No connection has been authorized was: Re: [Openswan Users] payload problem

sasa sasa at shoponweb.it
Wed Nov 16 20:04:46 CET 2005


"Paul Wouters" wrote:

>> Checking tun0x1002 at 81.174.27.90 from 10.0.0.0/24 to 192.168.1.0/24 
>> [FAILED]
>
> Looks like you are not excluding NAT for ipsec packets....

.. but what I don't understand, then, is why the VPN connection works well 
occasionally? In the log file I have:

Nov 16 19:26:56 fw4 pluto[1659]: packet from 81.174.9.14:500: received 
Vendor ID payload [Openswan (this version) cvs2002Mar11_19:19:03 
X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Nov 16 19:26:56 fw4 pluto[1659]: packet from 81.174.9.14:500: received 
Vendor ID payload [Dead Peer Detection]
Nov 16 19:26:56 fw4 pluto[1659]: packet from 81.174.9.14:500: initial Main 
Mode message received on 213.92.106.59:500 but no connection has been 
authorized

but in ..

[root at fw4 root]# ipsec whack --status
000 interface ipsec0/eth0 213.92.106.59
...
000
000 "sedeprinsedesecond": 
10.0.0.0/24===213.92.106.59[@213-92-106-59.f5.ngi.it]---213.92.106.57...81.174.27.89---81.174.27.90[@81-174-27-90.f5.ngi.it]===192.168.1.0/24; 
erouted; eroute owner: #2

I have a different address ??
and the ipsec connection is created..

...
#2: "sedeprinsedesecond":500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 23056s; newest IPSEC; eroute owner

..on the other end-point I have:

000 "sedeprinsedesecond": 
192.168.1.0/24===81.174.27.90[@81-174-27-90.f5.ngi.it]---81.174.27.89...213.92.106.57---213.92.106.59[@213-92-106-59.f5.ngi.it]===10.0.0.0/24; 
erouted; eroute owner: #45
000 "sedeprinsedesecond":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
dstup=ipsec _updown;
000 "sedeprinsedesecond":   ike_life: 3600s; ipsec_life: 28800s; 
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sedeprinsedesecond":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 
24,24; interface: eth0;
000 "sedeprinsedesecond":   newest ISAKMP SA: #49; newest IPsec SA: #45;
000 "sedeprinsedesecond":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "sedeprinsedesecond":   ESP algorithms wanted: 3_000-1, 3_000-2, 
flags=-strict
000 "sedeprinsedesecond":   ESP algorithms loaded: 3_000-1, 3_000-2, 
flags=-strict
000 "sedeprinsedesecond":   ESP algorithm newest: 3DES_0-HMAC_MD5; 
pfsgroup=<Phase1>
000
000 #49: "sedeprinsedesecond":7 STATE_MAIN_R3 (sent MR3, ISAKMP SA 
established); EVENT_SA_REPLACE in 749s; newest ISAKMP; lastdpd=-1s(seq in:0 
out:0)
000 #45: "sedeprinsedesecond":7 STATE_QUICK_R2 (IPsec SA established); 
EVENT_SA_REPLACE in 23426s; newest IPSEC; eroute owner
000 #45: "sedeprinsedesecond" used 269s ago; esp.2ed3f37b at 213.92.106.59 
esp.bb383322 at 81.174.27.90 tun.100c at 213.92.106.59 tun.100b at 81.174.27.90
000 #53: "sedeprinsedesecond":500 STATE_MAIN_I1 (sent MI1, expecting MR1); 
EVENT_RETRANSMIT in 24s; nodpd
000 #53: pending Phase 2 for "sedeprinsedesecond" replacing #26
000 #53: pending Phase 2 for "sedeprinsedesecond" replacing #3
000 #53: pending Phase 2 for "sedeprinsedesecond" replacing #0
000

thanks again.

------
Salvatore.
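
The address mismatch raised in this message can be checked mechanically: the sketch below (an added example, not part of the original post and not Openswan code) lists the source address of each rejected Main Mode packet that is not a gateway end of any loaded connection. The function names and both regular expressions are assumptions based only on the line layouts quoted in this post.

```python
import re

# Lines copied from the post above, with the mail line-wrapping undone.
PLUTO_LOG = """\
Nov 16 19:26:56 fw4 pluto[1659]: packet from 81.174.9.14:500: received Vendor ID payload [Dead Peer Detection]
Nov 16 19:26:56 fw4 pluto[1659]: packet from 81.174.9.14:500: initial Main Mode message received on 213.92.106.59:500 but no connection has been authorized
"""
WHACK_STATUS = """\
000 interface ipsec0/eth0 213.92.106.59
000 "sedeprinsedesecond": 10.0.0.0/24===213.92.106.59[@213-92-106-59.f5.ngi.it]---213.92.106.57...81.174.27.89---81.174.27.90[@81-174-27-90.f5.ngi.it]===192.168.1.0/24; erouted; eroute owner: #2
"""

# Assumed layouts: the rejection message and the 'left...right;' connection line.
REJECT_RE = re.compile(
    r"packet from (?P<src>[\d.]+):\d+: initial Main Mode message received on "
    r"(?P<local>[\d.]+):\d+ but no connection has been authorized")
CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)": (?P<left>\S+?)\.\.\.(?P<right>[^;\s]+);')

def end_host(side, is_left):
    """Return the gateway address of one end, dropping subnet, next hop and [id]."""
    if is_left:   # subnet===host[id]---nexthop
        side = side.split("===")[-1].split("---")[0]
    else:         # nexthop---host[id]===subnet
        side = side.split("===")[0].split("---")[-1]
    return side.split("[")[0]

def configured_peers(status):
    """Map each connection name to the set of its two gateway addresses."""
    peers = {}
    for line in status.splitlines():
        m = CONN_RE.match(line)
        if m:
            peers[m["name"]] = {end_host(m["left"], True), end_host(m["right"], False)}
    return peers

def unmatched_initiators(log, status):
    """Map each rejected source IP to the conns whose local end received it."""
    peers = configured_peers(status)
    known = set().union(*peers.values())
    out = {}
    for m in REJECT_RE.finditer(log):
        if m["src"] not in known:
            out[m["src"]] = sorted(n for n, ends in peers.items() if m["local"] in ends)
    return out

if __name__ == "__main__":
    print(unmatched_initiators(PLUTO_LOG, WHACK_STATUS))
```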


