[Openswan Users] no connection has been authorized
Herbert.Augustiny at sptroth.com
Mon Jun 13 09:04:31 CEST 2005
Paul Wouters <paul at xelerance.com> wrote on 13.06.2005 01:02:44:
> On Sun, 12 Jun 2005 Herbert.Augustiny at sptroth.com wrote:
>
> > My connection is configured to use PSK and I was able to get connected
> > using Win2000 and PSK. Below is my config. I'm trying to use the
> > definition for client.
>
> > conn china
> >     left=%defaultroute
> >     leftsubnet=10.0.0.0/16
> >     leftcert=certs/RothGWcert.pem
> >     right=w.x.y.z
> >     rightsubnet=10.4.0.0/16
> >     rightid="C=CN, O=organisation, CN=china name"
> >     auto=start
> >
> > conn asia
> >     left=%defaultroute
> >     leftsubnet=10.0.0.0/16
> >     leftcert=certs/RothGWcert.pem
> >     right=z.y.x.w
> >     rightsubnet=10.2.0.0/24
> >     rightid="C=SG, O=organisation, CN=asia name"
> >     auto=start
> >
> > conn client
> >     left=%defaultroute
> >     leftsubnet=10.0.0.0/24
> >     authby=secret
> >     right=%any
> >     rightid=%any
> >     aggrmode=yes
> >     auto=add
>
> You know client uses /24 and not /16 like the others?
> rightid=%any makes no sense. Especially combined with
> right=%any and PSK (and aggressive mode on top of that).
I have changed to the following:
conn client
    left=%defaultroute
    leftsubnet=10.0.0.0/16
    authby=secret
    right=%any
    esp=3des-md5,3des-sha1
    ike=3des-md5-modp1536,3des-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024
    aggrmode=yes
    auto=add
>
> You cannot have multiple machines connecting from random and
> expect to distinguish them. Using an explicit rightid=@palm
> or something will help openswan pick the proper connection.
> With aggressive mode you should always specify esp= and ike=
> lines. Later versions of openswan force this.
>
There is no way to specify the ID on the palm, and therefore, I think I
can't specify rightid=@palm. Or am I wrong about this?
I'm still getting the same error...
Here is the output of ipsec auto --status:
000 "client": 10.0.0.0/16===net.ip.bla.230---net.ip.bla.1...%any
000 "client": CAs: '%any'...'%any'
000 "client": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "client": policy: PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE; interface: eth2; unrouted
000 "client": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "client": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "client": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "client": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "client": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
What does the line CAs:... mean? Is this causing my problems?
Herbert
> Paul
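The points Paul raises (a `right=%any` PSK conn with `rightid=%any`, aggressive mode without explicit `ike=`/`esp=` lines, and a `leftsubnet` that disagrees with the other conns) are the kind of thing worth checking mechanically before loading a config. The script below is an added example written for this archive page; it is not Openswan code and not something from the thread. It parses the conn sections of an `ipsec.conf` body, flags those patterns, and reads the `policy:` and `CAs:` lines of `ipsec auto --status` output, where `CAs: '%any'...'%any'` reports that no `leftca`/`rightca` restriction is set for the conn. The sample config and status lines are constructed from the definitions quoted above; the function names (`parse_conns`, `audit_conf`, `parse_status`, `status_notes`) are this example's own.

```python
import re

# Constructed sample based on the conn definitions quoted in the thread,
# with the leading whitespace ipsec.conf requires for section parameters.
SAMPLE_CONF = """\
conn china
    left=%defaultroute
    leftsubnet=10.0.0.0/16
    leftcert=certs/RothGWcert.pem
    right=w.x.y.z
    rightsubnet=10.4.0.0/16
    rightid="C=CN, O=organisation, CN=china name"
    auto=start

conn client
    left=%defaultroute
    leftsubnet=10.0.0.0/24
    authby=secret
    right=%any
    rightid=%any
    aggrmode=yes
    auto=add
"""

# Constructed sample of `ipsec auto --status` lines, as shown in the thread.
SAMPLE_STATUS = [
    '000 "client": 10.0.0.0/16===net.ip.bla.230---net.ip.bla.1...%any',
    '000 "client": CAs: \'%any\'...\'%any\'',
    '000 "client": policy: PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE; interface: eth2; unrouted',
]


def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section in an ipsec.conf body."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():
            # An unindented line starts a new section (conn/config); only conn sections are kept.
            m = re.match(r'conn\s+(\S+)', line)
            current = m.group(1) if m else None
            if current:
                conns[current] = {}
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition('=')   # split on the first '=' only (DNs contain '=')
        conns[current][key.strip()] = value.strip().strip('"')
    return conns


def audit_conn(params):
    """Flag the weak combinations discussed in the thread; returns a list of findings."""
    findings = []
    psk = params.get('authby') == 'secret'
    aggressive = params.get('aggrmode') == 'yes'
    roaming = params.get('right') == '%any'
    if params.get('rightid') == '%any':
        findings.append('rightid=%any: no peer ID to select this conn by')
    if psk and roaming:
        findings.append('PSK with right=%any: every roaming peer must share one secret')
    if aggressive and not ('ike' in params and 'esp' in params):
        findings.append('aggrmode=yes without explicit ike= and esp= proposals')
    return findings


def audit_conf(text):
    """Audit every conn and check that leftsubnet agrees with the first conn that sets it."""
    conns = parse_conns(text)
    report = {name: audit_conn(p) for name, p in conns.items()}
    ref = next((p['leftsubnet'] for p in conns.values() if 'leftsubnet' in p), None)
    for name, p in conns.items():
        if p.get('leftsubnet', ref) != ref:
            report[name].append('leftsubnet %s differs from %s used elsewhere' % (p['leftsubnet'], ref))
    return report


def parse_status(lines):
    """Parse status output into {conn: {'policy': set of flags, 'cas': (leftca, rightca)}}."""
    info = {}
    for line in lines:
        m = re.match(r'000 "([^"]+)": (.*)$', line)
        if not m:
            continue
        name, rest = m.groups()
        entry = info.setdefault(name, {})
        if rest.startswith('policy:'):
            flags = rest[len('policy:'):].split(';', 1)[0].strip()
            entry['policy'] = set(flags.split('+'))
        elif rest.startswith('CAs:'):
            entry['cas'] = tuple(re.findall(r"'([^']*)'", rest))
    return info


def status_notes(info, name):
    """Explain what the policy and CAs lines say about conn `name`."""
    notes = []
    entry = info.get(name, {})
    if {'PSK', 'AGGRESSIVE'} <= entry.get('policy', set()):
        notes.append('PSK and aggressive mode are both in the policy')
    if entry.get('cas') == ('%any', '%any'):
        notes.append('CAs %any/%any: no leftca/rightca restriction (not used by a PSK-only conn)')
    return notes


if __name__ == '__main__':
    for conn_name, findings in audit_conf(SAMPLE_CONF).items():
        print(conn_name, findings or 'ok')
    print(status_notes(parse_status(SAMPLE_STATUS), 'client'))
```

Run against the sample, `china` passes clean while `client` gets four findings: the `%any` ID, PSK on a `%any` peer, aggressive mode without proposals, and the `/24` that disagrees with the `/16` of the other conn. The status notes confirm from the daemon's side that PSK and AGGRESSIVE were both compiled into the policy and that no CA constraint is in play.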