[Openswan Users] cannot respond to IPsec SA request because no connection is known for 134.159.111.98
Sebastian McDonagh
openswan at agbnielsen.com.au
Mon Jan 28 19:08:12 EST 2008
Good morning all,
This is my first post to the list, and first openswan installation. I have
read copious amounts of documentation and have bought the book Building and
Integrating Virtual Private Networks with Openswan, which has been helpful
though at times confusing to date.
I apologise for the length of the email; I have tried to provide the necessary
details through the logs, as ipsec barf provides a little bit more information
about the corporate firewall than I am allowed to give.
I have followed Nate Carlson's openswan ipsec.conf setup and am trying to
connect two linux boxes (debian + ubuntu) using the netkey ipsec stack in a
roadwarrior config.
The vpn server is on a static ip, and the "roadwarrior" is behind a Billion
adsl router.
When I try to bring up the connection with ipsec auto --up roadwarrior,
I get the following:
tail -f /var/log/auth.log | grep pluto
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: packet from 124.178.229.192:500:
received Vendor ID payload [Openswan (this version) 2.4.6 X.509-1.5.4
LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: packet from 124.178.229.192:500:
received Vendor ID payload [Dead Peer Detection]
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: packet from 124.178.229.192:500:
received Vendor ID payload [RFC 3947] method set to=110
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: packet from 124.178.229.192:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 110
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: packet from 124.178.229.192:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 110
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: packet from 124.178.229.192:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 110
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: packet from 124.178.229.192:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
responding to Main Mode from unknown peer 124.178.229.192
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
NAT-Traversal: Result using 3: peer is NATed
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
STATE_MAIN_R2: sent MR2, expecting MI3
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
Main mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=NSW, O=AGB Nielsen Media
Research, CN=seb at agbnielsen.com.au'
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
I am sending my cert
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: | NAT-T: new mapping
124.178.229.192:500/4500)
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
cannot respond to IPsec SA request because no connection is known for
134.159.111.98[C=XX, ST=XXX, O=XXXXXX,
CN=aussvfw0106.agbnielsen.com.au]...124.178.229.192[C=AU, ST=XXX,
O=XXXXXXXXXXX, CN=XXXXXXXXXXXX]===10.45.0.2/32
Jan 29 10:50:01 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
sending encrypted notification INVALID_ID_INFORMATION to 124.178.229.192:4500
Jan 29 10:50:11 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0xe454cf8a (perhaps this is a duplicated packet)
Jan 29 10:50:11 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
sending encrypted notification INVALID_MESSAGE_ID to 124.178.229.192:4500
Jan 29 10:50:30 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0xe454cf8a (perhaps this is a duplicated packet)
Jan 29 10:50:30 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
sending encrypted notification INVALID_MESSAGE_ID to 124.178.229.192:4500
Jan 29 10:53:57 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192 #2:
received Delete SA payload: deleting ISAKMP State #2
Jan 29 10:53:57 AUSSVFW0106 pluto[14396]: "roadwarrior"[2] 124.178.229.192:
deleting connection "roadwarrior" instance with peer 124.178.229.192
{isakmp=#0/ipsec=#0}
Jan 29 10:53:57 AUSSVFW0106 pluto[14396]: packet from 124.178.229.192:4500:
received and ignored informational message
Jan 29 10:53:57 AUSSVFW0106 pluto[14396]: ERROR: asynchronous network error
report on eth5 (sport=4500) for message to 10.45.0.2 port 4500, complainant
124.178.229.192: Connection refused [errno 111, origin ICMP type 3 code 3
(not authenticated)]
On the roadwarrior side I get the following:
pluto[13312]: "roadwarrior" #1: initiating Main Mode
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: received Vendor ID
payload [Openswan (this version) 2.4.6 X.509-1.5.4 LDAP_V3
PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: received Vendor ID
payload [Dead Peer Detection]
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: received Vendor ID
payload [RFC 3947] method set to=110
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: enabling possible
NAT-traversal with method 3
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: STATE_MAIN_I2: sent
MI2, expecting MR2
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: NAT-Traversal: Result
using 3: i am NATed
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: I am sending my cert
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: I am sending a
certificate request
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=AU, ST=NSW, O=AGB Nielsen Media Research,
CN=aussvfw0106.agbnielsen.com.au'
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: STATE_MAIN_I4: ISAKMP
SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1536}
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #2: initiating Quick Mode
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: ignoring
informational payload, type INVALID_ID_INFORMATION
Jan 29 10:50:04 uberpoot pluto[13312]: "roadwarrior" #1: received and ignored
informational message
Jan 29 10:50:15 uberpoot pluto[13312]: "roadwarrior" #1: ignoring
informational payload, type INVALID_MESSAGE_ID
Jan 29 10:50:15 uberpoot pluto[13312]: "roadwarrior" #1: received and ignored
informational message
Jan 29 10:50:34 uberpoot pluto[13312]: "roadwarrior" #1: ignoring
informational payload, type INVALID_MESSAGE_ID
Jan 29 10:50:34 uberpoot pluto[13312]: "roadwarrior" #1: received and ignored
informational message
Jan 29 10:51:14 uberpoot pluto[13312]: "roadwarrior" #2: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our
first Quick Mode message: perhaps peer likes no proposal
My ipsec.conf on the VPN server is as below:
version 2
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,v4:!10.130.0.0/16
conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn roadwarrior-l2tp
    pfs=no
    leftprotoport=17/0
    rightprotoport=17/1701
    rightca=%same
    also=roadwarrior
conn roadwarrior-l2tp-updatedwin
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/1701
    rightca=%same
    also=roadwarrior
conn roadwarrior-net
    leftsubnet=10.130.5.0/24
    also=roadwarrior
conn xauth-roadwarrior
    leftxauthserver=yes
    left=134.159.111.98
    right=%any
    rightxauthclient=yes
    auto=add
    authby=secret
conn roadwarrior
    left=%defaultroute
    leftcert=aussvfw0106.agbnielsen.com.au.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    rightcert=seb at agbnielsen.com.au.pem
    auto=add
    pfs=yes
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
include /etc/ipsec.d/examples/no_oe.conf
--------
and the ipsec.conf on the client machine is as follows:
version 2
config setup
    interfaces=%defaultroute
    nat_traversal=yes
conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn roadwarrior-net
    leftsubnet=10.130.5.0/24
    also=roadwarrior
conn roadwarrior
    left=134.159.111.98
    leftsubnet=134.159.111.98/32
    leftcert=aussvfw0106.agbnielsen.com.au.pem
    right=%defaultroute
    rightnexthop=10.45.0.254
    rightcert=seb at agbnielsen.com.au.pem
    auto=add
    pfs=yes
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
include /etc/ipsec.d/examples/no_oe.conf
I am assuming I have made a configuration error in my setup; if anyone more
knowledgeable than myself on openswan is able to please assist, it would be
greatly appreciated.
Regards
--
Sebastian McDonagh
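As an added diagnostic aid that is not part of the original post: the script below parses the "no connection is known for" line pluto logs on the server (pluto prints the unmatched proposal as lip[id]...rip[id]===subnet) together with the conn sections of an ipsec.conf (expanding also= and %default), then lists, for each conn that would accept the peer, its configured left/right subnets next to the ones the peer proposed. The sample log line and config are constructed, shortened copies of the ones in the post; the regex and the subnet defaulting rules are this example's own assumptions about pluto's output, not Openswan code.

```python
import re
SAMPLE_LOG = (  # constructed: the server-side pluto line from this thread, DNs shortened
    'cannot respond to IPsec SA request because no connection is known for 134.159.111.98'
    '[C=XX, CN=aussvfw0106.agbnielsen.com.au]...124.178.229.192[C=AU, CN=XXXX]===10.45.0.2/32')
SAMPLE_CONF = """conn %default
    authby=rsasig
conn roadwarrior-net
    leftsubnet=10.130.5.0/24
    also=roadwarrior
conn roadwarrior
    right=%any
    rightsubnet=vhost:%no,%priv
"""  # constructed: a trimmed copy of the server's ipsec.conf conn sections
# pluto prints the unmatched proposal as  [lsub===]lip[lid]...rip[rid][===rsub]
PROPOSAL_RE = re.compile(
    r'no connection is known for (?:(?P<lsub>[\d./]+)===)?(?P<lip>[\d.]+)(?:\[[^\]]*\])?'
    r'\.\.\.(?P<rip>[\d.]+)(?:\[[^\]]*\])?(?:===(?P<rsub>[\d./]+))?')

def parse_proposal(line):  # endpoints and subnets pluto failed to match; no subnet = host /32
    m = PROPOSAL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['lsub'] = d['lsub'] or d['lip'] + '/32'
    d['rsub'] = d['rsub'] or d['rip'] + '/32'
    return d

def parse_conns(text):  # conn sections with also= chains and %default expanded (first setting wins)
    secs, cur = {}, {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('conn '):
            cur = secs.setdefault(line.split(None, 1)[1], {})
        elif '=' in line:
            k, v = line.split('=', 1)
            cur.setdefault(k.strip(), v.strip())
    def expand(name, seen=()):  # follow also= recursively; a cycle stops expanding
        sec = dict(secs.get(name, {})) if name not in seen else {}
        for k, v in expand(sec.pop('also'), seen + (name,)).items() if 'also' in sec else ():
            sec.setdefault(k, v)
        return sec
    return {n: {**expand('%default'), **expand(n)} for n in secs if not n.startswith('%')}

def candidates(conf_text, log_line):  # conns that accept this peer, their subnets vs. the proposal
    p, out = parse_proposal(log_line), []
    for name, c in parse_conns(conf_text).items():
        if c.get('right') in ('%any', p['rip']):  # a conn's left=%defaultroute is taken to be lip
            lsub, rsub = c.get('leftsubnet', p['lip'] + '/32'), c.get('rightsubnet', p['rip'] + '/32')
            out.append((name, lsub, rsub, lsub == p['lsub'] and rsub == p['rsub']))
    return out
```

Run `candidates(SAMPLE_CONF, SAMPLE_LOG)` (or pass your own /etc/ipsec.conf and the grep'd pluto line) and look for a row whose final flag is True; when none is, the proposed selector pair is what no conn covers.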