[Openswan Users] [Openswan dev] book example yields - No route to host...not authenticated using

Bruce S. Skinner Bruce.Skinner at norsteadfarm.ca
Sun Nov 26 16:40:25 EST 2006


Paul Wouters <paul at xelerance.com> writes:

> On Sun, 26 Nov 2006, Bruce S. Skinner wrote:
>
> [changed dev@ to user@ as this is not an openswan bug/issue]
Sorry about that, I realized that after I sent it, but wasn't quick
enough at blowing it out of the mail queue.  A case of fingers quicker
than the mind again...

>
>>
>> When I try the Host-to-Host example setup described in "Building and
>> Implementing Virtual Private Networks with Openswan", page 82, I get
>> the following "no route / not authenticated" error.
>>
>>   pluto[4529]: "sample" #1: ERROR: asynchronous network error report
>>   on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant
>>   172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1
>>   (not authenticated)]
>>
>> Is this an authentication issue or a routing issue?
>
> A router in the middle, 172.31.1.200, cannot reach 10.1.1.11.

It doesn't appear to be that simple, as the router in the middle is a
single machine with two interfaces, one at 172.31.1.1 and one at 10.1.1.1.  It
routes both ways before I start openswan, as indicated in the
traceroute/ping examples below.  It appears that routing breaks only
after openswan is started...

>
>> Before I start ipsec I can ping from host to host. After running
>> /etc/init.d/ipsec start I see link level routes appear on eth0 of left
>> and right sides for the ip address of the peer, but no traffic flows
>> and pluto logs the above error.
>
> I don't know why that routing would suddenly break.
>
> Paul
> -- 
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


LEFTSIDE
--------

root at gw:~# ip route show
10.1.1.0/24 dev eth0  proto kernel  scope link  src 10.1.1.11 
10.1.2.0/24 dev eth1  proto kernel  scope link  src 10.1.2.1 
default via 10.1.1.1 dev eth0 

root at gw:~# ping 172.31.1.200
PING 172.31.1.200 (172.31.1.200) 56(84) bytes of data.
64 bytes from 172.31.1.200: icmp_seq=1 ttl=63 time=1.71 ms

root at gw:~# traceroute 172.31.1.200
traceroute to 172.31.1.200 (172.31.1.200), 30 hops max, 40 byte packets
 1  10.1.1.1 (10.1.1.1)  0.466 ms  1.308 ms  0.098 ms
 2  172.31.1.200 (172.31.1.200)  0.590 ms  1.134 ms  1.081 ms

root at gw:~# date
Sun Nov 26 14:47:03 AST 2006

root at gw:~# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.5...
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/key/af_key.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ah4.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/esp4.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ipcomp.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/tunnel4.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/xfrm4_tunnel.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/xfrm/xfrm_user.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko 
ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko): No such device
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko 
ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko): No such device
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/sha1.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/des.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/aes.ko 

root at gw:~# ip route show
172.31.1.200 dev eth0  scope link 
10.1.1.0/24 dev eth0  proto kernel  scope link  src 10.1.1.11 
10.1.2.0/24 dev eth1  proto kernel  scope link  src 10.1.2.1 
default via 10.1.1.1 dev eth0 

root at gw:~# date
Sun Nov 26 14:47:47 AST 2006

/var/log/syslog
---------------

Nov 26 14:47:25 gw kernel: [17179692.816000] NET: Registered protocol family 15
Nov 26 14:47:25 gw kernel: [17179692.904000] Initializing IPsec netlink socket
Nov 26 14:47:25 gw kernel: [17179692.964000] padlock: VIA PadLock not detected.
Nov 26 14:47:25 gw ipsec_setup: KLIPS ipsec0 on eth0 10.1.1.11/255.255.255.0 broadcast 10.1.1.255 
Nov 26 14:47:26 gw ipsec_setup: ...Openswan IPsec started
Nov 26 14:47:26 gw ipsec_setup: Starting Openswan IPsec 2.4.5...
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/key/af_key.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ah4.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/esp4.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ipcomp.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/tunnel4.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/xfrm4_tunnel.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/xfrm/xfrm_user.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko 
Nov 26 14:47:26 gw ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko): No such device
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko 
Nov 26 14:47:26 gw ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko): No such device
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/sha1.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/des.ko 
Nov 26 14:47:26 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/aes.ko 
Nov 26 14:47:26 gw ipsec__plutorun: 104 "sample" #1: STATE_MAIN_I1: initiate
Nov 26 14:47:26 gw ipsec__plutorun: ...could not start conn "sample"

/var/log/auth.log
-----------------

Nov 26 14:47:25 gw ipsec__plutorun: Starting Pluto subsystem...
Nov 26 14:47:25 gw pluto[4532]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEGfuJ[Ye{Ah)
Nov 26 14:47:25 gw pluto[4532]: Setting NAT-Traversal port-4500 floating to off
Nov 26 14:47:25 gw pluto[4532]:    port floating activation criteria nat_t=0/port_fload=1
Nov 26 14:47:25 gw pluto[4532]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Nov 26 14:47:25 gw pluto[4532]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 26 14:47:25 gw pluto[4532]: starting up 1 cryptographic helpers
Nov 26 14:47:25 gw pluto[4532]: started helper pid=4538 (fd:6)
Nov 26 14:47:25 gw pluto[4532]: Using Linux 2.6 IPsec interface code on 2.6.17-10-generic
Nov 26 14:47:26 gw pluto[4532]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 26 14:47:26 gw pluto[4532]: Changing to directory '/etc/ipsec.d/aacerts'
Nov 26 14:47:26 gw pluto[4532]: Changing to directory '/etc/ipsec.d/ocspcerts'
Nov 26 14:47:26 gw pluto[4532]: Changing to directory '/etc/ipsec.d/crls'
Nov 26 14:47:26 gw pluto[4532]:   Warning: empty directory
Nov 26 14:47:26 gw pluto[4532]: added connection description "sample"
Nov 26 14:47:26 gw pluto[4532]: listening for IKE messages
Nov 26 14:47:26 gw pluto[4532]: adding interface eth1/eth1 10.1.2.1:500
Nov 26 14:47:26 gw pluto[4532]: adding interface eth0/eth0 10.1.1.11:500
Nov 26 14:47:26 gw pluto[4532]: adding interface lo/lo 127.0.0.1:500
Nov 26 14:47:26 gw pluto[4532]: adding interface lo/lo ::1:500
Nov 26 14:47:26 gw pluto[4532]: loading secrets from "/etc/ipsec.secrets"
Nov 26 14:47:26 gw pluto[4532]: "sample" #1: initiating Main Mode
Nov 26 14:47:39 gw pluto[4532]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:49:15 gw pluto[4532]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:49:55 gw pluto[4532]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:55:04 gw last message repeated 2 times
Nov 26 14:55:44 gw pluto[4532]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 15:01:04 gw last message repeated 2 times

/etc/ipsec.conf
---------------

# /etc/ipsec.conf - Openswan IPsec configuration file

version	2.0

config setup
	interfaces=%defaultroute

conn %default
	authby=rsasig

conn sample
	left=10.1.1.11
	right=172.31.1.200
	type=tunnel
	# RSA 2048 bits   gw   Sun Nov 26 11:45:54 2006
	leftrsasigkey=0sAQOLN9ThgpqFfu+hpcpy/BDCJj82oakzQ/X87KKAT1Ba+jj1DyUN4oTBd1WrNgaqMS4XOZeCZCFjDrO4LYgLTL0lBXKkz/+nmtVJadLlWesVUVNLPBZ+GQMrv8i4a257Ut6G4PAI0fInXP3T5SAEJ8k0S/ix5KVzxpGo5noZ5QKW/C04F2xVGyUqah98Q1wdQBIIE/9N8nkU5CL4GfEBTw0RVuLIVwsP0UXNvIYqhxzfXLkiotYBcoKKwOKCjr8BEIrpsGPRQDeHFGOrLlXRq11MeCCHnumJEze9J6WpqQ2vk+QbohZZae1v+/Y858FVii9H2A/8h9eieEA8Y1TadHvV
	# RSA 2048 bits   gw   Sun Nov 26 11:57:40 2006
	rightrsasigkey=0sAQN4diBgDiCl2HcJ74M3Ggnp9BjA2KtxKNJiAmpLNn+jjr/Y9xv5JIXS2mdrWmEwbqYm0PzRpJIOJ6raXc+s86LRf7fC3EE+HsG8Gp9T11AyLdiSwwXFnrCPLwi7VP6C2oM6d3I3X3N0uC7vlNsbTZZiqfWw9iHVlh/DmpHPgvjyf9jc0fFRhWHWE8/lZTTP7fGLr+l7ve8L6we3x1EaRuIz+nPc32l21ZnfSQci3QY5I8e8WWLgjovIAlpcnnvEyyMJEoJKRumjdnTJFZ6uXR+S3m9zgaCt5dsQyDqs3ACNlHwqPqiyYkarstbReJx9KI5jgyB+EmkNq1aDAeJJDp8P
	auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

/etc/ipsec.secrets
------------------

# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
: RSA	{
	# RSA 2048 bits   gw   Sun Nov 26 11:45:54 2006
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey=0sAQOLN9ThgpqFfu+hpcpy/BDCJj82oakzQ/X87KKAT1Ba+jj1DyUN4oTBd1WrNgaqMS4XOZeCZCFjDrO4LYgLTL0lBXKkz/+nmtVJadLlWesVUVNLPBZ+GQMrv8i4a257Ut6G4PAI0fInXP3T5SAEJ8k0S/ix5KVzxpGo5noZ5QKW/C04F2xVGyUqah98Q1wdQBIIE/9N8nkU5CL4GfEBTw0RVuLIVwsP0UXNvIYqhxzfXLkiotYBcoKKwOKCjr8BEIrpsGPRQDeHFGOrLlXRq11MeCCHnumJEze9J6WpqQ2vk+QbohZZae1v+/Y858FVii9H2A/8h9eieEA8Y1TadHvV
	Modulus: 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
	PublicExponent: 0x03
	# everything after this point is secret
	PrivateExponent: 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
	Prime1: 0xfa8dcc1003ea2907271666bbca3e061920191e45dafd443412fbe445de3d72f985b7eb609ae467c58c792a126b15813b1a83da4efce0ef32011bf7cfe35d277f638f63212b610f3f44911905f71860c9d13318bc91819b04f5a29e39864915c2797d278ca1b96a3abfdb3b8066b45e40ff323e6dd38410388a58a2f8e83b1d71
	Prime2: 0x8e3e821dd567aa011cb3f5770555ee812f2678b59b599ab040419f8da82bfcc988c7fd4f0f72fe4229433fd2e90da1b1740b26dc4c974a8d1047672cc28e122ef04edf6ba63d138b323556339f291d066b47679da1988d661acede50814f11076e5cd35462fa349838a1ae2ad039ef55cab465c188be7994fd54dac706c9a2a5
	Exponent1: 0xa70932b557f170af6f64447d317eaebb6abb6983e75382cd61fd42d93ed3a1fbae7a9ceb11ed9a83b2fb71619cb900d211ad3c34a895f4cc00bd4fdfece8c4ff97b4ecc0c7960a2a2db610aea4baeb313622107db6566758a3c1bed10430b92c50fe1a5dc12646d1d53cd25599cd942b54cc299e8d02b57b06e5c1fb457cbe4b
	Exponent2: 0x5ed456be8e451c00bdcd4e4f58e3f4561f6efb23bce667202ad66a5e701d533105daa8df5fa1fed6c62cd537460916764d5cc492ddba31b3602f9a1dd7096174a03494f26ed3625ccc238ecd14c613599cda4513c1105e4411df3ee05634b604f43de23841fc231025c11ec7357bf4e3dc7843d65b29a663538de72f59dbc1c3
	Coefficient: 0xb770b22ff39c2143f936fd0065b725cffd9759f2ca4d71044ca8d305eabd4857e578e6f59e04d74a07eaab3186290a8fe815302c7d99653ccd0612c356d1df48c8279f8951c5ce7a14b9457aaf3b868e31d5cd4d810b0045686d71eb2999809a4c98cf9e67a50a07f81657b20f9c70db17eb1cfcc5e2eb9b82e50044e36a57f2
	}

RIGHTSIDE
---------

root at gw:~# ip route show
10.2.1.0/24 dev eth1  proto kernel  scope link  src 10.2.1.1 
172.31.1.0/24 dev eth0  proto kernel  scope link  src 172.31.1.200 
default via 172.31.1.1 dev eth0 

root at gw:~# ping 10.1.1.11
PING 10.1.1.11 (10.1.1.11) 56(84) bytes of data.
64 bytes from 10.1.1.11: icmp_seq=1 ttl=63 time=1.29 ms

root at gw:~# traceroute 10.1.1.11
traceroute to 10.1.1.11 (10.1.1.11), 30 hops max, 40 byte packets
 1  172.31.1.1 (172.31.1.1)  0.866 ms  1.024 ms  0.223 ms
 2  10.1.1.11 (10.1.1.11)  1.331 ms  0.426 ms  0.254 ms

root at gw:~# date
Sun Nov 26 14:46:40 AST 2006

root at gw:~# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.5...
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/key/af_key.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ah4.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/esp4.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ipcomp.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/tunnel4.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/xfrm4_tunnel.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/xfrm/xfrm_user.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko 
ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko): No such device
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko 
ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko): No such device
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/sha1.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/des.ko 
ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/aes.ko 

root at gw:~# ip route show
10.1.1.11 dev eth0  scope link 
10.2.1.0/24 dev eth1  proto kernel  scope link  src 10.2.1.1 
172.31.1.0/24 dev eth0  proto kernel  scope link  src 172.31.1.200 
default via 172.31.1.1 dev eth0 

root at gw:~# date
Sun Nov 26 14:48:49 AST 2006

root at gw:~# ping 10.1.1.11
connect: Resource temporarily unavailable
root at gw:~# date
Sun Nov 26 14:49:01 AST 2006
root at gw:~# ping 10.1.1.11
connect: Resource temporarily unavailable
root at gw:~# 

/var/log/syslog
---------------

Nov 26 14:47:01 gw kernel: [17179698.772000] NET: Registered protocol family 15
Nov 26 14:47:01 gw kernel: [17179698.852000] Initializing IPsec netlink socket
Nov 26 14:47:01 gw kernel: [17179698.916000] padlock: VIA PadLock not detected.
Nov 26 14:47:01 gw ipsec_setup: KLIPS ipsec0 on eth0 172.31.1.200/255.255.255.0 broadcast 172.31.1.255 
Nov 26 14:47:01 gw ipsec_setup: ...Openswan IPsec started
Nov 26 14:47:01 gw ipsec_setup: Starting Openswan IPsec 2.4.5...
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/key/af_key.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ah4.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/esp4.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/ipcomp.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/tunnel4.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/ipv4/xfrm4_tunnel.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/net/xfrm/xfrm_user.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko 
Nov 26 14:47:01 gw ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-10-generic/kernel/drivers/char/hw_random.ko): No such device
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko 
Nov 26 14:47:01 gw ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.17-10-generic/kernel/drivers/crypto/padlock.ko): No such device
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/sha1.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/des.ko 
Nov 26 14:47:01 gw ipsec_setup: insmod /lib/modules/2.6.17-10-generic/kernel/crypto/aes.ko 
Nov 26 14:47:02 gw ipsec__plutorun: 104 "sample" #1: STATE_MAIN_I1: initiate
Nov 26 14:47:02 gw ipsec__plutorun: ...could not start conn "sample"

/var/log/auth.log
-----------------

Nov 26 14:47:01 gw ipsec__plutorun: Starting Pluto subsystem...
Nov 26 14:47:02 gw pluto[4529]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEGfuJ[Ye{Ah)
Nov 26 14:47:02 gw pluto[4529]: Setting NAT-Traversal port-4500 floating to off
Nov 26 14:47:02 gw pluto[4529]:    port floating activation criteria nat_t=0/port_fload=1
Nov 26 14:47:02 gw pluto[4529]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Nov 26 14:47:02 gw pluto[4529]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 26 14:47:02 gw pluto[4529]: starting up 1 cryptographic helpers
Nov 26 14:47:02 gw pluto[4529]: started helper pid=4541 (fd:6)
Nov 26 14:47:02 gw pluto[4529]: Using Linux 2.6 IPsec interface code on 2.6.17-10-generic
Nov 26 14:47:02 gw pluto[4529]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 26 14:47:02 gw pluto[4529]: Changing to directory '/etc/ipsec.d/aacerts'
Nov 26 14:47:02 gw pluto[4529]: Changing to directory '/etc/ipsec.d/ocspcerts'
Nov 26 14:47:02 gw pluto[4529]: Changing to directory '/etc/ipsec.d/crls'
Nov 26 14:47:02 gw pluto[4529]:   Warning: empty directory
Nov 26 14:47:02 gw pluto[4529]: added connection description "sample"
Nov 26 14:47:02 gw pluto[4529]: listening for IKE messages
Nov 26 14:47:02 gw pluto[4529]: adding interface eth1/eth1 10.2.1.1:500
Nov 26 14:47:02 gw pluto[4529]: adding interface eth0/eth0 172.31.1.200:500
Nov 26 14:47:02 gw pluto[4529]: adding interface lo/lo 127.0.0.1:500
Nov 26 14:47:02 gw pluto[4529]: adding interface lo/lo ::1:500
Nov 26 14:47:02 gw pluto[4529]: loading secrets from "/etc/ipsec.secrets"
Nov 26 14:47:02 gw pluto[4529]: "sample" #1: initiating Main Mode
Nov 26 14:47:02 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 10.1.1.11: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 26 14:47:06 gw pluto[4529]: packet from 10.1.1.11:500: received Vendor ID payload [Openswan (this version) 2.4.5  X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Nov 26 14:47:06 gw pluto[4529]: packet from 10.1.1.11:500: received Vendor ID payload [Dead Peer Detection]
Nov 26 14:47:06 gw pluto[4529]: "sample" #2: responding to Main Mode
Nov 26 14:47:06 gw pluto[4529]: "sample" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 26 14:47:06 gw pluto[4529]: "sample" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 26 14:47:09 gw pluto[4529]: "sample" #2: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:47:15 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:47:19 gw pluto[4529]: "sample" #2: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:48:53 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:48:53 gw pluto[4529]: "sample" #2: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:48:53 gw pluto[4529]: initiate on demand from 172.31.1.200:0 to 10.1.1.11:0 proto=0 state: fos_start because: acquire
Nov 26 14:49:30 gw pluto[4529]: "sample" #2: max number of retransmissions (2) reached STATE_MAIN_R1
Nov 26 14:49:34 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:51:59 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 14:54:39 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

/etc/ipsec.conf
---------------

# /etc/ipsec.conf - Openswan IPsec configuration file

version	2.0

config setup
	interfaces=%defaultroute

conn %default
	authby=rsasig

conn sample
	left=10.1.1.11
	right=172.31.1.200
	type=tunnel
	# RSA 2048 bits   gw   Sun Nov 26 11:45:54 2006
	leftrsasigkey=0sAQOLN9ThgpqFfu+hpcpy/BDCJj82oakzQ/X87KKAT1Ba+jj1DyUN4oTBd1WrNgaqMS4XOZeCZCFjDrO4LYgLTL0lBXKkz/+nmtVJadLlWesVUVNLPBZ+GQMrv8i4a257Ut6G4PAI0fInXP3T5SAEJ8k0S/ix5KVzxpGo5noZ5QKW/C04F2xVGyUqah98Q1wdQBIIE/9N8nkU5CL4GfEBTw0RVuLIVwsP0UXNvIYqhxzfXLkiotYBcoKKwOKCjr8BEIrpsGPRQDeHFGOrLlXRq11MeCCHnumJEze9J6WpqQ2vk+QbohZZae1v+/Y858FVii9H2A/8h9eieEA8Y1TadHvV
	# RSA 2048 bits   gw   Sun Nov 26 11:57:40 2006
	rightrsasigkey=0sAQN4diBgDiCl2HcJ74M3Ggnp9BjA2KtxKNJiAmpLNn+jjr/Y9xv5JIXS2mdrWmEwbqYm0PzRpJIOJ6raXc+s86LRf7fC3EE+HsG8Gp9T11AyLdiSwwXFnrCPLwi7VP6C2oM6d3I3X3N0uC7vlNsbTZZiqfWw9iHVlh/DmpHPgvjyf9jc0fFRhWHWE8/lZTTP7fGLr+l7ve8L6we3x1EaRuIz+nPc32l21ZnfSQci3QY5I8e8WWLgjovIAlpcnnvEyyMJEoJKRumjdnTJFZ6uXR+S3m9zgaCt5dsQyDqs3ACNlHwqPqiyYkarstbReJx9KI5jgyB+EmkNq1aDAeJJDp8P
	auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

/etc/ipsec.secrets
------------------

# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
: RSA	{
	# RSA 2048 bits   gw   Sun Nov 26 11:57:40 2006
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey=0sAQN4diBgDiCl2HcJ74M3Ggnp9BjA2KtxKNJiAmpLNn+jjr/Y9xv5JIXS2mdrWmEwbqYm0PzRpJIOJ6raXc+s86LRf7fC3EE+HsG8Gp9T11AyLdiSwwXFnrCPLwi7VP6C2oM6d3I3X3N0uC7vlNsbTZZiqfWw9iHVlh/DmpHPgvjyf9jc0fFRhWHWE8/lZTTP7fGLr+l7ve8L6we3x1EaRuIz+nPc32l21ZnfSQci3QY5I8e8WWLgjovIAlpcnnvEyyMJEoJKRumjdnTJFZ6uXR+S3m9zgaCt5dsQyDqs3ACNlHwqPqiyYkarstbReJx9KI5jgyB+EmkNq1aDAeJJDp8P
	Modulus: 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
	PublicExponent: 0x03
	# everything after this point is secret
	PrivateExponent: 0x1413b010025ac64ebe81a7eb33d9ac51a8aecacec73d86cdbb00670c891545ed1ff97e84a986164dcf113c8f1032bd1bb122d4cd9b6dad069c79ba4d477df0783ff3f5cf603505204a046fe34e8d5db24ec32080f6451d6d3281748e2a6b246b34693db3e53de8c95d27ee24848cee65c6fe482905a399054b446da295d4286a699a3587c3702a3230c3658966d342c3213ed2025439a4b052a8a7470a0f22efd4317c31bed56800b56cf1fa8aac820fa4346d1fe56a782e77d84ef3a4604bf011a77f20591999dab19123b9df7f98c193505756c3e94b1c9a79e262a4ccba50667dfc8f536cecac43059d793c3ec0f10c50ee9c81d34bd98423ea1a4232c4c7
	Prime1: 0xb203d5adf07a7f770e91504515f15b3903bb330fac5c90492b9cfaedb4fda5cfb8a2a287d7a05c4190ae4c3398f3a4a0eae6f546f56e15fb76038b373ad69d670a12213ca5ac4f5335c8997e9a136491a735eec5f864b65fe1572c6eaf1b5400f319abbfac9484340c60ebe64a02548bf8ba27a90de73de36234abf5e9b31f73
	Prime2: 0xad3bbb14cc69e531e0aa33e7b5eb0225c07bca5e18389f7fec26e0b928ee6ac548a8512d18d609540e0d0f1004078825039ad55c8aa1a4b5bd44f7b166ac661b9513664b8aa3b9031599a5c4d74c2677c35778b310d16ccf9095bfee5018dbb1221ca78d1140366e145434bae9024e5c20e36129f98e08aedb76d94ed22ae2f5
	Exponent1: 0x76ad391ea051aa4f5f0b8ad8b94b9226027cccb51d930adb7268a7492353c3dfd06c6c5a8fc03d810b1edd77bb4d186b4744a384a39eb9524ead077a2739be44b1616b7dc3c834e223db10ff1162430bc4ce9f2ea598799540e4c849ca123800a2111d2a730dad7808409d443156e307fb26c51b5e9a2942417872a3f12214f7
	Exponent2: 0x737d276332f1437695c6cd4523f2016e805286e9657b14fff2c495d0c5f4472e3070361e108eb0e2b408b4b55805056e026738e85c6bc323d3834fcb99c84412636244325c6d26020e666e833a32c44fd78fa5ccb5e0f3350b0e7ff43565e7cb6c131a5e0b80244962e2cdd1f0ac343d6b4240c6a65eb074924f3b89e171eca3
	Coefficient: 0x708e62e04d744f030557a27d189fcf7c374774f24aad62406236d93bfd03bd8a860cba70fa78184168760c7820335470ea4361bfbb9d24617ff60b844abefc8d0fff8710759dc26e10f03aa432f00139772463cf5bf524e02c6d7112fe942210e52682453dbb13f6aed15959d8db3c4285176acd4762ca8e7715681dc1e8b323
	}

-- 

Norstead Farm - Bruce & Carole Skinner
RR#1 Waterville NS Canada B0P 1V0
 Tel: 902-538-1765
Cell: 902-670-6456
 Fax: 902-538-1794
<mailto:bruce.skinner at norsteadfarm.ca>
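The question in this thread is whether the pluto "No route to host" error is an authentication or a routing problem. Two pieces of evidence in the captured output answer it: the route tables gain a single-host `scope link` route for the peer after `ipsec start` (the peer is on a different subnet, so a link-scope route tells the kernel to deliver to it directly instead of via the default gateway), and the `complainant` in each error is the sending host's own address, so the local kernel generated the report. The "(not authenticated)" tag is part of pluto's decoding of the ICMP origin (ICMP reports carry no authentication); it is not an IKE authentication verdict. The following script is an added example written for this page, not code from the thread or from Openswan: it parses `ip route show` snapshots taken before and after startup, flags link-scope host routes that fall outside any connected prefix, and parses the pluto error lines into errno/ICMP fields and a plain-language origin. The route lines and log lines embedded below are constructed to mirror the thread's output; the set of local addresses is an assumption the caller supplies.

```python
"""Separate a routing failure from an IKE authentication failure by
reading 'ip route show' snapshots and pluto's network error lines.
Added example; sample inputs are constructed to resemble the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed route snapshots (right-hand side, before and after ipsec start).
ROUTES_BEFORE = """\
10.2.1.0/24 dev eth1  proto kernel  scope link  src 10.2.1.1
172.31.1.0/24 dev eth0  proto kernel  scope link  src 172.31.1.200
default via 172.31.1.1 dev eth0
"""
ROUTES_AFTER = """\
10.1.1.11 dev eth0  scope link
10.2.1.0/24 dev eth1  proto kernel  scope link  src 10.2.1.1
172.31.1.0/24 dev eth0  proto kernel  scope link  src 172.31.1.200
default via 172.31.1.1 dev eth0
"""
# Constructed pluto lines in the format seen in /var/log/auth.log.
PLUTO_LOG = """\
Nov 26 14:47:02 gw pluto[4529]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 10.1.1.11: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 26 14:47:06 gw pluto[4529]: "sample" #2: responding to Main Mode
Nov 26 14:47:09 gw pluto[4529]: "sample" #2: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""

# ICMP destination-unreachable codes (RFC 792 / RFC 1812) that matter here.
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed", 13: "administratively prohibited"}

ERR_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): ERROR: asynchronous '
    r'network error report on (?P<iface>\S+) \(sport=\d+\) for message to '
    r'(?P<peer>[\d.]+) port \d+, complainant (?P<complainant>[\d.]+): '
    r'(?P<text>[^\[]+?) \[errno (?P<errno>\d+), origin ICMP type '
    r'(?P<itype>\d+) code (?P<icode>\d+)')


@dataclass
class NetError:
    conn: str
    state: int
    iface: str
    peer: str
    complainant: str
    text: str
    errno: int
    icmp_type: int
    icmp_code: int


def parse_routes(text: str) -> Dict[str, Dict[str, str]]:
    """Map each destination to its key/value attributes (dev, scope, via, ...)."""
    routes: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens:
            routes[tokens[0]] = dict(zip(tokens[1::2], tokens[2::2]))
    return routes


def new_routes(before: str, after: str) -> List[str]:
    """Destinations present only in the 'after' snapshot."""
    seen = parse_routes(before)
    return [d for d in parse_routes(after) if d not in seen]


def off_subnet_host_routes(text: str) -> List[str]:
    """Single-host link-scope routes not covered by any connected prefix:
    the kernel will try to reach these hosts directly on the link."""
    routes = parse_routes(text)
    prefixes = [ipaddress.ip_network(d) for d in routes if "/" in d]
    found = []
    for dest, attrs in routes.items():
        if dest == "default" or "/" in dest or attrs.get("scope") != "link":
            continue
        if not any(ipaddress.ip_address(dest) in p for p in prefixes):
            found.append(dest)
    return found


def parse_pluto_errors(log: str) -> List[NetError]:
    """Extract the structured fields from each asynchronous error line."""
    out = []
    for line in log.splitlines():
        m = ERR_RE.search(line)
        if m:
            out.append(NetError(m["conn"], int(m["state"]), m["iface"], m["peer"],
                                m["complainant"], m["text"].strip(), int(m["errno"]),
                                int(m["itype"]), int(m["icode"])))
    return out


def classify(err: NetError, local_addrs: Set[str]) -> str:
    """Name the ICMP cause and who reported it; none of this involves IKE auth."""
    if err.icmp_type != 3:
        return f"ICMP type {err.icmp_type} code {err.icmp_code}"
    reason = UNREACH_CODES.get(err.icmp_code, f"unreachable code {err.icmp_code}")
    if err.complainant in local_addrs:
        origin = "local kernel"          # our own stack could not deliver
    elif err.complainant == err.peer:
        origin = "the peer itself"       # peer reached, nothing listening
    else:
        origin = f"intermediate router {err.complainant}"
    return f"{reason} reported by {origin}"


if __name__ == "__main__":
    local = {"172.31.1.200", "10.2.1.1"}   # assumed addresses of this host
    print("routes added by ipsec start:", new_routes(ROUTES_BEFORE, ROUTES_AFTER))
    print("off-subnet link-scope host routes:", off_subnet_host_routes(ROUTES_AFTER))
    for e in parse_pluto_errors(PLUTO_LOG):
        print(f'{e.conn} #{e.state} errno {e.errno}: {classify(e, local)}')
```

Run it against real captures by replacing the constructed strings with the output of `ip route show` (taken before and after `/etc/init.d/ipsec start`) and the pluto lines from auth.log. A "host unreachable reported by local kernel" verdict together with an off-subnet link-scope route to the same peer points at the route table, which is where to look before touching keys or `authby`.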

