[Openswan Users] Problems, I think NAT related

Paul Wouters paul at xelerance.com
Fri Nov 2 16:03:23 EDT 2007


On Fri, 2 Nov 2007, Mark Hayward wrote:

> packet from 86.148.87.91:49179: initial Main Mode message received on
> 80.102.114.86:500 but no connection has been authorized with policy=PSK

Looks like you have authby=rsasigkey but the incoming connection has authby=secret

> conn manchester #RED

I am not sure about using #'s there...

>         left=cardiffadmin.demon.co.uk
>         leftnexthop=%defaultroute
>         leftsubnet=192.168.2.0/255.255.254.0
>         right=86.148.87.91
>         rightsubnet=10.0.5.0/255.255.255.0
>         rightnexthop=%defaultroute
>         leftid="@80.102.114.86"
>         rightid="@86.148.87.91"
>         aggrmode=yes

You really want that?

>         authby=secret

You do seem to have PSK enabled here.

> My ipsec.secrets from IPcop looks like this:

> conn vpnserver
>         right=80.102.114.86
>         rightnexthop=%defaultroute
>         rightsubnet=192.168.2.0/255.255.254.0
>         left=10.0.5.12
>         leftsubnet=10.0.5.0/255.255.255.0
>         leftnexthop=%defaultroute
>         leftid="@86.148.87.91"
>         rightid="@80.102.114.86"
>         ike=aes
>         esp=aes
>         ikelifetime=1h
>         keylife=8h
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=restart
>         pfs=yes
>         authby=secret

Hmm same here.

Guess you're falling in the category "NAT traversal and PSK really do not
go well together".

I would switch to using RSA for this case. Both ends are openswan,
so it should be trivial to switch. Just remove the authby=secret
lines, and add the proper rightrsasigkey= and leftrsasigkey=.
You can generate the proper value using 'ipsec showhostkey --right (or --left)'

Paul
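As an added example (not from this thread and not part of openswan), a small Python helper that parses a conn block written in ipsec.conf style, reports the two settings questioned above (authby=secret and aggrmode=yes), and emits the RSA version of the block with the rsasigkey values taken from `ipsec showhostkey --left` / `--right`. The sample conn, its `#BLUE` comment, the comment-stripping rule and the `0s...` key placeholders are assumptions made for the example.

```python
# Constructed sample in the shape of the IPcop conn quoted above (trimmed, comment added).
SAMPLE_CONF = """\
conn vpnserver   #BLUE
        right=80.102.114.86
        left=10.0.5.12
        leftid="@86.148.87.91"
        rightid="@80.102.114.86"
        aggrmode=yes
        authby=secret
"""

def parse_conns(text):
    """Map conn name -> {key: value}. Assumption: one key=value per line and
    '#' starts a comment, so 'conn manchester #RED' still yields 'manchester'."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('conn '):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and '=' in line:
            key, value = line.split('=', 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns

def audit(conn):
    """Findings on the two settings raised in the thread (openswan defaults authby to rsasig)."""
    findings = []
    if conn.get('authby', 'rsasig') == 'secret':
        findings.append('authby=secret: PSK and NAT traversal do not go well together; use RSA')
    if conn.get('aggrmode') == 'yes':
        findings.append('aggrmode=yes: aggressive mode is rarely wanted; prefer Main Mode')
    return findings

def to_rsasig(conn, leftkey, rightkey):
    """Copy of conn with authby=secret dropped and the rsasigkey values added.
    leftkey/rightkey are the values printed by 'ipsec showhostkey --left' / '--right'."""
    new = {k: v for k, v in conn.items() if k != 'authby'}
    new.update(authby='rsasig', leftrsasigkey=leftkey, rightrsasigkey=rightkey)
    return new

def render(name, conn):
    """Emit the block back in ipsec.conf layout."""
    return 'conn %s\n' % name + ''.join('        %s=%s\n' % kv for kv in conn.items())

if __name__ == '__main__':
    vpn = parse_conns(SAMPLE_CONF)['vpnserver']
    print(audit(vpn))   # placeholder keys below stand in for real showhostkey output
    print(render('vpnserver', to_rsasig(vpn, '0sLEFTKEY_PLACEHOLDER', '0sRIGHTKEY_PLACEHOLDER')))
```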

