No connection has been authorized was: Re: [Openswan Users] payload problem
sasa
sasa at shoponweb.it
Thu Nov 17 13:46:08 CET 2005
Hi, I am going crazy with this vpn!
The ipsec connection is up; in fact:
>#2: "sedeprinsedesecond":500 STATE_QUICK_I2 (sent QI2, IPsec SA
>established); EVENT_SA_REPLACE in 23056s; newest IPSEC; eroute owner
..but I have this error message:
>Nov 16 10:45:45 fw4 pluto[3936]: packet from 1.2.3.5:500: initial Main Mode
>message received on 5.6.7.8:500 but no connection has been authorized
..now, why do I have a connection that is not authorized? The ip address 1.2.3.5
is the router address and isn't the public address on fw/vpn; in fact, in
ipsec.conf I have:
#public ip on fw/vpn
left=1.2.3.4
leftsubnet=192.168.1.0/24
#public ip on router (gw for fw/vpn)
leftnexthop=1.2.3.5
#public ip on fw/vpn
right=5.6.7.8
rightsubnet=10.0.0.0/24
#public ip on router (gw for fw/vpn)
rightnexthop=5.6.7.9
..shouldn't the vpn connection (when the log file says "not authorized")
refer to 1.2.3.4, and not to 1.2.3.5 ?!
In fact:
#ipsec whack --status
...
000 "sedeprinsedesecond":
10.0.0.0/24===5.6.7.8[@5.6.7.8.f5.ngi.it]---5.6.7.9...1.2.3.5---1.2.3.4[@1.2.3.4.f5.ngi.it]===192.168.1.0/24;
thanks again.
------
Salvatore.
----- Original Message -----
From: "sasa" <sasa at shoponweb.it>
To: "Paul Wouters" <paul at xelerance.com>
Cc: <users at openswan.org>
Sent: Wednesday, November 16, 2005 11:32 AM
Subject: No connection has been authorized was: Re: [Openswan Users] payload problem
> Hi, unfortunately the hard disk on one machine is wrong and now I have
> another machine in the vpn and the error message has changed; in particular on
> the new machine I have:
>
> [root at fw4 root]# tail /var/log/secure
> Nov 16 10:45:11 fw4 pluto[3936]: "sedeprinsedesecond" #1: transition from
> state STATE_MAIN_I3 to state STATE_MAIN_I4
> Nov 16 10:45:11 fw4 pluto[3936]: "sedeprinsedesecond" #1: ISAKMP SA
> established
> Nov 16 10:45:11 fw4 pluto[3936]: "sedeprinsedesecond" #2: initiating Quick
> Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Nov 16 10:45:12 fw4 pluto[3936]: "sedeprinsedesecond" #2: transition from
> state STATE_QUICK_I1 to state STATE_QUICK_I2
> Nov 16 10:45:12 fw4 pluto[3936]: "sedeprinsedesecond" #2: sent QI2, IPsec
> SA established {ESP=>0x4e967ad3 <0xad0ad0df xfrm=3DES_0-HMAC_MD5}
> Nov 16 10:45:28 fw4 pluto[3936]: "sedeprinsedesecond" #1: ignoring Delete
> SA payload: PROTO_IPSEC_ESP SA(0x4e967ad2) not found (maybe expired)
> Nov 16 10:45:28 fw4 pluto[3936]: "sedeprinsedesecond" #1: received and
> ignored informational message
> Nov 16 10:45:45 fw4 pluto[3936]: packet from 1.2.3.4:500: received Vendor
> ID payload [Openswan (this version) cvs2002Mar11_19:19:03 X.509-1.5.4
> PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> Nov 16 10:45:45 fw4 pluto[3936]: packet from 1.2.3.4:500: received Vendor
> ID payload [Dead Peer Detection]
> Nov 16 10:45:45 fw4 pluto[3936]: packet from 1.2.3.4:500: initial Main
> Mode message received on 5.6.7.8:500 but no connection has been authorized
>
> [root at fw4 root]# ipsec verify
> ...
> Checking tun0x1002 at 81.174.27.90 from 10.0.0.0/24 to 192.168.1.0/24
> [FAILED]
> ...
>
> .. on the other machine I have:
>
> [root at fw root]# tail /var/log/secure
> Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: STATE_MAIN_R2:
> sent MR2, expecting MI3
> Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: Main mode peer ID
> is ID_IPV4_ADDR: '5.6.7.8'
> Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: I did not send a
> certificate because I do not have one.
> Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: transition from
> state STATE_MAIN_R2 to state STATE_MAIN_R3
> Nov 16 10:45:33 fw pluto[2526]: "sedeprinsedesecond" #4: STATE_MAIN_R3:
> sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: responding to
> Quick Mode {msgid:6317e120}
> Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: transition from
> state STATE_QUICK_R0 to state STATE_QUICK_R1
> Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: STATE_QUICK_R1:
> sent QR1, inbound IPsec SA installed, expecting QI2
> Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: transition from
> state STATE_QUICK_R1 to state STATE_QUICK_R2
> Nov 16 10:45:34 fw pluto[2526]: "sedeprinsedesecond" #5: STATE_QUICK_R2:
> IPsec SA established {ESP=>0xad0ad0df <0x4e967ad3 xfrm=3DES_0-HMAC_MD5
> NATD=none DPD=none}
>
> [root at fw root]# ipsec verify
> ..
> Checking tun0x1004 at 213.92.106.59 from 192.168.1.0/24 to 10.0.0.0/24
> [FAILED]
> ...
>
> .. the ipsec.conf on both end-points is:
>
> interfaces="ipsec0=eth0"
> conn %default
>     authby=rsasig
>     esp=3des
> conn sedeprinsedesecond
>     auto=start
>     pfs=yes
>     left=1.2.3.4
>     leftsubnet=192.168.1.0/24
>     leftnexthop=1.2.3.5
>     leftrsasigkey=0sAQO...
>     right=5.6.7.8
>     rightsubnet=10.0.0.0/24
>     rightnexthop=5.6.7.9
>     rightrsasigkey=0sAQ...
>
> thanks again.
>
> ------
> Salvatore.
>
>
> ----- Original Message -----
> From: "Paul Wouters" <paul at xelerance.com>
> To: "sasa" <sasa at shoponweb.it>
> Cc: <users at openswan.org>
> Sent: Thursday, November 10, 2005 9:55 PM
> Subject: Re: [Openswan Users] payload problem
>
>
>> On Thu, 10 Nov 2005, sasa wrote:
>>
>>> [root at fw root]# ipsec version
>>> Linux Openswan Ucvs2002Mar11_19:19:03/K2.1.2rc3 (klips)
>>> See `ipsec --copyright' for copyright information.
>>> [root at fw root]# rpm -qa|grep openswan
>>> openswan-2.4.0-23.rhfc1.at
>>> openswan-kmdl-2.4.22-1.2199.nptl_53.rhfc1.at-2.3.1-21.rhfc1.at
>>
>> That is not a healthy combination. The klips module loaded is
>> 2.1.2 based and not 2.3.1 like the rpm claims. Also, the userland
>> is a cvs snapshot while the rpm claims 2.4.0? You might have an
>> install in /usr and /usr/local
>>
>>> [root at fw4 ~]# ipsec version
>>> Linux Openswan U2.4.0/K2.6.12-1.1381_FC3 (netkey)
>>> See `ipsec --copyright' for copyright information.
>>> [root at fw4 ~]# rpm -qa|grep openswan
>>> openswan-2.4.0-1
>>> openswan-klips-2.4.0-2.6.12_1.1378_FC3_1
>>
>> You are using NETKEY, not KLIPS on that machine.
>>
>> Paul
>>
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
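To show what the pluto message this thread is about actually reports, here is an added example (not from the thread or from Openswan) that parses a conn like the one posted above and classifies a "no connection has been authorized" line by whether its source address is a configured endpoint, a configured nexthop, or unknown to any conn. SAMPLE_CONF, SAMPLE_LOG and the NAT hint attached to a nexthop match are constructed assumptions, not something the list discussion confirms.

```python
import re

# Constructed sample: the conn from this thread, indented as ipsec.conf requires
SAMPLE_CONF = """\
conn sedeprinsedesecond
    left=1.2.3.4
    leftsubnet=192.168.1.0/24
    leftnexthop=1.2.3.5
    right=5.6.7.8
    rightsubnet=10.0.0.0/24
    rightnexthop=5.6.7.9
"""
# Constructed log line modelled on the pluto message quoted in the thread
SAMPLE_LOG = ("Nov 16 10:45:45 fw4 pluto[3936]: packet from 1.2.3.5:500: initial "
              "Main Mode message received on 5.6.7.8:500 but no connection has been authorized")

UNAUTH_RE = re.compile(r"packet from (?P<src>[\d.]+):\d+: .*received on "
                       r"(?P<dst>[\d.]+):\d+ but no connection has been authorized")

def parse_conns(text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}}, comments dropped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def triage_unauthorized(log_line, conns):
    """Classify a 'no connection has been authorized' line; None for other lines."""
    m = UNAUTH_RE.search(log_line)
    if not m:
        return None
    src, dst = m.group("src"), m.group("dst")
    for name, c in conns.items():
        for side, other in (("left", "right"), ("right", "left")):
            if c.get(side) == src and c.get(other) == dst:
                return {"conn": name, "src": src, "role": side,
                        "hint": "addresses match; look at peer ID and RSA key"}
            if c.get(side + "nexthop") == src:
                # Assumed explanation: the router in front of the peer is NATing it
                return {"conn": name, "src": src, "role": side + "nexthop",
                        "hint": f"IKE came from the {side} router, not {side}={c.get(side)}"}
    return {"conn": None, "src": src, "role": None,
            "hint": "no conn lists this address; pluto refused it, as designed"}
```

Run against the sample, the line from the thread is classified as coming from leftnexthop (1.2.3.5) rather than from left (1.2.3.4), which is the mismatch the question is asking about.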