[Openswan Users] Problems, I think NAT related
Mark Hayward
mhayward at epitiro.com
Mon Nov 5 07:51:45 EST 2007
Thanks for the replies,
I have made the alterations but I still get the following error message.
packet from 86.148.87.91:49315: initial Main Mode message received on
80.102.114.86:500 but no connection has been authorized with policy=RSASIG
Is it not something to do with the NAT? The port the message is being sent
from is a peculiar port, isn't it?
I am not sure what I can do :(
The configs now look like this:
IPcop:
conn manchester #RED
left=cardiffadmin.demon.co.uk
leftnexthop=%defaultroute
leftsubnet=192.168.2.0/255.255.254.0
right=86.148.87.91
rightsubnet=10.0.5.0/255.255.255.0
rightnexthop=%defaultroute
leftid="@80.102.114.86"
rightid="@86.148.87.91"
ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
ikelifetime=1h
keylife=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
pfs=no
authby=rsasig
auto=start
leftrsasigkey=0sAQNiLMF3XScMlY$
rightrsasigkey=0sAQO8ROHi0Cb2Bx$
OpenSwan:
conn vpnserver
right=80.102.114.86
rightnexthop=%defaultroute
rightsubnet=192.168.2.0/255.255.254.0
left=192.168.1.65
leftsubnet=10.0.5.0/255.255.255.0
leftnexthop=%defaultroute
leftid="@86.148.87.91"
rightid="@80.102.114.86"
ike=aes
esp=aes
ikelifetime=1h
keylife=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
pfs=yes
authby=rsasig
rightrsasigkey=0sAQNiLMF3XScMlY$
leftrsasigkey=0sAQO8ROHi0Cb2Bx$
auto=start
Many Thanks,
Mark
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: 02 November 2007 20:03
To: Mark Hayward
Cc: users at openswan.org
Subject: Re: [Openswan Users] Problems, I think NAT related
On Fri, 2 Nov 2007, Mark Hayward wrote:
> packet from 86.148.87.91:49179: initial Main Mode message received on
> 80.102.114.86:500 but no connection has been authorized with policy=PSK
Looks like you have authby=rsasigkey but the incoming connection has
authby=secret
> conn manchester #RED
I am not sure about using #'s there...
> left=cardiffadmin.demon.co.uk
> leftnexthop=%defaultroute
> leftsubnet=192.168.2.0/255.255.254.0
> right=86.148.87.91
> rightsubnet=10.0.5.0/255.255.255.0
> rightnexthop=%defaultroute
> leftid="@80.102.114.86"
> rightid="@86.148.87.91"
> aggrmode=yes
You really want that?
> authby=secret
You do seem to have PSK enabled here.
> My ipsec.secrets from IPcop looks like this:
> conn vpnserver
> right=80.102.114.86
> rightnexthop=%defaultroute
> rightsubnet=192.168.2.0/255.255.254.0
> left=10.0.5.12
> leftsubnet=10.0.5.0/255.255.255.0
> leftnexthop=%defaultroute
> leftid="@86.148.87.91"
> rightid="@80.102.114.86"
> ike=aes
> esp=aes
> ikelifetime=1h
> keylife=8h
> dpddelay=30
> dpdtimeout=120
> dpdaction=restart
> pfs=yes
> authby=secret
Hmm same here.
Guess you're falling in the category "NAT traversal and PSK really do not
go well together".
I would switch to using RSA for this case. Both ends are openswan,
so it should be trivial to switch. Just remove the authby=secret
lines, and add the proper rightrsasigkey= and leftrsasigkey=.
You can generate the proper value using 'ipsec showhostkey --right (or
--left)'
Paul
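As an added example (not code from the thread, from Openswan or from IPcop), the following Python script parses two conn blocks of the flat form posted above, reports where the two ends disagree, and decodes a pluto "no connection has been authorized" line the way Paul reads it in his reply (policy= names the authentication method the initiator proposed). The sample configs are constructed from the values in the thread with placeholder RSA keys; the regex, the policy-to-authby mapping and the "source port other than 500 suggests NAT" heuristic are this example's assumptions, and ike=/esp= proposal strings are not compared because their shorthand expansion is not modelled here.

```python
"""Cross-check two Openswan-style conn blocks and decode a pluto log line.

Added example, not code from the mailing-list thread or the projects it mentions.
"""
import re

# Matches the pluto line quoted in the thread (constructed regex, not Openswan code).
LOG_RE = re.compile(
    r"packet from (?P<src>[\d.]+):(?P<sport>\d+): initial (?P<mode>\w+) Mode message "
    r"received on (?P<dst>[\d.]+):(?P<dport>\d+) but no connection has been authorized "
    r"with policy=(?P<policy>\w+)"
)
# Assumption taken from Paul's reply: policy= is the auth method the initiator proposed.
POLICY_TO_AUTHBY = {"RSASIG": "rsasig", "PSK": "secret"}
MIRROR = {"left": "right", "right": "left"}

# Constructed samples modelled on the posted configs; keys are placeholders.
IPCOP_CONF = """\
conn manchester #RED
left=cardiffadmin.demon.co.uk
leftnexthop=%defaultroute
leftsubnet=192.168.2.0/255.255.254.0
right=86.148.87.91
rightsubnet=10.0.5.0/255.255.255.0
rightnexthop=%defaultroute
leftid="@80.102.114.86"
rightid="@86.148.87.91"
ikelifetime=1h
keylife=8h
pfs=no
authby=rsasig
auto=start
leftrsasigkey=0sPLACEHOLDER_KEY_A
rightrsasigkey=0sPLACEHOLDER_KEY_B
"""
OPENSWAN_CONF = """\
conn vpnserver
right=80.102.114.86
rightnexthop=%defaultroute
rightsubnet=192.168.2.0/255.255.254.0
left=192.168.1.65
leftsubnet=10.0.5.0/255.255.255.0
leftnexthop=%defaultroute
leftid="@86.148.87.91"
rightid="@80.102.114.86"
ikelifetime=1h
keylife=8h
pfs=yes
authby=rsasig
rightrsasigkey=0sPLACEHOLDER_KEY_A
leftrsasigkey=0sPLACEHOLDER_KEY_B
auto=start
"""
LOG_LINE = ("packet from 86.148.87.91:49315: initial Main Mode message received on "
            "80.102.114.86:500 but no connection has been authorized with policy=RSASIG")


def parse_conns(text):
    """Parse flat 'conn NAME' blocks of key=value lines into {name: {key: value}}."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments such as '#RED'
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = m.group(1)
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip().strip('"')
    return conns


def swap_side(key):
    """leftsubnet -> rightsubnet, rightid -> leftid; keys without a side are unchanged."""
    for side, other in MIRROR.items():
        if key.startswith(side):
            return other + key[len(side):]
    return key


def check_pair(a, b):
    """Return mismatches between peer conn dicts a and b; an empty list means consistent."""
    problems = []
    # Settings that must be identical on both ends.
    for key in ("authby", "pfs", "ikelifetime", "keylife", "aggrmode"):
        va, vb = a.get(key, "<unset>"), b.get(key, "<unset>")
        if va != vb:
            problems.append(f"{key}: {va!r} vs {vb!r} (must be equal on both ends)")
    # Settings that must mirror: a.leftX should equal b.rightX and vice versa.
    # nexthop is skipped because it is meaningful only to the host that sets it.
    for key, va in a.items():
        mk = swap_side(key)
        if mk == key or key.endswith("nexthop"):
            continue
        vb = b.get(mk)
        if vb is not None and vb != va:
            problems.append(f"{key}={va!r} on A but {mk}={vb!r} on B")
    return problems


def diagnose_log(line, conns):
    """Decode a 'no connection has been authorized' line against the local conns.

    Reports the peer address, whether the outer source port is not 500 (a sign that a
    NAT device rewrote it), which conns name that peer, and which of those carry an
    authby= that does not match the proposed policy."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, sport, policy = m.group("src"), int(m.group("sport")), m.group("policy")
    naming = [n for n, c in conns.items()
              if c.get("right") == src or c.get("rightid") == "@" + src]
    expected = POLICY_TO_AUTHBY.get(policy)
    return {
        "peer": src,
        "policy": policy,
        "nat_suspected": sport != 500,
        "conns_naming_peer": naming,
        "auth_mismatch": [n for n in naming if conns[n].get("authby") != expected],
    }


if __name__ == "__main__":
    ipcop, openswan = parse_conns(IPCOP_CONF), parse_conns(OPENSWAN_CONF)
    for p in check_pair(ipcop["manchester"], openswan["vpnserver"]):
        print("mismatch:", p)
    print(diagnose_log(LOG_LINE, ipcop))
```

Run against the samples it reports the pfs=no/pfs=yes disagreement, the hostname-versus-address left=/right= pair, and the private left= address behind the public rightid=, while the log decoder shows the peer arriving from a high source port with a policy that does match the conn's authby=rsasig.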