[Openswan Users] Error: "initial Main Mode message received on 192.168.23.23:500 but no connection has been authorized"
BUI18
lbui18 at yahoo.com
Sun Apr 6 20:58:45 EDT 2008
Hi -
Can someone assist with this error? I am trying to create a site-to-site tunnel between a D-Link DIR-130 VPN router and Openswan.
My setup:
Left Side = Openswan
Right Side = DIR-130 Router
Left Side LAN (192.168.23.0/24) --- Left Side Router's LAN IP (192.168.23.1) --- WAN IP (66.27.a.b) --- Next Left Hop (24.25.c.d) .....INTERNET...... Next Right Hop (66.27.e.1) --- WAN IP (66.27.f.g) --- DIR-130's LAN IP (192.168.99.1) --- Right Side LAN (192.168.99.0/24)
The DIR-130 is set to use PSK, 3DES, MD5, modp1024
You can see from the log that the Openswan server does indeed receive initialization from the router. But then....nothing.
Here's an excerpt from auth.log:
packet from 66.27.113.46:500: received Vendor ID payload [RFC 3947] method set to=109
Apr 6 17:43:50 localhost pluto[20252]: packet from 66.27.113.46:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Apr 6 17:43:50 localhost pluto[20252]: packet from 66.27.113.46:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Apr 6 17:43:51 localhost pluto[20252]: packet from 66.27.113.46:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr 6 17:43:51 localhost pluto[20252]: packet from 66.27.113.46:500: received Vendor ID payload [Dead Peer Detection]
Apr 6 17:43:51 localhost pluto[20252]: | nat-t detected, sending nat-t VID
Apr 6 17:43:51 localhost pluto[20252]: | find_host_connection called from main_inI1_outR1
Apr 6 17:43:51 localhost pluto[20252]: | find_host_pair_conn (find_host_connection2): 192.168.23.23:500 66.27.113.46:500 -> hp:none
Apr 6 17:43:51 localhost pluto[20252]: | find_host_connection called from main_inI1_outR1
Apr 6 17:43:51 localhost pluto[20252]: | find_host_pair_conn (find_host_connection2): 192.168.23.23:500 %any:500 -> hp:none
Apr 6 17:43:51 localhost pluto[20252]: packet from 66.27.113.46:500: initial Main Mode message received on 192.168.23.23:500 but no connection has been authorized
Here are the results from "ipsec auto --status":
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "DIR130-JON": 192.168.23.0/24===66.27.a.b---24.25.c.d...66.27.e.1---66.27.f.g===192.168.99.0/24; unrouted; eroute owner: #0
000 "DIR130-JON": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "DIR130-JON": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "DIR130-JON": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: ;
000 "DIR130-JON": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
Here's my ipsec.conf:
# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.23.0/24
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=all

# Add connections here
conn DIR130-JON
        # Left security gateway, subnet behind it, nexthop toward right.
        left=66.27.a.b
        leftsubnet=192.168.23.0/24
        leftnexthop=24.25.c.d
        # Right security gateway, subnet behind it, nexthop toward left.
        right=66.27.f.g
        rightsubnet=192.168.99.0/24
        rightnexthop=66.27.e.1
        keyexchange=ike
        ikelifetime=480m
        keylife=3600s
        pfs=yes
        compress=no
        authby=secret
        keyingtries=0
        auto=start

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
If you need any additional info, please let me know.
Any help would be greatly appreciated.
Thanks
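One consistency check a troubleshooter can run on this kind of report, as an added example (not code from the original post or from Openswan): it pairs the address pluto says it received the Main Mode message on, and the peer that sent it, with the left=/right= values of every loaded conn, which is the lookup the find_host_pair_conn lines above report as hp:none. The sample log lines and conn section are constructed from the excerpts in the post; the 66.27.a.b style values are the poster's placeholders.

```python
import re

# Constructed sample: the three decisive lines from the posted auth.log excerpt.
SAMPLE_LOG = """\
Apr 6 17:43:51 localhost pluto[20252]: | find_host_pair_conn (find_host_connection2): 192.168.23.23:500 66.27.113.46:500 -> hp:none
Apr 6 17:43:51 localhost pluto[20252]: | find_host_pair_conn (find_host_connection2): 192.168.23.23:500 %any:500 -> hp:none
Apr 6 17:43:51 localhost pluto[20252]: packet from 66.27.113.46:500: initial Main Mode message received on 192.168.23.23:500 but no connection has been authorized
"""
# Constructed sample: the conn section as posted (66.27.a.b etc. are the poster's placeholders).
SAMPLE_CONF = """\
conn DIR130-JON
        left=66.27.a.b
        leftsubnet=192.168.23.0/24
        right=66.27.f.g
        rightsubnet=192.168.99.0/24
        authby=secret
"""
UNAUTH_RE = re.compile(r"packet from (?P<peer>[\d.]+):\d+: initial Main Mode message "
                       r"received on (?P<local>[\d.]+):\d+ but no connection has been authorized")

def parse_conns(conf):
    """Minimal ipsec.conf reader: returns {conn_name: {key: value}} for 'conn' sections."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace() and line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[current][key.strip()] = val.strip()
    return conns

def check_unauthorized(log, conf):
    """For each 'no connection has been authorized' line, list which conns name the
    local address pluto received on and which name (or %any-match) the sending peer."""
    conns = parse_conns(conf)
    findings = []
    for m in UNAUTH_RE.finditer(log):
        local, peer = m.group("local"), m.group("peer")
        local_in = [n for n, c in conns.items() if local in (c.get("left"), c.get("right"))]
        peer_in = [n for n, c in conns.items()
                   if peer in (c.get("left"), c.get("right")) or "%any" in (c.get("left"), c.get("right"))]
        findings.append({"local": local, "peer": peer,
                         "conns_with_local": local_in, "conns_with_peer": peer_in})
    return findings

if __name__ == "__main__":
    for finding in check_unauthorized(SAMPLE_LOG, SAMPLE_CONF):
        print(finding)  # empty lists mean no loaded conn carries that address as left= or right=
```

An empty conns_with_local list means pluto is receiving on an address that no conn is bound to (the "interface: ;" field in the status output above reflects the same thing), which is the first thing to reconcile before looking at proposals or secrets.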