[Openswan Users] [Openswan dev] book example yields - No route to host...not authenticated using

Bruce S. Skinner Bruce.Skinner at norsteadfarm.ca
Tue Nov 28 21:29:55 EST 2006


Paul Wouters <paul at xelerance.com> writes:

> On Sun, 26 Nov 2006, Bruce S. Skinner wrote:
>
>> >> >> Is this an authentication issue or a routing issue?
>> >> >
>> >> > A router in the middle, 172.31.1.200, cannot reach 10.1.1.11.
>
>> > that should not happen. Are you sure you are not firewalling udp port 500?
>>
>> iptables -L shows nothing on all three machines left, right and router.
>
>> Nov 26 19:37:33 gw pluto[4867]: "sample" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 172.31.1.200 port 500, complainant 10.1.1.11: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
>
>> I know.  These three machines are vmware virtual machines, and are
>> just templates for real hardware once I see this flying...
>
> then I guess it has to do with the vmware bridging magic.

It doesn't appear to be VMware related.

I've tried this with a stack of three Intel machines with Intel NICs
and gotten the same failure.  I can replace the router with an
ethernet cable and change the ip address of the right machine so that
it's on the same subnet as the left and get a successful IKE, but not
with the router in the middle...


  After boot: gateway to gateway pings work
  
  Start ipsec with /etc/init.d/ipsec start
  
  Trigger IKE by sending a ping from right to left
  
  tcpdump on the router shows:
  
  <---- ISAKMP (main mode) ------
  ----- ICMP (Dest and Port Unreachable) ----->
             (Type: 3 code: 3 port 500 )
  <---- ARP ----
  ----- ARP --->
  ----- ISAKMP (main mode) ----->
  
  gateway to gateway pings don't work
  
  Stop ipsec with /etc/init.d/ipsec stop
  
  gateway to gateway pings work again.
  

Is this ICMP Type: 3 Code: 3 bogus?

Pluto was apparently listening because there is a return ISAKMP
packet, so where does the ICMP port unreachable come from?

Any suggestions on how to proceed from here are much appreciated as
I'm running out of ideas...

regards :-)
BruceS

>
> Paul
> -- 
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

-- 

Norstead Farm - Bruce & Carole Skinner
RR#1 Waterville NS Canada B0P 1V0
 Tel: 902-538-1765
Cell: 902-670-6456
 Fax: 902-538-1794
<mailto:bruce.skinner at norsteadfarm.ca>
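
Added example, not part of the original message or of Openswan: a small Python decoder for pluto's "asynchronous network error report" lines that names the ICMP unreachable code and notes whether the complainant is the address the IKE packet was sent to. The function and field names are hypothetical, and the second sample line is constructed for illustration.

```python
import re

# ICMP type 3 (Destination Unreachable) codes, RFC 792 / RFC 1812.
ICMP_UNREACH = {0: "network unreachable", 1: "host unreachable",
                2: "protocol unreachable", 3: "port unreachable",
                4: "fragmentation needed", 13: "administratively prohibited"}

# Matches the pluto error format quoted in the message above.
PLUTO_ERR = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): ERROR: asynchronous '
    r'network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) '
    r'for message to (?P<dst>\S+) port (?P<dport>\d+), '
    r'complainant (?P<complainant>\S+): (?P<msg>.+?) '
    r'\[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) '
    r'code (?P<code>\d+)')

def decode(line):
    """Return the parsed fields of one pluto error line, or None."""
    m = PLUTO_ERR.search(line)
    if not m:
        return None
    r = m.groupdict()
    for key in ("state", "sport", "dport", "errno", "type", "code"):
        r[key] = int(r[key])
    if r["type"] == 3:
        r["icmp"] = ICMP_UNREACH.get(r["code"], "unreachable, code %d" % r["code"])
    else:
        r["icmp"] = "ICMP type %d code %d" % (r["type"], r["code"])
    # Did the ICMP error come from the address the IKE packet was sent to?
    r["reported_by"] = ("destination" if r["complainant"] == r["dst"]
                        else "other host")
    return r

# The log line from the message above.
PAGE_LINE = ('Nov 26 19:37:33 gw pluto[4867]: "sample" #1: ERROR: asynchronous '
             'network error report on eth0 (sport=500) for message to '
             '172.31.1.200 port 500, complainant 10.1.1.11: No route to host '
             '[errno 113, origin ICMP type 3 code 1 (not authenticated)]')
# Constructed sample: the code 3 (port unreachable) case seen in the tcpdump.
CONSTRUCTED_LINE = ('Nov 26 19:40:02 gw pluto[4867]: "sample" #2: ERROR: '
                    'asynchronous network error report on eth0 (sport=500) for '
                    'message to 172.31.1.200 port 500, complainant 172.31.1.200: '
                    'Connection refused [errno 111, origin ICMP type 3 code 3 '
                    '(not authenticated)]')

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        r = decode(line)
        print(r["conn"], r["dst"], r["complainant"], r["icmp"], r["reported_by"])
```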

