[Openswan Users] pure ipsec tunnel iphone| XAUTH & certificates | error no suitable connection for peer

Richard Pagotto richard at vspec.net
Thu May 26 07:42:28 EDT 2011


Hello again,

I've totally redone my certificates and further cleaned up my config, but I can't get past these messages:

pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'

Config and full logs are below.

thanks,
Rich

ipsec.conf

config setup
        plutoopts="--perpeerlog"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25/8
        oe=off
        protostack=netkey


conn iphone
        auto=add
        dpdaction=clear
        dpdtimeout=15
        dpddelay=10
        pfs=no
        leftcert=/etc/ipsec.d/certs/OpenswanCert.pem
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftxauthserver=yes
        leftmodecfgserver=yes
        leftrsasigkey=%cert
        right=%any
        rightid='@#0x70736b'
        rightmodecfgclient=yes
        rightsubnet=vhost:%priv,%no
        modecfgpull=yes



/var/log/secure output

May 26 20:14:33 linuxserver pluto[16726]: Starting Pluto (Openswan Version 2.6.33; Vendor ID OEghI_w\134ALFy) pid:16726
May 26 20:14:33 linuxserver pluto[16726]: LEAK_DETECTIVE support [disabled]
May 26 20:14:33 linuxserver pluto[16726]: OCF support for IKE [disabled]
May 26 20:14:33 linuxserver pluto[16726]: SAref support [disabled]: Protocol not available
May 26 20:14:33 linuxserver pluto[16726]: SAbind support [disabled]: Protocol not available
May 26 20:14:33 linuxserver pluto[16726]: NSS support [disabled]
May 26 20:14:33 linuxserver pluto[16726]: HAVE_STATSD notification support not compiled in
May 26 20:14:33 linuxserver pluto[16726]: Setting NAT-Traversal port-4500 floating to on
May 26 20:14:33 linuxserver pluto[16726]:    port floating activation criteria nat_t=1/port_float=1
May 26 20:14:33 linuxserver pluto[16726]:    NAT-Traversal support  [enabled]
May 26 20:14:33 linuxserver pluto[16726]: using /dev/urandom as source of random entropy
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
May 26 20:14:33 linuxserver pluto[16726]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
May 26 20:14:33 linuxserver pluto[16726]: starting up 1 cryptographic helpers
May 26 20:14:33 linuxserver pluto[16731]: using /dev/urandom as source of random entropy
May 26 20:14:33 linuxserver pluto[16726]: started helper pid=16731 (fd:7)
May 26 20:14:33 linuxserver pluto[16726]: Using Linux 2.6 IPsec interface code on 2.6.21.5-smp (experimental code)
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_add(): ERROR: Algorithm already exists
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_add(): ERROR: Algorithm already exists
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_add(): ERROR: Algorithm already exists
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_add(): ERROR: Algorithm already exists
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_add(): ERROR: Algorithm already exists
May 26 20:14:35 linuxserver pluto[16726]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
May 26 20:14:35 linuxserver pluto[16726]: Changed path to directory '/etc/ipsec.d/cacerts'
May 26 20:14:35 linuxserver pluto[16726]:   loaded CA cert file 'OpenswanCert.pem' (1330 bytes)
May 26 20:14:35 linuxserver pluto[16726]: Changed path to directory '/etc/ipsec.d/aacerts'
May 26 20:14:35 linuxserver pluto[16726]: Changed path to directory '/etc/ipsec.d/ocspcerts'
May 26 20:14:35 linuxserver pluto[16726]: Changing to directory '/etc/ipsec.d/crls'
May 26 20:14:35 linuxserver pluto[16726]:   loaded crl file 'crl3.pem' (609 bytes)
May 26 20:14:35 linuxserver pluto[16726]:   loaded crl file 'crl2.pem' (609 bytes)
May 26 20:14:35 linuxserver pluto[16726]:   loaded crl file 'crl.pem' (609 bytes)
May 26 20:14:35 linuxserver pluto[16726]: loading certificate from /etc/ipsec.d/certs/OpenswanCert.pem
May 26 20:14:35 linuxserver pluto[16726]:   loaded host cert file '/etc/ipsec.d/certs/OpenswanCert.pem' (1330 bytes)
May 26 20:14:35 linuxserver pluto[16726]: added connection description "iphone"
May 26 20:14:36 linuxserver pluto[16726]: listening for IKE messages
May 26 20:14:36 linuxserver pluto[16726]: adding interface eth0/eth0 192.168.0.2:500
May 26 20:14:36 linuxserver pluto[16726]: adding interface eth0/eth0 192.168.0.2:4500
May 26 20:14:36 linuxserver pluto[16726]: adding interface lo/lo 127.0.0.1:500
May 26 20:14:36 linuxserver pluto[16726]: adding interface lo/lo 127.0.0.1:4500
May 26 20:14:36 linuxserver pluto[16726]: adding interface lo/lo ::1:500
May 26 20:14:36 linuxserver pluto[16726]: loading secrets from "/etc/ipsec.secrets"
May 26 20:14:36 linuxserver pluto[16726]:   loaded private key file '/etc/ipsec.d/private/hostKey.pem' (1743 bytes)
May 26 20:14:36 linuxserver pluto[16726]: loaded private key for keyid: PPK_RSA:AwEAAb3qE
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [RFC 3947] method set to=109
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [XAUTH]
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [Cisco-Unity]
May 26 20:16:13 linuxserver pluto[16726]: packet from 203.20.35.28:29561: received Vendor ID payload [Dead Peer Detection]
May 26 20:16:13 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: responding to Main Mode from unknown peer 203.20.35.28
May 26 20:16:13 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 26 20:16:13 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 26 20:16:14 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
May 26 20:16:14 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 26 20:16:14 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: STATE_MAIN_R2: sent MR2, expecting MI3
May 26 20:16:16 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 26 20:16:16 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 20:16:16 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 20:16:16 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561
May 26 20:16:20 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 26 20:16:20 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 20:16:20 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 20:16:20 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561
May 26 20:16:22 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 26 20:16:22 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 20:16:22 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 20:16:22 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561
May 26 20:16:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 26 20:16:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 20:16:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 20:16:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561
May 26 20:16:25 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 26 20:16:25 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 20:16:25 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 20:16:25 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561
May 26 20:16:38 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 26 20:16:38 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 20:16:38 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 20:16:38 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561
May 26 20:16:45 linuxserver pluto[16726]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 203.20.35.28 port 29561, complainant 203.20.35.28: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
May 26 20:17:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: max number of retransmissions (2) reached STATE_MAIN_R2
May 26 20:17:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28: deleting connection "iphone" instance with peer 203.20.35.28 {isakmp=#0/ipsec=#0
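The log above shows Main Mode getting through MR2 (so the Phase 1 proposal was accepted) and then stalling at the ID step, where pluto prints the peer's ID as a hex KEY_ID and answers INVALID_ID_INFORMATION. The script below is an added example, not code from the original post or from Openswan: it decodes the '@#0x...' KEY_ID into text (0x70736b is ASCII "psk", which is exactly the rightid= already in the config, so the rejection is not a typo in that value), derives the rightid= form for a given text ID, and summarises per peer how far the exchange got and how many times the ID was rejected. It assumes the pluto line shape shown in the post and runs on constructed sample lines excerpted from it; the thread does not record how the problem was resolved, and the script does not guess at a fix.

```python
"""Triage helper for Openswan pluto logs: decode IKE peer IDs and summarise a
stuck Main Mode exchange.  Added example; not part of the original post."""
import re
from collections import defaultdict

# Constructed sample: pluto lines in the shape of the post's /var/log/secure
# output (same peer and ID as the post), trimmed to what the parser needs.
SAMPLE_LOG = """\
May 26 20:16:13 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: responding to Main Mode from unknown peer 203.20.35.28
May 26 20:16:13 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 26 20:16:14 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 26 20:16:16 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 20:16:16 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 20:16:16 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561
May 26 20:16:20 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 20:16:20 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 20:16:20 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:29561
May 26 20:17:24 linuxserver pluto[16726]: "iphone"[1] 203.20.35.28 #1: max number of retransmissions (2) reached STATE_MAIN_R2
"""

# "conn"[instance] peer #sa: message   (pluto's per-instance prefix)
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[0-9.]+) #(?P<sa>\d+): (?P<msg>.*)$'
)
KEY_ID_RE = re.compile(r"ID_KEY_ID: '@#0x(?P<hex>[0-9a-fA-F]+)'")
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
RETRANS_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (\S+)")


def decode_key_id(hex_digits: str) -> str:
    """Turn the hex body of an Openswan '@#0x...' KEY_ID into text.
    IDs that are not printable ASCII (binary vendor blobs) come back as a
    '\\x' + hex string instead of raising."""
    raw = bytes.fromhex(hex_digits)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "\\x" + raw.hex()
    return text if text.isprintable() else "\\x" + raw.hex()


def key_id_to_rightid(text: str) -> str:
    """Inverse: the rightid= value for an ASCII KEY_ID, i.e. '@#' followed by
    the hex encoding, which is the ipsec.conf form seen in the post."""
    return "@#0x" + text.encode("ascii").hex()


def triage(log_text: str) -> dict:
    """Per-peer summary: decoded ID, last Main Mode state reached, and how
    often pluto rejected the ID.  A peer that reached MR2 and then repeatedly
    gets 'no suitable connection' had its proposal accepted; the failure is in
    matching the ID to a connection, not in cipher negotiation."""
    peers = defaultdict(lambda: {
        "conn": None, "peer_id": None, "last_state": None,
        "no_suitable_connection": 0, "invalid_id_sent": 0, "gave_up": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # startup / algorithm lines carry no per-peer prefix
        p = peers[m["peer"]]
        p["conn"] = m["conn"]
        msg = m["msg"]
        if (k := KEY_ID_RE.search(msg)):
            p["peer_id"] = decode_key_id(k["hex"])
        elif (t := TRANSITION_RE.search(msg)):
            p["last_state"] = t.group(2)
        elif msg.startswith("no suitable connection for peer"):
            p["no_suitable_connection"] += 1
        elif "INVALID_ID_INFORMATION" in msg:
            p["invalid_id_sent"] += 1
        elif (r := RETRANS_RE.search(msg)):
            p["gave_up"] = True
            p["last_state"] = r.group(2)
    return dict(peers)


def explain(summary: dict) -> list:
    """One finding per peer whose ID was rejected, stating the rightid= that
    would match the ID as sent; whether the rest of the connection (auth
    policy, certificate) matches is a separate check this script cannot do."""
    out = []
    for peer, p in summary.items():
        if p["no_suitable_connection"]:
            out.append(
                f'{peer}: conn "{p["conn"]}" reached {p["last_state"]}, then '
                f'rejected peer ID {p["peer_id"]!r} {p["no_suitable_connection"]}x; '
                f'a matching rightid= is {key_id_to_rightid(p["peer_id"])}')
    return out


if __name__ == "__main__":
    for finding in explain(triage(SAMPLE_LOG)):
        print(finding)
```

Run it on a real /var/log/secure by reading the file into `triage()`; with `--perpeerlog` in use, point it at the per-peer file instead. The per-peer dictionary is what you would feed into an alert if the same remote address racks up INVALID_ID_INFORMATION replies across many SAs.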