Am 18.09.2014 15:25, schrieb Paul Wouters:
On Thu, 18 Sep 2014, Enrico Brunetta wrote:
Now it looks like the connection is found but it fails differently:
Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Starting Pluto
(Libreswan Version 3.10 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG
XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:2054
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from
70.117.100.63:500: received Vendor ID payload [XAUTH]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from
70.117.100.63:500: received Vendor ID payload [Cisco-Unity]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from
70.117.100.63:500: received Vendor ID payload [FRAGMENTATION 80000000]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from
70.117.100.63:500: received Vendor ID payload [Dead Peer Detection]
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
70.117.100.63 #1: enabling possible NAT-traversal with method RFC 3947
(NAT-Traversal)
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
70.117.100.63 #1: responding to Main Mode from unknown peer 70.117.100.63
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
70.117.100.63 #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
70.117.100.63 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
70.117.100.63 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal)
sender port 500: I am behind NAT+peer behind NAT
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
70.117.100.63 #1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
70.117.100.63 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 18 11:54:17 ip-172-31-48-104 pluto[2054]: ERROR: asynchronous
network error report on eth0 (sport=500) for message to 70.117.100.63
port 500, complainant 70.117.100.63: Connection refused [errno 111,
origin ICMP type 3 code 3 (not authenticated)]
This looks like a fragmentation issue, or MTU/firewall issue. Try
ike-frag=force, as the cisco you are talking to seems to support
FRAGMENTATION. If that fails, you can try to lower the mtu of your
interface a little.
This also can happen if the vpn service is not allowed to read the
certificate. The vpn service will stop to listen on udp/500 than.
Can you check the permissions of the certificate in the keychain
settings on your mac or check the log on mac site.
Wolfgang
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan