[Openswan Users] [Openswan dev] book example yields - No route to host...not authenticated using

Bruce S. Skinner Bruce.Skinner at norsteadfarm.ca
Sun Nov 26 18:56:41 EST 2006


Paul Wouters <paul at xelerance.com> writes:

> On Sun, 26 Nov 2006, Bruce S. Skinner wrote:
>
>> >>   pluto[4529]: "sample" #1: ERROR: asynchronous network error report
>> >>   on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant
>> >>   172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1
>> >>   (not authenticated)]
>> >>
>> >> Is this an authentication issue or a routing issue?
>> >
>> > A router in the middle, 172.31.1.200, cannot reach 10.1.1.11.
>>
>> It doesn't appear to be that simple, as the router in the middle is a
>> single machine with two interfaces one at 172.31.1.1 and 10.1.1.1.  It
>> routes both ways before I start openswan as indicated in the
>> traceroute/ping examples below.  It appears that routing breaks only
>> after openswan is started...
>
> That should not happen. Are you sure you are not firewalling UDP port 500?
>

iptables -L shows nothing on all three machines left, right and router.

>> 	left=10.1.1.11
>> 	right=172.31.1.200
>> 	type=tunnel
>> 	# RSA 2048 bits   gw   Sun Nov 26 11:45:54 2006
>> 	leftrsasigkey=0sAQOLN9ThgpqFfu+hpcpy/BDCJj82oakzQ/X87KKAT1Ba+jj1DyUN4oTBd1WrNgaqMS4XOZeCZCFjDrO4LYgLTL0lBXKkz/+nmtVJadLlWesVUVNLPBZ+GQMrv8i4a257Ut6G4PAI0fInXP3T5SAEJ8k0S/ix5KVzxpGo5noZ5QKW/C04F2xVGyUqah98Q1wdQBIIE/9N8nkU5CL4GfEBTw0RVuLIVwsP0UXNvIYqhxzfXLkiotYBcoKKwOKCjr8BEIrpsGPRQDeHFGOrLlXRq11MeCCHnumJEze9J6WpqQ2vk+QbohZZae1v+/Y858FVii9H2A/8h9eieEA8Y1TadHvV
>> 	# RSA 2048 bits   gw   Sun Nov 26 11:57:40 2006
>> 	rightrsasigkey=0sAQN4diBgDiCl2HcJ74M3Ggnp9BjA2KtxKNJiAmpLNn+jjr/Y9xv5JIXS2mdrWmEwbqYm0PzRpJIOJ6raXc+s86LRf7fC3EE+HsG8Gp9T11AyLdiSwwXFnrCPLwi7VP6C2oM6d3I3X3N0uC7vlNsbTZZiqfWw9iHVlh/DmpHPgvjyf9jc0fFRhWHWE8/lZTTP7fGLr+l7ve8L6we3x1EaRuIz+nPc32l21ZnfSQci3QY5I8e8WWLgjovIAlpcnnvEyyMJEoJKRumjdnTJFZ6uXR+S3m9zgaCt5dsQyDqs3ACNlHwqPqiyYkarstbReJx9KI5jgyB+EmkNq1aDAeJJDp8P
>> 	auto=start
>
> What happens if you add leftnexthop=172.31.1.200 ?
>

I tried: leftnexthop=172.31.1.200
                 and
         leftnexthop=172.31.1.200
         rightnexthop=10.1.1.11

left reports:
-------------

Nov 26 19:37:20 gw pluto[4867]: "sample" #1: initiating Main Mode
Nov 26 19:37:31 gw pluto[4867]: initiate on demand from 10.1.1.11:0 to 172.31.1.200:0 proto=0 state: fos_start because: acquire
Nov 26 19:37:33 gw pluto[4867]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 19:37:53 gw pluto[4867]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 19:39:08 gw pluto[4867]: packet from 172.31.1.200:500: received Vendor ID payload [Openswan (this version) 2.4.5  X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Nov 26 19:39:08 gw pluto[4867]: packet from 172.31.1.200:500: received Vendor ID payload [Dead Peer Detection]
Nov 26 19:39:08 gw pluto[4867]: "sample" #2: responding to Main Mode
Nov 26 19:39:08 gw pluto[4867]: "sample" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 26 19:39:08 gw pluto[4867]: "sample" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 26 19:39:11 gw pluto[4867]: "sample" #2: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 19:39:11 gw pluto[4867]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 19:39:21 gw pluto[4867]: "sample" #2: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 19:39:41 gw pluto[4867]: "sample" #2: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

right reports:
--------------

Nov 26 19:36:51 gw pluto[4830]: "sample" #1: initiating Main Mode
Nov 26 19:36:51 gw pluto[4830]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 10.1.1.11: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 26 19:37:02 gw pluto[4830]: packet from 10.1.1.11:500: received Vendor ID payload [Openswan (this version) 2.4.5  X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Nov 26 19:37:02 gw pluto[4830]: packet from 10.1.1.11:500: received Vendor ID payload [Dead Peer Detection]
Nov 26 19:37:02 gw pluto[4830]: "sample" #2: responding to Main Mode
Nov 26 19:37:02 gw pluto[4830]: "sample" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 26 19:37:02 gw pluto[4830]: "sample" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 26 19:37:04 gw pluto[4830]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

>> # RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
>
> You just published your secret key. You should destroy it and create a new
> one now.

I know.  These three machines are vmware virtual machines, and are
just templates for real hardware once I see this flying...

>
> Paul
> -- 
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

-- 

Norstead Farm - Bruce & Carole Skinner
RR#1 Waterville NS Canada B0P 1V0
 Tel: 902-538-1765
Cell: 902-670-6456
 Fax: 902-538-1794
<mailto:bruce.skinner at norsteadfarm.ca>
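As an added example (not from the thread or from Openswan), a small Python triage helper that parses pluto's "asynchronous network error report" lines and uses the complainant address (the host that emitted the ICMP error) to tell an error generated by the sender's own stack from one sent back by the peer or by a router in between, which is exactly the distinction the two readings above turn on. The sample log lines are constructed from the ones quoted in this thread; the ICMP code table is the standard Destination Unreachable codes.

```python
import re

# Constructed sample (two lines in the shape pluto logs in the thread above).
SAMPLE_LOG = """\
Nov 26 19:37:33 gw pluto[4867]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 26 19:36:51 gw pluto[4830]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant 10.1.1.11: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

# Pluto's error line; "complainant" is the address that emitted the ICMP error.
ERR_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<st>\d+): ERROR: asynchronous network error report '
    r"on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) for message to (?P<dst>[\d.]+) "
    r"port (?P<dport>\d+), complainant (?P<src>[\d.]+): (?P<text>[^\[]+) "
    r"\[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) code (?P<code>\d+)"
)

# ICMP type 3 (Destination Unreachable) codes relevant to IKE on UDP/500.
ICMP_UNREACH = {0: "net unreachable", 1: "host unreachable",
                2: "protocol unreachable", 3: "port unreachable",
                13: "administratively prohibited"}


def parse_errors(log_text):
    """One dict per matching line, numeric fields converted to int."""
    out = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("st", "sport", "dport", "errno", "type", "code"):
                d[k] = int(d[k])
            out.append(d)
    return out


def classify(err, local_addrs):
    """Say who produced the ICMP error and where to look next."""
    code = ICMP_UNREACH.get(err["code"], "code %d" % err["code"])
    if err["type"] != 3:
        return "other: ICMP type %d from %s" % (err["type"], err["src"])
    if err["src"] in local_addrs:       # our own stack refused to send it
        return ("local: %s for %s came from this host itself; check its own "
                "routes and iptables, not a router in between" % (code, err["dst"]))
    if err["src"] == err["dst"]:        # the peer answered, but with an error
        return ("peer: %s answered %s; nothing listening on UDP/%d there, or "
                "it is filtered" % (err["dst"], code, err["dport"]))
    return "path: router %s reports %s for %s" % (err["src"], code, err["dst"])
```

Pass the set of the logging host's own addresses as `local_addrs`; run against the left log above with `{"10.1.1.11"}` every "No route to host" line classifies as local, not as a router in the middle.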

