> Hello, I tried to connect 2 networks, both running DCD and IPSEC 1.91. One
> network is 192.168.3.x and the other is 192.168.9.x. After some efforts, I
> made both IPSEC start up without error.
>
> Now pinging from 192.168.9 to 192.168.3 does not work. When I have a look at
> /var/log/auth.log, I see all messages with pattern like:
>
> ---
> Apr 21 07:06:29 router Pluto[1575]: "Bin" #402: starting keying attempt 201
> of an unlimited number
> Apr 21 07:06:29 router Pluto[1575]: "Bin" #404: initiating Main Mode
> Apr 21 07:06:39 router Pluto[1575]: "Bin" #404: discarding duplicate packet;
> already STATE_MAIN_I3
> Apr 21 07:06:43 router Pluto[1575]: "Bin" #405: responding to Main Mode
> Apr 21 07:06:43 router Pluto[1575]: "Bin" #403: max number of
> retransmissions (2) reached STATE_MAIN_R2
> Apr 21 07:06:44 router Pluto[1575]: "Bin" #405: no suitable connection for
> peer '@subnet9.btsoft.net'
> Apr 21 07:06:54 router Pluto[1575]: "Bin" #405: no suitable connection for
> peer '@subnet9.btsoft.net'
> Apr 21 07:06:59 router Pluto[1575]: "Bin" #404: discarding duplicate packet;
> already STATE_MAIN_I3
> Apr 21 07:07:14 router Pluto[1575]: "Bin" #405: no suitable connection for
> peer '@subnet9.btsoft.net'
> Apr 21 07:07:39 router Pluto[1575]: "Bin" #404: max number of
> retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure:
> no acceptable response to our first encrypted message
> ---
>
> What can be a reason?

This looks like a configuration file problem.  The "no suitable connection
for peer" error generally indicates there's a problem with your
configuration file, so FreeS/WAN doesn't think it knows how to talk to the
far end.  This could be caused by a bad public RSA key...see below.

> Is that maybe something wrong with the key? The way I enter the key is:
>
> -  I generated the key using "ipsec rsasigkey --verbose 512 > mykey". Then I
> insert the file mykey into ipsec.secrets between the lines
> : RSA   {
>         # -- Create your own RSA key with "ipsec rsasigkey"
>        ####   HERE the file mykey went  <<<<-----------------
>   }
>  # do not change the indenting of that "}"

This sounds fine...

> then I copy the part after line Modulus: 0x5652...
>
> and put it in line leftrsasigkey (similar for rightrsasigkey with the other
> key) in ipsec.conf, so e.g.
>
> leftrsasigkey=0x5652...
>
> Is that OK or not?

This is *NOT* correct.  The Modulus is *NOT* the public portion of the key.
The part you want should be the line above this.  When I run ipsec
rsasigkey, I get a commented line (ie: #pubkey=0s12345...).  The very large
number after "pubkey=" is what you put in the IPSec configuration file.
NOTE:  Earlier versions of FreeS/WAN used hex encoding (0x1234...) rather
than the more compact "0s" format...both numbers are identical to
FreeS/WAN, they just differ in format (ie the difference between 255 and
0xFF).

> - Do I have to use "leftfirewall=yes" or not?  From the archive and Charles'
> example, I do not see that, so I do not use this line.

You either need [left|right]firewall=yes, or you need to explicitly allow
UDP port 500 and IP protocol 50/51 traffic to/from the machine at the other
end of the VPN.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
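
The pubkey-versus-Modulus mix-up discussed above, as an added example that is not part of the thread or of FreeS/WAN itself: the value behind `#pubkey=` is the RFC 2537 public-key blob (exponent length, exponent, modulus) spelled as `0s`-prefixed base64, which is why the bare `Modulus:` is not the same thing, and why the same blob spelled `0x`-prefixed hex is accepted identically. The `ipsec rsasigkey` output, the toy 128-bit numbers and the `audit_rsasigkey_value` check are constructed here for illustration.

```python
import base64
import re

# Constructed toy values, NOT a real key; real rsasigkey output carries far larger numbers.
TOY_EXPONENT, TOY_MODULUS_HEX = 3, "c3a5f1e28d7b4c60912e3f5a7d8b9c01"

def rfc2537_blob(exponent: int, modulus: int) -> bytes:
    # The blob behind '#pubkey=' is RFC 2537 layout: one-byte exponent length, exponent, modulus.
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return bytes([len(e)]) + e + n  # toy encoder: handles exponents up to 255 bytes only

def parse_rfc2537(blob: bytes) -> tuple:
    elen = blob[0]  # inverse of rfc2537_blob: recover (exponent, modulus)
    if elen == 0 or 1 + elen >= len(blob):
        raise ValueError("not an RFC 2537 public key blob")
    return int.from_bytes(blob[1:1 + elen], "big"), int.from_bytes(blob[1 + elen:], "big")

def ttodata(value: str) -> bytes:
    # FreeS/WAN reads the same bytes spelled either as 0x<hex> or as the compact 0s<base64>.
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    if value.startswith("0s"):
        return base64.b64decode(value[2:], validate=True)
    raise ValueError("expected a 0x- or 0s-prefixed value")

# Constructed stand-in for `ipsec rsasigkey` output: same line shapes, toy numbers.
TOY_BLOB = rfc2537_blob(TOY_EXPONENT, int(TOY_MODULUS_HEX, 16))
RSASIGKEY_OUTPUT = f"""\
	#pubkey=0s{base64.b64encode(TOY_BLOB).decode()}
	Modulus: 0x{TOY_MODULUS_HEX}
	PublicExponent: 0x03
"""

def pubkey_from_rsasigkey(output: str) -> str:
    # The value after '#pubkey=' is what belongs in leftrsasigkey / rightrsasigkey.
    m = re.search(r"^\s*#pubkey=(\S+)", output, re.M)
    if not m:
        raise ValueError("no #pubkey= line in rsasigkey output")
    return m.group(1)

def audit_rsasigkey_value(conf_value: str, output: str) -> str:
    # Classify a [left|right]rsasigkey value against the rsasigkey output it should come from.
    expected = ttodata(pubkey_from_rsasigkey(output))
    mod = re.search(r"^\s*Modulus:\s*(0x\S+)", output, re.M)
    if ttodata(conf_value) == expected:
        return "ok"  # identical bytes, whether spelled 0x... or 0s...
    if mod and ttodata(conf_value) == ttodata(mod.group(1)):
        return "modulus-only"  # the mistake in the thread: bare Modulus, no exponent
    return "mismatch"
```

Run `audit_rsasigkey_value` on the value currently in ipsec.conf together with the saved rsasigkey output; "modulus-only" is exactly the symptom described in this thread.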


_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user