[Openswan Users] when protostack=mast ==> no connection has been authorized with policy=PSK!!!

Majid Khonji majid at khonji.org
Sun Jun 27 04:06:30 EDT 2010


Using protostack=klips, when I try to connect from another client behind a
NAT, I get the following log info on the server side:


Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5:
STATE_MAIN_R1: sent MR1, expecting MI2
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5:
STATE_MAIN_R2: sent MR2, expecting MI3
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: Main
mode peer ID is ID_IPV4_ADDR: '192.168.0.198'
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: new
NAT mapping for #5, was xxx.yyy.zzz.aaa:879, now xxx.yyy.zzz.aaa:50320
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: the
peer proposed: 10.0.0.0/24:0/0 -> 192.168.0.0/24:0/0
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5:
NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6:
responding to Quick Mode proposal {msgid:391d4cf3}
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6:
us: 10.0.0.105<10.0.0.105>[94.202.86.118,+S=C]---10.0.0.1
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6:
them: 10.0.0.1---xxx.yyy.zzz.aaa[192.168.0.198,+S=C]===192.168.0.0/24
Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6:
cannot install eroute -- it is in use for "road"[2] xxx.yyy.zzz.aaa #2
Jun 27 12:00:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6:
discarding duplicate packet; already STATE_QUICK_R0
Jun 27 12:00:49 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6:
discarding duplicate packet; already STATE_QUICK_R0
Jun 27 12:01:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: the
peer proposed: 10.0.0.0/24:0/0 -> 192.168.0.0/24:0/0
Jun 27 12:01:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5:
NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 27 12:01:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #7:
responding to Quick Mode proposal {msgid:bf6863d2}
Jun 27 12:01:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #7:
us: 10.0.0.105<10.0.0.105>[94.202.86.118,+S=C]---10.0.0.1
Jun 27 12:01:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #7:
them: 10.0.0.1---xxx.yyy.zzz.aaa[192.168.0.198,+S=C]===192.168.0.0/24
Jun 27 12:01:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #7:
cannot install eroute -- it is in use for "road"[2] xxx.yyy.zzz.aaa #2




On Sun, Jun 27, 2010 at 11:37 AM, Majid Khonji <majid at khonji.org> wrote:

> Yes I have mast0 interface with the same IP of eth0 (not exactly the
> external since I have a nat router at my home GW)
> I actually want to narrow down the problem to ipsec only. I want
> to establish a secure SA using mast (multiple clients behind a nat), after
> that I will solve the other issues. (I actually succeeded with netkey and
> xl2tp on a linux client and an android phone)
>
>
>
> On Sun, Jun 27, 2010 at 3:56 AM, Paul Wouters <paul at xelerance.com> wrote:
>
>> On Sun, 27 Jun 2010, Majid Khonji wrote:
>>
>>> When I use protostack=mast
>>> I get the following error (when I connect a client)
>>> packet from 10.0.0.1:500: initial Main Mode message received on
>>> 10.0.0.105:500 but no connection has been authorized with
>>> policy=PSK
>>>
>>
>>
>> Do you have a mast0 interface? Does it have the same ip as your external
>> ip?
>>
>>
>>> mast0     Link encap:UNSPEC  HWaddr
>>> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>>>           inet addr:10.0.0.105  Mask:255.255.255.255
>>>
>>
>>> conn road
>>>
>>
>>> left=10.0.0.105
>>> leftsubnet=10.0.0.0/24
>>>
>>
>>> conn road-l2tp
>>> also=road
>>>
>>
>> That is not going to work because l2tp does not use a subnet= on the
>> server side. Please see examples in /etc/ipsec.d/examples/l2tp*
>>
>>
>>> #because Mac clients don't like 1701
>>> rightprotoport=17/1701
>>>
>>
>> That should be 17/%any
>>
>>> conn road-l2tp-mac
>>>
>>
>> A separate conn should not be needed.
>>
>> Paul
>>
>
>
>
> --
> Regards,
>
> Majid Khonji
>
>


-- 
Regards,

Majid Khonji
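Editor's note: the following ipsec.conf fragment is a constructed illustration of the three corrections Paul gives in the quoted reply (no leftsubnet= on the server side of an L2TP conn, rightprotoport=17/%any instead of 17/1701, and a single conn instead of a separate Mac conn); it is not the poster's actual configuration. The conn name "road" and the address 10.0.0.105 are taken from the thread; the remaining parameters follow the layout of the shipped /etc/ipsec.d/examples/l2tp-psk.conf that Paul points to, and the virtual_private value is an assumed placeholder.

```ini
# Constructed example, not the configuration from this thread.
config setup
    # mast needs a mast0 interface carrying the same address as eth0
    protostack=mast
    nat_traversal=yes
    # assumed placeholder: the private ranges NATed clients may use
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# As quoted in the thread: a tunnel-style conn reused for L2TP.
# leftsubnet= turns it into a subnet conn, which L2TP on the
# server side does not use, and 17/1701 only matches clients
# whose UDP source port is 1701 (Mac clients pick another port).
#conn road
#    left=10.0.0.105
#    leftsubnet=10.0.0.0/24
#    right=%any
#    authby=secret
#conn road-l2tp
#    also=road
#    rightprotoport=17/1701

# Corrected: one transport-mode conn for Linux, Android and Mac clients.
conn road-l2tp
    # L2TP/IPsec is transport mode, so there is no leftsubnet=
    type=transport
    authby=secret
    # address on mast0/eth0 (internal, behind the home NAT router)
    left=10.0.0.105
    leftprotoport=17/1701
    right=%any
    # clients behind NAT present a private address as their identity
    rightsubnet=vhost:%priv
    # "%any" here means any one single port, which covers Mac clients
    rightprotoport=17/%any
    pfs=no
    # the server cannot rekey towards %any; let the client rekey
    rekey=no
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    # clear vanished clients (some do not send a delete notify)
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    auto=add
```

The corresponding PSK line in /etc/ipsec.secrets would be of the form `10.0.0.105 %any: PSK "<secret>"`.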