
Messages - zentyaltester

1
I am not an expert in LDAP.

What do you mean?

2
Installation and Upgrades / SCM Manager authenticate against LDAP
« on: April 08, 2014, 07:31:43 pm »
Hello,

I installed SCM Manager and I want to authenticate users against the Zentyal LDAP server.
The server is correctly configured and it is possible to authenticate the users.
The following pictures show the configuration of SCM Manager and the Zentyal server.

I think the configuration of SCM Manager is wrong, therefore I can't authenticate the SCM Manager user against LDAP.

The string of the "Group search filter" is: (&(objectClass=groupOfUniqueNames)(uniqueMember={0})).
The group search filter's {0} will be replaced by the DN of the user.
The user filter's {0} will be replaced by the username.

Does anybody have an idea of the correct configuration of the SCM Manager LDAP plugin?

3
Installation and Upgrades / Zentyal 3.4 VPN Connection Error
« on: March 18, 2014, 06:44:37 pm »
I configured a VPN Server and downloaded the bundle.
When I connect via "openvpn VPN-client.conf" I get the following error:

Tue Mar 18 18:38:56 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Feb 27 2013
Tue Mar 18 18:38:56 2014 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Tue Mar 18 18:38:56 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 18 18:38:56 2014 Cannot load private key file laptop.sony.pem: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Tue Mar 18 18:38:56 2014 Error: private key password verification failed
Tue Mar 18 18:38:56 2014 Exiting

The conf file content:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote  XXX.XXX.XXX.XXX 1194

# Allow remote peer to change its IP address and/or port number
float

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind


# Comment out user and group if you wish to increase security. Be advised you
# can experience some issues when reconnecting
# user nobody
# the group option may be wrong for some distributions
# normally distributions use either 'nobody' (Fedora) or 'nogroup'
# for the unprivileged group name
# group nogroup


# Try to preserve some state across restarts.
persist-key
persist-tun

# Write the PID file for compatibility with Ubuntu init.d script

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca   "cacert.pem"
cert "50BB23659425A3D7.pem"
key  "laptop.sony.pem"

# Verify server certificate by common name
tls-remote vpn-MeerkatVPN


# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Explicitly notify disconnections
explicit-exit-notify 3

# Silence repeating messages
;mute 20




4
Installation and Upgrades / Re: Android can't connect IPSec
« on: March 15, 2014, 07:42:06 am »
If I set the option "IPsec identifier" to "not used" on my Android device, I get another error from "ipsec barf":

Mar 15 07:38:03 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:38:03 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:38:03 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:38:03 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:38:03 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:38:03 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:38:03 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #43: responding to Main Mode from unknown peer 56.111.111.111
Mar 15 07:38:03 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #43: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 07:38:03 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #43: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 15 07:38:05 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:38:05 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:38:05 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:38:05 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:38:05 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:38:05 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:38:05 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #44: responding to Main Mode from unknown peer 56.111.111.111
Mar 15 07:38:05 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #44: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 07:38:05 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #44: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 15 07:38:08 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:38:08 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:38:08 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:38:08 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:38:08 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:38:08 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:38:08 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: responding to Main Mode from unknown peer 56.111.111.111
Mar 15 07:38:08 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 07:38:08 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 15 07:38:11 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:38:11 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:38:11 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:38:11 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:38:11 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:38:11 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:38:11 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #46: responding to Main Mode from unknown peer 56.111.111.111
Mar 15 07:38:11 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #46: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 07:38:11 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #46: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 15 07:38:14 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:38:14 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:38:14 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:38:14 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:38:14 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:38:14 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:38:14 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #47: responding to Main Mode from unknown peer 56.111.111.111
Mar 15 07:38:14 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #47: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 07:38:14 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #47: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 15 07:38:17 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:38:17 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:38:17 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:38:17 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:38:17 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:38:17 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:38:17 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #48: responding to Main Mode from unknown peer 56.111.111.111
Mar 15 07:38:17 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #48: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 07:38:17 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #48: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 15 07:38:18 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Mar 15 07:38:18 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 07:38:18 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 15 07:38:18 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: Main mode peer ID is ID_IPV4_ADDR: '10.222.222.22'
Mar 15 07:38:18 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 15 07:38:18 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: new NAT mapping for #45, was 56.111.111.111:500, now 56.111.111.111:4500
Mar 15 07:38:18 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Mar 15 07:38:18 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Mar 15 07:38:18 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: received and ignored informational message
Mar 15 07:38:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #45: the peer proposed: 144.33.33.22/32:17/1701 -> 10.222.222.22/32:17/0
Mar 15 07:38:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #49: responding to Quick Mode proposal {msgid:21a303bc}
Mar 15 07:38:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #49:     us: 192.168.122.2<192.168.122.2>[+S=C]:17/1701
Mar 15 07:38:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #49:   them: 56.111.111.111[10.222.222.22,+S=C]:17/0
Mar 15 07:38:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #49: keeping refhim=4294901761 during rekey
Mar 15 07:38:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #49: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 15 07:38:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #49: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 15 07:38:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #49: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 15 07:38:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #49: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x081c45f7 <0x5b05c5f3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=56.111.111.111:4500 DPD=none}
Mar 15 07:38:24 zentyal pluto[29023]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 56.111.111.111 port 4500, complainant 56.111.111.111: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 15 07:38:24 zentyal pluto[29023]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 56.111.111.111 port 4500, complainant 56.111.111.111: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 15 07:38:25 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #47: ERROR: asynchronous network error report on eth0 (sport=500) for message to 56.111.111.111 port 500, complainant 56.111.111.111: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 15 07:38:26 zentyal pluto[29023]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 56.111.111.111 port 4500, complainant 56.111.111.111: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 15 07:38:26 zentyal pluto[29023]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 56.111.111.111 port 4500, complainant 56.111.111.111: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 15 07:38:28 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #48: ERROR: asynchronous network error report on eth0 (sport=500) for message to 56.111.111.111 port 500, complainant 56.111.111.111: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 15 07:38:33 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #43: ERROR: asynchronous network error report on eth0 (sport=500) for message to 56.111.111.111 port 500, complainant 56.111.111.111: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 15 07:38:35 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #44: ERROR: asynchronous network error report on eth0 (sport=500) for message to 56.111.111.111 port 500, complainant 56.111.111.111: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 15 07:38:41 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #46: ERROR: asynchronous network error report on eth0 (sport=500) for message to 56.111.111.111 port 500, complainant 56.111.111.111: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 15 07:38:44 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #47: ERROR: asynchronous network error report on eth0 (sport=500) for message to 56.111.111.111 port 500, complainant 56.111.111.111: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 15 07:38:47 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #48: ERROR: asynchronous network error report on eth0 (sport=500) for message to 56.111.111.111 port 500, complainant 56.111.111.111: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]



5
Installation and Upgrades / Re: iptables forward port to IPSec
« on: March 15, 2014, 07:33:54 am »
I am trying to connect my Android device to the Zentyal IPsec server, but it doesn't work.

Zentyal IPSec Server Configuration:

Name: IPSecNet
Type: General L2TP/IPSec Settings
Public IP address: 192.168.122.2 --> IPTables forward all traffic to this address
Remote Address: Any
PSK Shared Secret: ipsecserverpassword
Tunnel IP: 192.168.100.101
Primary nameserver: local
Secondary nameserver: not set
WINS server: local
Ranges: 192.168.100.240 - 192.168.100.250

Zentyal IPsec Server User Settings:

User: test.android.user
Password: XXXXX
IP Address: 192.168.100.241/32

Android Device IPSec VPN Configuration

Type: L2TP/IPSec PSK
Server Address: Public address of my server
L2TP Key: Not used
IPSec Identifier: IPsecNet
IPsec Pre-Shared Key: ipsecserverpassword

ipsec barf returns the following log messages:

Mar 15 07:12:54 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:12:54 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:12:54 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:12:54 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:12:54 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:12:54 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:12:54 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #33: Aggressive mode peer ID is ID_KEY_ID: '@#0x49507365634e6574'
Mar 15 07:12:54 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #33: no suitable connection for peer '@#0x49507365634e6574'
Mar 15 07:12:54 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #33: initial Aggressive Mode packet claiming to be from 10.222.222.22 on 56.111.111.111 but no connection has been authorized
Mar 15 07:12:54 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #33: sending notification INVALID_ID_INFORMATION to 56.111.111.111:500
Mar 15 07:12:55 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:12:55 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:12:55 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:12:55 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:12:55 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:12:55 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:12:55 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #34: Aggressive mode peer ID is ID_KEY_ID: '@#0x49507365634e6574'
Mar 15 07:12:55 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #34: no suitable connection for peer '@#0x49507365634e6574'
Mar 15 07:12:55 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #34: initial Aggressive Mode packet claiming to be from 10.222.222.22 on 56.111.111.111 but no connection has been authorized
Mar 15 07:12:55 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #34: sending notification INVALID_ID_INFORMATION to 56.111.111.111:500
Mar 15 07:12:58 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:12:58 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:12:58 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:12:58 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:12:58 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:12:58 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:12:58 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #35: Aggressive mode peer ID is ID_KEY_ID: '@#0x49507365634e6574'
Mar 15 07:12:58 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #35: no suitable connection for peer '@#0x49507365634e6574'
Mar 15 07:12:58 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #35: initial Aggressive Mode packet claiming to be from 10.222.222.22 on 56.111.111.111 but no connection has been authorized
Mar 15 07:12:58 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #35: sending notification INVALID_ID_INFORMATION to 56.111.111.111:500
Mar 15 07:13:01 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:13:01 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:13:01 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:13:01 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:13:01 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:13:01 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:13:01 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #36: Aggressive mode peer ID is ID_KEY_ID: '@#0x49507365634e6574'
Mar 15 07:13:01 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #36: no suitable connection for peer '@#0x49507365634e6574'
Mar 15 07:13:01 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #36: initial Aggressive Mode packet claiming to be from 10.222.222.22 on 56.111.111.111 but no connection has been authorized
Mar 15 07:13:01 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #36: sending notification INVALID_ID_INFORMATION to 56.111.111.111:500
Mar 15 07:13:04 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:13:04 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:13:04 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:13:04 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:13:04 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:13:04 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:13:04 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #37: Aggressive mode peer ID is ID_KEY_ID: '@#0x49507365634e6574'
Mar 15 07:13:04 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #37: no suitable connection for peer '@#0x49507365634e6574'
Mar 15 07:13:04 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #37: initial Aggressive Mode packet claiming to be from 10.222.222.22 on 56.111.111.111 but no connection has been authorized
Mar 15 07:13:04 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #37: sending notification INVALID_ID_INFORMATION to 56.111.111.111:500
Mar 15 07:13:07 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:13:07 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:13:07 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:13:07 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:13:07 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:13:07 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:13:07 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #38: Aggressive mode peer ID is ID_KEY_ID: '@#0x49507365634e6574'
Mar 15 07:13:07 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #38: no suitable connection for peer '@#0x49507365634e6574'
Mar 15 07:13:07 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #38: initial Aggressive Mode packet claiming to be from 10.222.222.22 on 56.111.111.111 but no connection has been authorized
Mar 15 07:13:07 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #38: sending notification INVALID_ID_INFORMATION to 56.111.111.111:500
Mar 15 07:13:10 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:13:10 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:13:10 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:13:10 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:13:10 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:13:10 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:13:10 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #39: Aggressive mode peer ID is ID_KEY_ID: '@#0x49507365634e6574'
Mar 15 07:13:10 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #39: no suitable connection for peer '@#0x49507365634e6574'
Mar 15 07:13:10 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #39: initial Aggressive Mode packet claiming to be from 10.222.222.22 on 56.111.111.111 but no connection has been authorized
Mar 15 07:13:10 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #39: sending notification INVALID_ID_INFORMATION to 56.111.111.111:500
Mar 15 07:13:13 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:13:13 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:13:13 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:13:13 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:13:13 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:13:13 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:13:13 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #40: Aggressive mode peer ID is ID_KEY_ID: '@#0x49507365634e6574'
Mar 15 07:13:13 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #40: no suitable connection for peer '@#0x49507365634e6574'
Mar 15 07:13:13 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #40: initial Aggressive Mode packet claiming to be from 10.222.222.22 on 56.111.111.111 but no connection has been authorized
Mar 15 07:13:13 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #40: sending notification INVALID_ID_INFORMATION to 56.111.111.111:500
Mar 15 07:13:16 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:13:16 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:13:16 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:13:16 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:13:16 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:13:16 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:13:16 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #41: Aggressive mode peer ID is ID_KEY_ID: '@#0x49507365634e6574'
Mar 15 07:13:16 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #41: no suitable connection for peer '@#0x49507365634e6574'
Mar 15 07:13:16 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #41: initial Aggressive Mode packet claiming to be from 10.222.222.22 on 56.111.111.111 but no connection has been authorized
Mar 15 07:13:16 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #41: sending notification INVALID_ID_INFORMATION to 56.111.111.111:500
Mar 15 07:13:19 zentyal pluto[29023]: packet from 56.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Mar 15 07:13:19 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 15 07:13:19 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 15 07:13:19 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 15 07:13:19 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 07:13:19 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:13:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #42: Aggressive mode peer ID is ID_KEY_ID: '@#0x49507365634e6574'
Mar 15 07:13:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #42: no suitable connection for peer '@#0x49507365634e6574'
Mar 15 07:13:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #42: initial Aggressive Mode packet claiming to be from 10.222.222.22 on 56.111.111.111 but no connection has been authorized
Mar 15 07:13:19 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #42: sending notification INVALID_ID_INFORMATION to 56.111.111.111:500

What am I doing wrong?

Thanks in advance for any hints and suggestions.
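
Added example, not part of the original post and not Zentyal or pluto code: a small Python triage script for log lines in the format quoted above. It groups the refused Aggressive Mode exchanges by peer and decodes the hex ID_KEY_ID the client presented; the function names are illustrative, and it assumes the '@#0x' prefix marks a hex-rendered KEY_ID, as in the lines shown.

```python
import re
from collections import defaultdict

# Excerpt of the pluto lines quoted in the post above (addresses as posted).
SAMPLE_LOG = """\
Mar 15 07:13:13 zentyal pluto[29023]: packet from 56.111.111.111:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 07:13:13 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #40: Aggressive mode peer ID is ID_KEY_ID: '@#0x49507365634e6574'
Mar 15 07:13:13 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #40: no suitable connection for peer '@#0x49507365634e6574'
Mar 15 07:13:13 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #40: sending notification INVALID_ID_INFORMATION to 56.111.111.111:500
Mar 15 07:13:16 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #41: Aggressive mode peer ID is ID_KEY_ID: '@#0x49507365634e6574'
Mar 15 07:13:16 zentyal pluto[29023]: "IPsecNet"[4] 56.111.111.111 #41: no suitable connection for peer '@#0x49507365634e6574'
"""

# "<conn>"[instance] <peer address> #<state number>: <message>
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)')
PEER_ID = re.compile(r"Aggressive mode peer ID is (?P<type>\w+): '(?P<value>[^']*)'")
REFUSALS = ("no suitable connection", "INVALID_ID_INFORMATION")

def decode_peer_id(value):
    """Return the text behind a '@#0x..' hex-rendered ID when it is printable ASCII."""
    if value.startswith("@#0x"):
        try:
            raw = bytes.fromhex(value[4:])
        except ValueError:
            return value  # not valid hex: keep the logged form
        if raw and all(0x20 <= b < 0x7F for b in raw):
            return raw.decode("ascii")
    return value

def refused_exchanges(log_text):
    """Map (peer address, ID type, decoded ID) to the state numbers pluto refused."""
    states = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # "packet from ..." lines carry no state number
        st = states.setdefault(int(m["state"]), {"peer": m["peer"], "id": None, "refused": False})
        pid = PEER_ID.search(m["msg"])
        if pid:
            st["id"] = (pid["type"], decode_peer_id(pid["value"]))
        if any(marker in m["msg"] for marker in REFUSALS):
            st["refused"] = True
    summary = defaultdict(list)
    for number, st in sorted(states.items()):
        if st["refused"] and st["id"]:
            summary[(st["peer"], *st["id"])].append(number)
    return dict(summary)

print(refused_exchanges(SAMPLE_LOG))
```

For the excerpt, the hex value decodes to the ASCII string "IPsecNet", the same text as the connection name pluto prints in quotes.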

6
Installation and Upgrades / Android can't connect IPSec
« on: March 12, 2014, 07:34:23 pm »
Hello,

I am trying to forward all IPsec requests via iptables to my Zentyal IPsec server, which is running within a virtual machine.
My iptables rules don't work.

I tried this:

sudo iptables -A FORWARD ! -s 192.168.0.0/16 -d 192.168.122.2/32 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 500 -j ACCEPT
sudo iptables -t nat -A PREROUTING ! -s 192.168.0.0/16 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.122.2:500

sudo iptables -A FORWARD ! -s 192.168.0.0/16 -d 192.168.122.2/32 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 4500 -j ACCEPT
sudo iptables -t nat -A PREROUTING ! -s 192.168.0.0/16 -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.122.2:4500

Does anyone have an idea?

7
Installation and Upgrades / Re: Redirect Url Web Server
« on: February 06, 2014, 06:55:19 pm »
All my servers are VMs running on a KVM host (root server, SSH only).

There are two networks:

192.168.122.0/24 --> Nat
192.168.100.0/24 --> Isolated & no DHCP, zentyal makes dhcp and gateway

The Zentyal Server has the addresses:
eth0 = 192.168.122.2 (zentyal.example.lan)
--> This is marked as external. All desired ports are forwarded to this VM, including ports 80 & 443.

eth1 = 192.168.100.2
--> This is the internal network. VMs inside the network 192.168.100.0/24 are not accessible from the KVM host and the internet. Zentyal acts as DHCP server and gateway for this network.

The domain suffix *.lan denotes that it is an internal network and the suffix *.de denotes the domain as external.

I am running several VMs in the isolated network which are connected over the Zentyal server. Everything works fine.

One VM acts as MediaWiki server (192.168.100.112, http://mywiki.example.lan).

I can request the wiki from the internal network.

Now I want to reach my wiki from outside my internal network.
Therefore I configured my server as follows:
In the "Web Server" section I created a new Virtual Host named http://mywiki.example.de. This is the address which I want to use to call the wiki over the internet.

If I want to forward my HTTP request from 192.168.122.2 to http://mywiki.example.lan, I need to change the following file:

/etc/apache2/sites-available/user-ebox-mywiki.example.de/000-default
ProxyPass / http://mywiki.example.lan/
ProxyPassReverse / http://mywiki.example.lan/

and the same behavior happens as explained in my last post?

Why is it not possible to forward a web URL root (like http://mywiki.example.de) to an internal web server like http://mywiki.example.lan (document root in Apache is: /)?
Because this:

/etc/apache2/sites-available/user-ebox-mywiki.example.de/000-default
ProxyPass /mywiki http://mywiki.example.lan/mywiki
ProxyPassReverse /mywiki http://mywiki.example.lan/mywiki

works perfectly.

I hope I could make my problem understandable.

My apache configuration is wrong and I need the right one.

Sorry, the idea with the DNS is not possible, and there are no errors.

8
Installation and Upgrades / Re: Redirect Url Web Server
« on: February 05, 2014, 06:57:39 pm »
Use Case: I type https://mymusic.externaldomain.de in my browser

This doesn't work:

File:
  /etc/apache2/sites-available/user-ebox-mymusic.externaldomain.de/000-default

Content:
  ProxyPass / http://mymusic.example.lan:4040/
  ProxyPassReverse / http://mymusic.example.lan:4040/

This redirects to the Zentyal server (https://example.lan).


____________

Use Case: I type https://externaldomain.de/mymusic in my browser

This doesn't work:

File:
  /etc/apache2/sites-available/user-ebox-externaldomain.de/000-default

Content:
  ProxyPass /mymusic http://mymusic.example.lan:4040/
  ProxyPassReverse /mymusic http://mymusic.example.lan:4040/

This results in a wrong URL:
https://externaldomain.de/login.html, but it must be https://externaldomain.de/mymusic/login.html



10
Installation and Upgrades / Redirect Url Web Server
« on: February 02, 2014, 12:07:31 pm »
I want to redirect an HTTP request from my Zentyal server to an internal Apache server.

Therefore I created a Virtual Host in the Web Server section.

Virtual Host name: undesired.example.com

I tried something like this:

<VirtualHost *:80>
  ServerName undesired.example.com

  Redirect / http://internalnet.lan/
</VirtualHost>

And many other things, but I got only errors.

What's the correct configuration for the file '/etc/apache2/sites-available/user-ebox-<domain>/'?

11
OK. I fixed the DNS problem. It was a hard way.

The next problem is: I have to set an additional route in the pptp client for internet. But after setting my route. The dns resolution works anymore. OK, I can edit my resolv.conf and everything works, but I am looking for a better way.

12
Installation and Upgrades / Re: Zentyal dns refused DNS queries
« on: March 20, 2013, 11:42:28 am »
dig returned the following output. I used my VPN gateway address 192.168.210.1 for this.

pptp-client1@virtual-machine:~$ dig google.com 192.168.210.1

; <<>> DiG 9.8.1-P1 <<>> google.com 192.168.210.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27086
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 1 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Mar 20 11:38:42 2013
;; MSG SIZE  rcvd: 28

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54292
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;192.168.210.1.                 IN      A

;; ANSWER SECTION:
192.168.210.1.          0       IN      A       192.168.210.1

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Mar 20 11:38:42 2013
;; MSG SIZE  rcvd: 47

Of course the internal name resolution works perfectly.

pptp-client1@virtual-machine:~$ dig zentyal.lan 192.168.210.1

; <<>> DiG 9.8.1-P1 <<>> zentyal.lan 192.168.210.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47108
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;zentyal.lan.                   IN      A

;; ANSWER SECTION:
zentyal.lan.            259200  IN      A       192.168.122.209

;; AUTHORITY SECTION:
zentyal.lan.            259200  IN      NS      zentyal.zentyal.lan.

;; ADDITIONAL SECTION:
zentyal.zentyal.lan.    259200  IN      A       192.168.122.209

;; Query time: 1 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Mar 20 11:41:31 2013
;; MSG SIZE  rcvd: 83

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19011
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;192.168.210.1.                 IN      A

;; ANSWER SECTION:
192.168.210.1.          0       IN      A       192.168.210.1

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Mar 20 11:41:31 2013
;; MSG SIZE  rcvd: 47




13
Installation and Upgrades / Re: Zentyal dns refused DNS queries
« on: March 20, 2013, 10:21:58 am »
I'm thinking that is a DNS zone problem. I play around with the Zentyal DNS stubs.

How can I add my VPN network to the DNS zones?

14
Installation and Upgrades / Re: Zentyal dns refused DNS queries
« on: March 19, 2013, 06:05:54 pm »
pptp-client1@virtual-machine:~$ nslookup google.com 192.168.122.209(Zentyal Server)
Server:      192.168.122.209
Address:   192.168.122.209#53

Non-authoritative answer:
Name:   google.com
Address: 173.194.70.102
Name:   google.com
Address: 173.194.70.113
Name:   google.com
Address: 173.194.70.138
Name:   google.com
Address: 173.194.70.139
Name:   google.com
Address: 173.194.70.100
Name:   google.com
Address: 173.194.70.101

pptp-client1@virtual-machine:~$ nslookup google.com 192.168.210.1(VPN Gateway -> works for intern)
Server:      192.168.210.1
Address:   192.168.210.1#53

** server can't find google.com: REFUSED

As you can see, the DNS server (I use the VPN address 192.168.210.1) doesn't resolve external URLs.

15
Installation and Upgrades / Re: Zentyal dns refused DNS queries
« on: March 19, 2013, 05:48:24 pm »
It's possible that I need Advertised networks. Advertised networks able for openvpn in zentyal.
