[Openswan Users] but no connection has been authorized ....any solution for this error

Dannysius Naim danny71395 at gmail.com
Wed Nov 5 04:54:45 EST 2008


Can anyone help me solve this problem? I already googled it, but I found no
solution.

My log at /var/log/auth.log looks like this:

Nov  5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov  5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Vendor ID payload [FRAGMENTATION]
Nov  5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Nov  5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Vendor ID payload [Vid-Initial-Contact]
Nov  5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
initial Main Mode message received on 219.93.36.214:500 but no connection
has been authorized
Nov  5 17:44:08 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov  5 17:44:08 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Vendor ID payload [FRAGMENTATION]
Nov  5 17:44:08 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Nov  5 17:44:08 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Vendor ID payload [Vid-Initial-Contact]
Nov  5 17:44:08 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
initial Main Mode message received on 219.93.36.214:500 but no connection
has been authorized
Nov  5 17:44:10 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov  5 17:44:10 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Vendor ID payload [FRAGMENTATION]
Nov  5 17:44:10 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Nov  5 17:44:10 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Vendor ID payload [Vid-Initial-Contact]
Nov  5 17:44:10 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
initial Main Mode message received on 219.93.36.214:500 but no connection
has been authorized
Nov  5 17:44:14 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov  5 17:44:14 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Vendor ID payload [FRAGMENTATION]
Nov  5 17:44:14 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Nov  5 17:44:14 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Vendor ID payload [Vid-Initial-Contact]
Nov  5 17:44:14 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
initial Main Mode message received on 219.93.36.214:500 but no connection
has been authorized
Nov  5 17:46:37 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
ignoring Delete SA payload: not encrypted
Nov  5 17:46:37 vpnserver pluto[23542]: packet from 219.93.36.194:31764:
received and ignored informational message

This is my ipsec.conf:
conn roadwarrior-net
   leftsubnet=0.0.0.0/0
   also=roadwarrior

conn roadwarrior-all
   leftsubnet=0.0.0.0/0
   also=roadwarrior

conn roadwarrior
   left=%defaultroute
   leftcert=host.example.com.pem
   right=60.51.211.53
  # rightsubnet=vhost:%no,%priv
   rightsubnet=0.0.0.0/0
   auto=add
   pfs=yes

conn roadwarrior-l2tp
   type=transport
   left=%defaultroute
   leftcert=host.example.com.pem
   leftprotoport=17/1701
   right=60.51.211.51
   rightprotoport=17/1701
   pfs=no
   auto=add
conn roadwarrior-l2tp
   type=transport
   left=%defaultroute
   leftcert=host.example.com.pem
   leftprotoport=17/1701
   right=60.51.211.51
   rightprotoport=17/1701
   pfs=no
   auto=add

conn roadwarrior-l2tp-oldwin
   left=%defaultroute
   leftcert=host.example.com.pem
   leftprotoport=17/0
   right=60.51.211.51
   rightprotoport=17/1701
  # rightsubnet=vhost:%no,%priv
   rightsubnet=0.0.0.0/0
   pfs=no
   auto=add

conn block
   auto=ignore

conn private
   auto=ignore

conn private-or-clear
   auto=ignore
conn clear-or-private
   auto=ignore

conn clear
   auto=ignore

conn packetdefault
   auto=ignore

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


This is my ipsec auto --status:
000 interface eth0/eth0 2001:328:2002:5ca2:21b:11ff:fe51:751f
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.148
000 interface eth0/eth0 192.168.1.148
000 interface eth1/eth1 219.93.36.214
000 interface eth1/eth1 219.93.36.214
000 interface tun0/tun0 1.1.1.1
000 interface tun0/tun0 1.1.1.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "roadwarrior": 219.93.36.214[C=MY, ST=Selangor, L=Kuala Lumpur, O=Scan
Berhad, OU=Isd, CN=vpnserver, E=danny at scan-associates.net]...60.51.
211.53===0.0.0.0/0; unrouted; eroute owner: #0
000 "roadwarrior":     srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "roadwarrior":   CAs: 'C=MY, ST=Selangor, O=Scan Berhad, OU=Isd,
CN=vpnserver, E=danny at scan-associates.net'...'%any'
000 "roadwarrior":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 5
000 "roadwarrior":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 32,0;
interface: eth1; encap: esp;
000 "roadwarrior":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-all": 0.0.0.0/0===219.93.36.214[C=MY, ST=Selangor, L=Kuala
Lumpur, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny at scan-associat
es.net]...60.51.211.53===0.0.0.0/0; unrouted; eroute owner: #0
000 "roadwarrior-all":     srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "roadwarrior-all":   CAs: 'C=MY, ST=Selangor, O=Scan Berhad, OU=Isd,
CN=vpnserver, E=danny at scan-associates.net'...'%any'
000 "roadwarrior-all":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 5
000 "roadwarrior-all":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio:
0,0; interface: eth1; encap: esp;
000 "roadwarrior-all":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-l2tp": 219.93.36.214[C=MY, ST=Selangor, L=Kuala Lumpur,
O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny at scan-associates.net]:17/
1701...60.51.211.51:17/1701; unrouted; eroute owner: #0
000 "roadwarrior-l2tp":     srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "roadwarrior-l2tp":   CAs: 'C=MY, ST=Selangor, O=Scan Berhad, OU=Isd,
CN=vpnserver, E=danny at scan-associates.net'...'%any'
000 "roadwarrior-l2tp":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 5
000 "roadwarrior-l2tp":   policy: RSASIG+ENCRYPT+COMPRESS; prio: 32,32;
interface: eth1; encap: esp;
000 "roadwarrior-l2tp":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-l2tp-oldwin": 219.93.36.214[C=MY, ST=Selangor, L=Kuala
Lumpur, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny at scan-associates.n
et]:17/0...60.51.211.51:17/1701===0.0.0.0/0; unrouted; eroute owner: #0
000 "roadwarrior-l2tp-oldwin":     srcip=unset; dstip=unset; srcup=ipsec
_updown; dstup=ipsec _updown;
000 "roadwarrior-l2tp-oldwin":   CAs: 'C=MY, ST=Selangor, O=Scan Berhad,
OU=Isd, CN=vpnserver, E=danny at scan-associates.net'...'%any'
000 "roadwarrior-l2tp-oldwin":   ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "roadwarrior-l2tp-oldwin":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL;
prio: 32,0; interface: eth1; encap: esp;
000 "roadwarrior-l2tp-oldwin":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-net": 0.0.0.0/0===219.93.36.214[C=MY, ST=Selangor, L=Kuala
Lumpur, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny at scan-associat
es.net]...60.51.211.53===0.0.0.0/0; unrouted; eroute owner: #0
000 "roadwarrior-net":     srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "roadwarrior-net":   CAs: 'C=MY, ST=Selangor, O=Scan Berhad, OU=Isd,
CN=vpnserver, E=danny at scan-associates.net'...'%any'
000 "roadwarrior-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 5
000 "roadwarrior-net":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio:
0,0; interface: eth1; encap: esp;
000 "roadwarrior-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000


This is my ipsec verify:
root@vpnserver:~# ipsec varify
/usr/sbin/ipsec: unknown IPsec command `varify' (`ipsec --help' for list)
root@vpnserver:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.24-16-server (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
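
Added example (not part of the original post and not Openswan code): pluto logs "no connection has been authorized" when no loaded conn matches the addresses of the incoming Main Mode packet, and in the post the packets arrive from 219.93.36.194 while the conns set right= to 60.51.211.53 and 60.51.211.51. The sketch below cross-checks rejected peers in a log against the right= values of the loaded conns. It assumes right= is the remote side, handles only %any and literal IPs, and expands one level of also=; the function names and sample strings are constructed for illustration.

```python
import re

# Constructed samples, shaped like the ipsec.conf and auth.log excerpts in the post.
SAMPLE_CONF = """\
conn roadwarrior-net
   leftsubnet=0.0.0.0/0
   also=roadwarrior

conn roadwarrior
   left=%defaultroute
   right=60.51.211.53
   auto=add
"""
SAMPLE_LOG = ("Nov  5 17:44:07 vpnserver pluto[23542]: packet from 219.93.36.194:31764: "
              "initial Main Mode message received on 219.93.36.214:500 "
              "but no connection has been authorized\n")
REJECT = re.compile(r"packet from ([0-9.]+):\d+: initial Main Mode message "
                    r"received on \S+ but no connection has been authorized")

def parse_conns(text):
    """Return {conn name: {key: value}}, expanding one level of also=."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # column-1 text starts a new section
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    for conn in conns.values():            # inherit keys the conn does not set itself
        for key, value in conns.get(conn.get("also"), {}).items():
            conn.setdefault(key, value)
    return conns

def right_accepts(right, peer):
    """True if a right= value admits this peer: %any or the exact address."""
    return right == "%any" or right == peer   # hostnames are not resolved here

def explain_rejections(conf_text, log_text):
    """Map each rejected peer IP to the loaded conns whose right= admits it."""
    loaded = {n: c for n, c in parse_conns(conf_text).items()
              if c.get("auto") in ("add", "route", "start") and "right" in c}
    return {peer: sorted(n for n, c in loaded.items() if right_accepts(c["right"], peer))
            for peer in REJECT.findall(log_text)}
```

An empty list for a peer means no loaded conn names that address, which is the condition the log message reports.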