[Users] RE: !!!HELP - no connection has been authorized !!!

From: LK Yeung (lkyeung_at_net-yan.com)
Date: Mon Sep 30 2002 - 18:24:06 CEST


I noticed that the source port of the IKE message was being changed to 964
along the path, probably by the source ISP (NAPT). I guess Pluto will not
accept a source port not equal to 500 and hence rejected the request at a very
early stage. Please advise whether this is the cause of the problem and what
the fix then is. I am currently using Shorewall 1.3.7c for firewalling.
Appreciate your help.

 -----Original Message-----
From: LK Yeung [mailto:lkyeung_at_net-yan.com]
Sent: Saturday, September 28, 2002 7:14 PM
To: 'users_at_lists.freeswan.org'
Subject: !!!HELP - no connection has been authorized !!!

Hi all,

I am a newbie to FreeS/WAN and have been fiddling around for three weeks to
set up a VPN between my home network and my W2K notebook. I have read through
many HOWTOs and guides and still cannot get the connection established.

The network connection is:

192.168.1.0/24 (private subnet)
    |
    |
192.168.1.201 (eth1)
FreeS/WAN Gateway
210.3.207.187 (eth2 - ip address obtained from ISP via DHCP)
    |
    |
210.3.206.1 (ISP gateway address)
    |
Internet
    |
public ip address (Corporate Firewall or another ISP gateway via GPRS
network)
    |
10.x (W2K ip address obtained via DHCP)

The FreeS/WAN gateway version is 1.98b with X.509 patch.

ipsec.conf on Linux FreeS/WAN gateway:
--------------------------------------------------
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth2"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
        keyingtries=0
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        # my side is left - the FreeS/WAN gateway
        leftrsasigkey=%cert
        leftcert=/sys/config/cert/yeung88.crt
        leftnexthop=210.3.206.1
        left=210.3.207.187
        # the other side is right
        rightrsasigkey=%cert
        # load connection definitions automatically
        auto=add

# RoadWarrior to DMZ subnet connection
conn rw-dmz
        leftsubnet=192.168.1.0/24
        also=rw-gate

# RoadWarrior to gateway connection
conn rw-gate
        right=%any
        rightsubnet=0/0
        rightnexthop=
        #rightcert=/sys/config/cert/lkyeung.crt
        keyingtries=1
        auto=add
        pfs=yes

ipsec.conf on W2K notebook:
-----------------------------------
conn %default
        #dial=MSN Internet

conn Yeung88
        left=%any
        leftsubnet=*
        right=yeung88.dyndns.info
        rightsubnet=192.168.1.0/24
        rightca="C=HK,ST=Hong Kong,L=Hung Hom,O=Online Choice Technology Limited,CN=OCTL,Email=www_at_octl88.com"
        network=auto
        auto=start
        pfs=yes

/var/log/secure extract:
---------------------------
Sep 23 22:49:33 sysx pluto[6610]: packet from 203.210.1.2:964: initial Main
Mode message received on 210.3.207.187:500 but no connection has been
authorized
Sep 23 22:49:36 sysx pluto[6610]: packet from 203.210.1.2:964: ignoring
Vendor ID payload
Sep 23 22:49:36 sysx pluto[6610]: packet from 203.210.1.2:964: initial Main
Mode message received on 210.3.207.187:500 but no connection has been
authorized
Sep 23 22:49:40 sysx pluto[6610]: packet from 203.210.1.2:964: ignoring
Vendor ID payload
Sep 23 22:49:40 sysx pluto[6610]: packet from 203.210.1.2:964: initial Main
Mode message received on 210.3.207.187:500 but no connection has been
authorized
Sep 23 22:49:48 sysx pluto[6610]: packet from 203.210.1.2:964: ignoring
Vendor ID payload
Sep 23 22:49:48 sysx pluto[6610]: packet from 203.210.1.2:964: initial Main
Mode message received on 210.3.207.187:500 but no connection has been
authorized
Sep 23 22:50:04 sysx pluto[6610]: packet from 203.210.1.2:964: ignoring
Vendor ID payload
Sep 23 22:50:04 sysx pluto[6610]: packet from 203.210.1.2:964: initial Main
Mode message received on 210.3.207.187:500 but no connection has been
authorized
Sep 23 22:50:35 sysx pluto[6610]: packet from 203.210.1.2:964: ignoring
Delete SA payload: not encrypted

ipsec auto --status output:
-------------------------------
000 interface ipsec0/eth2 210.3.207.187
000
000 "rw-dmz": 192.168.1.0/24===210.3.207.187[C=HK, ST=Hong Kong, O=Online
Choice Technology Limited, OU=Yeung88, CN=yeung88.dyndns.info,
E=lkyeung2_at_yahoo.com]---210.3.206.1...%any===0.0.0.0/0
000 "rw-dmz": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 1
000 "rw-dmz": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth2;
unrouted
000 "rw-dmz": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "rw-gate": 210.3.207.187[C=HK, ST=Hong Kong, O=Online Choice Technology
Limited, OU=Yeung88, CN=yeung88.dyndns.info,
E=lkyeung2_at_yahoo.com]---210.3.206.1...%any===0.0.0.0/0
000 "rw-gate": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 1
000 "rw-gate": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface:
eth2; unrouted
000 "rw-gate": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000

Your help is very much appreciated.
Thanks,
LK
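As an added example (not from the post or from FreeS/WAN itself), a small Python triage script that parses Pluto "packet from" log lines like the ones quoted above, counts the "no connection has been authorized" rejections per peer and flags peers whose IKE source port is not UDP 500, which is the NAPT symptom the reply suspects. The sample lines are constructed after the /var/log/secure extract; the 198.51.100.7 peer is made up for contrast.

```python
import re

# Constructed sample log, modelled on the /var/log/secure extract in the post.
SAMPLE_LOG = """\
Sep 23 22:49:33 sysx pluto[6610]: packet from 203.210.1.2:964: initial Main Mode message received on 210.3.207.187:500 but no connection has been authorized
Sep 23 22:49:36 sysx pluto[6610]: packet from 203.210.1.2:964: ignoring Vendor ID payload
Sep 23 22:49:36 sysx pluto[6610]: packet from 203.210.1.2:964: initial Main Mode message received on 210.3.207.187:500 but no connection has been authorized
Sep 23 22:50:35 sysx pluto[6610]: packet from 203.210.1.2:964: ignoring Delete SA payload: not encrypted
Sep 23 22:51:02 sysx pluto[6610]: packet from 198.51.100.7:500: initial Main Mode message received on 210.3.207.187:500 but no connection has been authorized
"""

IKE_PORT = 500  # IKE (ISAKMP) is expected on UDP 500 on both ends
PACKET_RE = re.compile(
    r"pluto\[\d+\]: packet from (?P<src>[\d.]+):(?P<sport>\d+): (?P<msg>.*)$"
)


def parse_pluto_packets(log_text):
    """Yield (src_ip, src_port, message) for every Pluto 'packet from' line."""
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("sport")), m.group("msg")


def triage_unauthorized_peers(log_text):
    """Group rejected Main Mode attempts by peer and flag rewritten source ports.

    Returns {src_ip: {"ports": set, "rejections": int, "napt_suspected": bool}}.
    """
    peers = {}
    for src, sport, msg in parse_pluto_packets(log_text):
        entry = peers.setdefault(src, {"ports": set(), "rejections": 0})
        entry["ports"].add(sport)
        if "no connection has been authorized" in msg:
            entry["rejections"] += 1
    for entry in peers.values():
        # A source port other than 500 means a device on the path (typically
        # NAPT) rewrote it before the packet reached the gateway.
        entry["napt_suspected"] = any(p != IKE_PORT for p in entry["ports"])
    return peers


if __name__ == "__main__":
    for ip, info in triage_unauthorized_peers(SAMPLE_LOG).items():
        flag = "NAPT suspected" if info["napt_suspected"] else "port 500 ok"
        print(f"{ip}: {info['rejections']} rejections, ports {sorted(info['ports'])}, {flag}")
```

Run against a real /var/log/secure to see whether every rejected peer arrives from a non-500 port (path rewriting) or only some of them (a conn or certificate mismatch instead).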



