Re: [Users] Message on secure log - no acceptable Oakley Transform policy does not allow OAKLEY_PRESHARED_KEY authentication

From: Arthur L. Mandalho (arthurm_at_konsultex.com.br)
Date: Fri Nov 08 2002 - 16:53:17 CET


Ken

First I sent you the files from the RedHat side; now I am sending the
files from the Conectiva side.
I found one difference between the files and one error that appears on the
Conectiva side and NOT on the RedHat side.

The difference:
on the RedHat side we have
    leftsubnet=192.168.106.0/24

on the Conectiva side we have
    leftsubnet=192.168.106.1/24

Could the number "1" be implicated in this error?

And the error:

Nov 8 10:48:26 srv1 Pluto[30275]: "ce490" #3037: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message

I have a question:
If I change this leftsubnet on the RedHat side to be equal, will I need to
rebuild the key?

Thanks a lot!!!!

Arthur

********************************************************************************
IPSEC.SECRET

: RSA {
    # RSA 1024 bits srv1.hfc.com.br Wed Nov 6 09:57:27 2002
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=0sAQNdtg1dTMAhAu6uEHQFIdnjDFFKoYyAGzwUnqs1Q1sYh/wNxDIhunk9a3OKHmc+W7WXs7T33XIf4/p35BEmBUC9zXv8onmDXhIZ9s+J2FMdZ1Qek8AqHvmlUYiWv7mKq2PsyAJxZyI8BFONzJmJiuGp/PKYG0poCi0FCCa+QBoE5w==
    #IN KEY 0x4200 4 1 AQNdtg1dTMAhAu6uEHQFIdnjDFFKoYyAGzwUnqs1Q1sYh/wNxDIhunk9a3OKHmc+W7WXs7T33XIf4/p35BEmBUC9zXv8onmDXhIZ9s+J2FMdZ1Qek8AqHvmlUYiWv7mKq2PsyAJxZyI8BFONzJmJiuGp/PKYG0poCi0FCCa+QBoE5w==
    # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
    Modulus: 0x5db60d5d4cc02102eeae10740521d9e30c514aa18c801b3c149eab35435b1887fc0dc43221ba793d6b738a1e673e5bb597b3b4f7dd721fe3fa77e411260540bdcd7bfca279835e1219f6cf89d8531d67541e93c02a1ef9a5518896bfb98aab63ecc8027167223c04538dcc99898ae1a9fcf2981b4a680a2d050826be401a04e7
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x0f9e578f8ccab02b27c7ad68ab85a450820d8c70421559df58c51c88e08f2ec154acf6085af4698a3c9341afbbdfb9f399489e294f930550a9bea602dbab8aca18c54cc6b48af04643fff439e6dfc32cbed0d62ac5bd34e440d2a370c2eb079365aef6a1e42c34b5aa681e13ffd43d1e01692bef1ae8d633b590f5046f3b3a07
    Prime1: 0xb258948e83ffbaebde2cddb918b476be4671ed8073911aed6b0556b04a9aee0db64d1893b4bc9dde2380ae1168ecc3c2cd17f28f6f16cde118fbd33ad3d79de5
    Prime2: 0x86839b6bba420180a3ca38755660139c94c7a13f141ea15e61936b6add6d8fe1d4612212595c61e4319c6a1021a4af3327639df139dc3715aaa69568d0df0adb
    Exponent1: 0x76e5b85f02aa7c9d3ec893d0bb22f9d42ef69e55a260bc9e4758e4758711f409243365b7cdd313e96d00740b9b488281de0ff70a4a0f33eb65fd377c8d3a6943
    Exponent2: 0x59ad1247d1815655c286d04e39956268632fc0d4b8146b94410cf2473e490a968d9616b6e63d96982112f160166dca221a42694b7be824b91c6f0e45e094b1e7
    Coefficient: 0x7f824c6a799f0dc3720a837f59134e925b407e43c9f8f1620d0745d0ee3f1df9abcdb7f939c13b9e1bd1a2029b5d27cb93bec45c9c23809e0fc2b80cb2b0bbeb
    }
# do not change the indenting of that "}"

********************************************************************************
IPSEC.CONF

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search

conn ce490
    # Remote configuration
    keyingtries=0
    authby=rsasig
    left=200.207.13.229
    leftsubnet=192.168.106.1/24
    leftnexthop=200.207.13.193
    leftid=@ce490.hf.com.br
    leftrsasigkey=0sAQNeb5JDJ5+zCyavB7bxeBsj1YywgEcQ88mZESazaLLzMYBJDV7YdZVlleSQrCkbGjfyIDdT+sOOXgR5V2MEfDcakkmA3b3LlIe1rMKQ6MXmQGXeXUBzxyhapcdwKWRKM6OROWorEHfWQ4NexRRWPsKDTOWQRwNRpfA5+M6wXLAl2w==
    # LOCAL configuration
    right=200.201.132.42
    rightsubnet=192.168.100.0/24
    rightnexthop=200.201.132.41
    rightid=@srv1.hfc.com.br
    rightrsasigkey=0sAQNdtg1dTMAhAu6uEHQFIdnjDFFKoYyAGzwUnqs1Q1sYh/wNxDIhunk9a3OKHmc+W7WXs7T33XIf4/p35BEmBUC9zXv8onmDXhIZ9s+J2FMdZ1Qek8AqHvmlUYiWv7mKq2PsyAJxZyI8BFONzJmJiuGp/PKYG0poCi0FCCa+QBoE5w==
    auto=start

********************************************************************************
LOG

Nov 8 10:48:26 srv1 Pluto[30275]: "ce490" #3037: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
Nov 8 10:48:26 srv1 Pluto[30275]: "ce490" #3037: starting keying attempt 3037 of an unlimited number
Nov 8 10:48:26 srv1 Pluto[30275]: "ce490" #3038: initiating Main Mode to replace #3037

I got the files from the other side.

Ken Bantoft wrote:

>On Thu, 7 Nov 2002, Arthur L. Mandalho wrote:
>
>>Ken
>>
>>I made the change that you suggested, but the message is still in my secure log.
>>
>>Is there nothing wrong with my key?
>>
>>I'm not sure but if I "interpret" the log :
>>
>>pluto[2793]: | ******parse ISAKMP Oakley attribute:
>>pluto[2793]: | af+type: OAKLEY_AUTHENTICATION_METHOD
>>pluto[2793]: | length/value: 1
>>pluto[2793]: | [1 is OAKLEY_PRESHARED_KEY]
>>
>
>For some reason, one of the sides is attempting to use PSKs to connect.
>This will be due to a config error somewhere on one of the boxes. Restart
>freeswan on each side and watch the log files (/var/log/secure on RH) to
>ensure the connection is loaded without errors.
>
>
>

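Two things in the posted files are worth checking mechanically, and neither is answered by the subnet question. First, Main Mode Phase 1 carries no subnet selectors, so a host-bit typo such as leftsubnet=192.168.106.1/24 cannot explain retransmissions stuck in STATE_MAIN_I1; and the RSA key pair is tied to leftid/rightid, not to the subnets, so changing a subnet never requires a new key. Second, the ": RSA { ... }" block above is the complete private key (PrivateExponent, Prime1, Prime2 and the CRT values), and once it has been sent to a public list it has to be treated as compromised: generate a fresh pair with ipsec rsasigkey and install the new public key on both peers. The script below is an added example, not code from the FreeS/WAN project or from the original post. It decodes FreeS/WAN's "0s" base64 public-key form (RFC 2537 KEY RDATA: exponent length, exponent, modulus), checks that the rightrsasigkey in ipsec.conf is the public half of the key in ipsec.secrets, and flags subnets with host bits set. IPSEC_CONF and IPSEC_SECRETS are constructed excerpts of the files posted in this message, cut down to the fields the checks read.

```python
"""Sanity checks for a FreeS/WAN conn and the RSA key it should be using.

Added example, not code from the FreeS/WAN project or from the original post.
IPSEC_CONF and IPSEC_SECRETS are constructed excerpts of the files posted in
this message, cut down to the fields the checks read.
"""
import base64
import ipaddress
import re

IPSEC_CONF = """\
conn ce490
    keyingtries=0
    authby=rsasig
    left=200.207.13.229
    leftsubnet=192.168.106.1/24
    leftid=@ce490.hf.com.br
    leftrsasigkey=0sAQNeb5JDJ5+zCyavB7bxeBsj1YywgEcQ88mZESazaLLzMYBJDV7YdZVlleSQrCkbGjfyIDdT+sOOXgR5V2MEfDcakkmA3b3LlIe1rMKQ6MXmQGXeXUBzxyhapcdwKWRKM6OROWorEHfWQ4NexRRWPsKDTOWQRwNRpfA5+M6wXLAl2w==
    right=200.201.132.42
    rightsubnet=192.168.100.0/24
    rightid=@srv1.hfc.com.br
    rightrsasigkey=0sAQNdtg1dTMAhAu6uEHQFIdnjDFFKoYyAGzwUnqs1Q1sYh/wNxDIhunk9a3OKHmc+W7WXs7T33XIf4/p35BEmBUC9zXv8onmDXhIZ9s+J2FMdZ1Qek8AqHvmlUYiWv7mKq2PsyAJxZyI8BFONzJmJiuGp/PKYG0poCi0FCCa+QBoE5w==
    auto=start
"""

# Only the public half of the posted ": RSA { ... }" entry is needed here.
IPSEC_SECRETS = """\
: RSA {
    Modulus: 0x5db60d5d4cc02102eeae10740521d9e30c514aa18c801b3c149eab35435b1887fc0dc43221ba793d6b738a1e673e5bb597b3b4f7dd721fe3fa77e411260540bdcd7bfca279835e1219f6cf89d8531d67541e93c02a1ef9a5518896bfb98aab63ecc8027167223c04538dcc99898ae1a9fcf2981b4a680a2d050826be401a04e7
    PublicExponent: 0x03
    }
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}} for the 'conn NAME' / 'config setup' blocks."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # unindented line opens a section
            current = line.strip()
            sections[current] = {}
        else:
            if current is None:
                raise ValueError("keyword line before any section: %r" % line)
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_rsa_secret(text):
    """Pull the 'Name: 0x...' fields out of an ': RSA { ... }' entry as ints."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^\s*(\w+):\s*(0x[0-9a-fA-F]+)", text, re.M)}


def decode_0s_key(key):
    """Decode FreeS/WAN's '0s' + base64 public key into (exponent, modulus).

    The payload is RFC 2537 RSA KEY RDATA: one exponent-length byte (0 means a
    two-byte length follows), the exponent, then the modulus."""
    if not key.startswith("0s"):
        raise ValueError("expected a 0s (base64) key")
    raw = base64.b64decode(key[2:], validate=True)
    if raw[0] != 0:
        exp_len, pos = raw[0], 1
    else:
        exp_len, pos = int.from_bytes(raw[1:3], "big"), 3
    e = int.from_bytes(raw[pos:pos + exp_len], "big")
    n = int.from_bytes(raw[pos + exp_len:], "big")
    return e, n


def host_bits_set(cidr):
    """True for '192.168.106.1/24'-style values whose host part is non-zero."""
    net = ipaddress.ip_network(cidr, strict=False)   # ValueError if malformed
    return ipaddress.ip_interface(cidr).ip != net.network_address


def local_side(conn, secret):
    """Which side's rsasigkey is the public half of our private key, or None."""
    ours = (secret["PublicExponent"], secret["Modulus"])
    for side in ("left", "right"):
        key = conn.get(side + "rsasigkey")
        if key and decode_0s_key(key) == ours:
            return side
    return None


def check_conn(conn, secret):
    """Return a list of findings for one conn section."""
    findings = []
    for side in ("left", "right"):
        subnet = conn.get(side + "subnet")
        if subnet and host_bits_set(subnet):
            findings.append("%ssubnet=%s: host bits set; use the network address"
                            % (side, subnet))
    if conn.get("authby") == "rsasig":
        for side in ("left", "right"):
            if not conn.get(side + "rsasigkey"):
                findings.append("authby=rsasig but %srsasigkey is missing" % side)
        if local_side(conn, secret) is None:
            findings.append("no rsasigkey matches the RSA key in ipsec.secrets")
    return findings


def run():
    conn = parse_ipsec_conf(IPSEC_CONF)["conn ce490"]
    secret = parse_rsa_secret(IPSEC_SECRETS)
    return local_side(conn, secret), check_conn(conn, secret)


if __name__ == "__main__":
    side, findings = run()
    print("ipsec.secrets key is the public key of the %s side" % side)
    for finding in findings:
        print("finding:", finding)
```

On the posted files the script reports that the local key is the "right" side's and raises exactly one finding, the leftsubnet host bits; the PSK-versus-RSA disagreement seen in the log lives on the peer, so it has to be run against the other box's files too.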
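Ken's reply rests on the OAKLEY_AUTHENTICATION_METHOD attribute Pluto parsed out of the peer's first Main Mode message: value 1 is pre-shared key, value 3 is RSA signatures (RFC 2409 Appendix A), and a responder whose conn says authby=rsasig rejects a transform carrying 1 with the "policy does not allow OAKLEY_PRESHARED_KEY authentication" line in the subject, so the initiator sees no acceptable reply and retransmits. The decoder below is an added example, not Pluto's code and not from the original post: it walks the data attributes of an IKEv1 transform in the RFC 2408 section 3.3 TLV format and names the authentication method, so a captured SA payload can be compared with each side's authby. The two proposals are constructed for the example, not traffic from the poster's hosts, and only the attribute list is parsed, not the ISAKMP, proposal and transform headers around it.

```python
"""Decode the Oakley attributes of an IKEv1 (Main Mode) transform.

Added example, not Pluto's code and not from the original post.  Attribute
format: RFC 2408 section 3.3; attribute classes and values: RFC 2409 App. A.
The two byte strings below are constructed, not captured traffic.
"""
import struct

OAKLEY_ATTR = {1: "OAKLEY_ENCRYPTION_ALGORITHM", 2: "OAKLEY_HASH_ALGORITHM",
               3: "OAKLEY_AUTHENTICATION_METHOD", 4: "OAKLEY_GROUP_DESCRIPTION",
               11: "OAKLEY_LIFE_TYPE", 12: "OAKLEY_LIFE_DURATION"}
AUTH_METHOD = {1: "OAKLEY_PRESHARED_KEY", 2: "OAKLEY_DSS_SIG", 3: "OAKLEY_RSA_SIG",
               4: "OAKLEY_RSA_ENC", 5: "OAKLEY_RSA_ENC_REV"}

# 3DES-CBC, SHA, PSK, MODP1024, life in seconds, 28800 s (constructed).
PSK_PROPOSAL = bytes.fromhex("80010005 80020002 80030001 80040002 800b0001"
                             "000c0004 00007080")
# Same transform but RSA signature authentication (constructed).
RSA_PROPOSAL = bytes.fromhex("80010005 80020002 80030003 80040002 800b0001"
                             "000c0004 00007080")


def parse_attributes(data):
    """Return [(attribute_type, value)] from a run of ISAKMP data attributes.

    Bit 15 of the first 16-bit word is AF.  AF=1: the second word is the
    value.  AF=0: the second word is a length and that many value bytes
    follow (used here for the 4-byte life duration)."""
    pos, attrs = 0, []
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated attribute header at offset %d" % pos)
        af_type, second = struct.unpack_from("!HH", data, pos)
        pos += 4
        af, attr_type = af_type >> 15, af_type & 0x7FFF
        if af:
            value = second
        else:
            if len(data) - pos < second:
                raise ValueError("truncated attribute value at offset %d" % pos)
            value = int.from_bytes(data[pos:pos + second], "big")
            pos += second
        attrs.append((attr_type, value))
    return attrs


def auth_method(attrs):
    """Name of the proposed authentication method, or None if absent."""
    for attr_type, value in attrs:
        if attr_type == 3:
            return AUTH_METHOD.get(value, "unknown(%d)" % value)
    return None


def pluto_style(attrs):
    """Render the attributes the way Pluto's plutodebug parse lines do."""
    lines = []
    for attr_type, value in attrs:
        lines.append("af+type: %s" % OAKLEY_ATTR.get(attr_type, "unknown(%d)" % attr_type))
        lines.append("length/value: %d" % value)
        if attr_type == 3:
            lines.append("[%d is %s]" % (value, AUTH_METHOD.get(value, "unknown")))
    return lines


def acceptable(attrs, authby):
    """Would a responder with this authby accept the transform's auth method?

    FreeS/WAN maps authby=secret to pre-shared key and authby=rsasig to RSA
    signatures; this is the policy check, not Pluto's full transform match."""
    wanted = {"secret": "OAKLEY_PRESHARED_KEY", "rsasig": "OAKLEY_RSA_SIG"}[authby]
    return auth_method(attrs) == wanted


if __name__ == "__main__":
    for label, proposal in (("PSK", PSK_PROPOSAL), ("RSA", RSA_PROPOSAL)):
        attrs = parse_attributes(proposal)
        print("--", label, "proposal, acceptable to authby=rsasig:",
              acceptable(attrs, "rsasig"))
        for line in pluto_style(attrs):
            print("|", line)
```

Run against the PSK proposal with authby=rsasig the check fails, which is the situation on this thread: whichever box proposes value 1 has a conn (or a default) that is not rsasig, and that is where to look.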
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.5 : Sat Nov 09 2002 - 05:20:36 CET