No connection has been authorized was: Re: [Openswan Users] payload problem

sasa sasa at shoponweb.it
Wed Nov 16 11:32:27 CET 2005


Hi, unfortunately the hard disk on one machine is wrong, and now I have 
another machine in the VPN and the error message has changed. In particular, 
on the new machine I have:

[root at fw4 root]# tail /var/log/secure
Nov 16 10:45:11 fw4 pluto[3936]: "sedeprinsedesecond" #1: transition from 
state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 16 10:45:11 fw4 pluto[3936]: "sedeprinsedesecond" #1: ISAKMP SA 
established
Nov 16 10:45:11 fw4 pluto[3936]: "sedeprinsedesecond" #2: initiating Quick 
Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Nov 16 10:45:12 fw4 pluto[3936]: "sedeprinsedesecond" #2: transition from 
state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 16 10:45:12 fw4 pluto[3936]: "sedeprinsedesecond" #2: sent QI2, IPsec SA 
established {ESP=>0x4e967ad3 <0xad0ad0df xfrm=3DES_0-HMAC_MD5}
Nov 16 10:45:28 fw4 pluto[3936]: "sedeprinsedesecond" #1: ignoring Delete SA 
payload: PROTO_IPSEC_ESP SA(0x4e967ad2) not found (maybe expired)
Nov 16 10:45:28 fw4 pluto[3936]: "sedeprinsedesecond" #1: received and 
ignored informational message
Nov 16 10:45:45 fw4 pluto[3936]: packet from 1.2.3.4:500: received Vendor ID 
payload [Openswan (this version) cvs2002Mar11_19:19:03  X.509-1.5.4 
PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Nov 16 10:45:45 fw4 pluto[3936]: packet from 1.2.3.4:500: received Vendor ID 
payload [Dead Peer Detection]
Nov 16 10:45:45 fw4 pluto[3936]: packet from 1.2.3.4:500: initial Main Mode 
message received on 5.6.7.8:500 but no connection has been authorized

[root at fw4 root]# ipsec verify
...
Checking tun0x1002 at 81.174.27.90 from 10.0.0.0/24 to 192.168.1.0/24 
[FAILED]
...

.. on another machine I have:

[root at fw root]# tail /var/log/secure
Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: STATE_MAIN_R2: sent 
MR2, expecting MI3
Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: Main mode peer ID 
is ID_IPV4_ADDR: '5.6.7.8'
Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: I did not send a 
certificate because I do not have one.
Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: transition from 
state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: STATE_MAIN_R3: sent 
MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 
prf=oakley_md5 group=modp1536}
Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: responding to Quick 
Mode {msgid:6317e120}
Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: transition from 
state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: STATE_QUICK_R1: 
sent QR1, inbound IPsec SA installed, expecting QI2
Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: transition from 
state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: STATE_QUICK_R2: 
IPsec SA established {ESP=>0xad0ad0df <0x4e967ad3 xfrm=3DES_0-HMAC_MD5 
NATD=none DPD=none}

[root at fw root]# ipsec verify
..
Checking tun0x1004 at 213.92.106.59 from 192.168.1.0/24 to 10.0.0.0/24 
[FAILED]
...

.. the ipsec.conf on both endpoints is:

interfaces="ipsec0=eth0"
conn %default
authby=rsasig
esp=3des
conn sedeprinsedesecond
auto=start
pfs=yes
left=1.2.3.4
leftsubnet=192.168.1.0/24
leftnexthop=1.2.3.5
leftrsasigkey=0sAQO...
right=5.6.7.8
rightsubnet=10.0.0.0/24
rightnexthop=5.6.7.9
rightrsasigkey=0sAQ...

thanks again.

------
Salvatore.


----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "sasa" <sasa at shoponweb.it>
Cc: <users at openswan.org>
Sent: Thursday, November 10, 2005 9:55 PM
Subject: Re: [Openswan Users] payload problem


> On Thu, 10 Nov 2005, sasa wrote:
>
>> [root at fw root]# ipsec version
>> Linux Openswan Ucvs2002Mar11_19:19:03/K2.1.2rc3 (klips)
>> See `ipsec --copyright' for copyright information.
>> [root at fw root]# rpm -qa|grep openswan
>> openswan-2.4.0-23.rhfc1.at
>> openswan-kmdl-2.4.22-1.2199.nptl_53.rhfc1.at-2.3.1-21.rhfc1.at
>
> That is not a healthy combination. The klips module loaded is
> 2.1.2 based and not 2.3.1 like the rpm claims. Also, the userland
> is a cvs snapshot while the rpm claims 2.4.0? You might have an
> install in /usr and /usr/local
>
>> [root at fw4 ~]# ipsec version
>> Linux Openswan U2.4.0/K2.6.12-1.1381_FC3 (netkey)
>> See `ipsec --copyright' for copyright information.
>> [root at fw4 ~]# rpm -qa|grep openswan
>> openswan-2.4.0-1
>> openswan-klips-2.4.0-2.6.12_1.1378_FC3_1
>
> You are using NETKEY, not KLIPS on that machine.
>
> Paul
> 
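
The version check described in the quoted reply, as an added example that is not part of the original thread: it compares the `ipsec version` banner with the installed RPM names and reports where running code and packages disagree. The function names are hypothetical, the sample input is copied from the messages above, and reading the K field as the loaded KLIPS module version is an assumption based on the two banners shown.

```python
import re

# Constructed sample input: command output copied from the quoted messages above.
HOSTS = {
    "fw": ("Linux Openswan Ucvs2002Mar11_19:19:03/K2.1.2rc3 (klips)",
           ["openswan-2.4.0-23.rhfc1.at",
            "openswan-kmdl-2.4.22-1.2199.nptl_53.rhfc1.at-2.3.1-21.rhfc1.at"]),
    "fw4": ("Linux Openswan U2.4.0/K2.6.12-1.1381_FC3 (netkey)",
            ["openswan-2.4.0-1",
             "openswan-klips-2.4.0-2.6.12_1.1378_FC3_1"]),
}

VERSION_RE = re.compile(r"Openswan U(?P<user>\S+)/K(?P<kern>\S+) \((?P<stack>\w+)\)")

def parse_ipsec_version(line):
    """Split the `ipsec version` banner into userland, kernel part and stack."""
    m = VERSION_RE.search(line)
    if not m:
        raise ValueError("unrecognised ipsec version line: %r" % line)
    return m.group("user"), m.group("kern"), m.group("stack")

def parse_nvr(package):
    """Split an RPM name-version-release string, working from the right."""
    name, version, release = package.rsplit("-", 2)
    return name, version, release

def audit(version_line, packages):
    """Return mismatches between the running code and the installed RPMs."""
    user, kern, stack = parse_ipsec_version(version_line)
    findings = []
    for name, version, _release in map(parse_nvr, packages):
        is_kmod = name == "openswan-klips" or name.startswith("openswan-kmdl")
        if name == "openswan" and user != version:
            findings.append("userland %s running, rpm %s installed" % (user, version))
        elif is_kmod and stack != "klips":
            findings.append("%s installed but stack in use is %s" % (name, stack))
        elif is_kmod and not kern.startswith(version):
            # Assumption: with KLIPS the K field is the loaded module's version.
            findings.append("klips %s loaded, %s provides %s" % (kern, name, version))
    return findings

if __name__ == "__main__":
    for host, (line, pkgs) in HOSTS.items():
        for finding in audit(line, pkgs) or ["no mismatch found"]:
            print("%s: %s" % (host, finding))
```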


