[Openswan Users] but no connection has been authorized with policy=PSK

Thomas Schweikle tps at vr-web.de
Mon Apr 11 15:50:15 EDT 2011


On 11.04.2011 21:35, Paul Wouters wrote:
> On Mon, 11 Apr 2011, Thomas Schweikle wrote:
> 
>>> ipsec auto --status ?
>> 000 using kernel interface: netkey
>> 000 interface lo/lo ::1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface eth0/eth0 222.66.77.27
>> 000 interface eth0/eth0 222.66.77.27
>> 000 interface eth1/eth1 192.168.180.27
>> 000 interface eth1/eth1 192.168.180.27
>> 000 interface eth2/eth2 172.19.0.27
>> 000 interface eth2/eth2 172.19.0.27
>> 000 interface tap0/tap0 10.8.0.1
>> 000 interface tap0/tap0 10.8.0.1
>> 000 %myid = (none)
>> 000 debug none
> 
>> I have in ipsec.conf:
>> config setup
>>        plutostderrlog=  "/var/log/pluto.err"
>>        plutodebug=      "none"
>>        nat_traversal=   yes
>>        virtual_private= %v4:10.0.0.0/8,\
>>                         %v4:192.168.0.0/16,\
>>                         %v4:172.16.0.0/12,%v4
>>        oe=              off
>>        protostack=      netkey
>>        interfaces=      %none
> 
> Remove the interfaces=      %none
I've removed the entire line.

>> I am not aware of a way to exclude my used private address-space
>> from virtual_private!
> 
> Add: %v4:!192.168.180.0/24,%v4:!10.8.0.0/16 to virtual_private
Did that too.
Log says:
Plutorun started on Mon Apr 11 21:41:23 CEST 2011
adjusting ipsec.d to /etc/ipsec.d
Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ)
pid:2818
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
Setting NAT-Traversal port-4500 floating to on
   port floating activation criteria nat_t=1/port_float=1
   NAT-Traversal support  [enabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=2820 (fd:4)
Using Linux 2.6 IPsec interface code on 2.6.38-8-virtual
(experimental code)
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Changed path to directory '/etc/ipsec.d/cacerts'
Changed path to directory '/etc/ipsec.d/aacerts'
Changed path to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
  Warning: empty directory
added connection description "noris-openswan"
listening for IKE messages
NAT-Traversal: Trying new style NAT-T
NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family
IPv4 (errno=19)
NAT-Traversal: Trying old style NAT-T
adding interface tap0/tap0 10.8.0.1:500
adding interface tap0/tap0 10.8.0.1:4500
adding interface eth2/eth2 172.19.0.27:500
adding interface eth2/eth2 172.19.0.27:4500
adding interface eth1/eth1 192.168.180.27:500
adding interface eth1/eth1 192.168.180.27:4500
adding interface eth0/eth0 222.66.77.27:500
adding interface eth0/eth0 222.66.77.27:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
packet from 79.229.106.193:61986:\
  ignoring unknown Vendor ID payload [4f45504b7e7a764d4e645f57]
packet from 79.229.106.193:61986:\
  received Vendor ID payload [Dead Peer Detection]
packet from 79.229.106.193:61986:\
  received Vendor ID payload [RFC 3947] method set to=109
packet from 79.229.106.193:61986:\
  received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]\
  meth=108, but already using method 109
packet from 79.229.106.193:61986:\
  received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]\
  meth=106, but already using method 109
packet from 79.229.106.193:61986:\
  received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]\
  meth=107, but already using method 109
packet from 79.229.106.193:61986:\
  received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]\
packet from ww.xx.yy.zz:61986: initial\
  Main Mode message received on 222.66.77.27:500 but no connection
has been authorized with policy=PSK


-- 
Thomas
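A small configuration check, added here and not part of the thread or of Openswan, that applies Paul's advice mechanically: it parses the `virtual_private=` line (joining the backslash continuations) and reports which of the host's own subnets still fall inside an allowed `%v4:` range without a matching `%v4:!` exclusion. The prefix lengths of the local interfaces are assumed, since `ipsec auto --status` prints addresses only.

```python
import ipaddress
import re

# Constructed sample: the "config setup" block from the thread with the
# suggested fix applied (interfaces= dropped, two %v4:! exclusions added).
IPSEC_CONF = """\
config setup
       nat_traversal=   yes
       virtual_private= %v4:10.0.0.0/8,\\
                        %v4:192.168.0.0/16,\\
                        %v4:172.16.0.0/12,\\
                        %v4:!192.168.180.0/24,%v4:!10.8.0.0/16
       oe=              off
       protostack=      netkey
"""

# Constructed assumption: "ipsec auto --status" prints addresses only, so the
# prefix lengths are taken from Paul's exclusions; 172.19.0.0/24 is a guess.
LOCAL_SUBNETS = ["192.168.180.0/24", "10.8.0.0/16", "172.19.0.0/24"]

def parse_virtual_private(conf_text):
    """Return (allowed, excluded) IPv4 networks listed in virtual_private=."""
    joined = re.sub(r"\\\n\s*", "", conf_text)  # join backslash continuations
    m = re.search(r"^\s*virtual_private=\s*(.+)$", joined, re.M)
    allowed, excluded = [], []
    for tok in (m.group(1).split(",") if m else []):
        tok = tok.strip()
        if not tok.startswith("%v4:"):   # %v6: and anything else: skip
            continue
        body = tok[len("%v4:"):]
        if body.startswith("!"):
            excluded.append(ipaddress.ip_network(body[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(body, strict=False))
    return allowed, excluded

def unexcluded_local_subnets(conf_text, local_subnets):
    """Local subnets a roadwarrior could still claim as its virtual IP range:
    inside an allowed %v4: block and not covered by any %v4:! exclusion."""
    allowed, excluded = parse_virtual_private(conf_text)
    out = []
    for s in local_subnets:
        net = ipaddress.ip_network(s, strict=False)
        inside = any(net.subnet_of(a) for a in allowed)
        covered = any(net.subnet_of(x) for x in excluded)
        if inside and not covered:
            out.append(str(net))
    return out
```

With the sample above the check reports only the eth2 subnet, because 172.19.0.27 sits inside `%v4:172.16.0.0/12` and the two exclusions Paul named do not cover it.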