[Users] Connection but no authentication

From: Bjarke Bruun (bbj_at_b-nss.com)
Date: Fri Jan 10 2003 - 16:41:58 CET


Hi there

I've been trying to set up ipsec on a rh7.3 box as an ipsec gateway with version
1.99 and iptables, and a rh7.3 box as a roadwarrior with the same version and
kernel version (2.4.18-3custom).

"ipsec verify" checks out after changing the "ipchains" checks in
/usr/local/lib/ipsec/* to iptables etc. on both computers, and from the
client I can initiate a connection with

[root_at_client root]# ipsec auto --up road
104 "road" #6: STATE_MAIN_I1: initiate
010 "road" #6: STATE_MAIN_I1: retransmission; will wait 20s for response

but as you can see, it does not connect - in /var/log/secure it says

---- start ----
[root_at_client root]# tail /var/log/secure
Jan 10 16:30:55 linux pluto[4180]: "road" #8: initiating Main Mode
Jan 10 16:30:56 linux pluto[4180]: "road" #8: ERROR: asynchronous network error report on eth1 for message to 80.160.253.153 port 500, complainant 80.160.253.153: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jan 10 16:31:06 linux pluto[4180]: "road" #8: ERROR: asynchronous network error report on eth1 for message to 80.160.253.153 port 500, complainant 80.160.253.153: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jan 10 16:31:14 linux pluto[4180]: "road": terminating SAs using this connection
Jan 10 16:31:14 linux pluto[4180]: "road" #8: deleting state (STATE_MAIN_I1)
[root_at_client root]#
---- end ----

The gateway does not put any information in either /var/log/secure or
/var/log/messages besides "/etc/init.d/ipsec start/stop/..." information that
checks out fine, for all I know.

It's the "Connection refused [err....." that annoys me since the iptables
setup is as follows on the gateway and client

[root_at_client root]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp spt:500 dpt:500
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp spt:500 dpt:500
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
[root_at_client root]#

Does anyone have any idea what I'm doing wrong, or what I need to do to get it
started?

The ipsec.conf on the gateway is as follows:
---- start
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # Parameters for manual-keying testing (DON'T USE OPERATIONALLY).
        # Note: only one test connection at a time can use these parameters!
        spi=0x200
        esp=3des-md5-96
        espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
        espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
        # RSA authentication with keys from DNS.
        authby=secret
        #leftrsasigkey=%dns
        #rightrsasigkey=%dns
        auto=add

# sample connection
conn road
    left=a.b.c.d # Gateway's information
    leftid=@gw.example.com #
    leftsubnet=192.168.11.0/24 #
    leftrsasigkey=0sAQOGv8N0dYfWM+u... #
    rightnexthop=%defaultroute # correct in many situations
    right=%any # Wildcard: we don't know the laptop's IP
    rightid=client.example.com #
    rightrsasigkey=0sAQOH/DNIUAEfLJuOzn... #
    auto=add # authorizes but doesn't start this
                                   # connection at startup
---- end

The ipsec.conf on the client is as follows:

---- start
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand

conn road
    left=%defaultroute # Picks up our dynamic IP
    leftid=@client.example.com
    leftrsasigkey=0sAQOH/DNIUAEfLJuOznj...
    right=a.b.c.d # Remote information
    rightsubnet=192.168.11.0/24 #
    rightid=@gw.example.com #
    rightrsasigkey=0sAQOGv8N0dYfWM+uUKg...
    auto=add # authorizes but doesn't start this
                                        # connection at startup

---- end

-- 
Bjarke Bruun - E-mail: bbj_at_b-nss.com
   __   _
  / /  (_)__  __ ____  __
 / /__/ / _ \/ // /\ \/ /  . . .  t h e   c h o i c e   o f   a
/____/_/_//_/\_,_/ /_/\_\              G N U   g e n e r a t i o n . . .
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
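Editor's note, added to this archived message (the code below is not from the post, from FreeS/WAN, or from anyone on the list). The useful fact in the log above is the ICMP origin: type 3 code 3 is "port unreachable", and the complainant is the gateway's own address. That means the IKE packet reached the gateway and its kernel answered that nothing is bound to UDP/500 there; a firewall DROP would produce only retransmissions with no ICMP at all, and a REJECT rule would normally produce an "administratively prohibited" code. The "(not authenticated)" refers to the ICMP message itself, which carries no authentication and could be forged; it is not an IKE authentication failure. The following script turns that reasoning into a classifier for pluto log lines. The regular expressions are assumptions derived from the two message formats quoted in the post; the sample log is the post's lines re-joined onto single physical lines (mail clients wrap them) plus constructed variants, and the "no_listener" advice names the checks a practitioner would run on the gateway.

```python
"""Classify the IKE failure symptoms in FreeS/WAN pluto log lines.

Added diagnostic example; not code from the post or from FreeS/WAN.
The message formats are assumptions based on the lines quoted in the post.
"""
import re

# pluto's asynchronous-error line, as quoted in the post (one physical line;
# mail clients wrap it, so join wrapped copies before feeding them in).
ICMP_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): ERROR: asynchronous network error report'
    r' on (?P<iface>\S+) for message to (?P<peer>[\d.]+) port (?P<port>\d+),'
    r' complainant (?P<sender>[\d.]+):.*?origin ICMP type (?P<type>\d+) code (?P<code>\d+)'
)
# The "ipsec auto --up" / pluto line printed when no reply arrives at all.
RETRANS_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<st>STATE_\w+): retransmission'
)

# ICMP destination-unreachable (type 3) codes, RFC 792 and RFC 1812.
UNREACH = {
    0: "network unreachable (routing problem on the way to the peer)",
    1: "host unreachable (peer address not reachable)",
    2: "protocol unreachable",
    3: "port unreachable: the datagram reached the host and its kernel answered, "
       "so no socket is bound to that UDP port there (pluto not running or not "
       "listening on that interface); a firewall DROP would give no answer at all",
    9: "network administratively prohibited (a filter REJECTed it)",
    10: "host administratively prohibited (a filter REJECTed it)",
    13: "communication administratively prohibited (e.g. iptables REJECT "
        "--reject-with icmp-admin-prohibited)",
}


def classify(line):
    """Return a dict describing one log line, or None if it is not a symptom."""
    m = ICMP_RE.search(line)
    if m:
        icmp_type, code = int(m["type"]), int(m["code"])
        if icmp_type == 3:
            meaning = UNREACH.get(code, "destination unreachable, code %d" % code)
        else:
            meaning = "ICMP type %d code %d" % (icmp_type, code)
        return {
            "kind": "icmp_error", "conn": m["conn"], "iface": m["iface"],
            "peer": m["peer"], "port": int(m["port"]), "type": icmp_type,
            "code": code,
            # True when the error came from the peer's own address rather than
            # from a router in between.
            "from_peer": m["sender"] == m["peer"],
            "meaning": meaning,
        }
    m = RETRANS_RE.search(line)
    if m:
        return {"kind": "no_reply", "conn": m["conn"], "state": m["st"]}
    return None


def diagnose(lines):
    """Reduce a log excerpt to one verdict: (label, explanation)."""
    events = [e for e in map(classify, lines) if e]
    icmp = [e for e in events if e["kind"] == "icmp_error" and e["type"] == 3]
    port_unreach = [e for e in icmp if e["code"] == 3]
    prohibited = [e for e in icmp if e["code"] in (9, 10, 13)]
    if port_unreach:
        e = port_unreach[0]
        who = "the peer itself" if e["from_peer"] else "an intermediate host"
        return ("no_listener",
                "%s (%s) reports UDP port %d unreachable: packets arrive, but nothing "
                "is listening there. Check on the peer that pluto is running and bound "
                "to the interface that owns %s (ipsec auto --status, netstat -anu)."
                % (who, e["peer"], e["port"], e["peer"]))
    if prohibited:
        e = prohibited[0]
        return ("filtered_reject",
                "%s rejected the packet: %s" % (e["peer"], e["meaning"]))
    if any(e["kind"] == "no_reply" for e in events):
        return ("silent_drop",
                "retransmissions with no ICMP error: the packet is dropped silently "
                "(firewall DROP, a routing problem, or the peer discarding it)")
    return ("unknown", "no recognisable IKE failure symptom in the excerpt")


# Constructed sample: the post's /var/log/secure lines re-joined onto single
# physical lines, plus a constructed "ipsec auto --up" retransmission line.
SAMPLE_LOG = """\
Jan 10 16:30:55 linux pluto[4180]: "road" #8: initiating Main Mode
Jan 10 16:30:56 linux pluto[4180]: "road" #8: ERROR: asynchronous network error report on eth1 for message to 80.160.253.153 port 500, complainant 80.160.253.153: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jan 10 16:31:14 linux pluto[4180]: "road": terminating SAs using this connection
Jan 10 16:31:14 linux pluto[4180]: "road" #8: deleting state (STATE_MAIN_I1)
""".splitlines()

SAMPLE_SILENT = ['010 "road" #6: STATE_MAIN_I1: retransmission; will wait 20s for response']

if __name__ == "__main__":
    for name, log in (("post", SAMPLE_LOG), ("silent", SAMPLE_SILENT)):
        label, why = diagnose(log)
        print("%s: %s\n  %s" % (name, label, why))
```

Run it as-is to see the verdict for the quoted log; feed it `grep pluto /var/log/secure` output (with wrapped lines joined) to classify a live failure. The distinction it encodes is the one that matters when reading the post's log: an ICMP port-unreachable from the peer's own address rules out the client's iptables rules and the path, and points at the gateway's UDP/500 listener, so the next step is on the gateway, not on the firewall.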


This archive was generated by hypermail 2.1.5 : Wed Jan 15 2003 - 20:11:38 CET