[Openswan Users] "road" #3: ERROR: asynchronous network error report on eth1 (sport=500) for message to 60.51.211.53 port 500, complainant 60.51.211.53: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

Peter McGill petermcgill at goco.net
Mon Sep 22 09:14:02 EDT 2008


Danny,

You're also using the same keys for both left and right; you need two 
certs, one for each end of the connection, when using certs.
	leftid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny at scan-associates.net"
	rightid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny at scan-associates.net"

Or two RSA keys when using RSA keys.
leftrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol
rightrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol

Using the same keys on both sides defeats the purpose of public key 
security; you may as well be using PSKs if you're going to do that.

If you use RSA keys, then follow the instructions in doc/install.html 
and doc/config.html of the openswan package for setting up RSA keys. To 
summarize:
Do this on each machine to create an RSA key pair.
ipsec newhostkey --output /etc/ipsec.secrets --hostname left.example.com
chmod 600 /etc/ipsec.secrets
Then open /etc/ipsec.secrets and find the line that looks like:
	#pubkey=0sAQOFppfeE3cC7wqJi...
Copy that line to leftrsasigkey or rightrsasigkey=0sAQOFppfeE3cC7wqJi... 
in both your ipsec.conf files, whichever matches the end of the connection.

Peter
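
As an added example (not from this thread and not Openswan's own code), a small Python lint that flags in an ipsec.conf the problems Peter and Paul point out: the same RSA key or ID on both ends, a raw RSA key and an X.509 cert configured together, key material placed in %default, and L2TP's port combined with type=tunnel. It assumes a minimal ipsec.conf dialect (conn headers, indented key=value lines, '#' comments, %default inherited by every conn); the sample config is constructed from the thread with the keys shortened.

```python
import re
# Constructed sample reproducing the thread's configuration (keys shortened).
SAMPLE = """conn %default
    leftrsasigkey=0sAQNVXmjfKU5X
    leftcert=/etc/ipsec.d/private/vpnserverKey.pem

conn road
    type=tunnel
    leftid="C=MY, O=Scan Berhad, CN=vpnserver"
    rightid="C=MY, O=Scan Berhad, CN=vpnserver"
    leftrsasigkey=0sAQNVXmjfKU5X
    rightrsasigkey=0sAQNVXmjfKU5X
    leftprotoport=17/1701
    rightprotoport=17/1701
"""

def parse_conns(text):
    # Returns ({conn: settings with %default merged in}, %default settings).
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing '#' comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip().strip('"')
    default = conns.get("%default", {})
    return {n: {**default, **c} for n, c in conns.items() if n != "%default"}, default

def lint(text):
    """Return (conn, problem) findings for the issues raised in the thread."""
    conns, default = parse_conns(text)
    findings = []
    for key in ("leftrsasigkey", "rightrsasigkey", "leftcert", "rightcert"):
        if key in default:   # Paul: keep key/cert settings out of %default
            findings.append(("%default", f"{key} set in %default"))
    for name, c in conns.items():
        if c.get("leftrsasigkey") and c["leftrsasigkey"] == c.get("rightrsasigkey"):
            findings.append((name, "identical RSA key on both ends"))   # Peter's point
        if c.get("leftid") and c["leftid"] == c.get("rightid"):
            findings.append((name, "identical ID on both ends"))
        for side in ("left", "right"):   # Paul: raw RSA key or X.509 cert, not both
            if c.get(f"{side}rsasigkey") and c.get(f"{side}cert"):
                findings.append((name, f"{side}: raw RSA key and X.509 cert both set"))
        if c.get("type", "tunnel") == "tunnel" and "1701" in c.get("leftprotoport", ""):
            findings.append((name, "L2TP port with type=tunnel (L2TP is normally transport)"))
    return findings
```

Running lint(SAMPLE) reports six findings: two for the key material in %default and four for conn road.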

Paul Wouters wrote:
> On Mon, 22 Sep 2008, danny dan wrote:
> 
>> Subject: [Openswan Users] "road" #3: ERROR: asynchronous network error report
>>     on eth1 (sport=500) for message to 60.51.211.53 port 500,
>>     complainant 60.51.211.53: Connection refused [errno 111,
>>     origin ICMP type 3 code 3 (not authenticated)]
> 
> That looks like the other end is not there. Probably related to units
> behind NAT trying to respond due to a rekey? or one end actually not
> running.
> 
>> conn %default
>>       authby=rsasig
>>       keyingtries=1
>>       compress=yes
>>       disablearrivalcheck=no
>>       ikelifetime=1h
>>      leftrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2q
>> EkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6buf
>> EnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sR
>> Q1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow
>> 6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol
>>       leftcert=/etc/ipsec.d/private/vpnserverKey.pem
> 
> You are using both a raw RSA key as well as an X.509 encoded RSA key. I
> have no idea what is going to happen. You should configure one of the two,
> but not both. And it is strongly recommended not to put those entries in
> the %default conn that gets included by all other conns.
> 
>> conn road
>>      type=tunnel
>>     forceencaps=yes
>>      left=219.93.36.214  # this is my eth1 connected to DMZ
>>    # left=%defaultroute
>>     leftcert=vpnserverKey.pem
>>     leftid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver,
>> E=danny at scan-associates.net"
>>    #  leftid=@vpnserver.scan-associates.net
>>    # leftnexthop=219.93.36.193
>>      right=60.54.220.178 # this is my public ip of the windows xp client
>>    # right=%any
>>    # rightsubnet=vhost:%no,%priv
>>      rightprotoport=17/1701
>>    # rightnexthop=%defaultroute
>>      leftprotoport=17/1701
> 
> type=tunnel and port 1701? L2TP mode is normally in transport mode, not
> tunnel mode.
> 
>>      leftsubnet=192.168.1.0/24
>>      esp=aes128-sha1
>>      ike=aes128-sha
>>      rightid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver,
>> E=danny at scan-associates.net"
>>      pfs=no
>>      dpddelay=40
>>      dpdtimeout=130
>>      dpdaction=clear
>>      leftupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh
>>      rightupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh
>>      auto=add
>>
>> conn block
>>      auto=ignore
>>
>> conn private
>>      auto=ignore
>>
>> conn private-or-clear
>>      auto=ignore
>>
>> conn clear-or-private
>>      auto=ignore
>>
>> conn clear
>>      auto=ignore
>>
>> conn packetdefault
>>      auto=ignore
>>     
>> # sample VPN connections, see /etc/ipsec.d/examples/
>>
>> #Disable Opportunistic Encryption
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>> this is my ipsec auto --status
>> root at vpnserver:~# ipsec auto --status
>> 000 interface eth0/eth0 2001:328:2002:5ca2:21b:11ff:fe51:751f
>> 000 interface lo/lo ::1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface eth0/eth0 192.168.1.148
>> 000 interface eth0/eth0 192.168.1.148
>> 000 interface eth1/eth1 219.93.36.214
>> 000 interface eth1/eth1 219.93.36.214
>> 000 %myid = (none)
>> 000 debug none
>> 000  
>> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
>> keysizemax=64
>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
>> keysizemax=192
>> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
>> keysizemin=40, keysizemax=448
>> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
>> keysizemax=0
>> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
>> keysizemax=256
>> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128,
>> keysizemax=256
>> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
>> keysizemin=128, keysizemax=128
>> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
>> keysizemin=160, keysizemax=160
>> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
>> keysizemin=256, keysizemax=256
>> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
>> keysizemin=128, keysizemax=128
>> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
>> keysizemax=0
>> 000  
>> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
>> keydeflen=192
>> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
>> keydeflen=128
>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>> 000  
>> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36}
>> trans={0,4,480} attrs={0,4,320} 
>> 000  
>> 000 "road": 192.168.1.0/24===219.93.36.214[C=MY, ST=Selangor, O=Scan
>> Berhad, OU=Isd, CN=vpnserver,
>> E=danny at scan-associates.net]:17/1701...60.54.220.178[C=MY, ST=Selangor,
>> O=Scan Berhad, OU=Isd, CN=vpnserver,
>> E=danny at scan-associates.net]:17/1701; unrouted; eroute owner: #0
>> 000 "road":     srcip=unset; dstip=unset;
>> srcup=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh;
>> dstup=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh;
>> 000 "road":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
>> rekey_fuzz: 100%; keyingtries: 1
>> 000 "road":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP; prio: 24,32;
>> interface: eth1; encap: udp;
>> 000 "road":   dpd: action:clear; delay:40; timeout:130; 
>> 000 "road":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
>> 000 "road":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1536(5),
>> AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=strict
>> 000 "road":   IKE algorithms found:
>> AES_CBC(7)_128-SHA1(2)_160-MODP1536(5),
>> AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
>> 000 "road":   ESP algorithms wanted: AES(12)_128-SHA1(2); flags=strict
>> 000 "road":   ESP algorithms loaded: AES(12)_128-SHA1(2); flags=strict
>> 000  
>> 000  
>>
>> this is my ipsec verify
>> root at vpnserver:~# ipsec verify
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path                                 [OK]
>> Linux Openswan U2.4.9/K2.6.24-16-server (netkey)
>> Checking for IPsec support in kernel                            [OK]
>> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
>> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
>> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
>> Checking that pluto is running                                  [OK]
>> Two or more interfaces found, checking IP forwarding            [OK]
>> Checking NAT and MASQUERADEing                                  [OK]
>> Checking for 'ip' command                                       [OK]
>> Checking for 'iptables' command                                 [OK]
>> Opportunistic Encryption Support                                [DISABLED]
>>
>> this is my error log when trying to up the connection..
>>
>> "road" #3: initiating Main Mode
>> "road" #3: ERROR: asynchronous network error report on eth1 (sport=500)
>> for message to 60.54.220.178 port 500, complainant 60.54.220.178:
>> Connection refused [errno 111, origin ICMP type 3 code 3 (not
>> authenticated)]
> 
> Looks like a firewalling issue or no IPsec started on that host.
> 
> Paul
> 
