[Openswan Users] "no connection has been authorized with policy=PSK" problem

Andy Gay andy at andynet.net
Thu Apr 5 12:39:03 EDT 2007


Weird formatting in your message. Everything is triple spaced. Or are
your files really like that? Hard to read...

But... I don't see a right= anywhere in your conn definition. You need
to set right=5.6.7.8 (or use right=%any if the remote device is on a
dynamic address).

- Andy


On Thu, 2007-04-05 at 16:56 +0100, James Neave wrote:
> Hi,
> 
> I'm setting up a VPN for my company; this is the first time I have
> tried this.
> 
> Our gateway is a Bering-uClibc 2.3.1 box running Openswan 2.4.5. It
> has a real public IP.
> 
> The client is a Windows XP SP2 box connecting over GPRS (roadwarrior,
> NAT'ed) using pre-shared keys. This machine will not connect to the
> IPsec server.
> 
> As far as I can tell this is because of the NATing of the client, but
> I have followed instructions on how to resolve that problem and it
> will not go away.
> 
> Log files and configuration files follow.
> 
> Many Thanks,
> 
> James.
> 
> Here is what I'm getting in my /var/log/auth.log:
> 
> Apr  5 14:46:04 gateway ipsec__plutorun: Starting Pluto subsystem...
> Starting Pluto (Openswan Version 1.0.9)
>   including X.509 patch with traffic selectors (Version 0.9.42)
>   including NAT-Traversal patch (Version 0.6)
> ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
> Changing to directory '/etc/ipsec.d/cacerts'
>   Warning: empty directory
> Changing to directory '/etc/ipsec.d/crls'
>   Warning: empty directory
> OpenPGP certificate file '/etc/pgpcert.pgp' not found
> listening for IKE messages
> adding interface ipsec0/eth0 1.2.3.4
> adding interface ipsec0/eth0 1.2.3.4:4500
> loading secrets from "/etc/ipsec.secrets"
> packet from 5.6.7.8:33315: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> packet from 5.6.7.8:33315: ignoring Vendor ID payload [FRAGMENTATION]
> packet from 5.6.7.8:33315: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> packet from 5.6.7.8:33315: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
> packet from 5.6.7.8:33315: initial Main Mode message received on 1.2.3.4:500 but no connection has been authorized with policy=PSK
> packet from 5.6.7.8:33315: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> packet from 5.6.7.8:33315: ignoring Vendor ID payload [FRAGMENTATION]
> packet from 5.6.7.8:33315: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> packet from 5.6.7.8:33315: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
> packet from 5.6.7.8:33315: initial Main Mode message received on 1.2.3.4:500 but no connection has been authorized with policy=PSK
> 
> Repeated until failure.
> 
> Here is my /etc/ipsec.conf file:
> 
> # /etc/ipsec.conf - Openswan IPsec configuration file
> 
> # More elaborate and more varied sample configurations can be found
> # in Openswan's doc/examples file, in the HTML documentation, and online
> # at http://www.openswan.org/docs/
> 
> # basic configuration
> config setup
>      # THIS SETTING MUST BE CORRECT or almost nothing will work;
>      # %defaultroute is okay for most simple cases.
>      interfaces=%defaultroute
>      # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>      klipsdebug=none
>      plutodebug=none
>      # Use auto= parameters in conn descriptions to control startup actions.
>      plutoload=%search
>      plutostart=%search
>      # Don't wait for pluto to complete every plutostart before continuing
>      plutowait=no
>      # Close down old connection when new one using same ID shows up.
>      uniqueids=yes
>      nat_traversal=yes
>      virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.27.0/24,%v4:!192.168.17.0/24
> 
> # Defaults for all connection descriptions
> #conn %default
> #    keyingtries=0
> #    disablearrivalcheck=no
> #    leftrsasigkey=%dnsondemand
> #    rightrsasigkey=%dnsondemand
> #    authby=secret
> #    auto=add
> 
> # Example VPN connection for the following scenario:
> #
> # leftsubnet
> # 172.16.0.0/24---([172.16.0.1]left[10.0.0.10])---([10.0.0.1]router)-------\
> #                                                                           |
> # rightsubnet                                                               |
> # 192.168.0.0/24--([192.168.0.1]right[10.12.12.10])---([10.12.12.1]router)-/
> #
> #conn sample
> #    # Left security gateway, subnet behind it, next hop toward right.
> #    left=10.0.0.10
> #    leftnexthop=10.0.0.1
> #    leftsubnet=172.16.0.0/24
> #    # Right security gateway, subnet behind it, next hop toward left.
> #    right=10.12.12.10
> #    rightnexthop=10.12.12.1
> #    rightsubnet=192.168.0.0/24
> #    # To initiate this connection automatically at startup,
> #    # uncomment this:
> #    #auto=start
> 
> # Configuration supporting multiple users with any type of
> # IPsec/L2TP client. This includes the updated Windows 2000/XP
> # (MS KB Q818043), Vista and Mac OS X 10.3+ but excludes the
> # non-updated Windows 2000/XP.
> #
> # Authenticates through a Pre-Shared Key. Supports clients that
> # are not behind NAT. Does not support clients that are behind NAT.
> 
> conn L2TP-PSK
>         #
>         authby=secret
>         pfs=no
>         rekey=no
>         keyingtries=3
>         aggrmode=yes
>         #
>         # ----------------------------------------------------------
>         # The VPN server.
>         #
>         # Allow incoming connections on the external network interface.
>         # If you want to use a different interface or if there is no
>         # defaultroute, you can use:   left=your.ip.addr.ess
>         #
>         left=%defaultroute
>         #
>         leftprotoport=17/1701
>         # If you insist on supporting non-updated Windows clients,
>         # you can use:    leftprotoport=17/%any
>         #
>         # ----------------------------------------------------------
>         # The remote user(s).
>         #
>         # Allow incoming connections only from this IP address.
>         #right=234.234.234.234
>         # If you want to allow multiple connections from any IP address,
>         # you can use:    right=%any
>         #
>         rightprotoport=17/%any
>         rightsubnet=vhost:%no,%priv
>         #
>         # ----------------------------------------------------------
>         # Change 'ignore' to 'add' to enable this configuration.
>         #
>         auto=add
> 
> And finally my ipsec.secrets file:
> 
> # This file holds shared secrets or RSA private keys for inter-Pluto
> # authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
> 
> # RSA private key for this host, authenticating it to any other host
> # which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
> # or configuration of other implementations, can be extracted conveniently
> # with "ipsec showhostkey".
> #: RSA    {
> #    # -- Create your own RSA key with "ipsec rsasigkey"
> #    }
> # do not change the indenting of that "}"
> 
> #
> # Sample /etc/ipsec.secrets file
> # The Openswan server has an IP address of 123.123.123.123
> #
> # Preshared Keys for two clients with fixed IP addresses:
> 
> #123.123.123.123 234.234.234.234: PSK "keyforoneclient"
> #123.123.123.123 111.222.111.222: PSK "keyforanotherclient"
> 
> # Preshared Key for clients connecting from any IP address:
> 1.2.3.4 %any: PSK "NotTellingYou "
> # (Line above only works on recent versions of Openswan).
> 
> # There is a subtle difference with the following
> # (see also 'man ipsec.secrets') which affects NATed
> # clients that use a PSK:
> 1.2.3.4 : PSK "NotTellingYou"
> 
> -- 
> This message has been scanned for viruses and 
> dangerous content by MailScanner, and is 
> believed to be clean. 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
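The missing right= that Andy points out is the first thing to fix, but the quoted files show two more things worth checking before restarting pluto: the log line says the Windows client opened Main Mode while the conn sets aggrmode=yes, and the two uncommented PSK lines in the quoted ipsec.secrets differ by a trailing space inside the quotes ("NotTellingYou " versus "NotTellingYou"), which makes them two different secrets. The script below is an added example, not code from this thread or from Openswan: it parses an ipsec.conf/ipsec.secrets pair and lists those mismatches for a given local and peer address, then shows the conn with the roadwarrior fix applied. The sample input is constructed from the quoted configuration (condensed, comments dropped); the function names are this example's own; the PSK-selection rule in secret_covers is a simplified model of how pluto picks a secret, an assumption rather than its exact algorithm; and dropping aggrmode in apply_fix is likewise an assumption to verify against the client rather than something the thread states.

```python
import re

# Constructed sample input, condensed from the files quoted in the thread
# above (comments and unrelated keys dropped); not the poster's actual files.
SAMPLE_CONF = """\
config setup
     interfaces=%defaultroute
     nat_traversal=yes

conn L2TP-PSK
        authby=secret
        aggrmode=yes
        left=%defaultroute
        leftprotoport=17/1701
        #right=234.234.234.234
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        auto=add
"""
SAMPLE_SECRETS = """\
#123.123.123.123 234.234.234.234: PSK "keyforoneclient"
1.2.3.4 %any: PSK "NotTellingYou "
1.2.3.4 : PSK "NotTellingYou"
"""
FIXED_SECRETS = '1.2.3.4 %any: PSK "NotTellingYou"\n'
SAMPLE_LOG = ["packet from 5.6.7.8:33315: initial Main Mode message received on "
              "1.2.3.4:500 but no connection has been authorized with policy=PSK"]

SECRET_RE = re.compile(r'^\s*([^:#]*?)\s*:\s*PSK\s+"([^"]*)"')


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                      # section header at column 0
            kind, _, name = line.partition(" ")
            current = "setup" if kind == "config" else name.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_secrets(text):
    """Return [(selectors, psk)] for each uncommented PSK line of ipsec.secrets."""
    found = [SECRET_RE.match(l) for l in text.splitlines()]
    return [(tuple(m.group(1).split()), m.group(2)) for m in found if m]


def secret_covers(selectors, local_ip, peer_ip):
    """Simplified model (an assumption, not pluto's exact rules): no IDs is a
    default for everyone; otherwise our address must be listed and the peer
    must be listed, covered by %any, or left unnamed (the this-side-only form)."""
    if not selectors:
        return True
    if local_ip not in selectors:
        return False
    others = [s for s in selectors if s != local_ip]
    return not others or peer_ip in others or "%any" in others


def check_psk_conn(conn, secrets, local_ip, peer_ip, log_lines=()):
    """Reasons a Main Mode PSK proposal from peer_ip may not match this conn."""
    findings = []
    if conn.get("authby") != "secret":
        findings.append("authby is not 'secret', so policy=PSK cannot match")
    right = conn.get("right")
    if right is None:
        findings.append("no right= in conn: use right=%any for roadwarriors, "
                        "right=<peer ip> for a fixed peer")
    elif right not in ("%any", peer_ip):
        findings.append("right=%s does not match peer %s" % (right, peer_ip))
    if conn.get("aggrmode") == "yes" and any("Main Mode" in l for l in log_lines):
        findings.append("aggrmode=yes but the peer starts Main Mode; make the modes agree")
    covering = [psk for sel, psk in secrets if secret_covers(sel, local_ip, peer_ip)]
    if not covering:
        findings.append("no PSK in ipsec.secrets covers %s <-> %s" % (local_ip, peer_ip))
    elif len(set(covering)) > 1:
        findings.append("conflicting PSK values cover this pair: %s"
                        % sorted(repr(p) for p in set(covering)))
    return findings


def apply_fix(conn):
    """Copy of conn with the fix from the reply above (right=%any) and, as an
    assumption, aggrmode dropped so the client's Main Mode can match."""
    fixed = dict(conn, right="%any")
    fixed.pop("aggrmode", None)
    return fixed
```

With the sample input, check_psk_conn(parse_ipsec_conf(SAMPLE_CONF)["L2TP-PSK"], parse_secrets(SAMPLE_SECRETS), "1.2.3.4", "5.6.7.8", SAMPLE_LOG) returns three findings (missing right=, aggrmode against a Main Mode peer, conflicting PSK values), and the list is empty once apply_fix() is applied and the secrets file holds a single %any line. After editing the real files, reload them with ipsec auto --replace L2TP-PSK and ipsec auto --rereadsecrets (or restart pluto) before re-testing from the client.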



More information about the Users mailing list