[Openswan Users] "no connection has been authorized with policy=PSK" problem
Andy Gay
andy at andynet.net
Thu Apr 5 12:39:03 EDT 2007
Weird formatting in your message. Everything is triple spaced. Or are
your files really like that? Hard to read...
But... I don't see a right= anywhere in your conn definition. You need
to set right=5.6.7.8 (or use right=%any if the remote device is on a
dynamic address).
- Andy
On Thu, 2007-04-05 at 16:56 +0100, James Neave wrote:
> Hi,
>
> I'm setting up a VPN for my company; this is the first time I have
> tried this.
>
> Our gateway is a Bering-uClibc 2.3.1 box running Openswan 2.4.5. It
> has a real public IP.
>
> The client is a Windows XP SP2 box connecting over GPRS (roadwarrior,
> NAT'ed) using pre-shared keys. This machine will not connect to the
> IPSec server.
>
> As far as I can tell this is because of the NATing of the client. I
> have followed instructions on how to resolve that problem, but it
> will not go away.
>
> Log files and configuration files follow.
>
> Many Thanks,
>
> James.
>
> Here is what I'm getting in my /var/log/auth.log:
>
> Apr 5 14:46:04 gateway ipsec__plutorun: Starting Pluto subsystem...
> Starting Pluto (Openswan Version 1.0.9)
> including X.509 patch with traffic selectors (Version 0.9.42)
> including NAT-Traversal patch (Version 0.6)
> ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
> Changing to directory '/etc/ipsec.d/cacerts'
> Warning: empty directory
> Changing to directory '/etc/ipsec.d/crls'
> Warning: empty directory
> OpenPGP certificate file '/etc/pgpcert.pgp' not found
> listening for IKE messages
> adding interface ipsec0/eth0 1.2.3.4
> adding interface ipsec0/eth0 1.2.3.4:4500
> loading secrets from "/etc/ipsec.secrets"
> packet from 5.6.7.8:33315: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> packet from 5.6.7.8:33315: ignoring Vendor ID payload [FRAGMENTATION]
> packet from 5.6.7.8:33315: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> packet from 5.6.7.8:33315: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
> packet from 5.6.7.8:33315: initial Main Mode message received on 1.2.3.4:500 but no connection has been authorized with policy=PSK
> packet from 5.6.7.8:33315: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> packet from 5.6.7.8:33315: ignoring Vendor ID payload [FRAGMENTATION]
> packet from 5.6.7.8:33315: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> packet from 5.6.7.8:33315: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
> packet from 5.6.7.8:33315: initial Main Mode message received on 1.2.3.4:500 but no connection has been authorized with policy=PSK
>
> Repeated until failure
>
> Here is my /etc/ipsec.conf file:
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
>
> # More elaborate and more varied sample configurations can be found
> # in Openswan's doc/examples file, in the HTML documentation, and online
> # at http://www.openswan.org/docs/
>
> # basic configuration
> config setup
>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>     # %defaultroute is okay for most simple cases.
>     interfaces=%defaultroute
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     klipsdebug=none
>     plutodebug=none
>     # Use auto= parameters in conn descriptions to control startup actions.
>     plutoload=%search
>     plutostart=%search
>     # Don't wait for pluto to complete every plutostart before continuing
>     plutowait=no
>     # Close down old connection when new one using same ID shows up.
>     uniqueids=yes
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.27.0/24,%v4:!192.168.17.0/24
>
> # Defaults for all connection descriptions
> #conn %default
> #    keyingtries=0
> #    disablearrivalcheck=no
> #    leftrsasigkey=%dnsondemand
> #    rightrsasigkey=%dnsondemand
> #    authby=secret
> #    auto=add
>
> # Example VPN connection for the following scenario:
> #
> #                    leftsubnet
> # 172.16.0.0/24---([172.16.0.1]left[10.0.0.10])---([10.0.0.1]router)-------\
> #                                                                           |
> #                    rightsubnet                                            |
> # 192.168.0.0/24--([192.168.0.1]right[10.12.12.10])---([10.12.12.1]router)-/
> #
> #conn sample
> #    # Left security gateway, subnet behind it, next hop toward right.
> #    left=10.0.0.10
> #    leftnexthop=10.0.0.1
> #    leftsubnet=172.16.0.0/24
> #    # Right security gateway, subnet behind it, next hop toward left.
> #    right=10.12.12.10
> #    rightnexthop=10.12.12.1
> #    rightsubnet=192.168.0.0/24
> #    # To initiate this connection automatically at startup,
> #    # uncomment this:
> #    #auto=start
>
> # Configuration supporting multiple users with any type of
> # IPsec/L2TP client. This includes the updated Windows 2000/XP
> # (MS KB Q818043), Vista and Mac OS X 10.3+ but excludes the
> # non-updated Windows 2000/XP.
> #
> # Authenticates through a Pre-Shared Key. Supports clients that
> # are not behind NAT. Does not support clients that are behind NAT.
>
> conn L2TP-PSK
>     #
>     authby=secret
>     pfs=no
>     rekey=no
>     keyingtries=3
>     aggrmode=yes
>     #
>     # ----------------------------------------------------------
>     # The VPN server.
>     #
>     # Allow incoming connections on the external network interface.
>     # If you want to use a different interface or if there is no
>     # defaultroute, you can use: left=your.ip.addr.ess
>     #
>     left=%defaultroute
>     #
>     leftprotoport=17/1701
>     # If you insist on supporting non-updated Windows clients,
>     # you can use: leftprotoport=17/%any
>     #
>     # ----------------------------------------------------------
>     # The remote user(s).
>     #
>     # Allow incoming connections only from this IP address.
>     #right=234.234.234.234
>     # If you want to allow multiple connections from any IP address,
>     # you can use: right=%any
>     #
>     rightprotoport=17/%any
>     rightsubnet=vhost:%no,%priv
>     #
>     # ----------------------------------------------------------
>     # Change 'ignore' to 'add' to enable this configuration.
>     #
>     auto=add
>
> And finally my ipsec.secrets file:
>
> # This file holds shared secrets or RSA private keys for inter-Pluto
> # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
>
> # RSA private key for this host, authenticating it to any other host
> # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
> # or configuration of other implementations, can be extracted conveniently
> # with "ipsec showhostkey".
> #: RSA {
> #    # -- Create your own RSA key with "ipsec rsasigkey"
> #    }
> # do not change the indenting of that "}"
>
> #
> # Sample /etc/ipsec.secrets file
> # The Openswan server has an IP address of 123.123.123.123
> #
> # Preshared Keys for two clients with fixed IP addresses:
>
> #123.123.123.123 234.234.234.234: PSK "keyforoneclient"
> #123.123.123.123 111.222.111.222: PSK "keyforanotherclient"
>
> # Preshared Key for clients connecting from any IP address:
> 1.2.3.4 %any: PSK "NotTellingYou "
> # (Line above only works on recent versions of Openswan).
>
> # There is a subtle difference with the following
> # (see also 'man ipsec.secrets') which affects NATed
> # clients that use a PSK:
> 1.2.3.4 : PSK "NotTellingYou"
>
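Andy's diagnosis and the %any remark in the quoted ipsec.secrets, as a small config lint (an added example, not code from the thread or from Openswan): it parses conn sections the way the posted ipsec.conf is laid out, flags an authby=secret conn that sets no right=, and, following the comment in the posted secrets file about clients connecting from any IP address, flags right=%any when no PSK line carries a %any selector. The file contents are constructed, cut down from the posted files; the PSK values are placeholders.

```python
import re

# Constructed inputs, cut down from the ipsec.conf and ipsec.secrets in the thread.
CONF_AS_POSTED = """conn L2TP-PSK
    authby=secret
    left=%defaultroute
    leftprotoport=17/1701
    #right=234.234.234.234
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    auto=add
"""
CONF_FIXED = CONF_AS_POSTED.replace("#right=234.234.234.234", "right=%any")
SECRETS_ANY = '1.2.3.4 %any: PSK "example-psk"\n'   # selector form for any-IP clients
SECRETS_BARE = '1.2.3.4 : PSK "example-psk"\n'      # no %any selector

def parse_conf(text):
    """Map column-0 section headers ('conn NAME', 'config setup') to their indented key=value pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].rstrip()      # '#' starts a comment
        if not code.strip():
            continue
        if not raw[0].isspace():
            current = code.strip()
            sections[current] = {}
        elif current is not None and "=" in code:
            key, value = code.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def psk_selectors(secrets):
    """Selector tuple of each uncommented IPv4 PSK line, e.g. ('1.2.3.4', '%any')."""
    matches = (re.match(r"^([^#:]*):\s*PSK\b", l) for l in secrets.splitlines())
    return [tuple(m.group(1).split()) for m in matches if m]

def lint(conf_text, secrets_text):
    """Flag settings that leave an incoming PSK peer without a matching conn."""
    findings = []
    has_any_psk = any("%any" in sel for sel in psk_selectors(secrets_text))
    for name, p in parse_conf(conf_text).items():
        if not name.startswith("conn ") or p.get("authby") != "secret":
            continue
        if "right" not in p:
            findings.append(f"{name}: authby=secret but no right= (use peer IP or %any)")
        elif p["right"] == "%any" and not has_any_psk:
            findings.append(f"{name}: right=%any but no '%any' PSK line in ipsec.secrets")
    return findings
```

Run against the posted conn it reports the missing right=; with right=%any it passes only when the secrets file has the %any selector line.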