No connection has been authorized was: Re: [Openswan Users] payload
problem
sasa
sasa at shoponweb.it
Wed Nov 16 11:32:27 CET 2005
Hi, unfortunately the hard disk on one machine is wrong and now I have
another machine in vpn and the error message is changed, in particular on
new machine I have:
[root at fw4 root]# tail /var/log/secure
Nov 16 10:45:11 fw4 pluto[3936]: "sedeprinsedesecond" #1: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 16 10:45:11 fw4 pluto[3936]: "sedeprinsedesecond" #1: ISAKMP SA
established
Nov 16 10:45:11 fw4 pluto[3936]: "sedeprinsedesecond" #2: initiating Quick
Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Nov 16 10:45:12 fw4 pluto[3936]: "sedeprinsedesecond" #2: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 16 10:45:12 fw4 pluto[3936]: "sedeprinsedesecond" #2: sent QI2, IPsec SA
established {ESP=>0x4e967ad3 <0xad0ad0df xfrm=3DES_0-HMAC_MD5}
Nov 16 10:45:28 fw4 pluto[3936]: "sedeprinsedesecond" #1: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x4e967ad2) not found (maybe expired)
Nov 16 10:45:28 fw4 pluto[3936]: "sedeprinsedesecond" #1: received and
ignored informational message
Nov 16 10:45:45 fw4 pluto[3936]: packet from 1.2.3.4:500: received Vendor ID
payload [Openswan (this version) cvs2002Mar11_19:19:03 X.509-1.5.4
PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Nov 16 10:45:45 fw4 pluto[3936]: packet from 1.2.3.4:500: received Vendor ID
payload [Dead Peer Detection]
Nov 16 10:45:45 fw4 pluto[3936]: packet from 1.2.3.4:500: initial Main Mode
message received on 5.6.7.8:500 but no connection has been authorized
[root at fw4 root]# ipsec verify
...
Checking tun0x1002 at 81.174.27.90 from 10.0.0.0/24 to 192.168.1.0/24
[FAILED]
...
.. on another machine I have:
[root at fw root]# tail /var/log/secure
Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: STATE_MAIN_R2: sent
MR2, expecting MI3
Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: Main mode peer ID
is ID_IPV4_ADDR: '5.6.7.8'
Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: I did not send a
certificate because I do not have one.
Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1536}
Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: responding to Quick
Mode {msgid:6317e120}
Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: transition from
state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: STATE_QUICK_R1:
sent QR1, inbound IPsec SA installed, expecting QI2
Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: transition from
state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: STATE_QUICK_R2:
IPsec SA established {ESP=>0xad0ad0df <0x4e967ad3 xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
[root at fw root]# ipsec verify
..
Checking tun0x1004 at 213.92.106.59 from 192.168.1.0/24 to 10.0.0.0/24
[FAILED]
...
.. the ipsec.conf on both end-point is:
interfaces="ipsec0=eth0"
conn %default
authby=rsasig
esp=3des
conn sedeprinsedesecond
auto=start
pfs=yes
left=1.2.3.4
leftsubnet=192.168.1.0/24
leftnexthop=1.2.3.5
leftrsasigkey=0sAQO...
right=5.6.7.8
rightsubnet=10.0.0.0/24
rightnexthop=5.6.7.9
rightrsasigkey=0sAQ...
thanks again.
------
Salvatore.
----- Original Message -----
From: "Paul Wouters" <paul at xelerance.com>
To: "sasa" <sasa at shoponweb.it>
Cc: <users at openswan.org>
Sent: Thursday, November 10, 2005 9:55 PM
Subject: Re: [Openswan Users] payload problem
> On Thu, 10 Nov 2005, sasa wrote:
>
>> [root at fw root]# ipsec version
>> Linux Openswan Ucvs2002Mar11_19:19:03/K2.1.2rc3 (klips)
>> See `ipsec --copyright' for copyright information.
>> [root at fw root]# rpm -qa|grep openswan
>> openswan-2.4.0-23.rhfc1.at
>> openswan-kmdl-2.4.22-1.2199.nptl_53.rhfc1.at-2.3.1-21.rhfc1.at
>
> That is not a healty combination. the klips module loaded is
> 2.1.2 based and not 2.3.1 like the rpm claims. Also, the userland
> is a cvs snapshot while the rpm claims 2.4.0? You might have an
> install in /usr and /usr/local
>
>> [root at fw4 ~]# ipsec version
>> Linux Openswan U2.4.0/K2.6.12-1.1381_FC3 (netkey)
>> See `ipsec --copyright' for copyright information.
>> [root at fw4 ~]# rpm -qa|grep openswan
>> openswan-2.4.0-1
>> openswan-klips-2.4.0-2.6.12_1.1378_FC3_1
>
> You are using NETKEY, not KLIPS on that machine.
>
> Paul
>
More information about the Users
mailing list