
[Users] Pluto error "no suitable connection"

From: bilbogm <bilbogm(at)gmx.de>
Date: Sun Apr 04 2004 - 08:41:20 EDT


Hello!

I've a big prob with dial-in from a DSL-Router to Freeswan

I try to dial in to a FreeSwan 2.05 with x.509 Patch (in this case without certificates but with PSK) from a Draytek Vigor 2600 with Firmware Version 2.5.2_G which can handle IPSec connections

I have found this how-to
http://msgs.securepoint.com/cgi-bin/get/linux-ipsec-0403/13.html which matches my environment nearly. Only some changes in the conf and secret are made.

Here some lines from the syslog:

Apr  2 18:34:23 srv-03-001 ipsec_setup: ...FreeS/WAN IPsec started
Apr  2 18:34:23 srv-03-001 pluto[5806]: Starting Pluto (FreeS/WAN Version 2.05 X.509-1.5.3 PLUTO_USES_KEYRR)
Apr  2 18:34:23 srv-03-001 pluto[5806]: Using KLIPS IPsec interface code
Apr  2 18:34:23 srv-03-001 pluto[5806]: Changing to directory '/etc/ipsec.d/cacerts'
Apr  2 18:34:23 srv-03-001 pluto[5806]: loaded CA cert file 'cacert.pem' (1533 bytes)
Apr  2 18:34:23 srv-03-001 pluto[5806]: Changing to directory '/etc/ipsec.d/aacerts'
Apr  2 18:34:23 srv-03-001 pluto[5806]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr  2 18:34:23 srv-03-001 pluto[5806]: Changing to directory '/etc/ipsec.d/crls'
Apr  2 18:34:23 srv-03-001 pluto[5806]: loaded crl file 'crl.pem' (658 bytes)
Apr  2 18:34:23 srv-03-001 pluto[5806]: added connection description "vpnconn"
Apr  2 18:34:23 srv-03-001 pluto[5806]: listening for IKE messages
Apr  2 18:34:23 srv-03-001 pluto[5806]: adding interface ipsec0/ppp0 217.81.169.195
Apr  2 18:34:23 srv-03-001 pluto[5806]: loading secrets from "/etc/ipsec.secrets"
Apr  2 18:35:09 srv-03-001 pluto[5806]: "vpnconn" #1: responding to Main Mode
Apr  2 18:35:12 srv-03-001 pluto[5806]: "vpnconn" #1: Peer ID is ID_USER_FQDN: '@my.routerside.id'
Apr  2 18:35:12 srv-03-001 pluto[5806]: "vpnconn" #1: no suitable connection for peer '@my.routerside.id'
Apr  2 18:35:12 srv-03-001 pluto[5806]: "vpnconn" #1: sending encrypted notification INVALID_ID_INFORMATION to 217.228.15.39:500

All that I've found on the net is that it seems that the router does not send exactly the data expected by Freeswan, so that no conn or no secret matches.

For further understanding, the relevant configs...


#NETWORK LAYOUT#

192.168.200.0/24	[Home net]
	||
192.168.200.1	[Draytek Vigor 2600 Firmware 2.5.3]
   w.x.y.z		[dynamic DSL IP (wxyz.dyndns.org)]
	.
	.
	.
   a.b.c.d		[dynamic DSL IP ppp0 (abcd.dyndns.org)]
192.168.254.1	[FreeSwan eth1 (external eth)]
192.168.40.9	[FreeSwan eth0 (internal eth)]
	||
192.168.40.0/24	[Work net]

#IPSEC.CONF#

version 2.0

config setup
	myid=@my.linuxside.id
	interfaces=%defaultroute
	uniqueids=no
	fragicmp=no
	overridemtu=1400

conn vpnconn
	type=tunnel
	left=%defaultroute
	leftsubnet=192.168.40.0/24
	right=wxyz.dyndns.org
	keyexchange=ike
	auto=start
	auth=esp
	authby=secret
	pfs=yes
	keylife=8.0h
	rekey=yes
	rekeymargin=9m
	ikelifetime=2.0h
	rekeyfuzz=100%
	keyingtries=3
	compress=no
 

conn block
        auto=ignore

conn clear
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn packetdefault
        auto=ignore

#IPSEC.SECRETS#

@my.linuxside.id @my.routerside.id
  abcd.dyndns.org wxyz.dyndns.org: PSK "thekey"

#VIGOR CONFIGURATION#

COMMON SETTINGS
Profile Name = vpnconn
Enable this profile = x
Call direction = Dail out
Idle Timeout = 300

DAIL-OUT SETTINGS
IPSec-Tunnel = x
Server IP / Host Name for VPN = abcd.dyndns.org
IKE Pre-Shared Key = "secretkey"
IPSec Security Method = High (ESP) 3DES Authentication [Advanced]

	IKE phase 1 mode = Main mode
	IKE phase 1 proposal = 3DES_MD5_G2
	IKE phase 1 key lifetime = 28800
	IKE phase 2 key lifetime = 7200
	Perfekt Forward Secret = enable
	Local ID = @my.routerside.id

DAIL-IN SETTINGS
not used

TCP/IP NETWORK SETTINGS
My WAN IP = 0.0.0.0
Remote Gateway IP = 0.0.0.0
Remote Network IP = 192.168.40.0
Remote Network Mask = 255.255.255.0


#SYSLOG#

Apr  2 18:34:23 srv-03-001 ipsec_setup: ...FreeS/WAN IPsec started
Apr  2 18:34:23 srv-03-001 pluto[5806]: Starting Pluto (FreeS/WAN Version 2.05 X.509-1.5.3 PLUTO_USES_KEYRR)
Apr  2 18:34:23 srv-03-001 pluto[5806]: Using KLIPS IPsec interface code
Apr  2 18:34:23 srv-03-001 pluto[5806]: Changing to directory '/etc/ipsec.d/cacerts'
Apr  2 18:34:23 srv-03-001 pluto[5806]: loaded CA cert file 'cacert.pem' (1533 bytes)
Apr  2 18:34:23 srv-03-001 pluto[5806]: Changing to directory '/etc/ipsec.d/aacerts'
Apr  2 18:34:23 srv-03-001 pluto[5806]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr  2 18:34:23 srv-03-001 pluto[5806]: Changing to directory '/etc/ipsec.d/crls'
Apr  2 18:34:23 srv-03-001 pluto[5806]: loaded crl file 'crl.pem' (658 bytes)
Apr  2 18:34:23 srv-03-001 pluto[5806]: added connection description "vpnconn"
Apr  2 18:34:23 srv-03-001 pluto[5806]: listening for IKE messages
Apr  2 18:34:23 srv-03-001 pluto[5806]: adding interface ipsec0/ppp0 217.81.169.195
Apr  2 18:34:23 srv-03-001 pluto[5806]: loading secrets from "/etc/ipsec.secrets"
Apr  2 18:35:09 srv-03-001 pluto[5806]: "vpnconn" #1: responding to Main Mode
Apr  2 18:35:12 srv-03-001 pluto[5806]: "vpnconn" #1: Peer ID is ID_USER_FQDN: '@my.routerside.id'
Apr  2 18:35:12 srv-03-001 pluto[5806]: "vpnconn" #1: no suitable connection for peer '@my.routerside.id'
Apr  2 18:35:12 srv-03-001 pluto[5806]: "vpnconn" #1: sending encrypted notification INVALID_ID_INFORMATION to 217.228.15.39:500
Apr  2 18:35:16 srv-03-001 pluto[5806]: "vpnconn" #1: Peer ID is ID_USER_FQDN: '@my.routerside.id'
Apr  2 18:35:16 srv-03-001 pluto[5806]: "vpnconn" #1: no suitable connection for peer '@my.routerside.id'
Apr  2 18:35:16 srv-03-001 pluto[5806]: "vpnconn" #1: sending encrypted notification INVALID_ID_INFORMATION to 217.228.15.39:500
Apr  2 18:35:22 srv-03-001 pluto[5806]: "vpnconn" #1: Peer ID is ID_USER_FQDN: '@my.routerside.id'
Apr  2 18:35:22 srv-03-001 pluto[5806]: "vpnconn" #1: no suitable connection for peer '@my.routerside.id'
Apr  2 18:35:22 srv-03-001 pluto[5806]: "vpnconn" #1: sending encrypted notification INVALID_ID_INFORMATION to 217.228.15.39:500

Any idea !?

Is there a possibility to see with which data the vigor-router comes to make the authentication?

HELP!!! Dennis




FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

Received on Sun Apr 4 08:47:50 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:30 EDT
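An added example, not part of the original post and not FreeS/WAN code: a small Python diagnostic that reads the peer ID pluto reports in the log and compares it with the IDs each `conn` section would accept, which is the comparison behind "no suitable connection". The function names are hypothetical, the sample input is constructed from the lines quoted in the post, and the check is a string comparison only (pluto also compares the ID type); it relies on the documented ipsec.conf behaviour that `leftid`/`rightid` default to `left`/`right` when unset.

```python
import re

# Constructed sample input, modelled on the conn section and log lines in the post.
SAMPLE_CONF = """\
conn vpnconn
    left=%defaultroute
    leftsubnet=192.168.40.0/24
    right=wxyz.dyndns.org
    authby=secret
"""
SAMPLE_LOG = """\
Apr  2 18:35:12 srv-03-001 pluto[5806]: "vpnconn" #1: Peer ID is ID_USER_FQDN: '@my.routerside.id'
Apr  2 18:35:12 srv-03-001 pluto[5806]: "vpnconn" #1: no suitable connection for peer '@my.routerside.id'
"""

PEER_ID = re.compile(r"Peer ID is (ID_\w+): '([^']*)'")
NO_CONN = re.compile(r"no suitable connection for peer '([^']*)'")

def parse_conns(conf_text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            words = line.split()
            is_conn = words[0] == "conn" and len(words) > 1
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def expected_ids(conn):
    """IDs a conn accepts for either end, as configured strings."""
    # Assumption stated in the lead-in: an unset leftid/rightid falls back to left/right.
    return {conn.get(side + "id", conn.get(side)) for side in ("left", "right")} - {None}

def diagnose(conf_text, log_text):
    """For each rejected peer ID, report its type and what every conn expects."""
    conns = parse_conns(conf_text)
    id_types = {value: id_type for id_type, value in PEER_ID.findall(log_text)}
    report = []
    for peer in sorted(set(NO_CONN.findall(log_text))):
        matches = [name for name, conn in conns.items() if peer in expected_ids(conn)]
        report.append({"peer_id": peer, "id_type": id_types.get(peer), "matching_conns": matches,
                       "expected": {n: sorted(expected_ids(c)) for n, c in conns.items()}})
    return report
```

Run against the real `/etc/ipsec.conf` and the unwrapped pluto lines from syslog, `diagnose()` lists every rejected peer ID next to the IDs each connection is configured to accept.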

