[Openswan Users] Error: "initial Main Mode message received on 192.168.23.23:500 but no connection has been authorized"

BUI18 lbui18 at yahoo.com
Mon Apr 7 14:16:14 EDT 2008


Jacco -
 
I made some progress based on your suggestion, but not completely there.
 
Here's the new ipsec.conf
 
# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.23.0/24
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=all
# Add connections here
conn DIR130-JON
        # Left security gateway, subnet behind it, nexthop toward right.
        #left=66.27.a.b
        left=192.168.23.23
        leftsubnet=192.168.23.0/24
        #leftnexthop=24.25.c.d
        leftnexthop=66.27.a.b
        # Right security gateway, subnet behind it, nexthop toward left.
        right=66.27.f.g
        rightsubnet=192.168.99.0/24
        #rightnexthop=66.27.e.1
        keyexchange=ike
        ikelifetime=480m
        keylife=3600s
        pfs=yes
        compress=no
        authby=secret
        keyingtries=0
        auto=start
 
Here's "ipsec auto --status"
 
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 "DIR130-JON": 192.168.23.0/24===192.168.23.23---66.27.82.147...66.27.113.46===192.168.99.0/24; prospective erouted; eroute owner: #0
000 "DIR130-JON":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "DIR130-JON":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "DIR130-JON":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; 
000 "DIR130-JON":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000  
000 #1: "DIR130-JON":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0 out:0)
000 #1: pending Phase 2 for "DIR130-JON" replacing #0
000

You can see that it made it through Phase 1, but it is choking on Phase 2.
 
Here's auth.log output:
 
 started looking for secret for 192.168.23.23->66.27.f.g of kind PPK_PSK
Apr  7 10:57:19 localhost pluto[23888]: | actually looking for secret for 192.168.23.23->66.27.f.g of kind PPK_PSK
Apr  7 10:57:19 localhost pluto[23888]: | 1: compared PSK 66.27.f.g to 192.168.23.23 / 66.27.f.g -> 2
Apr  7 10:57:19 localhost pluto[23888]: | 2: compared PSK 66.27.a.b to 192.168.23.23 / 66.27.f.g -> 2
Apr  7 10:57:19 localhost pluto[23888]: | concluding with best_match=0 best=(nil) (lineno=-1)
Apr  7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: Can't authenticate: no preshared key found for `192.168.23.23' and `66.27.f.g'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Apr  7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: no acceptable Oakley Transform
Apr  7 10:57:19 localhost pluto[23888]: | complete state transition with (null)
Apr  7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: sending notification NO_PROPOSAL_CHOSEN to 66.27.113.46:500
Apr  7 10:57:19 localhost pluto[23888]: | **emit ISAKMP Message:
Apr  7 10:57:19 localhost pluto[23888]: |    initiator cookie:
Apr  7 10:57:19 localhost pluto[23888]: |   0c c5 00 e5  e4 aa 6c ff
Apr  7 10:57:19 localhost pluto[23888]: |    responder cookie:
Apr  7 10:57:19 localhost pluto[23888]: |   00 00 00 00  00 00 00 00
Apr  7 10:57:19 localhost pluto[23888]: |    next payload type: ISAKMP_NEXT_N
Apr  7 10:57:19 localhost pluto[23888]: |    ISAKMP version: ISAKMP Version 1.0
Apr  7 10:57:19 localhost pluto[23888]: |    exchange type: ISAKMP_XCHG_INFO
Apr  7 10:57:19 localhost pluto[23888]: |    flags: none
Apr  7 10:57:19 localhost pluto[23888]: |    message ID:  00 00 00 00
Apr  7 10:57:19 localhost pluto[23888]: | ***emit ISAKMP Notification Payload:
Apr  7 10:57:19 localhost pluto[23888]: |    next payload type: ISAKMP_NEXT_NONE
Apr  7 10:57:19 localhost pluto[23888]: |    DOI: ISAKMP_DOI_IPSEC
Apr  7 10:57:19 localhost pluto[23888]: |    protocol ID: 1
Apr  7 10:57:19 localhost pluto[23888]: |    SPI size: 0
Apr  7 10:57:19 localhost pluto[23888]: |    Notify Message Type: NO_PROPOSAL_CHOSEN
Apr  7 10:57:19 localhost pluto[23888]: | emitting length of ISAKMP Notification Payload: 12
Apr  7 10:57:19 localhost pluto[23888]: | emitting length of ISAKMP Message: 40
Apr  7 10:57:19 localhost pluto[23888]: | sending 40 bytes for notification packet through eth0:500 to 66.27.f.g:500:
Apr  7 10:57:19 localhost pluto[23888]: |   0c c5 00 e5  e4 aa 6c ff  00 00 00 00  00 00 00 00
Apr  7 10:57:19 localhost pluto[23888]: |   0b 10 05 00  00 00 00 00  00 00 00 28  00 00 00 0c
Apr  7 10:57:19 localhost pluto[23888]: |   00 00 00 01  01 00 00 0e
Apr  7 10:57:19 localhost pluto[23888]: | state transition function for STATE_MAIN_I1 failed: NO_PROPOSAL_CHOSEN
Apr  7 10:57:19 localhost pluto[23888]: | next event EVENT_PENDING_PHASE2 in 103 seconds

Not sure what's happening here... something about the authentication. Any ideas?
 
thx



----- Original Message ----
From: Jacco de Leeuw <jacco2 at dds.nl>
To: users at openswan.org
Sent: Monday, April 7, 2008 10:30:07 AM
Subject: Re: [Openswan Users] Error: "initial Main Mode message received on 192.168.23.23:500 but no connection has been authorized"

BUI18 wrote:

> I thought that "left" is suppose to be the Openswan's internet gateway, 
> which is why I specified 66.27.a.b.

No, this should be the IP address of the Openswan server itself.

> I did a tcpdump on the Openswan server and indeed it was receiving an
> initialization request on udp port 500.

Yes, but presumably for 192.168.23.23.

> Any suggestion on what left, leftnexthop and right, rightnexthop should be
> for this to work?

left=192.168.23.23
leftnexthop=192.168.23.1
leftsubnet=192.168.23.0/24
right=66.27.f.g
rightsubnet=192.168.99.0/24

I'm not sure if this will work but you should get a bit further and
if it does not work the logfile will tell which parameters are required.

Jacco
-- 
Jacco de Leeuw                        mailto:jacco2 at dds.nl
Zaandam, The Netherlands          http://www.jacco2.dds.nl
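The "compared PSK ... -> 2" lines in the auth.log above show pluto scoring each ipsec.secrets entry against the local and remote IDs of the connection. The following is an added, simplified model of that lookup (constructed for this thread, not pluto's own code; the bit values 2 for a remote-ID match and 4 for a local-ID match are assumed, and only quoted PSK strings are parsed). It shows why an entry indexed on the gateway's public address 66.27.a.b is no longer found once left=192.168.23.23, and which index line does match:

```python
# Simplified model of pluto's ipsec.secrets lookup for a (my_id, his_id) pair.
# Constructed example, not pluto's code; MATCH_HIM=2 / MATCH_ME=4 are assumed
# to mirror the "-> 2" values seen in the debug log.
import re

MATCH_NONE, MATCH_DEFAULT, MATCH_HIM, MATCH_ME = 0, 1, 2, 4


def parse_secrets(text):
    """Parse 'id1 id2 ... : PSK "secret"' lines into (indices, secret) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^(.*?):\s*PSK\s+"([^"]*)"\s*$', line)
        if not m:
            raise ValueError(f"unparsable secrets line: {line!r}")
        entries.append((m.group(1).split(), m.group(2)))
    return entries


def score(indices, my_id, his_id):
    """Score one entry: no index or %any is a default match; otherwise
    record which of our two IDs each listed index matches."""
    if not indices or indices == ['%any']:
        return MATCH_DEFAULT
    match = MATCH_NONE
    for idx in indices:
        if idx == my_id:
            match |= MATCH_ME
        if idx == his_id:
            match |= MATCH_HIM
    return match


def find_psk(text, my_id, his_id):
    """Return the PSK whose indices cover both ends, falling back to a
    default (%any) entry; None when nothing matches (pluto's 'no preshared
    key found')."""
    fallback = None
    for n, (indices, secret) in enumerate(parse_secrets(text), 1):
        match = score(indices, my_id, his_id)
        print(f"{n}: compared PSK {' '.join(indices) or '%any'} "
              f"to {my_id} / {his_id} -> {match}")
        if match == MATCH_ME | MATCH_HIM:
            return secret
        if match == MATCH_DEFAULT and fallback is None:
            fallback = secret
    return fallback


# Constructed secrets: the old entry keyed on the public address vs. one
# keyed on the address now used as left=. "a.b"/"f.g" are the thread's placeholders.
OLD_SECRETS = '66.27.a.b 66.27.f.g : PSK "constructed-key"\n'
NEW_SECRETS = '192.168.23.23 66.27.f.g : PSK "constructed-key"\n'
```

Running find_psk on OLD_SECRETS with my_id=192.168.23.23 reproduces the "-> 2" result and returns None, while NEW_SECRETS scores 6 and yields the key.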

