[Openswan Users] Problems, I think NAT related
Paul Wouters
paul at xelerance.com
Mon Nov 5 10:19:41 EST 2007
On Mon, 5 Nov 2007, Mark Hayward wrote:
> I have made the alterations but I still get the following error message.
>
> packet from 86.148.87.91:49315: initial Main Mode message received on 80.102.114.86:500 but no connection has been authorized with policy=RSASIG
Run:
ipsec auto --replace manchester
What error do you get?
Paul
> Is it not something to do with the NAT? The port the message is being sent
> from is a peculiar port, isn't it?
>
> I am not sure what I can do :(
>
>
> The configs now look like this :
>
>
> IP cop:
>
> conn manchester #RED
> left=cardiffadmin.demon.co.uk
> leftnexthop=%defaultroute
> leftsubnet=192.168.2.0/255.255.254.0
> right=86.148.87.91
> rightsubnet=10.0.5.0/255.255.255.0
> rightnexthop=%defaultroute
> leftid="@80.102.114.86"
> rightid="@86.148.87.91"
>
> ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
> esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
> ikelifetime=1h
> keylife=8h
> dpddelay=30
> dpdtimeout=120
> dpdaction=restart
> pfs=no
> authby=rsasig
> auto=start
> leftrsasigkey=0sAQNiLMF3XScMlY$
> rightrsasigkey=0sAQO8ROHi0Cb2Bx$
>
>
> OpenSwan:
>
> conn vpnserver
> right=80.102.114.86
> rightnexthop=%defaultroute
> rightsubnet=192.168.2.0/255.255.254.0
> left=192.168.1.65
> leftsubnet=10.0.5.0/255.255.255.0
> leftnexthop=%defaultroute
> leftid="@86.148.87.91"
> rightid="@80.102.114.86"
> ike=aes
> esp=aes
> ikelifetime=1h
> keylife=8h
> dpddelay=30
> dpdtimeout=120
> dpdaction=restart
> pfs=yes
> authby=rsasig
> rightrsasigkey=0sAQNiLMF3XScMlY$
> leftrsasigkey=0sAQO8ROHi0Cb2Bx$
> auto=start
>
> Many Thanks,
> Mark
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: 02 November 2007 20:03
> To: Mark Hayward
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Problems, I think NAT related
>
> On Fri, 2 Nov 2007, Mark Hayward wrote:
>
> > packet from 86.148.87.91:49179: initial Main Mode message received on 80.102.114.86:500 but no connection has been authorized with policy=PSK
>
> Looks like you have authby=rsasigkey but the incoming connection has
> authby=secret
>
> > conn manchester #RED
>
> I am not sure about using #'s there...
>
> > left=cardiffadmin.demon.co.uk
> > leftnexthop=%defaultroute
> > leftsubnet=192.168.2.0/255.255.254.0
> > right=86.148.87.91
> > rightsubnet=10.0.5.0/255.255.255.0
> > rightnexthop=%defaultroute
> > leftid="@80.102.114.86"
> > rightid="@86.148.87.91"
> > aggrmode=yes
>
> You really want that?
>
> > authby=secret
>
> You do seem to have PSK enabled here.
>
> > My ipsec.secrets from IPcop looks like this:
>
> > conn vpnserver
> > right=80.102.114.86
> > rightnexthop=%defaultroute
> > rightsubnet=192.168.2.0/255.255.254.0
> > left=10.0.5.12
> > leftsubnet=10.0.5.0/255.255.255.0
> > leftnexthop=%defaultroute
> > leftid="@86.148.87.91"
> > rightid="@80.102.114.86"
> > ike=aes
> > esp=aes
> > ikelifetime=1h
> > keylife=8h
> > dpddelay=30
> > dpdtimeout=120
> > dpdaction=restart
> > pfs=yes
> > authby=secret
>
> Hmm same here.
>
> Guess you're falling in the category "NAT traversal and PSK really do not
> go well together".
>
> I would switch to using RSA for this case. Both ends are openswan,
> so it should be trivial to switch. Just remove the authby=secret
> lines, and add the proper rightrsasigkey= and leftrsasigkey=.
> You can generate the proper value using 'ipsec showhostkey --right (or
> --left)'
>
> Paul
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
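Added example, not code from the thread or from the Openswan project: a small Python lint that takes the two conn blocks as posted above and checks that they are mirror images of each other the way Openswan expects, i.e. every left* parameter on one gateway equals the corresponding right* parameter on the other. ids, subnets and rsasigkeys are required to match exactly, side-less settings such as authby and pfs are reported when they differ, and the left=/right= addresses are reported as informational only, because a gateway behind NAT legitimately binds to its private address (192.168.1.65 above) while the peer names it by the NAT box's public address. The conn blocks embedded in the script are constructed from the ones in the thread, with the truncated RSA keys replaced by obviously fake placeholders; run against them it reports the two address notes plus the pfs=no / pfs=yes difference and no hard mismatch.

```python
"""Lint the two ends of an Openswan site-to-site conn for mirror-image
consistency.  Added example, not Openswan code.  The conn blocks below are
CONSTRUCTED from the ones posted in the thread; the RSA keys are placeholders."""
import re

IPCOP_CONN = """\
conn manchester #RED
    left=cardiffadmin.demon.co.uk
    leftnexthop=%defaultroute
    leftsubnet=192.168.2.0/255.255.254.0
    right=86.148.87.91
    rightsubnet=10.0.5.0/255.255.255.0
    rightnexthop=%defaultroute
    leftid="@80.102.114.86"
    rightid="@86.148.87.91"
    pfs=no
    authby=rsasig
    leftrsasigkey=0sAQNfakeKeyCardiffPlaceholder
    rightrsasigkey=0sAQOfakeKeyManchesterPlaceholder
"""

OPENSWAN_CONN = """\
conn vpnserver
    right=80.102.114.86
    rightnexthop=%defaultroute
    rightsubnet=192.168.2.0/255.255.254.0
    left=192.168.1.65
    leftsubnet=10.0.5.0/255.255.255.0
    leftnexthop=%defaultroute
    leftid="@86.148.87.91"
    rightid="@80.102.114.86"
    pfs=yes
    authby=rsasig
    rightrsasigkey=0sAQNfakeKeyCardiffPlaceholder
    leftrsasigkey=0sAQOfakeKeyManchesterPlaceholder
"""

# left*/right* suffixes that must mirror between the ends and the severity when
# they do not.  The bare address ("") is only informational: an end behind NAT
# binds to its private address while the peer names the NAT box's public one.
MIRRORED = {"id": "error", "subnet": "error", "rsasigkey": "error",
            "nexthop": "warn", "": "info"}
# Side-less parameters that should be identical on both ends.
SYMMETRIC = {"authby": "error", "pfs": "warn", "ikelifetime": "warn",
             "keylife": "warn", "ike": "warn", "esp": "warn"}


def parse_conn(text):
    """Return (conn_name, {param: value}) for one conn block, dropping '#'
    comments (e.g. 'conn manchester #RED') and quotes around values."""
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip().strip('"')
    return name, params


def other_side(param):
    """Map left* to right* and back; side-less parameters are unchanged."""
    if param.startswith("left"):
        return "right" + param[4:]
    if param.startswith("right"):
        return "left" + param[5:]
    return param


def compare_ends(a, b):
    """Compare gateway A's conn params with gateway B's; return [(severity, msg)]."""
    findings = []
    for suffix, severity in MIRRORED.items():
        for side in ("left", "right"):
            key, peer_key = side + suffix, other_side(side + suffix)
            va, vb = a.get(key), b.get(peer_key)
            if va is None and vb is None:
                continue
            if va is None or vb is None:
                findings.append(("error", f"{key}/{peer_key} set on one end only"))
            elif va != vb:
                findings.append((severity, f"{key}={va} but peer has {peer_key}={vb}"))
    for key, severity in SYMMETRIC.items():
        if a.get(key) != b.get(key):
            findings.append((severity, f"{key}: {a.get(key)!r} vs peer {b.get(key)!r}"))
    return findings


def check_thread_configs():
    """Run the comparison on the constructed IPcop and Openswan blocks above."""
    _, ipcop = parse_conn(IPCOP_CONN)
    _, openswan = parse_conn(OPENSWAN_CONN)
    return compare_ends(ipcop, openswan)


if __name__ == "__main__":
    for severity, message in check_thread_configs():
        print(f"[{severity}] {message}")
```

This is a pre-flight lint of ipsec.conf text only; it does not talk to pluto. The rsasigkey values it compares should be the 0s... strings printed by 'ipsec showhostkey --left' / '--right' on the respective hosts, pasted whole. Once both files pass, 'ipsec auto --replace <conn>' on each end and 'ipsec auto --status' are still what tell you whether the conn actually loaded and which peer addresses pluto is willing to accept an initial Main Mode message from.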