> Hello, I tried to connect 2 networks, both running DCD and IPSEC 1.91. One
> network is 192.168.3.x and the other is 192.168.9.x. After some efforts, I
> made both IPSEC start up without error.
>
> Now pinging from 192.168.9 to 192.168.3 does not work. When I have a look at
> /var/log/auth.log, I see all messages with pattern like:
>
> ---
> Apr 21 07:06:29 router Pluto[1575]: "Bin" #402: starting keying attempt 201 of an unlimited number
> Apr 21 07:06:29 router Pluto[1575]: "Bin" #404: initiating Main Mode
> Apr 21 07:06:39 router Pluto[1575]: "Bin" #404: discarding duplicate packet; already STATE_MAIN_I3
> Apr 21 07:06:43 router Pluto[1575]: "Bin" #405: responding to Main Mode
> Apr 21 07:06:43 router Pluto[1575]: "Bin" #403: max number of retransmissions (2) reached STATE_MAIN_R2
> Apr 21 07:06:44 router Pluto[1575]: "Bin" #405: no suitable connection for peer '@subnet9.btsoft.net'
> Apr 21 07:06:54 router Pluto[1575]: "Bin" #405: no suitable connection for peer '@subnet9.btsoft.net'
> Apr 21 07:06:59 router Pluto[1575]: "Bin" #404: discarding duplicate packet; already STATE_MAIN_I3
> Apr 21 07:07:14 router Pluto[1575]: "Bin" #405: no suitable connection for peer '@subnet9.btsoft.net'
> Apr 21 07:07:39 router Pluto[1575]: "Bin" #404: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
> ---
>
> What can be a reason?
This looks like a configuration file problem. The "no suitable connection for
peer" error generally indicates there's a problem with your configuration file,
so FreeS/WAN doesn't think it knows how to talk to the far end. This could be
caused by a bad public RSA key...see below.

> Is there maybe something wrong with the key? The way I enter the key is:
>
> - I generated the key using "ipsec rsasigkey --verbose 512 > mykey". Then I
>   insert the file mykey into ipsec.secrets between the lines
>
>   : RSA {
>       # -- Create your own RSA key with "ipsec rsasigkey"
>       #### HERE the file mykey went <<<<-----------------
>       }
>       # do not change the indenting of that "}"

This sounds fine...

> then I copy the part after line Modulus: 0x5652...
>
> and put it in line leftrsasigkey (similar for rightrsasigkey with the other
> key) in ipsec.conf, so e.g
>
> leftrsasigkey=0x5652...
>
> Is that OK or not?

This is *NOT* correct. The Modulus is *NOT* the public portion of the key.
The part you want should be the line above this. When I run ipsec rsasigkey,
I get a commented line (ie: #pubkey=0s12345...). The very large number after
"pubkey=" is what you put in the IPSec configuration file.

NOTE: Earlier versions of FreeS/WAN used hex encoding (0x1234...) rather than
the more compact "0s" format...both numbers are identical to FreeS/WAN, they
just differ in format (ie the difference between 255 and 0xFF).

> - Do I have to use "leftfirewall=yes" or not? From the archive and Charles'
>   example, I do not see that, so I do not use this line.

You either need [left|right]firewall=yes, or you need to explicitly allow UDP
port 500 and IP protocol 50/51 traffic to/from the machine at the other end of
the VPN.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
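The Pluto messages quoted at the top of the thread can be triaged mechanically. The script below is an added example, not code from the thread or from FreeS/WAN: it parses the syslog/Pluto line layout seen in the excerpt, maps each message to the diagnosis Charles gives in his reply ("no suitable connection for peer" means no conn matches the far end, the STATE_MAIN_I3 retransmit timeout with "Possible authentication failure" points at the key, a plain retransmit timeout points at the firewall) and summarises per symptom. The sample log is the excerpt from the thread, re-joined one entry per line; the symptom names and hints are the example's own.

```python
import re
from collections import Counter

# Constructed sample: the Pluto lines quoted in this thread, re-joined one
# entry per line as they appear in /var/log/auth.log.
SAMPLE_LOG = """\
Apr 21 07:06:29 router Pluto[1575]: "Bin" #402: starting keying attempt 201 of an unlimited number
Apr 21 07:06:29 router Pluto[1575]: "Bin" #404: initiating Main Mode
Apr 21 07:06:39 router Pluto[1575]: "Bin" #404: discarding duplicate packet; already STATE_MAIN_I3
Apr 21 07:06:43 router Pluto[1575]: "Bin" #405: responding to Main Mode
Apr 21 07:06:43 router Pluto[1575]: "Bin" #403: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 21 07:06:44 router Pluto[1575]: "Bin" #405: no suitable connection for peer '@subnet9.btsoft.net'
Apr 21 07:06:54 router Pluto[1575]: "Bin" #405: no suitable connection for peer '@subnet9.btsoft.net'
Apr 21 07:06:59 router Pluto[1575]: "Bin" #404: discarding duplicate packet; already STATE_MAIN_I3
Apr 21 07:07:14 router Pluto[1575]: "Bin" #405: no suitable connection for peer '@subnet9.btsoft.net'
Apr 21 07:07:39 router Pluto[1575]: "Bin" #404: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# syslog prefix followed by Pluto's '"conn" #state: message' layout
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) Pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')

# (regex, symptom name, what to check). Order matters: the specific
# retransmission message is tested before the generic one.
SYMPTOMS = [
    (r"no suitable connection for peer '(?P<peer>[^']+)'", "config_mismatch",
     "no conn in ipsec.conf matches this peer; check the IDs and the rsasigkey lines"),
    (r"max number of retransmissions \(\d+\) reached STATE_MAIN_I3\. Possible authentication failure",
     "auth_failure",
     "peer never accepted our first encrypted message; a wrong public key on one side is the usual cause"),
    (r"max number of retransmissions \(\d+\) reached", "retransmit_timeout",
     "peer stopped answering; make sure UDP/500 and IP protocols 50/51 pass the firewall"),
    (r"discarding duplicate packet", "info", "retransmit from the peer, harmless by itself"),
]
COMPILED = [(re.compile(p), sym, hint) for p, sym, hint in SYMPTOMS]


def parse_line(line):
    """Split one auth.log line into fields, or return None if it is not a Pluto line."""
    m = PLUTO_RE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Map a Pluto message to (symptom, hint, peer-or-None)."""
    for rx, sym, hint in COMPILED:
        m = rx.search(msg)
        if m:
            return sym, hint, m.groupdict().get("peer")
    return "other", "", None


def triage(log_text):
    """Summarise a log excerpt: symptom counts, peer IDs that were rejected,
    and the (conn, state) pairs that hit the authentication-failure timeout."""
    counts = Counter()
    rejected_peers = set()
    failed_states = []
    hints = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sym, hint, peer = classify(rec["msg"])
        counts[sym] += 1
        if peer:
            rejected_peers.add(peer)
        if sym == "auth_failure":
            failed_states.append((rec["conn"], int(rec["state"])))
        if hint:
            hints[sym] = hint
    return {"counts": dict(counts), "rejected_peers": sorted(rejected_peers),
            "failed_states": failed_states, "hints": hints}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for sym, n in sorted(report["counts"].items()):
        print("%3d  %-18s %s" % (n, sym, report["hints"].get(sym, "")))
    print("rejected peers:", report["rejected_peers"])
    print("auth-failure states:", report["failed_states"])
```

Run against the excerpt it reports three rejections of the peer ID `@subnet9.btsoft.net` and one authentication-failure timeout on state #404, which is exactly the combination the reply attributes to a bad public key: the responder cannot match the peer to any conn, so the initiator's first encrypted message never gets an acceptable answer.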
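To make the Modulus-versus-pubkey point concrete: the value on the `#pubkey=` line is the whole RSA public key (exponent and modulus packed in the RFC 2537 layout FreeS/WAN uses for rsasigkey values), while the `Modulus:` line is only one component of it, so the two are different numbers. The script below is an added example, not code from the thread or from FreeS/WAN: it takes a constructed rsasigkey-style dump (a deliberately tiny 128-bit toy modulus with exponent 3, not a real key), extracts the `#pubkey=` line rather than the `Modulus:` line, checks that the modulus embedded in the pubkey matches the Modulus line from the same file, and converts between the `0x` hex and `0s` base64 spellings to show they denote the same number.

```python
import base64

# Constructed toy values (NOT a real key, far too small): only the file and
# literal formats are of interest here.
TOY_N = 0xB0E2A9D5C4F37E1A9D8C6B5A4F3E2D1C
TOY_E = 3


def rfc2537_encode(e, n):
    """Pack (e, n) the way the pubkey= line does (RFC 2537 RSA key layout):
    exponent length (1 byte, or 0 followed by 2 bytes), exponent, modulus."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    hdr = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    return hdr + eb + nb


def rfc2537_decode(blob):
    """Inverse of rfc2537_encode: returns (e, n)."""
    if blob[0]:
        elen, off = blob[0], 1
    else:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    return (int.from_bytes(blob[off:off + elen], "big"),
            int.from_bytes(blob[off + elen:], "big"))


def decode_literal(lit):
    """Bytes of a FreeS/WAN numeric literal: 0x... is hex, 0s... is base64."""
    lit = lit.strip()
    if lit.startswith("0x"):
        h = lit[2:]
        return bytes.fromhex("0" + h if len(h) % 2 else h)
    if lit.startswith("0s"):
        return base64.b64decode(lit[2:], validate=True)
    raise ValueError("unknown literal prefix: %r" % lit[:2])


def to_hex_literal(lit):
    """Re-express any literal in the older 0x form (same number, other format)."""
    return "0x" + decode_literal(lit).hex()


def same_number(a, b):
    """True when two literals denote the same integer (255 versus 0xFF)."""
    return int.from_bytes(decode_literal(a), "big") == int.from_bytes(decode_literal(b), "big")


# Constructed sample in the layout `ipsec rsasigkey` prints; secret fields omitted.
SAMPLE_RSASIGKEY = """\
\t# RSA 128 bits   router   Sun Apr 21 07:00:00 2002
\t# for signatures only, UNSAFE FOR ENCRYPTION
\t#pubkey=0s%s
\tModulus: 0x%x
\tPublicExponent: 0x%x
\t# everything after this point is secret
\tPrivateExponent: 0x<omitted in this constructed sample>
""" % (base64.b64encode(rfc2537_encode(TOY_E, TOY_N)).decode(), TOY_N, TOY_E)


def parse_rsasigkey(text):
    """Pick the two public fields out of rsasigkey output."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#pubkey="):
            fields["pubkey"] = line[len("#pubkey="):]
        elif line.startswith("Modulus:"):
            fields["modulus"] = line[len("Modulus:"):].strip()
    return fields


def rsasigkey_line(text, side="left"):
    """Build the ipsec.conf line from the #pubkey= value (never from the
    Modulus: line) after checking the modulus inside it matches the file."""
    f = parse_rsasigkey(text)
    e, n = rfc2537_decode(decode_literal(f["pubkey"]))
    if n != int(f["modulus"], 16):
        raise ValueError("pubkey does not carry the Modulus from the same file")
    return "%srsasigkey=%s" % (side, f["pubkey"])


if __name__ == "__main__":
    f = parse_rsasigkey(SAMPLE_RSASIGKEY)
    print("pubkey line  :", f["pubkey"])
    print("same as hex  :", to_hex_literal(f["pubkey"]))
    print("Modulus line :", f["modulus"], "(not the key:", same_number(f["pubkey"], f["modulus"]), ")")
    print(rsasigkey_line(SAMPLE_RSASIGKEY, "left"))
```

The decoded pubkey begins with the bytes `01 03` (a one-byte exponent of 3) before the modulus, which is why pasting the bare `Modulus:` value into `leftrsasigkey=` produces a key the far end cannot verify against, and why the 1.x-era hex literals and the `0s` base64 literals interchange freely: `decode_literal` turns either spelling into the same bytes.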