[Openswan Users] net 2 net connection
William Man
williamman at visualrock.co.uk
Wed Sep 14 21:17:22 CEST 2005
Hi,
I am still having problems when connecting... here is the section out of the
secure.log
Hope someone could shed some light....
Thanks
William
-----------------------------
Sep 14 15:47:28 site1 pluto[6481]: loading secrets from "/etc/ipsec.secrets"
Sep 14 15:47:56 site1 pluto[6481]: packet from 10.0.0.1:500: ignoring Vendor
ID payload [4f454578616c467b5f6f606d]
Sep 14 15:47:56 site1 pluto[6481]: packet from 10.0.0.1:500: received Vendor
ID payload [Dead Peer Detection]
Sep 14 15:47:56 site1 pluto[6481]: packet from 10.0.0.1:500: ignoring Vendor
ID payload [4a131c81070358455c5728f20e95452f]
Sep 14 15:47:56 site1 pluto[6481]: packet from 10.0.0.1:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 14 15:47:56 site1 pluto[6481]: packet from 10.0.0.1:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using
method 108
Sep 14 15:47:56 site1 pluto[6481]: packet from 10.0.0.1:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #1: responding to Main Mode
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #1: transition from state
(null) to state STATE_MAIN_R1
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #1: NAT-Traversal: Result
using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #1: Peer ID is ID_FQDN:
'@site2.hostname.co.uk'
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #1: I did not send a
certificate because I do not have one.
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #1: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #1: sent MR3, ISAKMP SA
established
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #2: IPsec Transform [ESP_AES
(0), AUTH_ALGORITHM_HMAC_SHA1] refused due to insecure key_len and enc. alg.
not listed in "esp" string
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #2: no acceptable Proposal
in IPsec SA
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #2: sending encrypted
notification NO_PROPOSAL_CHOSEN to 10.0.0.1:500
Sep 14 15:48:06 site1 pluto[6481]: "net-to-net" #1: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0x64487026
(perhaps this is a duplicated packet)
Sep 14 15:48:06 site1 pluto[6481]: "net-to-net" #1: sending encrypted
notification INVALID_MESSAGE_ID to 10.0.0.1:500
Sep 14 15:48:26 site1 pluto[6481]: "net-to-net" #1: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0x64487026
(perhaps this is a duplicated packet)
Sep 14 15:48:26 site1 pluto[6481]: "net-to-net" #1: sending encrypted
notification INVALID_MESSAGE_ID to 10.0.0.1:500
Sep 14 15:49:52 site1 pluto[6481]: "net-to-net" #3: initiating Quick Mode
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Sep 14 15:49:52 site1 pluto[6481]: ERROR: "net-to-net" #3: pfkey write() of
SADB_ADD message 6 for Add SA comp.3507 at 10.0.0.2 failed. Errno 22: Invalid
argument
Sep 14 15:49:52 site1 pluto[6481]: | 02 03 00 0a 0b 00 00 00 06 00 00 00
51 19 00 00
Sep 14 15:49:52 site1 pluto[6481]: | 03 00 01 00 00 00 35 07 00 01 00 02
00 00 00 00
Sep 14 15:49:52 site1 pluto[6481]: | ff ff ff ff 00 00 00 00 03 00 05 00
00 00 00 00
Sep 14 15:49:52 site1 pluto[6481]: | 02 00 00 00 52 2b 2f 0e 00 00 00 00
00 00 00 00
Sep 14 15:49:52 site1 pluto[6481]: | 03 00 06 00 00 00 00 00 02 00 00 00
52 2b 5e 47
Sep 14 15:49:52 site1 pluto[6481]: | 00 00 00 00 00 00 00 00
Sep 14 15:49:52 site1 pluto[6481]: | pfkey_lib_debug:pfkey_msg_parse: satype
0 conversion to proto failed for msg_type 4 (delete).
Sep 14 15:49:52 site1 pluto[6481]: | pfkey_lib_debug:pfkey_msg_build:
Trouble parsing newly built pfkey message, error=-22.
Sep 14 15:49:53 site1 pluto[6481]: "net-to-net" #3: pfkey_msg_build of
Delete SA unk0.1001 at 10.0.0.2 failed, code -22
Sep 14 15:50:02 site1 pluto[6481]: ERROR: "net-to-net" #3: pfkey write() of
SADB_ADD message 9 for Add SA comp.3507 at 10.0.0.2 failed. Errno 22: Invalid
argument
Sep 14 15:50:02 site1 pluto[6481]: | 02 03 00 0a 0b 00 00 00 09 00 00 00
51 19 00 00
Sep 14 15:50:02 site1 pluto[6481]: | 03 00 01 00 00 00 35 07 00 01 00 02
00 00 00 00
Sep 14 15:50:02 site1 pluto[6481]: | ff ff ff ff 00 00 00 00 03 00 05 00
00 00 00 00
Sep 14 15:50:02 site1 pluto[6481]: | 02 00 00 00 52 2b 2f 0e 00 00 00 00
00 00 00 00
Sep 14 15:50:02 site1 pluto[6481]: | 03 00 06 00 00 00 00 00 02 00 00 00
52 2b 5e 47
Sep 14 15:50:02 site1 pluto[6481]: | 00 00 00 00 00 00 00 00
Sep 14 15:50:02 site1 pluto[6481]: | pfkey_lib_debug:pfkey_msg_parse: satype
0 conversion to proto failed for msg_type 4 (delete).
Sep 14 15:50:02 site1 pluto[6481]: | pfkey_lib_debug:pfkey_msg_build:
Trouble parsing newly built pfkey message, error=-22.
Sep 14 15:50:02 site1 pluto[6481]: "net-to-net" #3: pfkey_msg_build of
Delete SA unk0.1002 at 10.0.0.2 failed, code -22
Sep 14 15:50:23 site1 pluto[6481]: ERROR: "net-to-net" #3: pfkey write() of
SADB_ADD message 12 for Add SA comp.3507 at 10.0.0.2 failed. Errno 22: Invalid
argument
Sep 14 15:50:23 site1 pluto[6481]: | 02 03 00 0a 0b 00 00 00 0c 00 00 00
51 19 00 00
Sep 14 15:50:23 site1 pluto[6481]: | 03 00 01 00 00 00 35 07 00 01 00 02
00 00 00 00
Sep 14 15:50:23 site1 pluto[6481]: | ff ff ff ff 00 00 00 00 03 00 05 00
00 00 00 00
Sep 14 15:50:23 site1 pluto[6481]: | 02 00 00 00 52 2b 2f 0e 00 00 00 00
00 00 00 00
Sep 14 15:50:23 site1 pluto[6481]: | 03 00 06 00 00 00 00 00 02 00 00 00
52 2b 5e 47
Sep 14 15:50:23 site1 pluto[6481]: | 00 00 00 00 00 00 00 00
Sep 14 15:50:23 site1 pluto[6481]: | pfkey_lib_debug:pfkey_msg_parse: satype
0 conversion to proto failed for msg_type 4 (delete).
Sep 14 15:50:23 site1 pluto[6481]: | pfkey_lib_debug:pfkey_msg_build:
Trouble parsing newly built pfkey message, error=-22.
Sep 14 15:50:23 site1 pluto[6481]: "net-to-net" #3: pfkey_msg_build of
Delete SA unk0.1003 at 10.0.0.2 failed, code -22
Sep 14 15:51:03 site1 pluto[6481]: ERROR: "net-to-net" #3: pfkey write() of
SADB_ADD message 15 for Add SA comp.3507 at 10.0.0.2 failed. Errno 22: Invalid
argument
Sep 14 15:51:03 site1 pluto[6481]: | 02 03 00 0a 0b 00 00 00 0f 00 00 00
51 19 00 00
Sep 14 15:51:03 site1 pluto[6481]: | 03 00 01 00 00 00 35 07 00 01 00 02
00 00 00 00
Sep 14 15:51:03 site1 pluto[6481]: | ff ff ff ff 00 00 00 00 03 00 05 00
00 00 00 00
Sep 14 15:51:03 site1 pluto[6481]: | 02 00 00 00 52 2b 2f 0e 00 00 00 00
00 00 00 00
Sep 14 15:51:03 site1 pluto[6481]: | 03 00 06 00 00 00 00 00 02 00 00 00
52 2b 5e 47
Sep 14 15:51:03 site1 pluto[6481]: | 00 00 00 00 00 00 00 00
Sep 14 15:51:03 site1 pluto[6481]: | pfkey_lib_debug:pfkey_msg_parse: satype
0 conversion to proto failed for msg_type 4 (delete).
Sep 14 15:51:03 site1 pluto[6481]: | pfkey_lib_debug:pfkey_msg_build:
Trouble parsing newly built pfkey message, error=-22.
Sep 14 15:51:03 site1 pluto[6481]: "net-to-net" #3: pfkey_msg_build of
Delete SA unk0.1004 at 10.0.0.2 failed, code -22
Sep 14 15:51:03 site1 pluto[6481]: "net-to-net" #3: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our
first Quick Mode message: perhaps peer likes no proposal
Sep 14 15:51:42 site1 pluto[6481]: "net-to-net" #1: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0xe869ae43
(perhaps this is a duplicated packet)
Sep 14 15:51:42 site1 pluto[6481]: "net-to-net" #1: sending encrypted
notification INVALID_MESSAGE_ID to 10.0.0.1:500
Sep 14 15:52:23 site1 pluto[6481]: "net-to-net" #1: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0xe869ae43
(perhaps this is a duplicated packet)
Sep 14 15:52:23 site1 pluto[6481]: "net-to-net" #1: sending encrypted
notification INVALID_MESSAGE_ID to 10.0.0.1:500
Sep 14 15:52:32 site1 pluto[6481]: "net-to-net" #1: received Delete SA
payload: deleting ISAKMP State #1
Sep 14 15:52:32 site1 pluto[6481]: packet from 10.0.0.1:500: received and
ignored informational message
Sep 14 15:52:32 site1 pluto[6481]: ERROR: asynchronous network error report
on eth0 for message to 10.0.0.1 port 500, complainant 10.0.0.1: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Sep 14 15:52:46 site1 pluto[6481]: shutting down
Sep 14 15:52:46 site1 pluto[6481]: forgetting secrets
Sep 14 15:52:46 site1 pluto[6481]: "net-to-net": deleting connection
Sep 14 15:52:46 site1 pluto[6481]: shutting down interface ipsec0/eth0
10.0.0.2
Sep 14 15:52:47 site1 pluto[6481]: shutting down interface ipsec0/eth0
10.0.0.2
-----------------------------
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]On
Behalf Of William Man
Sent: Wednesday, September 14, 2005 9:32 AM
To: users at openswan.org
Subject: Re: [Openswan Users] net 2 net connection
Doh, ah yes. I did in fact add this line, copied from some tutorial site.
However, they added the '#' char in the front, which I didn't realize meant
that it is commented out.
At least ipsec is starting up now, now need to see if I can connect
Thanks!
William
----- Original Message -----
From: "Paul Wouters" <paul at xelerance.com>
To: "William Man" <williamman at visualrock.co.uk>
Cc: <users at openswan.org>
Sent: Tuesday, September 13, 2005 3:13 PM
Subject: Re: [Openswan Users] net 2 net connection
> On Tue, 13 Sep 2005, William Man wrote:
>
> > This is the first time I'm posting so apologies if I make any mistakes.
> > I am looking to make an ipsec connection between 2 sites, both running
> > Linux, below are some details
> > Site_1. External IP 20.0.0.1. Subnet 192.168.1.0/24
> > Site_2. External IP 10.0.0.1. Subnet 192.168.3.0/24
> > Site_1 is using Red Hat 9, using "Linux Openswan Ucvs2002Mar11_19:19:03/K"
> > Site_2 is using Fedora Core 3, using "Linux Openswan U2.3.1/K"
>
> > when site_2 starts up ipsec, the whole of site_2 subnet goes down. Internet
> > is lost.
> > similar happens to site_1, internet is lost.
> > I think there is some kind of routing error, but I'm not sure.
> > The firewall is iptables, and allows accept for 4500, 500, and ipsec
> > protocols.
> > Below is the log of site_2.secure
>
> It looks like you did not disable OE.
> On the openswan-2.3.1 side add an "include /etc/ipsec.d/examples/no_oe.conf"
> On the RH9 side you might need something similar, but the no_oe.conf might
> not be part of that install. Either copy the file or contents to the other
> machine for inclusion.
>
> Paul
> ________________________________________________________________
> This email has been scanned by ClamAV, and should be virus free.
>
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
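Added example, not part of the thread or of Openswan itself: a small triage script for pluto syslog lines like the secure.log posted above, so the failing stage (Main Mode, Quick Mode, or the kernel PF_KEY step) stands out instead of being read off by hand. SAMPLE_LOG is constructed from the shapes of lines in the posted log, and the notes in RULES are my reading of each message, not text from the project.

```python
import re
from collections import Counter

# Constructed sample, shaped like the pluto lines in the secure.log posted above.
SAMPLE_LOG = """\
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #1: sent MR3, ISAKMP SA established
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #2: IPsec Transform [ESP_AES (0), AUTH_ALGORITHM_HMAC_SHA1] refused due to insecure key_len and enc. alg. not listed in "esp" string
Sep 14 15:47:56 site1 pluto[6481]: "net-to-net" #2: sending encrypted notification NO_PROPOSAL_CHOSEN to 10.0.0.1:500
Sep 14 15:48:06 site1 pluto[6481]: "net-to-net" #1: sending encrypted notification INVALID_MESSAGE_ID to 10.0.0.1:500
Sep 14 15:49:52 site1 pluto[6481]: ERROR: "net-to-net" #3: pfkey write() of SADB_ADD message 6 for Add SA comp.3507 at 10.0.0.2 failed. Errno 22: Invalid argument
Sep 14 15:51:03 site1 pluto[6481]: "net-to-net" #3: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# syslog prefix, optional "ERROR: ", optional "<conn>" #<sa>: , then the message text
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?P<err>ERROR: )?(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$')

# (regex on the message text, phase tag, my reading of what the line means for the operator)
RULES = [
    (r'ISAKMP SA established', 'phase1-ok', 'Main Mode done: peer ID and RSA signature accepted'),
    (r'refused due to insecure key_len', 'phase2-fail', 'ESP transform rejected: cipher/key length not in esp= here'),
    (r'NO_PROPOSAL_CHOSEN', 'phase2-fail', 'no IPsec proposal matched; compare esp=, pfs=, compress= on both ends'),
    (r'INVALID_MESSAGE_ID', 'phase2-retry', 'peer retrying Quick Mode with an already used Message ID'),
    (r'pfkey write\(\) of SADB_ADD .* Add SA comp\.', 'kernel-fail', 'kernel refused the IPCOMP SA via PF_KEY (errno 22)'),
    (r'max number of retransmissions', 'phase2-fail', 'our own Quick Mode proposal was never accepted by the peer'),
]

def parse_line(line):
    """Split one pluto syslog line into its fields; None if it is not a pluto line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(text):
    """Return (timestamp, conn, sa, phase, note) for every line some rule explains."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for pat, phase, note in RULES:
            if re.search(pat, rec['msg']):
                findings.append((rec['ts'], rec['conn'], rec['sa'], phase, note))
                break  # first matching rule wins
    return findings

def summarize(text):
    """Count findings per phase so the stage that is failing stands out at a glance."""
    return dict(Counter(f[3] for f in triage(text)))
```

Feed the real secure.log text to triage() and summarize(); a run that shows phase1-ok followed only by phase2-fail and kernel-fail entries points at the esp=/compress= settings rather than at authentication.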