[Openswan Users] but no connection has been authorized with policy=PSK
Thomas Schweikle
tps at vr-web.de
Tue Apr 12 06:46:03 EDT 2011
Am 12.04.2011 01:52, schrieb Willie Gillespie:
> On 4/11/2011 2:56 PM, Thomas Schweikle wrote:
>> Am 11.04.2011 22:43, schrieb Paul Wouters:
>>> On Mon, 11 Apr 2011, Thomas Schweikle wrote:
>>>
>>>> packet from ww.xx.yy.zz:61986: initial\
>>>> Main Mode message received on 222.66.77.27:500 but no connection
>>>> has been authorized with policy=PSK
>>>
>>> You wrote before:
>>>
>>> # LOCAL
>>> leftid= @rz
>>> left= 222.66.77.27
>>> leftnexthop= 222.66.77.1
>>> leftsubnet= 192.168.180.0/23
>>> #
>>> # REMOTE
>>> rightid= @openswan
>>> right= 192.168.1.4
>>> rightnexthop= 192.168.1.1
>>> rightsubnet= 192.168.1.0/24
>>>
>>>
>>> Clearly ww.xx.yy.zz is not matching 192.168.1.4, or it is not using "openswan" as its id.
>>
>> Hmmm. My setup is as:
>>
>> openswan (192.168.1.4) --> router/nat (with unknown IP, since it
>> changes every day once --- this is ww.xx.yy.zz) --> RZ
>> (222.66.77.27) --> Inside (192.168.180.27)
>>
>> on the server side:
>> leftid= @rz
>> left= 222.66.77.27
>> leftnexthop= 222.66.77.1
>> leftsubnet= 192.168.180.0/23
>> #
>> # REMOTE
>> rightid= @openswan
>> right= 192.168.1.4
>> rightnexthop= 192.168.1.1
>> rightsubnet= 192.168.1.0/24
>>
>>
>> on the client side:
>> leftid= @openswan
>> left= 192.168.1.4
>> leftnexthop= 192.168.1.1
>> leftsubnet= 192.168.1.0/24
>> #
>> # REMOTE
>> rightid= @rz
>> right= 222.66.77.27
>> rightnexthop= 222.66.77.1
>> rightsubnet= 192.168.180.0/23
>>
>> I had to switch left and right for the client, because if I left it
>> as it was (two identical config-files), I did not even see
>> connection attempts.
>
> Okay, jumping in here.
>
> The client side (@openswan side) looks okay. The left needs to be an
> address on that machine. It is: 192.168.1.4, so that's good.
>
> However, on the server side (@rz side), it sees the packets coming from
> ww.xx.yy.zz, so that's what it needs defined in the connection. Not
> 192.168.1.4. Unfortunately for you, it changes every day, so you are in
> the same situation as a road-warrior configuration, where you may have
> to use %any for right= on the @rz side of things.
I Had this setup, but searching for an other problem I have kicked
it out, producing other errors... -.-
OK. This error is gone now. The tunnel seems to be established after
restarting daemons on both machines. But:
on the client:
# ping 192.168.180.27
PING 192.168.180.27 (192.168.180.27) 56(84) bytes of data.
64 bytes from 192.168.180.27: icmp_req=1 ttl=64 time=29.6 ms
64 bytes from 192.168.180.27: icmp_req=2 ttl=64 time=27.9 ms
^C
--- 192.168.180.27 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 27.991/28.820/29.650/0.846 ms
on the server:
$ ping 192.168.1.4
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
^C
--- 192.168.1.4 ping statistics ---
67 packets transmitted, 0 received, 100% packet loss, time 66007ms
Packets from client to server are OK, but not the other way round :-(
But even if only the client can start a connection, I need a
transparent tunnel between both! On any system within both subnets
I'd like to just ping any host. It shouldn't mater where they are
located.
I am testing with subnets:
192.168.180.0/23
192.168.1.0/24
--
Thomas
More information about the Users
mailing list