[Openswan Users] "road" #3: ERROR: asynchronous network error report on eth1 (sport=500) for message to 60.51.211.53 port 500, complainant 60.51.211.53: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

danny dan danny71395 at gmail.com
Sun Sep 21 22:57:55 EDT 2008


This is my network structure:
roadwarrior========Nat firewall=====DMZ====(eth1)vpnserver=====
192.168.1.xxx office network
                                    ||
     ||(eth0)
                                    ||
     ||
                                    ||
     ||
                                 LAN=====================||


eth1=219.93.36.xxx  # connected to DMZ
eth0=192.168.1.xx    # connected to LAN


This is my /etc/ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces="ipsec1=eth1"
      #  interfaces=%defaultroute
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a
developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:219.93.36.0/24,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
        plutodebug=none
        plutostderrlog=/var/log/pluto.log
        #
        # enable this if you see "failed to find any available worker"
        # nhelpers=0
        # uniqueids=yes

# Add connections here

conn %default
      authby=rsasig
      keyingtries=1
      compress=yes
      disablearrivalcheck=no
      ikelifetime=1h

 leftrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol
      leftcert=/etc/ipsec.d/private/vpnserverKey.pem

 rightrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol
      auto=ignore


    #conn roadwarrior-all
    #     leftsubnet=0.0.0.0/0
    #     also=roadwarrior

conn road
     type=tunnel
    forceencaps=yes
     left=219.93.36.214  # this is my eth1 connected to DMZ
   # left=%defaultroute
    leftcert=vpnserverKey.pem
    leftid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=
danny at scan-associates.net"
   #  leftid=@vpnserver.scan-associates.net
   # leftnexthop=219.93.36.193
     right=60.54.220.178 # this is my public ip of the windows xp client
   # right=%any
   # rightsubnet=vhost:%no,%priv
     rightprotoport=17/1701
   # rightnexthop=%defaultroute
     leftprotoport=17/1701
     leftsubnet=192.168.1.0/24
     esp=aes128-sha1
     ike=aes128-sha
     rightid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=
danny at scan-associates.net"
     pfs=no
     dpddelay=40
     dpdtimeout=130
     dpdaction=clear
     leftupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh
     rightupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh
     auto=add

conn block
     auto=ignore

conn private
     auto=ignore

conn private-or-clear
     auto=ignore

conn clear-or-private
     auto=ignore

conn clear
     auto=ignore

conn packetdefault
     auto=ignore

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

This is the output of ipsec auto --status:
root at vpnserver:~# ipsec auto --status
000 interface eth0/eth0 2001:328:2002:5ca2:21b:11ff:fe51:751f
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.148
000 interface eth0/eth0 192.168.1.148
000 interface eth1/eth1 219.93.36.214
000 interface eth1/eth1 219.93.36.214
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36}
trans={0,4,480} attrs={0,4,320}
000
000 "road": 192.168.1.0/24===219.93.36.214[C=MY,
ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=
danny at scan-associates.net]:17/1701...60.54.220.178[C=MY, ST=Selangor, O=Scan
Berhad, OU=Isd, CN=vpnserver, E=danny at scan-associates.net]:17/1701;
unrouted; eroute owner: #0
000 "road":     srcip=unset; dstip=unset;
srcup=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh;
dstup=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh;
000 "road":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 1
000 "road":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP; prio: 24,32;
interface: eth1; encap: udp;
000 "road":   dpd: action:clear; delay:40; timeout:130;
000 "road":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "road":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1536(5),
AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=strict
000 "road":   IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1536(5),
AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "road":   ESP algorithms wanted: AES(12)_128-SHA1(2); flags=strict
000 "road":   ESP algorithms loaded: AES(12)_128-SHA1(2); flags=strict
000
000

This is the output of ipsec verify:
root at vpnserver:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.24-16-server (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

This is the error log when I try to bring up the connection:

"road" #3: initiating Main Mode
"road" #3: ERROR: asynchronous network error report on eth1 (sport=500) for
message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"road" #3: ERROR: asynchronous network error report on eth1 (sport=500) for
message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"road" #3: ERROR: asynchronous network error report on eth1 (sport=500) for
message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"road" #3: max number of retransmissions (2) reached STATE_MAIN_I1.  No
response (or no acceptable response) to our first IKE message