[Openswan Users] Error: "initial Main Mode message received on 192.168.23.23:500 but no connection has been authorized"
BUI18
lbui18 at yahoo.com
Mon Apr 7 15:06:29 EDT 2008
Jacco - I modified the ipsec.secrets file and got past the PSK issue.
192.168.23.23 66.27.f.g : PSK "mykey"
Now I see this in "ipsec auto --status"
000 #1: "DIR130-JON":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 9s; lastdpd=-1s(seq in:0 out:0)
000 #1: pending Phase 2 for "DIR130-JON" replacing #0
I then stopped Openswan and restarted. Now I see this when I run "ipsec auto --status"
000 #1: "DIR130-JON":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd
000 #1: pending Phase 2 for "DIR130-JON" replacing #0
Looks like it wants port 4500. But then the next time it wants port 500 (which I opened already). Ran the same thing several more times and it stayed at port 500.
Getting this in auth.log:
handling event EVENT_RETRANSMIT
Apr 7 12:03:36 localhost pluto[19631]: | event after this is EVENT_PENDING_PHASE2 in 46 seconds
Apr 7 12:03:36 localhost pluto[19631]: | processing connection DIR130-JON
Apr 7 12:03:36 localhost pluto[19631]: | handling event EVENT_RETRANSMIT for 66.27.113.46 "DIR130-JON" #1
Apr 7 12:03:36 localhost pluto[19631]: | sending 292 bytes for EVENT_RETRANSMIT through eth0:500 to 66.27.f.g:500:
Apr 7 12:03:36 localhost pluto[19631]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
Apr 7 12:03:36 localhost pluto[19631]: | next event EVENT_RETRANSMIT in 40 seconds for #1
Making some progress... almost there. Any idea why it's retransmitting?
thx
----- Original Message ----
From: BUI18 <lbui18 at yahoo.com>
To: users at openswan.org
Sent: Monday, April 7, 2008 11:16:14 AM
Subject: Re: [Openswan Users] Error: "initial Main Mode message received on 192.168.23.23:500 but no connection has been authorized"
Jacco -
I made some progress based on your suggestion, but not completely there.
Here's the new ipsec.conf
# basic configuration
config setup
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg:
	# plutodebug="control parsing"
	#
	# Only enable klipsdebug=all if you are a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.23.0/24
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=all
# Add connections here
conn DIR130-JON
	# Left security gateway, subnet behind it, nexthop toward right.
	#left=66.27.a.b
	left=192.168.23.23
	leftsubnet=192.168.23.0/24
	#leftnexthop=24.25.c.d
	leftnexthop=66.27.a.b
	# Right security gateway, subnet behind it, nexthop toward left.
	right=66.27.f.g
	rightsubnet=192.168.99.0/24
	#rightnexthop=66.27.e.1
	keyexchange=ike
	ikelifetime=480m
	keylife=3600s
	pfs=yes
	compress=no
	authby=secret
	keyingtries=0
	auto=start
Here's "ipsec auto --status"
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "DIR130-JON": 192.168.23.0/24===192.168.23.23---66.27.82.147...66.27.113.46===192.168.99.0/24; prospective erouted; eroute owner: #0
000 "DIR130-JON": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "DIR130-JON": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "DIR130-JON": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "DIR130-JON": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "DIR130-JON":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0 out:0)
000 #1: pending Phase 2 for "DIR130-JON" replacing #0
000
You can see that it made it through Phase 1, but it's choking on Phase 2.
Here's auth.log output:
started looking for secret for 192.168.23.23->66.27.f.g of kind PPK_PSK
Apr 7 10:57:19 localhost pluto[23888]: | actually looking for secret for 192.168.23.23->66.27.f.g of kind PPK_PSK
Apr 7 10:57:19 localhost pluto[23888]: | 1: compared PSK 66.27.f.g to 192.168.23.23 / 66.27.f.g -> 2
Apr 7 10:57:19 localhost pluto[23888]: | 2: compared PSK 66.27.a.b to 192.168.23.23 / 66.27.f.g -> 2
Apr 7 10:57:19 localhost pluto[23888]: | concluding with best_match=0 best=(nil) (lineno=-1)
Apr 7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: Can't authenticate: no preshared key found for `192.168.23.23' and `66.27.f.g'. Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: no acceptable Oakley Transform
Apr 7 10:57:19 localhost pluto[23888]: | complete state transition with (null)
Apr 7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: sending notification NO_PROPOSAL_CHOSEN to 66.27.113.46:500
Apr 7 10:57:19 localhost pluto[23888]: | **emit ISAKMP Message:
Apr 7 10:57:19 localhost pluto[23888]: | initiator cookie:
Apr 7 10:57:19 localhost pluto[23888]: | 0c c5 00 e5 e4 aa 6c ff
Apr 7 10:57:19 localhost pluto[23888]: | responder cookie:
Apr 7 10:57:19 localhost pluto[23888]: | 00 00 00 00 00 00 00 00
Apr 7 10:57:19 localhost pluto[23888]: | next payload type: ISAKMP_NEXT_N
Apr 7 10:57:19 localhost pluto[23888]: | ISAKMP version: ISAKMP Version 1.0
Apr 7 10:57:19 localhost pluto[23888]: | exchange type: ISAKMP_XCHG_INFO
Apr 7 10:57:19 localhost pluto[23888]: | flags: none
Apr 7 10:57:19 localhost pluto[23888]: | message ID: 00 00 00 00
Apr 7 10:57:19 localhost pluto[23888]: | ***emit ISAKMP Notification Payload:
Apr 7 10:57:19 localhost pluto[23888]: | next payload type: ISAKMP_NEXT_NONE
Apr 7 10:57:19 localhost pluto[23888]: | DOI: ISAKMP_DOI_IPSEC
Apr 7 10:57:19 localhost pluto[23888]: | protocol ID: 1
Apr 7 10:57:19 localhost pluto[23888]: | SPI size: 0
Apr 7 10:57:19 localhost pluto[23888]: | Notify Message Type: NO_PROPOSAL_CHOSEN
Apr 7 10:57:19 localhost pluto[23888]: | emitting length of ISAKMP Notification Payload: 12
Apr 7 10:57:19 localhost pluto[23888]: | emitting length of ISAKMP Message: 40
Apr 7 10:57:19 localhost pluto[23888]: | sending 40 bytes for notification packet through eth0:500 to 66.27.f.g:500:
Apr 7 10:57:19 localhost pluto[23888]: | 0c c5 00 e5 e4 aa 6c ff 00 00 00 00 00 00 00 00
Apr 7 10:57:19 localhost pluto[23888]: | 0b 10 05 00 00 00 00 00 00 00 00 28 00 00 00 0c
Apr 7 10:57:19 localhost pluto[23888]: | 00 00 00 01 01 00 00 0e
Apr 7 10:57:19 localhost pluto[23888]: | state transition function for STATE_MAIN_I1 failed: NO_PROPOSAL_CHOSEN
Apr 7 10:57:19 localhost pluto[23888]: | next event EVENT_PENDING_PHASE2 in 103 seconds
Not sure what's happening here... something about the authentication. Any ideas?
thx
----- Original Message ----
From: Jacco de Leeuw <jacco2 at dds.nl>
To: users at openswan.org
Sent: Monday, April 7, 2008 10:30:07 AM
Subject: Re: [Openswan Users] Error: "initial Main Mode message received on 192.168.23.23:500 but no connection has been authorized"
BUI18 wrote:
> I thought that "left" is supposed to be the Openswan's internet gateway,
> which is why I specified 66.27.a.b.
No, this should be the IP address of the Openswan server itself.
> I did a tcpdump on the Openswan server and indeed it was receiving an
> initialization request on udp port 500.
Yes, but presumably for 192.168.23.23.
> Any suggestion on what left, leftnexthop and right, rightnexthop should be
> for this to work?
left=192.168.23.23
leftnexthop=192.168.23.1
leftsubnet=192.168.23.0/24
right=66.27.f.g
rightsubnet=192.168.99.0/24
I'm not sure if this will work, but you should get a bit further, and
if it does not work the logfile will tell you which parameters are required.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
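As an added example (not code from Openswan or from anyone in this thread): a small Python reconstruction of how pluto chooses a PSK from ipsec.secrets, which explains the "compared PSK ... -> 2" and "best_match=0" lines in BUI18's earlier auth.log and why the two-index line `192.168.23.23 66.27.f.g : PSK "mykey"` in his latest mail fixed it. The match bit values and acceptance cases are my reading of pluto's secrets.c and are an assumption, as are the keys in the constructed sample file.

```python
import re

# Bit values and acceptance cases are my reading of pluto's secrets.c (an
# assumption); a secret indexing only the peer scores MATCH_HIM (2) and is
# rejected, which is what the posted auth.log shows.
MATCH_DEFAULT, MATCH_HIM, MATCH_ME = 1, 2, 4
ACCEPTABLE = {MATCH_DEFAULT, MATCH_ME | MATCH_DEFAULT, MATCH_ME | MATCH_HIM}
SECRET_RE = re.compile(r'^(?P<ids>.*?)\s*:\s*PSK\s+"(?P<key>[^"]*)"\s*$')


def parse_secrets(text):
    # Yield (index list, key) for each 'idx idx ... : PSK "key"' line.
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = SECRET_RE.match(line)
        if m:
            yield m.group("ids").split(), m.group("key")


def score(ids, me, him):
    """Bitmask of which ends of the connection an index list covers."""
    if not ids:                              # ': PSK "..."' with no indices
        return MATCH_DEFAULT
    match = 0
    for idx in ids:
        if idx == me:
            match |= MATCH_ME
        elif idx == him:
            match |= MATCH_HIM
    if match == MATCH_ME and len(ids) == 1:  # only our own ID listed:
        match |= MATCH_DEFAULT               # acts as a default for any peer
    return match


def find_psk(secrets_text, me, him, log=print):
    """Return the key pluto would pick for me->him, or None if nothing fits."""
    best_key, best_match = None, 0
    for n, (ids, key) in enumerate(parse_secrets(secrets_text), 1):
        match = score(ids, me, him)
        log(f"{n}: compared PSK {' '.join(ids)} to {me} / {him} -> {match}")
        if match in ACCEPTABLE and match > best_match:
            best_key, best_match = key, match
    log(f"concluding with best_match={best_match}")
    return best_key


# Constructed ipsec.secrets contents mirroring the thread: the two peer-only
# entries the log compared (keys assumed), then the two-index line that fixed it.
BEFORE = '66.27.f.g : PSK "mykey"\n66.27.a.b : PSK "mykey"\n'
AFTER = BEFORE + '192.168.23.23 66.27.f.g : PSK "mykey"\n'

if __name__ == "__main__":
    print(find_psk(BEFORE, "192.168.23.23", "66.27.f.g"))  # None
    print(find_psk(AFTER, "192.168.23.23", "66.27.f.g"))   # mykey
```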