I have a Mandrake 8.1 PC with the freeswan 1.95 RPM.

Server:
Mandrake 8.1
Eth0 200.75.203.138
Eth1 192.168.1.1
Eth2 192.168.0.1
/proc/sys/net/ipv4/conf/ipsec0/rp_filter 0
/proc/sys/net/ipv4/conf/eth2/rp_filter 1
/proc/sys/net/ipv4/conf/eth1/rp_filter 1
/proc/sys/net/ipv4/conf/eth0/rp_filter 1
/proc/sys/net/ipv4/conf/default/rp_filter 1
/proc/sys/net/ipv4/conf/all/rp_filter 1
iptables rule : -A POSTROUTING -o eth0 -j MASQUERADE

Client:
Road warrior using SSH Sentinel 1.3-Beta2, first connecting via dial-up
to the Internet, then attempting connection to VPN Server to access the
internal network.

Problem:
Testing the connection with the Diag option in Sentinel works OK. But
after trying to do an actual VPN the server dies. I have to reboot the
server.

Contents of /etc/freeswan/ipsec.conf
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        disablearrivalcheck=no
        # authby=rsasig
        authby=secret
        leftrsasigkey=%dns
        rightrsasigkey=%dns

# conn for road warrior
conn interno-dialup
        left=200.75.203.138
        leftsubnet=192.168.0.0/24
        leftnexthop=200.75.203.137
        right=%any
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        authby=secret
        auto=add
        keyingtries=1
/etc/freeswan/ipsec.secrets
200.75.203.138 %any: PSK "ommited_for_obvious_reasons"
Content of /var/log/secure
Mar 27 03:37:51 redbaron ipsec__plutorun: Starting Pluto subsystem...
Mar 27 03:37:51 redbaron Pluto[4516]: Starting Pluto (FreeS/WAN Version
1.95)
Mar 27 03:37:52 redbaron Pluto[4516]: added connection description
"interno-dialup"
Mar 27 03:37:52 redbaron Pluto[4516]: listening for IKE messages
Mar 27 03:37:52 redbaron Pluto[4516]: adding interface ipsec0/eth0
200.75.203.138
Mar 27 03:37:52 redbaron Pluto[4516]: loading secrets from
"/etc/freeswan/ipsec.secrets"
Mar 27 03:50:41 redbaron Pluto[4516]: packet from 209.127.71.139:500:
ignoring Vendor ID payload
Mar 27 03:50:41 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#1: responding to Main Mode from unknown peer 209.127.71.139
Mar 27 03:50:41 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#1: next payload type of ISAKMP Identification Payload has an unknown
value: 34
Mar 27 03:50:41 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#1: probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Mar 27 03:50:42 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#1: next payload type of ISAKMP Identification Payload has an unknown
value: 34
Mar 27 03:50:42 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#1: probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Mar 27 03:50:44 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#1: next payload type of ISAKMP Identification Payload has an unknown
value: 34
Mar 27 03:50:44 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#1: probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Mar 27 03:50:48 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#1: next payload type of ISAKMP Identification Payload has an unknown
value: 34
Mar 27 03:50:48 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#1: probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Mar 27 03:50:52 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#1: next payload type of ISAKMP Identification Payload has an unknown
value: 34
Mar 27 03:50:52 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#1: probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet
Mar 27 03:51:51 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#1: max number of retransmissions (2) reached STATE_MAIN_R2
Mar 27 03:51:51 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139:
deleting connection "interno-dialup" instance with peer 209.127.71.139
Mar 27 03:53:19 redbaron Pluto[4516]: packet from 209.127.71.139:500:
ignoring Vendor ID payload
Mar 27 03:53:19 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#2: responding to Main Mode from unknown peer 209.127.71.139
Mar 27 03:53:20 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Mar 27 03:53:20 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#2: sent MR3, ISAKMP SA established
Mar 27 03:53:20 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#3: responding to Quick Mode
Mar 27 03:53:21 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#3: IPsec SA established
Mar 27 03:53:21 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#2: ignoring Delete SA payload
Mar 27 03:53:21 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#2: received and ignored informational message
Mar 27 04:48:51 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #3
Mar 27 04:50:01 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#4: max number of retransmissions (2) reached STATE_QUICK_I1
Mar 27 04:53:21 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#3: IPsec SA expired (LATEST!)
Mar 27 07:48:50 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#5: initiating Main Mode to replace #2
Mar 27 07:50:00 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#5: max number of retransmissions (2) reached STATE_MAIN_I1. No
acceptable response to our first IKE message
Mar 27 07:53:20 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139
#2: ISAKMP SA expired (LATEST!)
Mar 27 07:53:20 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139:
deleting connection "interno-dialup" instance with peer 209.127.71.139
Mar 27 09:35:08 redbaron Pluto[4516]: packet from 209.127.71.43:500:
ignoring Vendor ID payload
Mar 27 09:35:08 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43 #6:
responding to Main Mode from unknown peer 209.127.71.43
Mar 27 09:35:09 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43 #6:
discarding duplicate packet; already STATE_MAIN_R2
Mar 27 09:35:10 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43 #6:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Mar 27 09:35:10 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43 #6:
sent MR3, ISAKMP SA established
Mar 27 09:35:11 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43 #7:
responding to Quick Mode
Mar 27 09:35:12 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43 #7:
IPsec SA established
Mar 27 10:30:42 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43 #8:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #7
Mar 27 10:30:48 redbaron Pluto[4516]: ERROR: asynchronous network error
report on eth0 for message to 209.127.71.43 port 500, complainant
209.127.71.2: No route to host [errno 113, origin ICMP type 3 code 1
(not authenticated)]
Mar 27 10:31:18 redbaron last message repeated 2 times
Mar 27 10:31:52 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43 #8:
max number of retransmissions (2) reached STATE_QUICK_I1
Mar 27 10:35:12 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43 #7:
IPsec SA expired (LATEST!)
Mar 27 13:30:40 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43 #9:
initiating Main Mode to replace #6
Mar 27 13:31:50 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43 #9:
max number of retransmissions (2) reached STATE_MAIN_I1. No acceptable
response to our first IKE message
Mar 27 13:35:10 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43 #6:
ISAKMP SA expired (LATEST!)
Mar 27 13:35:10 redbaron Pluto[4516]: "interno-dialup" 209.127.71.43:
deleting connection "interno-dialup" instance with peer 209.127.71.43
Thanks,
Erick A. Perez H.
IT Security and Telecommunications
Consultant
Panama, Republic of Panama
Tel. (507) 226-6217
Mobile (507) 652-4889
eperez_at_consultant.com
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:47 CEST
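
An added example, not part of the original post: a small parser that groups Pluto records like the ones in /var/log/secure above by peer and state number (#N) and lists the negotiations that hit the retransmission limit. The function names are this example's own; it assumes each syslog record is on one line and reads Pluto's state-name suffix (I or R) as initiator or responder.

```python
import re
from collections import defaultdict

# Sample input: records copied from the post above, with the e-mail
# line wrapping undone so that each syslog record sits on one line.
SAMPLE = """\
Mar 27 03:50:41 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139 #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Mar 27 03:51:51 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Mar 27 03:51:51 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139: deleting connection "interno-dialup" instance with peer 209.127.71.139
Mar 27 03:53:20 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139 #2: sent MR3, ISAKMP SA established
Mar 27 03:53:21 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139 #3: IPsec SA established
Mar 27 04:50:01 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139 #4: max number of retransmissions (2) reached STATE_QUICK_I1
Mar 27 04:53:21 redbaron Pluto[4516]: "interno-dialup" 209.127.71.139 #3: IPsec SA expired (LATEST!)
"""

RECORD = re.compile(r'Pluto\[\d+\]: "(?P<conn>[^"]+)" (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)')
EVENTS = [  # (label, pattern), checked in order; the first match wins
    ("auth-failure", re.compile(r"probable authentication failure")),
    ("timeout", re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)")),
    ("isakmp-up", re.compile(r"ISAKMP SA established")),
    ("ipsec-up", re.compile(r"IPsec SA established")),
    ("expired", re.compile(r"SA expired")),
]

def sa_timeline(text):
    """Map (peer, state number) -> ordered list of (timestamp, event, detail)."""
    timeline = defaultdict(list)
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue  # not a Pluto record, or one without a #N state number
        for label, pat in EVENTS:
            hit = pat.search(m["msg"])
            if hit:
                detail = hit.group(1) if hit.groups() else ""
                timeline[(m["peer"], int(m["sa"]))].append((line[:15], label, detail))
                break
    return dict(timeline)

def failed_negotiations(timeline):
    """List (state number, peer, stalled state, local role, saw auth failure)."""
    out = []
    for (peer, sa), events in sorted(timeline.items(), key=lambda kv: kv[0][1]):
        saw_auth = any(label == "auth-failure" for _, label, _ in events)
        for _, label, state in events:
            if label == "timeout":
                role = "initiator" if "_I" in state else "responder"
                out.append((sa, peer, state, role, saw_auth))
    return out
```

Run over the full log, this separates the stalls where the server was responding to the client from the ones where it initiated a rekey itself and got no answer.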