[strongSwan] (no subject)

pdaum at gmx.de pdaum at gmx.de
Mon Jun 14 22:20:29 CEST 2010


I am experiencing a problem connecting a Funkwerk EC VPN25 router (VPN Access 25 version V.7.4 Rev. 1 (Patch 11)) with a strongSwan (Linux strongSwan U4.3.2/K2.6.32-22-generic) gateway.

The (strongSwan) gateway "S" has a fixed IP address, the router "R" has a dynamic one, provided by DynDNS. After an "ipsec update" has been issued on S, S has the current address of R and the establishment of a VPN connection works in both directions, i.e. S as well as R can bring up a connection.

If the IP address of R changes (e.g. after re-establishment of the connection), S does not become aware of the new address. Accordingly, S cannot initiate a connection, as expected. However, R can still connect to S as the IP address of the latter has not changed. Unfortunately, R's connection request is refused by S with the error message "no connection has been authorized with policy=PUBKEY" (full log below). It seems that the first packet of R does not give any indication of R's identity and is subsequently refused by S.

The strange thing is that I have 2 other locations with Funkwerk routers (same config, same software version, albeit another model) where the scenario described above works perfectly.

I am now looking for a reason. As the two working locations are connected through another ISP (Colt), I am wondering if there is something special with the internet connection at the troubled location (green.ch). Could a too small MTU cause problems? Also, R is not directly connected to the internet, having a Zyxel ADSL modem in between (as bridge).

Any ideas on how to analyse (and eventually solve) the problem are appreciated.

Best regards
Peter

Log of failed connection attempt (S):

Jun 13 16:11:50 router pluto[899]: | 
Jun 13 16:11:50 router pluto[899]: | *received 124 bytes from xxx.yyy.98.213:610 on eth0:1
Jun 13 16:11:50 router pluto[899]: |   18 f2 ee 24  6b d2 49 c9  00 00 00 00  00 00 00 00
Jun 13 16:11:50 router pluto[899]: |   01 10 02 00  00 00 00 00  00 00 00 7c  0d 00 00 38
Jun 13 16:11:50 router pluto[899]: |   00 00 00 01  00 00 00 01  00 00 00 2c  00 01 00 01
Jun 13 16:11:50 router pluto[899]: |   00 00 00 24  00 01 00 00  80 01 00 07  80 0e 00 80
Jun 13 16:11:50 router pluto[899]: |   80 02 00 02  80 03 00 03  80 04 00 05  80 0b 00 01
Jun 13 16:11:50 router pluto[899]: |   80 0c 03 84  0d 00 00 14  00 48 e2 27  0b ea 83 95
Jun 13 16:11:50 router pluto[899]: |   ed 77 8d 34  3c c2 a0 76  00 00 00 14  af ca d7 13
Jun 13 16:11:50 router pluto[899]: |   68 a1 f1 c9  6b 86 96 fc  77 57 01 00
Jun 13 16:11:50 router pluto[899]: | **parse ISAKMP Message:
Jun 13 16:11:50 router pluto[899]: |    initiator cookie:
Jun 13 16:11:50 router pluto[899]: |   18 f2 ee 24  6b d2 49 c9
Jun 13 16:11:50 router pluto[899]: |    responder cookie:
Jun 13 16:11:50 router pluto[899]: |   00 00 00 00  00 00 00 00
Jun 13 16:11:50 router pluto[899]: |    next payload type: ISAKMP_NEXT_SA
Jun 13 16:11:50 router pluto[899]: |    ISAKMP version: ISAKMP Version 1.0
Jun 13 16:11:50 router pluto[899]: |    exchange type: ISAKMP_XCHG_IDPROT
Jun 13 16:11:50 router pluto[899]: |    flags: none
Jun 13 16:11:50 router pluto[899]: |    message ID:  00 00 00 00
Jun 13 16:11:50 router pluto[899]: |    length: 124
Jun 13 16:11:50 router pluto[899]: | ***parse ISAKMP Security Association Payload:
Jun 13 16:11:50 router pluto[899]: |    next payload type: ISAKMP_NEXT_VID
Jun 13 16:11:50 router pluto[899]: |    length: 56
Jun 13 16:11:50 router pluto[899]: |    DOI: ISAKMP_DOI_IPSEC
Jun 13 16:11:50 router pluto[899]: | ***parse ISAKMP Vendor ID Payload:
Jun 13 16:11:50 router pluto[899]: |    next payload type: ISAKMP_NEXT_VID
Jun 13 16:11:50 router pluto[899]: |    length: 20
Jun 13 16:11:50 router pluto[899]: | ***parse ISAKMP Vendor ID Payload:
Jun 13 16:11:50 router pluto[899]: |    next payload type: ISAKMP_NEXT_NONE
Jun 13 16:11:50 router pluto[899]: |    length: 20
Jun 13 16:11:50 router pluto[899]: packet from xxx.yyy.98.213:610: ignoring Vendor ID payload [0048e2270bea8395ed778d343cc2a076]
Jun 13 16:11:50 router pluto[899]: packet from xxx.yyy.98.213:610: received Vendor ID payload [Dead Peer Detection]
Jun 13 16:11:50 router pluto[899]: | ****parse IPsec DOI SIT:
Jun 13 16:11:50 router pluto[899]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
Jun 13 16:11:50 router pluto[899]: | ****parse ISAKMP Proposal Payload:
Jun 13 16:11:50 router pluto[899]: |    next payload type: ISAKMP_NEXT_NONE
Jun 13 16:11:50 router pluto[899]: |    length: 44
Jun 13 16:11:50 router pluto[899]: |    proposal number: 0
Jun 13 16:11:50 router pluto[899]: |    protocol ID: PROTO_ISAKMP
Jun 13 16:11:50 router pluto[899]: |    SPI size: 0
Jun 13 16:11:50 router pluto[899]: |    number of transforms: 1
Jun 13 16:11:50 router pluto[899]: | *****parse ISAKMP Transform Payload (ISAKMP):
Jun 13 16:11:50 router pluto[899]: |    next payload type: ISAKMP_NEXT_NONE
Jun 13 16:11:50 router pluto[899]: |    length: 36
Jun 13 16:11:50 router pluto[899]: |    transform number: 0
Jun 13 16:11:50 router pluto[899]: |    transform ID: KEY_IKE
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
Jun 13 16:11:50 router pluto[899]: |    length/value: 7
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: |    af+type: OAKLEY_KEY_LENGTH
Jun 13 16:11:50 router pluto[899]: |    length/value: 128
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: |    af+type: OAKLEY_HASH_ALGORITHM
Jun 13 16:11:50 router pluto[899]: |    length/value: 2
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
Jun 13 16:11:50 router pluto[899]: |    length/value: 3
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: |    af+type: OAKLEY_GROUP_DESCRIPTION
Jun 13 16:11:50 router pluto[899]: |    length/value: 5
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: |    af+type: OAKLEY_LIFE_TYPE
Jun 13 16:11:50 router pluto[899]: |    length/value: 1
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: |    af+type: OAKLEY_LIFE_DURATION
Jun 13 16:11:50 router pluto[899]: |    length/value: 900
Jun 13 16:11:50 router pluto[899]: | preparse_isakmp_policy: peer requests PUBKEY authentication
Jun 13 16:11:50 router pluto[899]: packet from xxx.yyy.98.213:610: initial Main Mode message received on uuu.vvv.2.8:500 but no connection has been authorized with policy=PUBKEY


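As an added illustration of what the log above shows (this is not code from the poster or from strongSwan), the following Python script decodes the 124 bytes that pluto dumped and walks the ISAKMP payload chain. It uses the payload, exchange and Oakley attribute numbers from RFC 2408 and RFC 2409; the helper names and the summary functions are my own. The point it makes concrete: the first Main Mode message carries only an SA payload and two Vendor ID payloads, no ID payload, so the responder can only pick a connection by the packet's source address. When that address is a dynamic one the gateway does not know yet, there is nothing to match the PUBKEY policy against, which is exactly the refusal in the last log line.

```python
"""Decode the first Main Mode (IKEv1) message captured in the pluto debug log."""
import struct

# The 124 bytes from the hex dump in the log above (copied verbatim).
MSG1_HEX = """
18 f2 ee 24 6b d2 49 c9 00 00 00 00 00 00 00 00
01 10 02 00 00 00 00 00 00 00 00 7c 0d 00 00 38
00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01
00 00 00 24 00 01 00 00 80 01 00 07 80 0e 00 80
80 02 00 02 80 03 00 03 80 04 00 05 80 0b 00 01
80 0c 03 84 0d 00 00 14 00 48 e2 27 0b ea 83 95
ed 77 8d 34 3c c2 a0 76 00 00 00 14 af ca d7 13
68 a1 f1 c9 6b 86 96 fc 77 57 01 00
"""
MSG1 = bytes.fromhex("".join(MSG1_HEX.split()))

# Numbers from RFC 2408 (ISAKMP) and RFC 2409 (IKE), names as pluto prints them.
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE_NAMES = {2: "IDPROT (Main Mode)", 4: "AGGRESSIVE", 5: "INFORMATIONAL", 32: "QUICK"}
ATTR_NAMES = {1: "ENCRYPTION_ALGORITHM", 2: "HASH_ALGORITHM", 3: "AUTHENTICATION_METHOD",
              4: "GROUP_DESCRIPTION", 11: "LIFE_TYPE", 12: "LIFE_DURATION", 14: "KEY_LENGTH"}
AUTH_METHODS = {1: "PSK", 2: "DSS_SIG", 3: "RSA_SIG"}   # 3 is what pluto calls PUBKEY


def parse_header(data):
    """Fixed 28-byte ISAKMP header (RFC 2408 section 3.1)."""
    icookie, rcookie, nxt, version, exchange, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    return {"initiator_cookie": icookie, "responder_cookie": rcookie, "next_payload": nxt,
            "version": (version >> 4, version & 0xF), "exchange": exchange,
            "flags": flags, "message_id": msg_id, "length": length}


def parse_oakley_attributes(data):
    """Transform attributes: TV form when bit 15 of the type is set, else TLV."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        af_type, val = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if af_type & 0x8000:                      # TV: the 2-byte field is the value
            value = val
        else:                                     # TLV: the field is a length
            value = int.from_bytes(data[off:off + val], "big")
            off += val
        attrs[ATTR_NAMES.get(af_type & 0x7FFF, af_type & 0x7FFF)] = value
    return attrs


def parse_sa(body):
    """SA payload body: DOI, situation, then proposal/transform payloads."""
    doi, sit = struct.unpack("!II", body[:8])
    proposals, off = [], 8
    while off < len(body):
        _, _, p_len, p_num, proto, spi_size, n_trans = struct.unpack("!BBHBBBB", body[off:off + 8])
        t_off, transforms = off + 8 + spi_size, []
        for _ in range(n_trans):
            _, _, t_len, t_num, t_id, _ = struct.unpack("!BBHBBH", body[t_off:t_off + 8])
            transforms.append({"number": t_num, "id": t_id,
                               "attributes": parse_oakley_attributes(body[t_off + 8:t_off + t_len])})
            t_off += t_len
        proposals.append({"number": p_num, "protocol": proto, "transforms": transforms})
        off += p_len
    return {"doi": doi, "situation": sit, "proposals": proposals}


def parse_message(data):
    """Follow the next-payload chain from the header; reject inconsistent lengths."""
    hdr = parse_header(data)
    if hdr["length"] != len(data):
        raise ValueError("header length %d != %d bytes received" % (hdr["length"], len(data)))
    payloads, ptype, off = [], hdr["next_payload"], 28
    while ptype != 0:
        nxt, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = data[off + 4:off + plen]
        entry = {"type": ptype, "name": PAYLOAD_NAMES.get(ptype, str(ptype)), "length": plen}
        if ptype == 1:
            entry["sa"] = parse_sa(body)
        elif ptype == 13:
            entry["vendor_id"] = body.hex()
        payloads.append(entry)
        ptype, off = nxt, off + plen
    return {"header": hdr, "payloads": payloads}


def carries_peer_identity(msg):
    """True only if an ID payload is present; Main Mode message 1 never has one."""
    return any(p["type"] == 5 for p in msg["payloads"])


def proposed_auth_method(msg):
    """Authentication method the initiator proposes in its first transform, if any."""
    for p in msg["payloads"]:
        if p["type"] == 1:
            for prop in p["sa"]["proposals"]:
                for t in prop["transforms"]:
                    m = t["attributes"].get("AUTHENTICATION_METHOD")
                    if m is not None:
                        return AUTH_METHODS.get(m, m)
    return None


if __name__ == "__main__":
    msg = parse_message(MSG1)
    print("exchange:", EXCHANGE_NAMES.get(msg["header"]["exchange"], msg["header"]["exchange"]))
    print("payloads:", [p["name"] for p in msg["payloads"]])
    print("proposed auth:", proposed_auth_method(msg))
    print("peer identity in message 1:", carries_peer_identity(msg))
```

Running it prints the payload chain SA, VID, VID with authentication method RSA_SIG (pluto's PUBKEY) and no identity. The practical consequence for the setup described in the mail is that the responder's only handle on this peer at message 1 is the source IP, so a connection that matches the peer by address stops matching as soon as the DynDNS address changes.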



