[strongSwan] (no subject)
pdaum at gmx.de
Mon Jun 14 22:20:29 CEST 2010
I am experiencing a problem connecting a Funkwerk EC VPN25 router (VPN Access 25 version V.7.4 Rev. 1 (Patch 11)) with a StrongSwan (Linux strongSwan U4.3.2/K2.6.32-22-generic) gateway.
The (StrongSwan) gateway "S" has a fixed IP address, the router "R" has a dynamic one, provided by DynDNS. After an "ipsec update" has been issued on S, S has the current address of R and the establishment of a VPN connection works in both directions, i.e. S as well as R can bring up a connection.
If the IP address of R changes (e.g. after re-establishment of the connection), S does not become aware of the new address. Accordingly, S cannot initiate a connection, as expected. However, R can still connect to S, as the IP address of the latter has not changed. Unfortunately, R's connection request is refused by S with the error message "no connection has been authorized with policy=PUBKEY" (full log below). It seems that the first packet from R does not give any indication of R's identity and is subsequently refused by S.
The strange thing is that I have 2 other locations with Funkwerk routers (same config, same software version, albeit another model) where the scenario described above works perfectly.
I am now looking for a reason. As the two working locations are connected through another ISP (Colt), I am wondering if there is something special about the internet connection at the troubled location (green.ch). Could a too small MTU cause problems? Also, R is not directly connected to the internet, with a Zyxel ADSL modem in between (as a bridge).
Any ideas on how to analyse (and eventually solve) the problem are appreciated.
Best regards
Peter
Log of failed connection attempt (S):
Jun 13 16:11:50 router pluto[899]: |
Jun 13 16:11:50 router pluto[899]: | *received 124 bytes from xxx.yyy.98.213:610 on eth0:1
Jun 13 16:11:50 router pluto[899]: | 18 f2 ee 24 6b d2 49 c9 00 00 00 00 00 00 00 00
Jun 13 16:11:50 router pluto[899]: | 01 10 02 00 00 00 00 00 00 00 00 7c 0d 00 00 38
Jun 13 16:11:50 router pluto[899]: | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01
Jun 13 16:11:50 router pluto[899]: | 00 00 00 24 00 01 00 00 80 01 00 07 80 0e 00 80
Jun 13 16:11:50 router pluto[899]: | 80 02 00 02 80 03 00 03 80 04 00 05 80 0b 00 01
Jun 13 16:11:50 router pluto[899]: | 80 0c 03 84 0d 00 00 14 00 48 e2 27 0b ea 83 95
Jun 13 16:11:50 router pluto[899]: | ed 77 8d 34 3c c2 a0 76 00 00 00 14 af ca d7 13
Jun 13 16:11:50 router pluto[899]: | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Jun 13 16:11:50 router pluto[899]: | **parse ISAKMP Message:
Jun 13 16:11:50 router pluto[899]: | initiator cookie:
Jun 13 16:11:50 router pluto[899]: | 18 f2 ee 24 6b d2 49 c9
Jun 13 16:11:50 router pluto[899]: | responder cookie:
Jun 13 16:11:50 router pluto[899]: | 00 00 00 00 00 00 00 00
Jun 13 16:11:50 router pluto[899]: | next payload type: ISAKMP_NEXT_SA
Jun 13 16:11:50 router pluto[899]: | ISAKMP version: ISAKMP Version 1.0
Jun 13 16:11:50 router pluto[899]: | exchange type: ISAKMP_XCHG_IDPROT
Jun 13 16:11:50 router pluto[899]: | flags: none
Jun 13 16:11:50 router pluto[899]: | message ID: 00 00 00 00
Jun 13 16:11:50 router pluto[899]: | length: 124
Jun 13 16:11:50 router pluto[899]: | ***parse ISAKMP Security Association Payload:
Jun 13 16:11:50 router pluto[899]: | next payload type: ISAKMP_NEXT_VID
Jun 13 16:11:50 router pluto[899]: | length: 56
Jun 13 16:11:50 router pluto[899]: | DOI: ISAKMP_DOI_IPSEC
Jun 13 16:11:50 router pluto[899]: | ***parse ISAKMP Vendor ID Payload:
Jun 13 16:11:50 router pluto[899]: | next payload type: ISAKMP_NEXT_VID
Jun 13 16:11:50 router pluto[899]: | length: 20
Jun 13 16:11:50 router pluto[899]: | ***parse ISAKMP Vendor ID Payload:
Jun 13 16:11:50 router pluto[899]: | next payload type: ISAKMP_NEXT_NONE
Jun 13 16:11:50 router pluto[899]: | length: 20
Jun 13 16:11:50 router pluto[899]: packet from xxx.yyy.98.213:610: ignoring Vendor ID payload [0048e2270bea8395ed778d343cc2a076]
Jun 13 16:11:50 router pluto[899]: packet from xxx.yyy.98.213:610: received Vendor ID payload [Dead Peer Detection]
Jun 13 16:11:50 router pluto[899]: | ****parse IPsec DOI SIT:
Jun 13 16:11:50 router pluto[899]: | IPsec DOI SIT: SIT_IDENTITY_ONLY
Jun 13 16:11:50 router pluto[899]: | ****parse ISAKMP Proposal Payload:
Jun 13 16:11:50 router pluto[899]: | next payload type: ISAKMP_NEXT_NONE
Jun 13 16:11:50 router pluto[899]: | length: 44
Jun 13 16:11:50 router pluto[899]: | proposal number: 0
Jun 13 16:11:50 router pluto[899]: | protocol ID: PROTO_ISAKMP
Jun 13 16:11:50 router pluto[899]: | SPI size: 0
Jun 13 16:11:50 router pluto[899]: | number of transforms: 1
Jun 13 16:11:50 router pluto[899]: | *****parse ISAKMP Transform Payload (ISAKMP):
Jun 13 16:11:50 router pluto[899]: | next payload type: ISAKMP_NEXT_NONE
Jun 13 16:11:50 router pluto[899]: | length: 36
Jun 13 16:11:50 router pluto[899]: | transform number: 0
Jun 13 16:11:50 router pluto[899]: | transform ID: KEY_IKE
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM
Jun 13 16:11:50 router pluto[899]: | length/value: 7
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: | af+type: OAKLEY_KEY_LENGTH
Jun 13 16:11:50 router pluto[899]: | length/value: 128
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: | af+type: OAKLEY_HASH_ALGORITHM
Jun 13 16:11:50 router pluto[899]: | length/value: 2
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: | af+type: OAKLEY_AUTHENTICATION_METHOD
Jun 13 16:11:50 router pluto[899]: | length/value: 3
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: | af+type: OAKLEY_GROUP_DESCRIPTION
Jun 13 16:11:50 router pluto[899]: | length/value: 5
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: | af+type: OAKLEY_LIFE_TYPE
Jun 13 16:11:50 router pluto[899]: | length/value: 1
Jun 13 16:11:50 router pluto[899]: | ******parse ISAKMP Oakley attribute:
Jun 13 16:11:50 router pluto[899]: | af+type: OAKLEY_LIFE_DURATION
Jun 13 16:11:50 router pluto[899]: | length/value: 900
Jun 13 16:11:50 router pluto[899]: | preparse_isakmp_policy: peer requests PUBKEY authentication
Jun 13 16:11:50 router pluto[899]: packet from xxx.yyy.98.213:610: initial Main Mode message received on uuu.vvv.2.8:500 but no connection has been authorized with policy=PUBKEY
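Added example (not part of the original post, and not strongSwan code): a small Python walker over the 124-byte Main Mode message 1 that pluto dumped above, reconstructed from the hex lines in the log. It follows the ISAKMP next-payload chain and decodes the Oakley attributes of the single transform, which makes the poster's observation concrete: message 1 carries only an SA payload and two Vendor ID payloads, and no ID payload at all. In IKEv1 Main Mode the identity payloads travel encrypted in messages 5 and 6, so when pluto sees message 1 it can only select a candidate connection from the source address and the proposed policy (here authentication method 3, RSA signatures, which pluto reports as PUBKEY); if no connection matches that address, the exchange is refused before the identity is ever sent. The payload and attribute name tables are the standard RFC 2408/2409 values and are assumptions of this example, not taken from the log.

```python
"""Walk IKEv1 Main Mode message 1 and report which payloads it carries."""
import struct

# Constructed input: the 124-byte dump from the pluto log above.
MM1_HEX = """
18 f2 ee 24 6b d2 49 c9 00 00 00 00 00 00 00 00
01 10 02 00 00 00 00 00 00 00 00 7c 0d 00 00 38
00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01
00 00 00 24 00 01 00 00 80 01 00 07 80 0e 00 80
80 02 00 02 80 03 00 03 80 04 00 05 80 0b 00 01
80 0c 03 84 0d 00 00 14 00 48 e2 27 0b ea 83 95
ed 77 8d 34 3c c2 a0 76 00 00 00 14 af ca d7 13
68 a1 f1 c9 6b 86 96 fc 77 57 01 00
"""
MM1 = bytes.fromhex(MM1_HEX)

# Name tables (RFC 2408 / RFC 2409 values; assumed here, not from the log).
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE_NAMES = {2: "IDPROT (Main Mode)", 4: "AGGR (Aggressive Mode)", 5: "INFO", 32: "QUICK"}
AUTH_METHODS = {1: "pre-shared key", 2: "DSS signatures", 3: "RSA signatures",
                4: "RSA encryption", 5: "revised RSA encryption"}
ATTR_NAMES = {1: "ENCRYPTION_ALGORITHM", 2: "HASH_ALGORITHM", 3: "AUTHENTICATION_METHOD",
              4: "GROUP_DESCRIPTION", 11: "LIFE_TYPE", 12: "LIFE_DURATION", 14: "KEY_LENGTH"}

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # 28-byte fixed header

def parse_header(msg):
    """Decode the fixed ISAKMP header and sanity-check the length field."""
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack(msg[:28])
    if length != len(msg):
        raise ValueError("header length %d != %d bytes on the wire" % (length, len(msg)))
    return {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "next_payload": nxt,
            "version": (ver >> 4, ver & 0xF), "exchange": xchg, "flags": flags,
            "message_id": msgid, "length": length}

def walk_payloads(msg):
    """Follow the next-payload chain; return (type, offset, length) per payload."""
    ptype, off, out = parse_header(msg)["next_payload"], 28, []
    while ptype != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload chain at offset %d" % off)
        nxt, _res, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        out.append((ptype, off, plen))
        ptype, off = nxt, off + plen
    return out

def parse_oakley_attrs(msg, sa_off):
    """Decode the attributes of the first transform of the first proposal."""
    poff = sa_off + 12                      # generic hdr (4) + DOI (4) + SIT (4)
    _n, _r, _plen, _pnum, _proto, spi_size, _ntrans = struct.unpack("!BBHBBBB", msg[poff:poff + 8])
    toff = poff + 8 + spi_size
    _n, _r, tlen, _tnum, _tid, _r2 = struct.unpack("!BBHBBH", msg[toff:toff + 8])
    attrs, aoff, end = {}, toff + 8, toff + tlen
    while aoff + 4 <= end:
        af_type, = struct.unpack("!H", msg[aoff:aoff + 2])
        atype = af_type & 0x7FFF
        if af_type & 0x8000:                # TV form: 2-byte value follows
            val, = struct.unpack("!H", msg[aoff + 2:aoff + 4])
            aoff += 4
        else:                               # TLV form: length, then value
            alen, = struct.unpack("!H", msg[aoff + 2:aoff + 4])
            val = int.from_bytes(msg[aoff + 4:aoff + 4 + alen], "big")
            aoff += 4 + alen
        attrs[ATTR_NAMES.get(atype, atype)] = val
    return attrs

def explain(msg):
    """Summarise what a responder can learn from this message alone."""
    hdr = parse_header(msg)
    payloads = walk_payloads(msg)
    types = [t for t, _o, _l in payloads]
    sa = next((p for p in payloads if p[0] == 1), None)
    attrs = parse_oakley_attrs(msg, sa[1]) if sa else {}
    return {
        "exchange": EXCHANGE_NAMES.get(hdr["exchange"], hdr["exchange"]),
        "payloads": [PAYLOAD_NAMES.get(t, t) for t in types],
        "vendor_ids": [msg[o + 4:o + l].hex() for t, o, l in payloads if t == 13],
        "auth_method": AUTH_METHODS.get(attrs.get("AUTHENTICATION_METHOD")),
        "has_identity": 5 in types,         # ID payload present?
        "attrs": attrs,
    }

if __name__ == "__main__":
    for k, v in explain(MM1).items():
        print("%-13s %s" % (k, v))
```

Running it on the dump shows exchange IDPROT, payloads SA/VID/VID, has_identity False and auth_method "RSA signatures"; the first vendor ID is the one pluto logged as unknown and the second is the Dead Peer Detection one. The practical consequence for the scenario in the post is that a responder expecting a peer on a dynamic address has to accept message 1 from an address it does not know yet and defer identity matching to message 5, rather than rely on the address recorded by the last "ipsec update".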