[Openswan Users] "no connection has been authorized with policy=PSK" problem
James Neave
JNeave at spursolutions.com
Thu Apr 5 11:56:56 EDT 2007
Hi,
I'm setting up a VPN for my company, this is the first time I have tried
this.
Our gateway is a Bering-uClibc 2.3.1 box running Openswan 2.4.5. It has
a real public IP.
The client is a Windows XP SP2 box connecting over GPRS (roadwarrior,
NAT'ed) using pre shared keys. This machine will not connect to the
IPSec server.
As far as I can tell this is because of the NATing of the client, but I
have followed instructions on how to resolve that problem and it will
not go away.
Log files and configuration files follow.
Many Thanks,
James.
Here is what I'm getting in my /var/log/auth.log:
Apr 5 14:46:04 gateway ipsec__plutorun: Starting Pluto subsystem...
Starting Pluto (Openswan Version 1.0.9)
including X.509 patch with traffic selectors (Version 0.9.42)
including NAT-Traversal patch (Version 0.6)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Changing to directory '/etc/ipsec.d/cacerts'
Warning: empty directory
Changing to directory '/etc/ipsec.d/crls'
Warning: empty directory
OpenPGP certificate file '/etc/pgpcert.pgp' not found
listening for IKE messages
adding interface ipsec0/eth0 1.2.3.4
adding interface ipsec0/eth0 1.2.3.4:4500
loading secrets from "/etc/ipsec.secrets"
packet from 5.6.7.8:33315: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
packet from 5.6.7.8:33315: ignoring Vendor ID payload [FRAGMENTATION]
packet from 5.6.7.8:33315: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from 5.6.7.8:33315: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
packet from 5.6.7.8:33315: initial Main Mode message received on 1.2.3.4:500 but no connection has been authorized with policy=PSK
packet from 5.6.7.8:33315: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
packet from 5.6.7.8:33315: ignoring Vendor ID payload [FRAGMENTATION]
packet from 5.6.7.8:33315: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from 5.6.7.8:33315: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
packet from 5.6.7.8:33315: initial Main Mode message received on 1.2.3.4:500 but no connection has been authorized with policy=PSK
Repeated until failure
Here is my /etc/ipsec.conf file:
# /etc/ipsec.conf - Openswan IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in Openswan's doc/examples file, in the HTML documentation, and online
# at http://www.openswan.org/docs/
# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Don't wait for pluto to complete every plutostart before continuing
    plutowait=no
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.27.0/24,%v4:!192.168.17.0/24
# Defaults for all connection descriptions
#conn %default
# keyingtries=0
# disablearrivalcheck=no
# leftrsasigkey=%dnsondemand
# rightrsasigkey=%dnsondemand
# authby=secret
# auto=add
# Example VPN connection for the following scenario:
#
#                 leftsubnet
# 172.16.0.0/24---([172.16.0.1]left[10.0.0.10])---([10.0.0.1]router)-------\
#                                                                            |
#                 rightsubnet                                                |
# 192.168.0.0/24--([192.168.0.1]right[10.12.12.10])---([10.12.12.1]router)--/
#
#conn sample
# # Left security gateway, subnet behind it, next hop toward right.
# left=10.0.0.10
# leftnexthop=10.0.0.1
# leftsubnet=172.16.0.0/24
# # Right security gateway, subnet behind it, next hop toward left.
# right=10.12.12.10
# rightnexthop=10.12.12.1
# rightsubnet=192.168.0.0/24
# # To initiate this connection automatically at startup,
# # uncomment this:
# #auto=start
# Configuration supporting multiple users with any type of
# IPsec/L2TP client. This includes the updated Windows 2000/XP
# (MS KB Q818043), Vista and Mac OS X 10.3+ but excludes the
# non-updated Windows 2000/XP.
#
# Authenticates through a Pre-Shared Key. Supports clients that
# are not behind NAT. Does not support clients that are behind NAT.
conn L2TP-PSK
    #
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    aggrmode=yes
    #
    # ----------------------------------------------------------
    # The VPN server.
    #
    # Allow incoming connections on the external network interface.
    # If you want to use a different interface or if there is no
    # defaultroute, you can use: left=your.ip.addr.ess
    #
    left=%defaultroute
    #
    leftprotoport=17/1701
    # If you insist on supporting non-updated Windows clients,
    # you can use: leftprotoport=17/%any
    #
    # ----------------------------------------------------------
    # The remote user(s).
    #
    # Allow incoming connections only from this IP address.
    #right=234.234.234.234
    # If you want to allow multiple connections from any IP address,
    # you can use: right=%any
    #
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    #
    # ----------------------------------------------------------
    # Change 'ignore' to 'add' to enable this configuration.
    #
    auto=add
And finally my ipsec.secrets file:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
#: RSA {
# # -- Create your own RSA key with "ipsec rsasigkey"
# }
# do not change the indenting of that "}"
#
# Sample /etc/ipsec.secrets file
# The Openswan server has an IP address of 123.123.123.123
#
# Preshared Keys for two clients with fixed IP addresses:
#123.123.123.123 234.234.234.234: PSK "keyforoneclient"
#123.123.123.123 111.222.111.222: PSK "keyforanotherclient"
# Preshared Key for clients connecting from any IP address:
1.2.3.4 %any: PSK "NotTellingYou "
# (Line above only works on recent versions of Openswan).
# There is a subtle difference with the following
# (see also 'man ipsec.secrets') which affects NATed
# clients that use a PSK:
1.2.3.4 : PSK "NotTellingYou"
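A small linter, added here as an example and not part of James's post or of Openswan, that parses an ipsec.conf, an ipsec.secrets and a few pluto log lines and reports reasons a PSK roadwarrior conn may never be selected for an incoming exchange. The embedded config, secrets and log lines are constructed from the post with the secret replaced. The rules it applies (a conn with no right=, a right=%any conn without a %any secret, aggrmode=yes against a peer that starts Main Mode, and a peer advertising NAT-T while nat_traversal=yes is absent) are the editor's assumptions about how pluto matches connections, not statements from the post.

```python
"""Lint an Openswan ipsec.conf / ipsec.secrets pair against pluto log lines.

Added example, not code from the mailing-list post or from Openswan.
Sample config, secrets and log lines are constructed from the post (secret
replaced); each check states the assumption about pluto it relies on.
"""
import re

# Constructed sample: the posted conn, reduced, secret replaced.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn L2TP-PSK
    authby=secret
    aggrmode=yes
    left=%defaultroute
    leftprotoport=17/1701
    #right=234.234.234.234
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    auto=add
"""

SAMPLE_SECRETS = """\
#123.123.123.123 234.234.234.234: PSK "keyforoneclient"
1.2.3.4 %any: PSK "example-psk"
1.2.3.4 : PSK "example-psk"
"""

SAMPLE_LOG = [  # constructed from the posted auth.log excerpt
    "packet from 5.6.7.8:33315: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]",
    "packet from 5.6.7.8:33315: initial Main Mode message received on 1.2.3.4:500 but no connection has been authorized with policy=PSK",
]

HEADER = re.compile(r"^(config|conn)\s+(\S+)$")
SECRET = re.compile(r'^(?P<ids>[^:#]*):\s*PSK\s+"(?P<psk>[^"]*)"')


def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn NAME": {...}}; '#' starts a comment,
    so a commented-out '#right=...' is not a setting."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = sections.setdefault(f"{m.group(1)} {m.group(2)}", {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def parse_secrets(text):
    """Return [{"ids": [...], "psk": "..."}] for each uncommented PSK line."""
    found = []
    for raw in text.splitlines():
        m = SECRET.match(raw.strip())
        if m:
            found.append({"ids": m.group("ids").split(), "psk": m.group("psk")})
    return found


def check_psk_roadwarrior(conf, secrets, conn_name, log_lines):
    """Return findings explaining why the conn may never match an incoming peer."""
    findings = []
    conn = conf.get(f"conn {conn_name}", {})
    setup = conf.get("config setup", {})
    right = conn.get("right")
    main_mode_seen = any("initial Main Mode message" in line for line in log_lines)
    peer_nat_t = any("nat-t-ike" in line for line in log_lines)

    if right is None:
        findings.append("right is unset: the conn has no remote end, so no incoming "
                        "peer can match it; roadwarriors need right=%any")
    # Assumption: a secrets line listing only the local IP does not cover
    # unknown peers; a right=%any conn needs an ID list containing %any.
    if conn.get("authby") == "secret" and right == "%any":
        if not any("%any" in s["ids"] for s in secrets):
            findings.append("right=%any but no ipsec.secrets PSK line lists %any")
    # Assumption: pluto offers an aggrmode=yes conn only to Aggressive Mode
    # initiators, and the log shows this peer starting Main Mode.
    if conn.get("aggrmode") == "yes" and main_mode_seen:
        findings.append("aggrmode=yes but the peer initiates Main Mode; "
                        "the conn is not considered for this exchange")
    if peer_nat_t and setup.get("nat_traversal") != "yes":
        findings.append("peer advertises NAT-T but nat_traversal=yes is not set")
    return findings


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    for finding in check_psk_roadwarrior(conf, parse_secrets(SAMPLE_SECRETS),
                                         "L2TP-PSK", SAMPLE_LOG):
        print("-", finding)
```

Run as a script it prints the findings for the constructed sample; to check a live gateway, feed the parsers the contents of the real files and the relevant auth.log lines. It only checks whether a secrets entry covers the peer, not whether the PSK strings on both sides agree.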