[Openswan Users] "road" #3: ERROR: asynchronous network error report on eth1 (sport=500) for message to 60.51.211.53 port 500, complainant 60.51.211.53: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

Paul Wouters paul at xelerance.com
Mon Sep 22 00:39:14 EDT 2008


On Mon, 22 Sep 2008, danny dan wrote:

> Subject: [Openswan Users] "road" #3: ERROR: asynchronous network error report
>     on eth1 (sport=500) for message to 60.51.211.53 port 500,
>     complainant 60.51.211.53: Connection refused [errno 111,
>     origin ICMP type 3 code 3 (not authenticated)]

That looks like the other end is not there. Probably related to units
behind NAT trying to respond due to a rekey? Or one end actually not
running.

> conn %default
>       authby=rsasig
>       keyingtries=1
>       compress=yes
>       disablearrivalcheck=no
>       ikelifetime=1h
>       leftrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol
>       leftcert=/etc/ipsec.d/private/vpnserverKey.pem

You are using both a raw RSA key and an X.509-encoded RSA key. I
have no idea what is going to happen. You should configure one of the two,
but not both. And it is strongly recommended not to put those entries in
the %default conn that gets included by all other conns.

> conn road
>      type=tunnel
>     forceencaps=yes
>      left=219.93.36.214  # this is my eth1 connected to DMZ
>    # left=%defaultroute
>     leftcert=vpnserverKey.pem
>     leftid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver,
> E=danny at scan-associates.net"
>    #  leftid=@vpnserver.scan-associates.net
>    # leftnexthop=219.93.36.193
>      right=60.54.220.178 # this is my public ip of the windows xp client
>    # right=%any
>    # rightsubnet=vhost:%no,%priv
>      rightprotoport=17/1701
>    # rightnexthop=%defaultroute
>      leftprotoport=17/1701

type=tunnel and port 1701? L2TP mode is normally in transport mode, not
tunnel mode.

>      leftsubnet=192.168.1.0/24
>      esp=aes128-sha1
>      ike=aes128-sha
>      rightid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver,
> E=danny at scan-associates.net"
>      pfs=no
>      dpddelay=40
>      dpdtimeout=130
>      dpdaction=clear
>      leftupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh
>      rightupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh
>      auto=add
> 
> conn block
>      auto=ignore
> 
> conn private
>      auto=ignore
> 
> conn private-or-clear
>      auto=ignore
> 
> conn clear-or-private
>      auto=ignore
> 
> conn clear
>      auto=ignore
> 
> conn packetdefault
>      auto=ignore
>     
> # sample VPN connections, see /etc/ipsec.d/examples/
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> this is my ipsec auto --status
> root at vpnserver:~# ipsec auto --status
> 000 interface eth0/eth0 2001:328:2002:5ca2:21b:11ff:fe51:751f
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 192.168.1.148
> 000 interface eth0/eth0 192.168.1.148
> 000 interface eth1/eth1 219.93.36.214
> 000 interface eth1/eth1 219.93.36.214
> 000 %myid = (none)
> 000 debug none
> 000  
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
> keysizemax=0
> 000  
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000  
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36}
> trans={0,4,480} attrs={0,4,320} 
> 000  
> 000 "road": 192.168.1.0/24===219.93.36.214[C=MY, ST=Selangor, O=Scan
> Berhad, OU=Isd, CN=vpnserver,
> E=danny at scan-associates.net]:17/1701...60.54.220.178[C=MY, ST=Selangor,
> O=Scan Berhad, OU=Isd, CN=vpnserver,
> E=danny at scan-associates.net]:17/1701; unrouted; eroute owner: #0
> 000 "road":     srcip=unset; dstip=unset;
> srcup=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh;
> dstup=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh;
> 000 "road":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 1
> 000 "road":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP; prio: 24,32;
> interface: eth1; encap: udp;
> 000 "road":   dpd: action:clear; delay:40; timeout:130; 
> 000 "road":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
> 000 "road":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1536(5),
> AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=strict
> 000 "road":   IKE algorithms found:
> AES_CBC(7)_128-SHA1(2)_160-MODP1536(5),
> AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
> 000 "road":   ESP algorithms wanted: AES(12)_128-SHA1(2); flags=strict
> 000 "road":   ESP algorithms loaded: AES(12)_128-SHA1(2); flags=strict
> 000  
> 000  
> 
> this is my ipsec verify
> root at vpnserver:~# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.9/K2.6.24-16-server (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing                                  [OK]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                             [DISABLED]
> 
> this is my error log when trying to up the connection..
> 
> "road" #3: initiating Main Mode
> "road" #3: ERROR: asynchronous network error report on eth1 (sport=500)
> for message to 60.54.220.178 port 500, complainant 60.54.220.178:
> Connection refused [errno 111, origin ICMP type 3 code 3 (not
> authenticated)]

Looks like a firewalling issue or no IPsec started on that host.

Paul
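As an added example (not code from the post or from the Openswan project), the two configuration checks made in the reply can be scripted: the linter below parses an ipsec.conf, applies %default inheritance the way pluto does, and flags a conn that ends up with both leftrsasigkey and leftcert, identity material placed in %default, and udp/1701 carried in tunnel mode; a second function parses pluto's "asynchronous network error report" line and explains the ICMP type/code it carries. The sample config and log line are constructed from the ones quoted above (the raw key is shortened); the function names and warning texts are this example's own, not Openswan's.

```python
# Added example, not code from the Openswan post or project: an ipsec.conf linter
# that applies %default inheritance as pluto does and flags the two problems raised
# in the reply, plus a parser for pluto's "asynchronous network error report" line.
import re

# Constructed sample: the posted ipsec.conf trimmed to the relevant keys
# (raw RSA key shortened; in the real file it is one long line).
SAMPLE_CONF = """\
conn %default
    authby=rsasig
    leftrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXT...
    leftcert=/etc/ipsec.d/private/vpnserverKey.pem

conn road
    type=tunnel
    left=219.93.36.214      # eth1, DMZ side
    leftcert=vpnserverKey.pem
    right=60.54.220.178
    leftprotoport=17/1701
    rightprotoport=17/1701
    auto=add
"""

# Constructed sample: the posted error line, re-joined onto one line.
SAMPLE_LOG = ('"road" #3: ERROR: asynchronous network error report on eth1 '
              '(sport=500) for message to 60.54.220.178 port 500, complainant '
              '60.54.220.178: Connection refused [errno 111, origin ICMP type 3 '
              'code 3 (not authenticated)]')


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}. Unindented lines start a section (conn,
    config setup, include); indented key=value lines belong to the current conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def effective_conn(conns, name):
    """%default keys apply to every conn unless the conn overrides them."""
    return {**conns.get("%default", {}), **conns[name]}


def lint_default(conns):
    """Per-connection identity material does not belong in %default."""
    keys = ("leftrsasigkey", "rightrsasigkey", "leftcert", "rightcert")
    return [f"%default: {k} is inherited by every conn; move it to the conn that needs it"
            for k in keys if k in conns.get("%default", {})]


def lint_conn(conns, name):
    """Flag mixed raw-RSA/X.509 identity and L2TP in tunnel mode, after inheritance."""
    eff, findings = effective_conn(conns, name), []
    for side in ("left", "right"):
        if f"{side}rsasigkey" in eff and f"{side}cert" in eff:
            findings.append(f"{name}: {side} has both a raw RSA key and an X.509 cert; configure one, not both")
    l2tp = any(eff.get(k, "").startswith("17/1701") for k in ("leftprotoport", "rightprotoport"))
    if l2tp and eff.get("type", "tunnel") == "tunnel":   # pluto's default type is tunnel
        findings.append(f"{name}: udp/1701 (L2TP) is normally carried in type=transport, not tunnel")
    return findings


ERROR_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: ERROR: asynchronous network error report on '
    r'\S+ \(sport=\d+\) for message to (?P<peer>\S+) port (?P<port>\d+), '
    r'complainant (?P<complainant>\S+): [^\[]*\[errno (?P<errno>\d+), '
    r'origin ICMP type (?P<type>\d+) code (?P<code>\d+)')


def diagnose_network_error(line):
    """Parse pluto's error line and say what the ICMP code means. The ICMP error is
    unauthenticated (pluto says so), so treat it as a hint and confirm on the peer."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    t, c = int(d["type"]), int(d["code"])
    if (t, c) == (3, 3):
        cause = (f"port unreachable: {d['complainant']} is up but nothing is bound to "
                 f"UDP {d['port']} there (IKE not running, or NAT/firewall forwarding "
                 "to the wrong host)")
    elif t == 3 and c in (9, 10, 13):
        cause = "administratively prohibited: a filter on the path rejected the packet"
    else:
        cause = f"ICMP type {t} code {c}"
    return {"conn": d["conn"], "peer": d["peer"], "port": int(d["port"]),
            "errno": int(d["errno"]), "icmp": (t, c),
            "complainant_is_peer": d["complainant"] == d["peer"], "cause": cause}


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    for finding in lint_default(conf) + lint_conn(conf, "road"):
        print("WARN", finding)
    print(diagnose_network_error(SAMPLE_LOG)["cause"])
```

Run directly, it prints the warnings for the posted config; with type=transport, a single identity source per side and %default reduced to authby, lint_conn returns nothing. ICMP type 3 code 3 is port unreachable: 60.54.220.178 answered, but had nothing listening on UDP 500, which matches the reply's "not running or firewalled" reading. Because the ICMP report is unauthenticated, anyone on the path can forge one, so confirm with a capture or on the peer before changing firewall rules on its account.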
