[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)

Enrico Brunetta enrico at bitproductions.com
Thu Sep 18 14:57:02 EEST 2014


I found out the error in the conf that was causing this:

> Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: initial Main Mode message received on 172.31.48.104:500 but no connection has been authorized with policy=RSASIG+XAUTH

It was this line:

>   left=172.31.28.183

This IP was coming from a different box: my IP should have been 172.31.48.104.

Now it looks like the connection is found but it fails differently:

Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Starting Pluto (Libreswan Version 3.10 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:2054
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: core dump dir: /var/run/pluto/
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: secrets file: /etc/ipsec.secrets
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: leak-detective disabled
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: SAref support [disabled]: Protocol not available
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: SAbind support [disabled]: Protocol not available
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: NSS crypto [enabled]
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: XAUTH PAM support [enabled]
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]:    NAT-Traversal support  [enabled]
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: no crypto helpers will be started; all cryptographic operations will be done inline
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Using Linux XFRM/NETKEY IPsec interface code on 3.13.0-35-generic
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Warning: failed to register algo_aes_ccm_8 for IKE
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_enc(): Activating aes_ccm_12: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Warning: failed to register algo_aes_ccm_12 for IKE
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_enc(): Activating aes_ccm_16: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Warning: failed to register algo_aes_ccm_16 for IKE
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_enc(): Activating aes_gcm_8: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Warning: failed to register algo_aes_gcm_8 for IKE
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_enc(): Activating aes_gcm_12: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Warning: failed to register algo_aes_gcm_12 for IKE
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: ike_alg_register_enc(): Activating aes_gcm_16: Ok (ret=0)
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Warning: failed to register algo_aes_gcm_16 for IKE
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: added connection description "xauth-rsa"
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: listening for IKE messages
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: adding interface eth0/eth0 172.31.48.104:500
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: adding interface eth0/eth0 172.31.48.104:4500
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: adding interface lo/lo 127.0.0.1:500
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: adding interface lo/lo 127.0.0.1:4500
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: loading secrets from "/etc/ipsec.secrets"
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: loaded private key for keyid: PPK_RSA:AwEAAdS9l
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [RFC 3947]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [XAUTH]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [Cisco-Unity]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [FRAGMENTATION 80000000]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [Dead Peer Detection]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: responding to Main Mode from unknown peer 70.117.100.63
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 18 11:54:17 ip-172-31-48-104 pluto[2054]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 70.117.100.63 port 500, complainant 70.117.100.63: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Sep 18 11:54:26 ip-172-31-48-104 pluto[2054]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 70.117.100.63 port 500, complainant 70.117.100.63: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Sep 18 11:54:46 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Sep 18 11:54:46 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63: deleting connection "xauth-rsa" instance with peer 70.117.100.63 {isakmp=#0/ipsec=#0}
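The two failures in this thread are easy to spot by hand once but tedious across a day of syslog: the Sep 17 "no connection has been authorized with policy=..." line means pluto matched the packet's destination address against every conn's left= and found none (here because left= named another box's address), and the Sep 18 run gets through Main Mode to MR2 and then only sees ICMP type 3 code 3 (port unreachable) from the peer before retransmissions run out. The script below is an added triage helper written for this post, not code from the thread or from the Libreswan project; it parses pluto lines and reports those two symptoms. The log text embedded in it is constructed from the lines quoted above, and the configured_left argument stands in for the left= value you would read out of ipsec.conf.

```python
"""Triage helper for libreswan pluto logs (added example, not from the thread).

Symptoms it recognises:
  1. "initial Main Mode message received on X but no connection has been
     authorized with policy=..."  -> compare X with the conn's left= value and
     with the addresses pluto actually bound ("adding interface ...").
  2. ICMP type 3 code 3 (port unreachable) error reports from the peer followed
     by "max number of retransmissions (N) reached STATE_..."  -> the peer
     stopped listening on UDP/500 while the exchange was still in flight.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample, assembled from the Sep 17 and Sep 18 lines quoted in the thread.
SAMPLE_LOG = """\
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: initial Main Mode message received on 172.31.48.104:500 but no connection has been authorized with policy=RSASIG+XAUTH
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: added connection description "xauth-rsa"
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: adding interface eth0/eth0 172.31.48.104:500
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: adding interface eth0/eth0 172.31.48.104:4500
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: adding interface lo/lo 127.0.0.1:500
Sep 18 11:53:59 ip-172-31-48-104 pluto[2054]: adding interface lo/lo 127.0.0.1:4500
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 18 11:54:17 ip-172-31-48-104 pluto[2054]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 70.117.100.63 port 500, complainant 70.117.100.63: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Sep 18 11:54:26 ip-172-31-48-104 pluto[2054]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 70.117.100.63 port 500, complainant 70.117.100.63: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Sep 18 11:54:46 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: max number of retransmissions (2) reached STATE_MAIN_R2
"""

PLUTO_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: (?P<msg>.*)$")
NO_CONN_RE = re.compile(
    r"packet from (?P<peer>[\d.]+):\d+: initial Main Mode message received on "
    r"(?P<local>[\d.]+):\d+ but no connection has been authorized with policy=(?P<policy>\S+)"
)
IFACE_RE = re.compile(r"adding interface \S+ (?P<addr>[\d.]+):(?P<port>\d+)")
ICMP_RE = re.compile(
    r"asynchronous network error report on (?P<iface>\S+) .* for message to "
    r"(?P<peer>[\d.]+) port (?P<port>\d+).*ICMP type (?P<type>\d+) code (?P<code>\d+)"
)
RETRANS_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #\d+: max number of retransmissions '
    r"\((?P<n>\d+)\) reached (?P<state>\S+)"
)


def parse_pluto(log_text: str) -> Dict[str, list]:
    """Pull the events the triage needs out of raw syslog text; other daemons' lines are skipped."""
    out = {"listen": [], "unauthorized": [], "icmp": [], "retransmit": []}
    for raw in log_text.splitlines():
        m = PLUTO_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if (e := NO_CONN_RE.search(msg)):
            out["unauthorized"].append(e.groupdict())
        elif (e := IFACE_RE.search(msg)):
            out["listen"].append((e.group("addr"), int(e.group("port"))))
        elif (e := ICMP_RE.search(msg)):
            ev = e.groupdict()
            out["icmp"].append({k: (int(v) if k in ("port", "type", "code") else v) for k, v in ev.items()})
        elif (e := RETRANS_RE.search(msg)):
            out["retransmit"].append(e.groupdict())
    return out


def diagnose(parsed: Dict[str, list], configured_left: str) -> List[str]:
    """Return finding strings. configured_left is the conn's left= value (hypothetical input read from ipsec.conf)."""
    findings = []
    listen_addrs = {addr for addr, _ in parsed["listen"]}
    for ev in parsed["unauthorized"]:
        # pluto looks for a conn whose left= equals the address the packet arrived on;
        # a left= that names some other host's address can never match.
        if ev["local"] != configured_left:
            findings.append(f"LEFT_MISMATCH local={ev['local']} left={configured_left} policy={ev['policy']}")
    if listen_addrs and configured_left not in listen_addrs:
        findings.append(f"LEFT_NOT_LISTENING left={configured_left} listening={sorted(listen_addrs)}")
    # ICMP type 3 code 3 is port unreachable: nothing on the peer is bound to UDP/500 any more.
    refused = Counter(ev["peer"] for ev in parsed["icmp"] if ev["type"] == 3 and ev["code"] == 3)
    for ev in parsed["retransmit"]:
        n = refused.get(ev["peer"], 0)
        if n:
            findings.append(f"PEER_PORT_UNREACHABLE conn={ev['conn']} peer={ev['peer']} state={ev['state']} icmp={n}")
        else:
            findings.append(f"PEER_SILENT conn={ev['conn']} peer={ev['peer']} state={ev['state']}")
    return findings


if __name__ == "__main__":
    parsed = parse_pluto(SAMPLE_LOG)
    for line in diagnose(parsed, "172.31.28.183"):  # the wrong left= from the thread
        print(line)
```

Run against the real journal with `journalctl -u ipsec | python3 triage.py` style plumbing of your choice; the useful distinction is PEER_PORT_UNREACHABLE versus PEER_SILENT. The former, as in the Sep 18 log, says the road-warrior client closed its IKE socket after MR2 (it gave up or errored on its side) rather than a NAT or firewall eating the packets, so the next place to look is the client's own log, not the server's policy.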