net" #1: Main mode peer ID is ID_DER_ASN1_DN: 'blah blah 1'
Jul 1 15:04:30 brisgate pluto[32313]: "Net" #1: crl update for "blah blah 1" is overdue since Mar 18 06:17:28 UTC 2005
Jul 1 15:04:30 brisgate pluto[32313]: "Net" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 1 15:04:30 brisgate pluto[32313]: "Net" #1: ISAKMP SA established
Jul 1 15:04:30 brisgate pluto[32313]: "Net" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul 1 15:04:30 brisgate pluto[32313]: "Net" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jul 1 15:04:30 brisgate pluto[32313]: "Net" #1: received and ignored informational message
Network 2 Log
Jul 1 14:42:31 localhost ipsec__plutorun: Starting Pluto subsystem...
Jul 1 14:42:31 localhost pluto[13280]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jul 1 14:42:31 localhost pluto[13280]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 1 14:42:31 localhost pluto[13280]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 1 14:42:31 localhost pluto[13280]: Using Linux 2.6 IPsec interface code
Jul 1 14:42:32 localhost pluto[13280]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 1 14:42:32 localhost pluto[13280]: loaded CA cert file 'cacert.pem' (1647 bytes)
Jul 1 14:42:32 localhost pluto[13280]: Could not change to directory '/etc/ipsec.d/aacerts'
Jul 1 14:42:32 localhost pluto[13280]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jul 1 14:42:32 localhost pluto[13280]: Changing to directory '/etc/ipsec.d/crls'
Jul 1 14:42:32 localhost pluto[13280]: loaded crl file 'crl.pem' (686 bytes)
Jul 1 14:42:32 localhost pluto[13280]: loaded host cert file '/etc/ipsec.d/certs/Net_2.pem' (1489 bytes)
Jul 1 14:42:32 localhost pluto[13280]: added connection description "Net"
Jul 1 14:42:32 localhost pluto[13280]: listening for IKE messages
Jul 1 14:42:32 localhost pluto[13280]: adding interface eth1/eth1 bbb.bbb.bbb.bbb
Jul 1 14:42:32 localhost pluto[13280]: adding interface eth0/eth0 192.168.0.1
Jul 1 14:42:32 localhost pluto[13280]: adding interface lo/lo 127.0.0.1
Jul 1 14:42:32 localhost pluto[13280]: adding interface lo/lo ::1
Jul 1 14:42:32 localhost pluto[13280]: loading secrets from "/etc/ipsec.secrets"
Jul 1 14:42:32 localhost pluto[13280]: loaded private key file '/etc/ipsec.d/private/Net_2.pem' (887 bytes)
Jul 1 14:42:32 localhost pluto[13280]: "Brisbane_Office" #1: initiating Main Mode
Jul 1 14:42:33 localhost pluto[13280]: "Brisbane_Office" #1: ERROR: asynchronous network error report on eth1 for message to aaa.aaa.aaa.aaa port 500, complainant aaa.aaa.aaa.aaa: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 1 14:42:34 localhost pluto[13280]: packet from aaa.aaa.aaa.aaa:500: received Vendor ID payload [Dead Peer Detection]
Jul 1 14:42:34 localhost pluto[13280]: "Net" #2: responding to Main Mode
Jul 1 14:42:34 localhost pluto[13280]: "Net" #2: transition from state (null) to state STATE_MAIN_R1
Jul 1 14:42:34 localhost pluto[13280]: "Net" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 1 14:42:34 localhost pluto[13280]: "Net" #2: Peer ID is ID_DER_ASN1_DN: 'blah blah 2'
Jul 1 14:42:34 localhost pluto[13280]: "Net" #2: crl update for "blah blah 1" is overdue since Mar 18 06:17:28 UTC 2005
Jul 1 14:42:34 localhost pluto[13280]: "Net" #2: I am sending my cert
Jul 1 14:42:34 localhost pluto[13280]: "Net" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 1 14:42:34 localhost pluto[13280]: "Net" #2: sent MR3, ISAKMP SA established
Jul 1 14:42:35 localhost pluto[13280]: "Net" #3: IPsec Transform [ESP_AES (0), AUTH_ALGORITHM_HMAC_SHA1] refused due to insecure key_len and enc. alg. not listed in "esp" string
Jul 1 14:42:35 localhost pluto[13280]: "Net" #3: no acceptable Proposal in IPsec SA
Jul 1 14:42:35 localhost pluto[13280]: "Net" #3: sending encrypted notification NO_PROPOSAL_CHOSEN to aaa.aaa.aaa.aaa:500
Does anyone have suggestions as to why I would be getting these errors, and possible solutions?
Cheers
--
Craig Chandler
Application Developer
InterDynamics Pty. Ltd.
Adelaide Office:
24th Floor, Santos House
91 King William St.
Adelaide SA 5000
Tel: +61 8 8233 5965
Fax: +61 8 8233 5858

Brisbane Office:
Level 3, Christie Centre
320 Adelaide St.
Brisbane Qld 4000
Tel: +61 7 3229 8300
Fax: +61 7 3010 9001
Craig.Chandler at InterDynamics.com
InterDynamics Web Page : http://www.InterDynamics.com
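An added example, not code from the original post or from the Openswan project: a small Python triage script for the failure shown in the Network 2 log. It parses pluto syslog lines for the "IPsec Transform [...] refused" message (the responder's reason names both an insecure key_len and an encryption algorithm "not listed in the esp string"), checks whether the responder's conn block carries an explicit `esp=` line at all, and diffs the two conn blocks so that settings present on only one end stand out. The regexes assume only the line shapes visible in the post; the sample log lines and conn blocks are constructed from the post's own text, with its placeholder addresses kept.

```python
"""Triage helper for an Openswan phase-2 (Quick Mode) proposal failure.

Added example; not code from the original post or from Openswan. Parses pluto
syslog lines for "IPsec Transform [...] refused", relates the refusal to the
responder's conn block, and diffs the two ends' conn blocks. The sample log
lines and conn blocks are constructed from the ones in the post.
"""
import re

# Generic pluto syslog line: timestamp, host, pid, optional '"conn" #N: ' prefix, message.
PLUTO_LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$'
)
# Responder-side refusal naming the ESP transform (enc, key length, auth) and the reason.
TRANSFORM_REFUSED = re.compile(
    r'IPsec Transform \[(?P<enc>\w+) \((?P<keylen>\d+)\), (?P<auth>\w+)\] '
    r'refused due to (?P<reason>.*)$'
)

def parse_pluto_line(line):
    """Split one pluto syslog line into its fields; None if it is not a pluto line."""
    m = PLUTO_LINE.match(line)
    return m.groupdict() if m else None

def find_refusals(lines):
    """Collect every refused IPsec transform as a dict of its parsed fields."""
    out = []
    for line in lines:
        rec = parse_pluto_line(line)
        if rec is None:
            continue
        m = TRANSFORM_REFUSED.search(rec["msg"])
        if m:
            out.append({"host": rec["host"], "conn": rec["conn"] or "", "sa": rec["sa"] or "",
                        "enc": m["enc"], "key_len": int(m["keylen"]),
                        "auth": m["auth"], "reason": m["reason"]})
    return out

def parse_conn(text):
    """Parse a conn block (a 'conn NAME' line plus key=value lines) into (name, settings)."""
    name, settings = None, {}
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if s.startswith("conn "):
            name = s.split(None, 1)[1]
            continue
        key, _, value = s.partition("=")
        settings[key.strip()] = value.strip()
    return name, settings

def compare_conns(a, b):
    """Keys set on only one end, and shared keys whose values differ between ends."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    differing = {k: (a[k], b[k]) for k in set(a) & set(b) if a[k] != b[k]}
    return only_a, only_b, differing

def esp_hints(refusal, settings):
    """Relate the refusal to the responder's conn block: the log says the algorithm is
    not listed in the "esp" string, so report whether esp= is set at all."""
    hints = []
    if refusal["key_len"] == 0:
        hints.append(f'{refusal["enc"]} was proposed with key_len 0')
    if "esp" not in settings:
        hints.append("conn has no esp= line, so no ESP algorithm is listed explicitly")
    return hints

# Constructed sample input, taken from the Network 2 log and the two conn blocks in the post.
NET2_LOG = [
    'Jul 1 14:42:34 localhost pluto[13280]: "Net" #2: sent MR3, ISAKMP SA established',
    'Jul 1 14:42:35 localhost pluto[13280]: "Net" #3: IPsec Transform [ESP_AES (0), '
    'AUTH_ALGORITHM_HMAC_SHA1] refused due to insecure key_len and enc. alg. not listed in "esp" string',
    'Jul 1 14:42:35 localhost pluto[13280]: "Net" #3: sending encrypted notification NO_PROPOSAL_CHOSEN to aaa.aaa.aaa.aaa:500',
]
NET1_CONF = "\n".join(["conn Net", "authby=rsasig", "keylife=24h", "left=aaa.aaa.aaa.aaa",
    "leftnexthop=aaa.aaa.aaa.ccc", "leftsubnet=192.168.1.0/24", "leftsourceip=192.168.1.1",
    "leftrsasigkey=%cert", "leftcert=Net_1.pem", "right=bbb.bbb.bbb.bbb",
    "rightsubnet=192.168.0.0/24", "rightrsasigkey=%cert", 'rightid="blah blah 1"', "auto=start"])
NET2_CONF = "\n".join(["conn Net", "authby=rsasig", "keylife=24h", "left=aaa.aaa.aaa.aaa",
    "leftsubnet=192.168.1.0/24", "leftrsasigkey=%cert", 'leftid="blah blah 2"',
    "right=bbb.bbb.bbb.bbb", "rightnexthop=bbb.bbb.bbb.ccc", "rightsubnet=192.168.0.0/24",
    "rightsourceip=192.168.0.1", "rightrsasigkey=%cert", "rightcert=Net_2.pem", "auto=start"])

if __name__ == "__main__":
    _, net1 = parse_conn(NET1_CONF)
    _, net2 = parse_conn(NET2_CONF)
    for r in find_refusals(NET2_LOG):
        print(f'{r["host"]} conn {r["conn"]} #{r["sa"]}: {r["enc"]}/{r["auth"]} '
              f'key_len={r["key_len"]}: {r["reason"]}')
        for h in esp_hints(r, net2):
            print("  hint:", h)
    only1, only2, diff = compare_conns(net1, net2)
    print("only on Network 1:", only1)
    print("only on Network 2:", only2)
    print("shared keys with differing values:", diff)
```

Run against the post's data, the script reports one refusal (ESP_AES with key_len 0 and HMAC-SHA1 on SA #3), notes that neither conn block sets `esp=`, and lists the keys each gateway sets that the other does not (nexthop, sourceip, id and cert are each present on only one side). The diff is a consistency check on what the two configs share, not a verdict on which side is wrong; the `esp=` check simply follows what the responder's own log line complains about.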