RE: [Users] Connection but no authentication

From: Garrett Laska (laska_at_indigocorp.com)
Date: Mon Jan 13 2003 - 21:48:15 CET


Did you try this with iptables rules turned off (default ACCEPT for
everything)? Also, put a catch-all logging rule in iptables to log all
discarded packets to the messages log... In my experience, 49% of problems
encountered are firewall issues, another 49% are routing rule / default
gateway or re-direct definitions, and the final 2% are actual config
problems with FreeS/WAN...

Garrett Laska
Indigo Information Systems
laska_at_indigocorp.com

> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Bjarke Bruun
> Sent: Friday, January 10, 2003 10:42
> To: users_at_lists.freeswan.org
> Subject: [Users] Connection but no authentication
>
>
> Hi there
>
> I've been trying to set up ipsec on a rh7.3 box as an ipsec gateway with
> version 1.99 and iptables, and a rh7.3 as a roadwarrior with the same version
> and kernel version (2.4.18-3custom).
>
> "Ipsec verify" checksout after changing the "ipchains" checks in
> /usr/local/lib/ipsec/* to iptables etc. on both computers and can
> from the
> client initiate a connection with
>
> [root_at_client root]# ipsec auto --up road
> 104 "road" #6: STATE_MAIN_I1: initiate
> 010 "road" #6: STATE_MAIN_I1: retransmission; will wait 20s for response
>
> but as you can see, it does not connect - in /var/log/secure it says
>
> ---- start ----
> [root_at_client root]# tail /var/log/secure
> Jan 10 16:30:55 linux pluto[4180]: "road" #8: initiating Main Mode
> Jan 10 16:30:56 linux pluto[4180]: "road" #8: ERROR: asynchronous network error report on eth1 for message to 80.160.253.153 port 500, complainant 80.160.253.153: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> Jan 10 16:31:06 linux pluto[4180]: "road" #8: ERROR: asynchronous network error report on eth1 for message to 80.160.253.153 port 500, complainant 80.160.253.153: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> Jan 10 16:31:14 linux pluto[4180]: "road": terminating SAs using this connection
> Jan 10 16:31:14 linux pluto[4180]: "road" #8: deleting state (STATE_MAIN_I1)
> [root_at_client root]#
> ---- end ----
>
> The gateway does not put any information in either /var/log/secure or
> /var/log/messages besides "/etc/init.d/ipsec start/stop/..." information
> that checks out fine, for all I know.
>
> It's the "Connection refused [err....." that annoys me since the iptables
> setup is as follows on the gateway and client
>
> [root_at_client root]# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp spt:500 dpt:500
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp spt:500 dpt:500
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
> [root_at_client root]#
>
>
> Does anyone have any idea what I'm doing wrong, or what I need to do to get
> it started?
>
> The ipsec.conf on the client is as follows:
> ---- start
> # basic configuration
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls: "none" for (almost) none, "all" for lots.
>         klipsdebug=all
>         plutodebug=all
>         # Use auto= parameters in conn descriptions to control startup actions.
>         plutoload=%search
>         plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
>
> # defaults for subsequent connection descriptions
> conn %default
>         # How persistent to be in (re)keying negotiations (0 means very).
>         keyingtries=0
>         # Parameters for manual-keying testing (DON'T USE OPERATIONALLY).
>         # Note: only one test connection at a time can use these parameters!
>         spi=0x200
>         esp=3des-md5-96
>         espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
>         espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
>         # RSA authentication with keys from DNS.
>         authby=secret
>         #leftrsasigkey=%dns
>         #rightrsasigkey=%dns
>         auto=add
>
> # sample connection
> conn road
>         left=a.b.c.d                         # Gateway's information
>         leftid=@gw.example.com
>         leftsubnet=192.168.11.0/24
>         leftrsasigkey=0sAQOGv8N0dYfWM+u...
>         rightnexthop=%defaultroute           # correct in many situations
>         right=%any                           # Wildcard: we don't know the laptop's IP
>         rightid=client.example.com
>         rightrsasigkey=0sAQOH/DNIUAEfLJuOzn...
>         auto=add                             # authorizes but doesn't start this
>                                              # connection at startup
> ---- end
>
> The ipsec.conf on the client is as follows:
>
> ---- start
> # basic configuration
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls: "none" for (almost) none, "all" for lots.
>         klipsdebug=none
>         plutodebug=none
>         # Use auto= parameters in conn descriptions to control startup actions.
>         plutoload=%search
>         plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
>
> # defaults for subsequent connection descriptions
> # (these defaults will soon go away)
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%dnsondemand
>         rightrsasigkey=%dnsondemand
>
> conn road
>         left=%defaultroute                   # Picks up our dynamic IP
>         leftid=@client.example.com
>         leftrsasigkey=0sAQOH/DNIUAEfLJuOznj...
>         right=a.b.c.d                        # Remote information
>         rightsubnet=192.168.11.0/24
>         rightid=@gw.example.com
>         rightrsasigkey=0sAQOGv8N0dYfWM+uUKg...
>         auto=add                             # authorizes but doesn't start this
>                                              # connection at startup
>
> ---- end
>
>
>
> --
> Bjarke Bruun - E-mail: bbj_at_b-nss.com
> Linux . . . the choice of a GNU generation . . .
>
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
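The two debugging steps in the reply above (take iptables out of the picture, then run a minimal ruleset with a catch-all LOG for discarded packets) as a small shell helper, plus a check for the symptom in the quoted log: "Connection refused" on a UDP socket with "origin ICMP type 3 code 3" means the peer answered with ICMP port unreachable, which a host sends when nothing is bound to that port (or when a REJECT rule is configured to answer that way). This is an added example and is not code from the list thread or from the FreeS/WAN project. It assumes iptables with the LOG and limit matches, `netstat -uln` style output on stdin for the listener check, and the script name, the DRYRUN switch and the fw-drop log prefix are this example's own inventions. FORWARD is not touched; forwarding policy for the tunnelled subnets depends on the site.

```shell
#!/bin/sh
# Added example, not code from the list thread or the FreeS/WAN project.
# Assumptions: iptables with the LOG and limit matches; `netstat -uln` style
# output for ike_listening; DRYRUN is this script's own switch (hypothetical).

DRYRUN=${DRYRUN:-1}   # 1: print the iptables commands, 0: run them (as root)

# Execute or echo one iptables command, depending on DRYRUN.
run_ipt() {
    if [ "$DRYRUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Step 1: take iptables out of the picture. Every chain policy ACCEPT, all
# rules flushed, user chains deleted. If IKE still fails, it is not the firewall.
fw_open_all() {
    for chain in INPUT FORWARD OUTPUT; do
        run_ipt -P "$chain" ACCEPT
    done
    run_ipt -F
    run_ipt -X
}

# Step 2: minimal IPsec rules plus a catch-all logger. Accept IKE (UDP/500,
# one port per direction rather than spt AND dpt as in the quoted ruleset),
# ESP, AH and ICMP destination-unreachable (so pluto still sees peer errors),
# then LOG whatever falls through, rate-limited, before the DROP policy
# discards it. The chain name is carried in the log prefix.
fw_ipsec_rules() {
    run_ipt -A INPUT  -p udp --dport 500 -j ACCEPT
    run_ipt -A OUTPUT -p udp --sport 500 -j ACCEPT
    for chain in INPUT OUTPUT; do
        run_ipt -A "$chain" -p esp -j ACCEPT
        run_ipt -A "$chain" -p ah -j ACCEPT
        run_ipt -A "$chain" -p icmp --icmp-type destination-unreachable -j ACCEPT
        run_ipt -A "$chain" -m limit --limit 5/min --limit-burst 10 \
            -j LOG --log-prefix "fw-drop-$chain: " --log-level info
        run_ipt -P "$chain" DROP
    done
}

# "Connection refused [..., origin ICMP type 3 code 3]" on a UDP socket means
# the peer sent ICMP port unreachable: nothing is bound to UDP/500 there, or a
# REJECT rule answers that way. Read `netstat -uln` output on stdin and succeed
# only if a UDP socket is bound to port 500 (assumed netstat column layout).
ike_listening() {
    grep -Eq '^udp[[:space:]].*:500[[:space:]]'
}

# Usage (hypothetical file name):
#   DRYRUN=1 sh ipsec-fw.sh open      # print the "open everything" commands
#   DRYRUN=1 sh ipsec-fw.sh rules     # print the minimal ruleset
#   netstat -uln | sh ipsec-fw.sh ike # is anything bound to UDP/500 here?
case "${1:-}" in
    open)  fw_open_all ;;
    rules) fw_ipsec_rules ;;
    ike)   ike_listening && echo "a UDP/500 listener is present" ;;
esac
```

Run `ike` on the gateway, not the client: the ICMP in the quoted log comes from the gateway's address, so that is the host where the UDP/500 socket should exist. With DRYRUN=0 the rule functions need root and change the live firewall, so read the dry-run output first.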



This archive was generated by hypermail 2.1.5 : Wed Jan 15 2003 - 20:11:39 CET