[Openswan Users] Problems, I think NAT related

Mark Hayward mhayward at epitiro.com
Mon Nov 5 10:31:56 EST 2007


I don't get any errors.
Thanks,
Mark
 


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: 05 November 2007 15:20
To: Mark Hayward
Cc: users at openswan.org
Subject: Re: [Openswan Users] Problems, I think NAT related

On Mon, 5 Nov 2007, Mark Hayward wrote:

> I have made the alterations but I still get the following error message.
>
> packet from 86.148.87.91:49315: initial Main Mode message received on
> 80.102.114.86:500 but no connection has been authorized with policy=RSASIG

Run:

ipsec auto --replace manchester

What error do you get?

Paul

> Is it not something to do with the NAT? The port the message is being sent
> from is a peculiar port, isn't it?
>
> I am not sure what I can do :(
>
>
> The configs now look like this :
>
>
> IP cop:
>
> conn manchester #RED
>         left=cardiffadmin.demon.co.uk
>         leftnexthop=%defaultroute
>         leftsubnet=192.168.2.0/255.255.254.0
>         right=86.148.87.91
>         rightsubnet=10.0.5.0/255.255.255.0
>         rightnexthop=%defaultroute
>         leftid="@80.102.114.86"
>         rightid="@86.148.87.91"
>
>
>         ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
>         esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
>         ikelifetime=1h
>         keylife=8h
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=restart
>         pfs=no
>         authby=rsasig
>         auto=start
>         leftrsasigkey=0sAQNiLMF3XScMlY$
>         rightrsasigkey=0sAQO8ROHi0Cb2Bx$
>
>
> OpenSwan:
>
> conn vpnserver
>         right=80.102.114.86
>         rightnexthop=%defaultroute
>         rightsubnet=192.168.2.0/255.255.254.0
>         left=192.168.1.65
>         leftsubnet=10.0.5.0/255.255.255.0
>         leftnexthop=%defaultroute
>         leftid="@86.148.87.91"
>         rightid="@80.102.114.86"
>         ike=aes
>         esp=aes
>         ikelifetime=1h
>         keylife=8h
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=restart
>         pfs=yes
>         authby=rsasig
>         rightrsasigkey=0sAQNiLMF3XScMlY$
>         leftrsasigkey=0sAQO8ROHi0Cb2Bx$
>         auto=start
>
> Many Thanks,
> Mark
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: 02 November 2007 20:03
> To: Mark Hayward
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Problems, I think NAT related
>
> On Fri, 2 Nov 2007, Mark Hayward wrote:
>
> > packet from 86.148.87.91:49179: initial Main Mode message received on
> > 80.102.114.86:500 but no connection has been authorized with policy=PSK
>
> Looks like you have authby=rsasigkey but the incoming connection has
> authby=secret
>
> > conn manchester #RED
>
> I am not sure about using #'s there...
>
> >         left=cardiffadmin.demon.co.uk
> >         leftnexthop=%defaultroute
> >         leftsubnet=192.168.2.0/255.255.254.0
> >         right=86.148.87.91
> >         rightsubnet=10.0.5.0/255.255.255.0
> >         rightnexthop=%defaultroute
> >         leftid="@80.102.114.86"
> >         rightid="@86.148.87.91"
> >         aggrmode=yes
>
> You really want that?
>
> >         authby=secret
>
> You do seem to have PSK enabled here.
>
> > My ipsec.secrets from IPcop looks like this:
>
> > conn vpnserver
> >         right=80.102.114.86
> >         rightnexthop=%defaultroute
> >         rightsubnet=192.168.2.0/255.255.254.0
> >         left=10.0.5.12
> >         leftsubnet=10.0.5.0/255.255.255.0
> >         leftnexthop=%defaultroute
> >         leftid="@86.148.87.91"
> >         rightid="@80.102.114.86"
> >         ike=aes
> >         esp=aes
> >         ikelifetime=1h
> >         keylife=8h
> >         dpddelay=30
> >         dpdtimeout=120
> >         dpdaction=restart
> >         pfs=yes
> >         authby=secret
>
> Hmm same here.
>
> Guess you're falling in the category "NAT traversal and PSK really do not
> go well together".
>
> I would switch to using RSA for this case. Both ends are openswan,
> so it should be trivial to switch. Just remove the authby=secret
> lines, and add the proper rightrsasigkey= and leftrsasigkey=.
> You can generate the proper value using 'ipsec showhostkey --right (or
> --left)'
>
> Paul
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
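A consistency check over the two conn blocks quoted in this thread, added here as an example that is not from the thread, from IPcop or from Openswan: it parses both ends the way ipsec.conf lays them out and reports the fields that must mirror between peers (left/right ids, subnets and RSA keys) or match verbatim (authby, pfs). The sample configs are constructed from the posted ones and trimmed to those keys; the RSA key values are truncated in the post, so their tails are labelled placeholders.

```python
# Constructed sample from the posted configs; key tails are placeholders.
IPCOP_CONF = """conn manchester #RED
        leftsubnet=192.168.2.0/255.255.254.0
        rightsubnet=10.0.5.0/255.255.255.0
        leftid="@80.102.114.86"
        rightid="@86.148.87.91"
        pfs=no
        authby=rsasig
        leftrsasigkey=0sAQNiLMF3XScMlY_PLACEHOLDER_A
        rightrsasigkey=0sAQO8ROHi0Cb2Bx_PLACEHOLDER_B
"""
OPENSWAN_CONF = """conn vpnserver
        rightsubnet=192.168.2.0/255.255.254.0
        leftsubnet=10.0.5.0/255.255.255.0
        leftid="@86.148.87.91"
        rightid="@80.102.114.86"
        pfs=yes
        authby=rsasig
        rightrsasigkey=0sAQNiLMF3XScMlY_PLACEHOLDER_A
        leftrsasigkey=0sAQO8ROHi0Cb2Bx_PLACEHOLDER_B
"""

def parse_conns(text):
    """Parse 'conn' sections into {name: {key: value}}; '#' comments and quotes dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # 'conn manchester #RED' -> 'conn manchester'
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns

MIRRORED = ("id", "subnet", "rsasigkey")  # left on one end must equal right on the other
SHARED = ("authby", "pfs")                # must be identical on both ends

def check_pair(a, b):
    """Return a list of mismatches between the two ends of one tunnel."""
    problems = []
    for suffix in MIRRORED:
        for mine, theirs in (("left", "right"), ("right", "left")):
            va, vb = a.get(mine + suffix), b.get(theirs + suffix)
            if va != vb:
                problems.append(f"{mine}{suffix}={va!r} vs peer {theirs}{suffix}={vb!r}")
    for key in SHARED:
        if a.get(key) != b.get(key):
            problems.append(f"{key}={a.get(key)!r} vs peer {key}={b.get(key)!r}")
    return problems

def check_thread_configs():
    return check_pair(parse_conns(IPCOP_CONF)["manchester"],
                      parse_conns(OPENSWAN_CONF)["vpnserver"])
```

On the configs as posted, the only finding is the pfs=no / pfs=yes difference between the IPcop and Openswan ends; overlap of the ike= and esp= proposal lists is not checked.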
