[Openswan Users] Error: "initial Main Mode message received on 192.168.23.23:500 but no connection has been authorized"

BUI18 lbui18 at yahoo.com
Mon Apr 7 17:33:48 EDT 2008


OK... changed plutodebug=all to plutodebug=none.

Here's my current ipsec.conf:

# basic configuration
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12,%v4:!192.168.23.0/24
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

# Add connections here
conn DIR130-JON
        # Left security gateway, subnet behind it, nexthop toward right.
        left=192.168.23.23
        leftsubnet=192.168.23.0/24
        leftnexthop=66.27.a.b
        # Right security gateway, subnet behind it, nexthop toward left.
        right=66.27.f.g
        rightsubnet=192.168.99.0/24
        keyexchange=ike
        ikelifetime=480m
        keylife=3600s
        pfs=yes
        compress=no
        authby=secret
        keyingtries=0
        auto=start

Here's my ipsec.secrets

192.168.23.23 66.27.f.g : PSK "mykey"

Seeing these 2 errors in auth.log:

Apr  7 14:23:02 localhost pluto[19788]: loading secrets from "/etc/ipsec.secrets"
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON": route-client output: /usr/lib/ipsec/_updown: doroute `ip route add 192.168.99.0/24 via 66.27.a.b dev eth0 ' failed (RTNETLINK answers: Network is unreachable)
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: initiating Main Mode
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: received Vendor ID payload [RFC 3947] method set to=109 
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: received Vendor ID payload [Dead Peer Detection]
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: enabling possible NAT-traversal with method 3
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: I did not send a certificate because I do not have one.
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: NAT-Traversal: Result using 3: i am NATed
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr  7 14:23:12 localhost pluto[19788]: "DIR130-JON" #1: discarding duplicate packet; already STATE_MAIN_I3
Apr  7 14:23:30 localhost pluto[19788]: packet from 66.27.113.46:500: received Vendor ID payload [RFC 3947] method set to=109 
Apr  7 14:23:30 localhost pluto[19788]: packet from 66.27.113.46:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Apr  7 14:23:30 localhost pluto[19788]: packet from 66.27.113.46:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Apr  7 14:23:30 localhost pluto[19788]: packet from 66.27.113.46:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr  7 14:23:30 localhost pluto[19788]: packet from 66.27.113.46:500: received Vendor ID payload [Dead Peer Detection]
Apr  7 14:23:30 localhost pluto[19788]: "DIR130-JON" #2: responding to Main Mode
Apr  7 14:23:30 localhost pluto[19788]: "DIR130-JON" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr  7 14:23:30 localhost pluto[19788]: "DIR130-JON" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Apr  7 14:23:30 localhost pluto[19788]: "DIR130-JON" #2: NAT-Traversal: Result using 3: i am NATed
Apr  7 14:23:30 localhost pluto[19788]: "DIR130-JON" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr  7 14:23:30 localhost pluto[19788]: "DIR130-JON" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Apr  7 14:24:12 localhost pluto[19788]: "DIR130-JON" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Apr  7 14:24:12 localhost pluto[19788]: "DIR130-JON" #1: starting keying attempt 2 of an unlimited number
Apr  7 14:24:12 localhost pluto[19788]: "DIR130-JON" #3: initiating Main Mode to replace #1
Apr  7 14:24:40 localhost pluto[19788]: "DIR130-JON" #2: max number of retransmissions (2) reached STATE_MAIN_R2
Apr  7 14:21:09 localhost pluto[18701]: "DIR130-JON": route-client output: /usr/lib/ipsec/_updown: doroute `ip route add 192.168.99.0/24 via 66.27.a.b dev eth0 ' failed (RTNETLINK answers: Network is unreachable)

Any suggestion on what could be wrong?



----- Original Message ----
From: Jacco de Leeuw <jacco2 at dds.nl>
To: users at openswan.org
Sent: Monday, April 7, 2008 2:10:43 PM
Subject: Re: [Openswan Users] Error: "initial Main Mode message received on 192.168.23.23:500 but no connection has been authorized"

BUI18 wrote:

>         plutodebug=all

Set this to none. It only clutters the log.

> Apr  7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: Can't
> authenticate: no preshared key found for `192.168.23.23' and
> `66.27.f.g'.  Attribute OAKLEY_AUTHENTICATION_METHOD

Use something like this in your ipsec.secrets:

192.168.23.23 : PSK "ourlittlesecret"

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
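
Added example (not part of the original thread, and not Openswan code): a small Python triage script that scans pluto log lines like the auth.log excerpt above and reports which IKE Main Mode negotiations hit the retransmission limit and in which state. The sample lines are constructed from the format shown in the post; the hint strings are the editor's reading of each state, not pluto output.

```python
import re

# Constructed sample: pluto lines in the same format as the auth.log excerpt above.
SAMPLE_LOG = """\
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: initiating Main Mode
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: NAT-Traversal: Result using 3: i am NATed
Apr  7 14:23:02 localhost pluto[19788]: "DIR130-JON" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr  7 14:23:30 localhost pluto[19788]: "DIR130-JON" #2: responding to Main Mode
Apr  7 14:23:30 localhost pluto[19788]: "DIR130-JON" #2: NAT-Traversal: Result using 3: i am NATed
Apr  7 14:23:30 localhost pluto[19788]: "DIR130-JON" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Apr  7 14:24:12 localhost pluto[19788]: "DIR130-JON" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Apr  7 14:24:40 localhost pluto[19788]: "DIR130-JON" #2: max number of retransmissions (2) reached STATE_MAIN_R2
"""

LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STALL = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')

# Hints are the editor's reading of each state (assumption), not pluto output.
HINTS = {
    "STATE_MAIN_I3": "sent MI3 (first encrypted message), no usable MR3: compare PSK and IDs on both peers",
    "STATE_MAIN_R2": "sent MR2, peer's MI3 never arrived",
}
NAT_HINT = "NAT detected: MI3/MR3 move to UDP 4500 (RFC 3947), confirm it is forwarded"

def find_stalls(log_text):
    """Return one dict per IKE negotiation that hit the retransmission limit."""
    natted, stalls = set(), []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # daemon-wide lines ("packet from ...") carry no SA number
        key = (m["conn"], int(m["sa"]))
        if "i am NATed" in m["msg"]:
            natted.add(key)  # remember NAT detection for this negotiation
        s = STALL.search(m["msg"])
        if s:
            state = s.group(1)
            hints = [HINTS.get(state, "no hint for this state")]
            if key in natted:
                hints.append(NAT_HINT)
            stalls.append({"conn": key[0], "sa": key[1], "state": state, "hints": hints})
    return stalls

if __name__ == "__main__":
    for stall in find_stalls(SAMPLE_LOG):
        print(stall)
```
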