[Openswan Users] book example yields - No route to host...not authenticated using

Bruce S. Skinner Bruce.Skinner at norsteadfarm.ca
Sun Nov 26 16:15:29 EST 2006


Hello,

When I try the Host-to-Host example setup described in "Building and
Implementing Virtual Private Networks with Openswan", page 82, I get
the following "no route / not authenticated" error.

  pluto[4529]: "sample" #1: ERROR: asynchronous network error report
  on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant
  172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1
  (not authenticated)]

Is this an authentication issue or a routing issue?

Before I start ipsec I can ping from host to host. After running
/etc/init.d/ipsec start I see link-level routes appear on eth0 of left
and right sides for the IP address of the peer, but no traffic flows
and pluto logs the above error.

I'm running Openswan Linux U2.4.5/K2.6.17-10-generic (netkey) (Ubuntu
"edgy") on both systems.

regards :-)
BruceS

LEFTSIDE
--------

root@gw:~# ip route show
10.1.1.0/24 dev eth0  proto kernel  scope link  src 10.1.1.11 
10.1.2.0/24 dev eth1  proto kernel  scope link  src 10.1.2.1 
default via 10.1.1.1 dev eth0 

root@gw:~# ping 172.31.1.200
PING 172.31.1.200 (172.31.1.200) 56(84) bytes of data.
64 bytes from 172.31.1.200: icmp_seq=1 ttl=63 time=1.71 ms

root@gw:~# traceroute 172.31.1.200
traceroute to 172.31.1.200 (172.31.1.200), 30 hops max, 40 byte packets
 1  10.1.1.1 (10.1.1.1)  0.466 ms  1.308 ms  0.098 ms
 2  172.31.1.200 (172.31.1.200)  0.590 ms  1.134 ms  1.081 ms

root@gw:~# date
Sun Nov 26 14:47:03 AST 2006

root@gw:~# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.5...
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/key/af_key.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ah4.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/esp4.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ipcomp.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/tunnel4.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/xfrm4_tunnel.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/xfrm/xfrm_user.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko 
ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko): No such device
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko 
ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko): No such device
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/sha1.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/des.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/aes.ko 

root@gw:~# ip route show
172.31.1.200 dev eth0  scope link 
10.1.1.0/24 dev eth0  proto kernel  scope link  src 10.1.1.11 
10.1.2.0/24 dev eth1  proto kernel  scope link  src 10.1.2.1 
default via 10.1.1.1 dev eth0 

root@gw:~# date
Sun Nov 26 14:47:47 AST 2006

/var/log/syslog
---------------

Nov 26 14:47:25 gw kernel: [17179692.816000] NET: Registered protocol family 15
Nov 26 14:47:25 gw kernel: [17179692.904000] Initializing IPsec netlink socket
Nov 26 14:47:25 gw kernel: [17179692.964000] padlock: VIA PadLock not detected.
Nov 26 14:47:25 gw ipsec_setup: KLIPS ipsec0 on eth0 10.1.1.11/255.255.255.0 broadcast 10.1.1.255 
Nov 26 14:47:26 gw ipsec_setup: ...Openswan IPsec started
Nov 26 14:47:26 gw ipsec_setup: Starting Openswan IPsec 2.4.5...
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/key/af_key.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ah4.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/esp4.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ipcomp.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/tunnel4.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/xfrm4_tunnel.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/xfrm/xfrm_user.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko 
Nov 26 14:47:26 gw ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko): No such device
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko 
Nov 26 14:47:26 gw ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko): No such device
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/sha1.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/des.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/aes.ko 
Nov 26 14:47:26 gw ipsec__plutorun: 104 "sample" #1: STATE_MAIN_I1: initiate
Nov 26 14:47:26 gw ipsec__plutorun: ...could not start conn "sample"

/var/log/auth.log
-----------------

Nov 26 14:47:25 gw ipsec__plutorun: Starting Pluto subsystem...
Nov 26 14:47:25 gw pluto[4532]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEGfuJ[Ye{Ah)
Nov 26 14:47:25 gw pluto[4532]: Setting NAT-Traversal port-4500 floating to off
Nov 26 14:47:25 gw pluto[4532]:    port floating activation criteria nat_t=0/port_fload=1
Nov 26 14:47:25 gw pluto[4532]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Nov 26 14:47:25 gw pluto[4532]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 26 14:47:25 gw pluto[4532]: starting up 1 cryptographic helpers
Nov 26 14:47:25 gw pluto[4532]: started helper pid=4538 (fd:6)
Nov 26 14:47:25 gw pluto[4532]: Using Linux 2.6 IPsec interface code on 2.6.17-10-generic
Nov 26 14:47:26 gw pluto[4532]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 26 14:47:26 gw pluto[4532]: Changing to directory '/etc/ipsec.d/aacerts'
Nov 26 14:47:26 gw pluto[4532]: Changing to directory '/etc/ipsec.d/ocspcerts'
Nov 26 14:47:26 gw pluto[4532]: Changing to directory '/etc/ipsec.d/crls'
Nov 26 14:47:26 gw pluto[4532]:   Warning: empty directory
Nov 26 14:47:26 gw pluto[4532]: added connection description "sample"
Nov 26 14:47:26 gw pluto[4532]: listening for IKE messages
Nov 26 14:47:26 gw pluto[4532]: adding interface eth1/eth1 10.1.2.1:500
Nov 26 14:47:26 gw pluto[4532]: adding interface eth0/eth0 10.1.1.11:500
Nov 26 14:47:26 gw pluto[4532]: adding interface lo/lo 127.0.0.1:500
Nov 26 14:47:26 gw pluto[4532]: adding interface lo/lo ::1:500
Nov 26 14:47:26 gw pluto[4532]: loading secrets from "/etc/ipsec.secrets"
Nov 26 14:47:26 gw pluto[4532]: "sample" #1: initiating Main Mode
Nov 26 14:47:39 gw pluto[4532]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:49:15 gw pluto[4532]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:49:55 gw pluto[4532]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:55:04 gw last message repeated 2 times
Nov 26 14:55:44 gw pluto[4532]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 15:01:04 gw last message repeated 2 times

/etc/ipsec.conf
---------------

# /etc/ipsec.conf - Openswan IPsec configuration file

version	2.0

config setup
	interfaces=%defaultroute

conn %default
	authby=rsasig

conn sample
	left=10.1.1.11
	right=172.31.1.200
	type=tunnel
	# RSA 2048 bits   gw   Sun Nov 26 11:45:54 2006
	leftrsasigkey=0sAQOLN9ThgpqFfu+hpcpy/BDCJj82oakzQ/X87KKAT1Ba+jj1DyUN4oTBd1WrNgaqMS4XOZeCZCFjDrO4LYgLTL0lBXKkz/+nmtVJadLlWesVUVNLPBZ+GQMrv8i4a257Ut6G4PAI0fInXP3T5SAEJ8k0S/ix5KVzxpGo5noZ5QKW/C04F2xVGyUqah98Q1wdQBIIE/9N8nkU5CL4GfEBTw0RVuLIVwsP0UXNvIYqhxzfXLkiotYBcoKKwOKCjr8BEIrpsGPRQDeHFGOrLlXRq11MeCCHnumJEze9J6WpqQ2vk+QbohZZae1v+/Y858FVii9H2A/8h9eieEA8Y1TadHvV
	# RSA 2048 bits   gw   Sun Nov 26 11:57:40 2006
	rightrsasigkey=0sAQN4diBgDiCl2HcJ74M3Ggnp9BjA2KtxKNJiAmpLNn+jjr/Y9xv5JIXS2mdrWmEwbqYm0PzRpJIOJ6raXc+s86LRf7fC3EE+HsG8Gp9T11AyLdiSwwXFnrCPLwi7VP6C2oM6d3I3X3N0uC7vlNsbTZZiqfWw9iHVlh/DmpHPgvjyf9jc0fFRhWHWE8/lZTTP7fGLr+l7ve8L6we3x1EaRuIz+nPc32l21ZnfSQci3QY5I8e8WWLgjovIAlpcnnvEyyMJEoJKRumjdnTJFZ6uXR+S3m9zgaCt5dsQyDqs3ACNlHwqPqiyYkarstbReJx9KI5jgyB+EmkNq1aDAeJJDp8P
	auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

/etc/ipsec.secrets
------------------

# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
: RSA	{
	# RSA 2048 bits   gw   Sun Nov 26 11:45:54 2006
	# for signatures only, UNSAFE FOR ENCRYPTION
	}

RIGHTSIDE
---------

root@gw:~# ip route show
10.2.1.0/24 dev eth1  proto kernel  scope link  src 10.2.1.1 
172.31.1.0/24 dev eth0  proto kernel  scope link  src 172.31.1.200 
default via 172.31.1.1 dev eth0 

root@gw:~# ping 10.1.1.11
PING 10.1.1.11 (10.1.1.11) 56(84) bytes of data.
64 bytes from 10.1.1.11: icmp_seq=1 ttl=63 time=1.29 ms

root@gw:~# traceroute 10.1.1.11
traceroute to 10.1.1.11 (10.1.1.11), 30 hops max, 40 byte packets
 1  172.31.1.1 (172.31.1.1)  0.866 ms  1.024 ms  0.223 ms
 2  10.1.1.11 (10.1.1.11)  1.331 ms  0.426 ms  0.254 ms

root@gw:~# date
Sun Nov 26 14:46:40 AST 2006

root@gw:~# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.5...
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/key/af_key.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ah4.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/esp4.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ipcomp.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/tunnel4.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/xfrm4_tunnel.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/xfrm/xfrm_user.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko 
ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko): No such device
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko 
ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko): No such device
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/sha1.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/des.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/aes.ko 

root@gw:~# ip route show
10.1.1.11 dev eth0  scope link 
10.2.1.0/24 dev eth1  proto kernel  scope link  src 10.2.1.1 
172.31.1.0/24 dev eth0  proto kernel  scope link  src 172.31.1.200 
default via 172.31.1.1 dev eth0 

root@gw:~# date
Sun Nov 26 14:48:49 AST 2006

root@gw:~# ping 10.1.1.11
connect: Resource temporarily unavailable
root@gw:~# date
Sun Nov 26 14:49:01 AST 2006
root@gw:~# ping 10.1.1.11
connect: Resource temporarily unavailable
root@gw:~#

/var/log/syslog
---------------

Nov 26 14:47:01 gw kernel: [17179698.772000] NET: Registered protocol family 15
Nov 26 14:47:01 gw kernel: [17179698.852000] Initializing IPsec netlink socket
Nov 26 14:47:01 gw kernel: [17179698.916000] padlock: VIA PadLock not detected.
Nov 26 14:47:01 gw ipsec_setup: KLIPS ipsec0 on eth0 172.31.1.200/255.255.255.0 broadcast 172.31.1.255 
Nov 26 14:47:01 gw ipsec_setup: ...Openswan IPsec started
Nov 26 14:47:01 gw ipsec_setup: Starting Openswan IPsec 2.4.5...
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/key/af_key.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ah4.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/esp4.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ipcomp.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/tunnel4.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/xfrm4_tunnel.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/xfrm/xfrm_user.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko 
Nov 26 14:47:01 gw ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko): No such device
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko 
Nov 26 14:47:01 gw ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko): No such device
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/sha1.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/des.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/aes.ko 
Nov 26 14:47:02 gw ipsec__plutorun: 104 "sample" #1: STATE_MAIN_I1: initiate
Nov 26 14:47:02 gw ipsec__plutorun: ...could not start conn "sample"

/var/log/auth.log
-----------------

Nov 26 14:47:01 gw ipsec__plutorun: Starting Pluto subsystem...
Nov 26 14:47:02 gw pluto[4529]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEGfuJ[Ye{Ah)
Nov 26 14:47:02 gw pluto[4529]: Setting NAT-Traversal port-4500 floating to off
Nov 26 14:47:02 gw pluto[4529]:    port floating activation criteria nat_t=0/port_fload=1
Nov 26 14:47:02 gw pluto[4529]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Nov 26 14:47:02 gw pluto[4529]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 26 14:47:02 gw pluto[4529]: starting up 1 cryptographic helpers
Nov 26 14:47:02 gw pluto[4529]: started helper pid=4541 (fd:6)
Nov 26 14:47:02 gw pluto[4529]: Using Linux 2.6 IPsec interface code on 2.6.17-10-generic
Nov 26 14:47:02 gw pluto[4529]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 26 14:47:02 gw pluto[4529]: Changing to directory '/etc/ipsec.d/aacerts'
Nov 26 14:47:02 gw pluto[4529]: Changing to directory '/etc/ipsec.d/ocspcerts'
Nov 26 14:47:02 gw pluto[4529]: Changing to directory '/etc/ipsec.d/crls'
Nov 26 14:47:02 gw pluto[4529]:   Warning: empty directory
Nov 26 14:47:02 gw pluto[4529]: added connection description "sample"
Nov 26 14:47:02 gw pluto[4529]: listening for IKE messages
Nov 26 14:47:02 gw pluto[4529]: adding interface eth1/eth1 10.2.1.1:500
Nov 26 14:47:02 gw pluto[4529]: adding interface eth0/eth0 172.31.1.200:500
Nov 26 14:47:02 gw pluto[4529]: adding interface lo/lo 127.0.0.1:500
Nov 26 14:47:02 gw pluto[4529]: adding interface lo/lo ::1:500
Nov 26 14:47:02 gw pluto[4529]: loading secrets from "/etc/ipsec.secrets"
Nov 26 14:47:02 gw pluto[4529]: "sample" #1: initiating Main Mode
Nov 26 14:47:02 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 10.1.1.11: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 26 14:47:06 gw pluto[4529]: packet from 10.1.1.11:500: received Vendor ID payload [Openswan (this version) 2.4.5  X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Nov 26 14:47:06 gw pluto[4529]: packet from 10.1.1.11:500: received Vendor ID payload [Dead Peer Detection]
Nov 26 14:47:06 gw pluto[4529]: "sample" #2: responding to Main Mode
Nov 26 14:47:06 gw pluto[4529]: "sample" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 26 14:47:06 gw pluto[4529]: "sample" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 26 14:47:09 gw pluto[4529]: "sample" #2: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:47:15 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:47:19 gw pluto[4529]: "sample" #2: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:48:53 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:48:53 gw pluto[4529]: "sample" #2: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:48:53 gw pluto[4529]: initiate on demand from 172.31.1.200:0 to 10.1.1.11:0 proto=0 state: fos_start because: acquire
Nov 26 14:49:30 gw pluto[4529]: "sample" #2: max number of retransmissions (2) reached STATE_MAIN_R1
Nov 26 14:49:34 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:51:59 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:54:39 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

/etc/ipsec.conf
---------------

# /etc/ipsec.conf - Openswan IPsec configuration file

version	2.0

config setup
	interfaces=%defaultroute

conn %default
	authby=rsasig

conn sample
	left=10.1.1.11
	right=172.31.1.200
	type=tunnel
	# RSA 2048 bits   gw   Sun Nov 26 11:45:54 2006
	leftrsasigkey=0sAQOLN9ThgpqFfu+hpcpy/BDCJj82oakzQ/X87KKAT1Ba+jj1DyUN4oTBd1WrNgaqMS4XOZeCZCFjDrO4LYgLTL0lBXKkz/+nmtVJadLlWesVUVNLPBZ+GQMrv8i4a257Ut6G4PAI0fInXP3T5SAEJ8k0S/ix5KVzxpGo5noZ5QKW/C04F2xVGyUqah98Q1wdQBIIE/9N8nkU5CL4GfEBTw0RVuLIVwsP0UXNvIYqhxzfXLkiotYBcoKKwOKCjr8BEIrpsGPRQDeHFGOrLlXRq11MeCCHnumJEze9J6WpqQ2vk+QbohZZae1v+/Y858FVii9H2A/8h9eieEA8Y1TadHvV
	# RSA 2048 bits   gw   Sun Nov 26 11:57:40 2006
	rightrsasigkey=0sAQN4diBgDiCl2HcJ74M3Ggnp9BjA2KtxKNJiAmpLNn+jjr/Y9xv5JIXS2mdrWmEwbqYm0PzRpJIOJ6raXc+s86LRf7fC3EE+HsG8Gp9T11AyLdiSwwXFnrCPLwi7VP6C2oM6d3I3X3N0uC7vlNsbTZZiqfWw9iHVlh/DmpHPgvjyf9jc0fFRhWHWE8/lZTTP7fGLr+l7ve8L6we3x1EaRuIz+nPc32l21ZnfSQci3QY5I8e8WWLgjovIAlpcnnvEyyMJEoJKRumjdnTJFZ6uXR+S3m9zgaCt5dsQyDqs3ACNlHwqPqiyYkarstbReJx9KI5jgyB+EmkNq1aDAeJJDp8P
	auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

/etc/ipsec.secrets
------------------

# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
: RSA	{
	# RSA 2048 bits   gw   Sun Nov 26 11:57:40 2006
	# for signatures only, UNSAFE FOR ENCRYPTION
	}

-- 

Norstead Farm - Bruce & Carole Skinner
RR#1 Waterville NS Canada B0P 1V0
 Tel: 902-538-1765
Cell: 902-670-6456
 Fax: 902-538-1794
<mailto:bruce.skinner at norsteadfarm.ca>
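
Added example, not part of the original post: a small parser for pluto's "asynchronous network error report" line, combined with a check of `ip route show` output for a gateway-less host route to a peer that lies outside every connected subnet. The sample inputs are copied from the LEFTSIDE output above; the function names and the `suspect_host_route` heuristic are illustrative assumptions, not Openswan code.

```python
import ipaddress
import re

# ICMP type 3 (destination unreachable) codes that appear in the post's logs.
ICMP_UNREACH = {1: "host unreachable", 3: "port unreachable"}

# "(not authenticated)" is pluto's tag on the ICMP report itself (ICMP errors
# carry no authentication); it is not the result of IKE/RSA authentication.
ERR_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): ERROR: asynchronous network error report '
    r'on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) for message to (?P<dst>[\d.]+) '
    r'port (?P<dport>\d+), complainant (?P<complainant>[\d.]+): (?P<text>.+?) '
    r'\[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) code (?P<code>\d+)'
)

def parse_error(line):
    """Split one pluto error-report line into typed fields, or return None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("state", "sport", "dport", "errno", "type", "code"):
        rec[key] = int(rec[key])
    return rec

def parse_routes(text):
    """Parse IPv4 `ip route show` output into a list of route dicts."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        pick = lambda kw: f[f.index(kw) + 1] if kw in f else None
        routes.append({"net": ipaddress.ip_network(dest), "gw": pick("via"),
                       "dev": pick("dev"), "src": pick("src")})
    return routes

def lookup(routes, dst):
    """Longest-prefix match over the parsed table."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None

def diagnose(line, routes, local_addrs):
    """Relate one error report to the routing table of the host that logged it."""
    err = parse_error(line)
    if err is None:
        return None
    peer = ipaddress.ip_address(err["dst"])
    route = lookup(routes, err["dst"])
    on_link = route is not None and route["gw"] is None
    # A kernel-installed connected route carries "src"; the host route does not.
    connected = any(r["src"] and peer in r["net"] for r in routes)
    return {
        "icmp": ICMP_UNREACH.get(err["code"], "other") if err["type"] == 3 else "other",
        "reported_by_local_host": err["complainant"] in local_addrs,
        "peer_routed_on_link": on_link,
        "suspect_host_route": on_link and not connected,
    }

# Sample inputs copied from the LEFTSIDE section of the post.
ROUTES_BEFORE = """10.1.1.0/24 dev eth0  proto kernel  scope link  src 10.1.1.11
10.1.2.0/24 dev eth1  proto kernel  scope link  src 10.1.2.1
default via 10.1.1.1 dev eth0"""
ROUTES_AFTER = "172.31.1.200 dev eth0  scope link\n" + ROUTES_BEFORE
LEFT_LOG = ('Nov 26 14:47:39 gw pluto[4532]: "sample" #1: ERROR: asynchronous network '
            'error report on eth0 (sport=500) for message to 172.31.1.200 port 500, '
            'complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 '
            'code 1 (not authenticated)]')
LEFT_ADDRS = {"10.1.1.11", "10.1.2.1"}  # from pluto's "adding interface" lines

if __name__ == "__main__":
    print("before ipsec start:", diagnose(LEFT_LOG, parse_routes(ROUTES_BEFORE), LEFT_ADDRS))
    print("after ipsec start: ", diagnose(LEFT_LOG, parse_routes(ROUTES_AFTER), LEFT_ADDRS))
```
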

