VPN + Openswan - no suitable connection for peer

["Enrico Gusek" <debian-maillist@bit-dd.de>]

Hallo,

ich bin grad (d.h. seit einer Woche) am verzweifeln mit einem Versuch eine
VPN Verbindung zu erstellen. Habe schon vieles probiert und bin echt am
verzweifeln. Die angefügte Konfiguration schien mir noch die besten
Ergebnisse zu liefern, bei alle anderen Konstellationen brach der Vorgang
immer etwas früher ab.

Ich bin dankbar für jeden (auch noch so kleinen) Hinweis oder Tipp oder
Denkanstoss.

Bitte helft mir, bekomme jetzt auch wirklich zeit probleme.


Es handelt sich um einen Linux Server (als Gateway) (mit Kernel
kernel-image-2.6.7-hardened [empfohlen von Openswan.org]) und einem WinXP
SP2 (als Client).

Client IP: 10.254.254.155/24
Server IP: eth0 10.254.254.200/24
	     eth1 10.254.0.200/24

Ach ja...es gibt noch einen Server der auf der 10.254.0.1/24 sitzt

Auszug aus der c:\Programme\IPsec\ipsec.conf (vom Client)
============================================================================
conn Roadwarrior
	left=%any
	right=10.254.254.200
	rightsubnet=10.254.0.0/24
	rightca="C=DE, S=Saxony, L=Dresden, O=Enrico Gusek bIT, OU=WAN,
CN=CA Enrico Gusek bIT"
	network=lan
	auto=start
	pfs=yes



Hier kommt alles vom Server

Auszug aus der /etc/ipsec.conf
============================================================================
==================================

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        #interfaces="ipsec0=eth0"
        plutodebug=none
        klipsdebug=none
        uniqueids=no

        #plutodebug="control"
        #klipsdebug=none
        #plutodebug=all
        #klipsdebug=all


conn %default
        keyingtries=0
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        #left=10.254.254.200
        leftsubnet=10.254.0.0/24
        leftid="C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN, CN=SVRVPN"

conn Roadwarrior
        right=%any
        #right=10.254.254.155
        type=tunnel
        keyexchange=ike
        pfs=yes
        auto=add
        #auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


Auszug aus ipsec whack --status
============================================================================
==================================
svrvpn:/home/enrico# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.254.254.200
000 interface eth1/eth1 10.254.0.200
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "Roadwarrior": 10.254.0.0/24===10.254.254.200[C=DE, ST=Saxony, O=Enrico
Gusek bIT, OU=WAN, CN=SVRVPN]---10.254.254.254...%any; unrouted; eroute
owner: #0
000 "Roadwarrior":     srcip=unset; dstip=unset
000 "Roadwarrior":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "Roadwarrior":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,32;
interface: eth0;
000 "Roadwarrior":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000


Auszug aus ipsec verify
============================================================================
==================================
svrvpn:/home/enrico# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan U2.3.0/K2.6.7-hardened (netkey)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)
[FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing
[N/A]
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
Checking for 'setkey' command for NETKEY IPsec stack support            [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: svrvpn
[MISSING]
svrvpn does not exist, try again
   Does the machine have at least one non-private address?
[FAILED]


Auszug aus der /var/log/auth.log
============================================================================
==================================

Mar 30 20:17:33 svrvpn ipsec__plutorun: Starting Pluto subsystem...
Mar 30 20:17:34 svrvpn pluto[11639]: Starting Pluto (Openswan Version 2.3.0
X.509-1.5.4 PLUTO_USES_KEYRR)
Mar 30 20:17:34 svrvpn pluto[11639]: Setting port floating to off
Mar 30 20:17:34 svrvpn pluto[11639]: port floating activate 0/1
Mar 30 20:17:34 svrvpn pluto[11639]:   including NAT-Traversal patch
(Version 0.6c) [disabled]
Mar 30 20:17:35 svrvpn pluto[11639]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Mar 30 20:17:35 svrvpn pluto[11639]: starting up 1 cryptographic helpers
Mar 30 20:17:36 svrvpn pluto[11639]: started helper pid=11640 (fd:6)
Mar 30 20:17:37 svrvpn pluto[11639]: Using Linux 2.6 IPsec interface code
Mar 30 20:17:38 svrvpn pluto[11639]: Changing to directory
'/etc/ipsec.d/cacerts'
Mar 30 20:17:38 svrvpn pluto[11639]:   loaded CA cert file 'caCert.pem'
(1554 bytes)
Mar 30 20:17:38 svrvpn pluto[11639]: Changing to directory
'/etc/ipsec.d/aacerts'
Mar 30 20:17:38 svrvpn pluto[11639]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Mar 30 20:17:38 svrvpn pluto[11639]: Changing to directory
'/etc/ipsec.d/crls'
Mar 30 20:17:38 svrvpn pluto[11639]:   loaded crl file 'crl.pem' (658 bytes)
Mar 30 20:17:42 svrvpn pluto[11639]: added connection description
"Roadwarrior"
Mar 30 20:17:42 svrvpn pluto[11639]: listening for IKE messages
Mar 30 20:17:42 svrvpn pluto[11639]: adding interface eth1/eth1 10.254.0.200
Mar 30 20:17:42 svrvpn pluto[11639]: adding interface eth0/eth0
10.254.254.200
Mar 30 20:17:42 svrvpn pluto[11639]: adding interface lo/lo 127.0.0.1
Mar 30 20:17:42 svrvpn pluto[11639]: adding interface lo/lo ::1
Mar 30 20:17:42 svrvpn pluto[11639]: loading secrets from
"/etc/ipsec.secrets"
Mar 30 20:17:42 svrvpn pluto[11639]:   loaded private key file
'/etc/ipsec.d/private/gwKey.pem' (951 bytes)
Mar 30 20:17:46 svrvpn pluto[11639]: packet from 10.254.254.155:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 30 20:17:46 svrvpn pluto[11639]: packet from 10.254.254.155:500:
ignoring Vendor ID payload [FRAGMENTATION]
Mar 30 20:17:46 svrvpn pluto[11639]: packet from 10.254.254.155:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
port floating is off
Mar 30 20:17:47 svrvpn pluto[11639]: packet from 10.254.254.155:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
responding to Main Mode from unknown peer 10.254.254.155
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saxony, O=Enrico Gusek bIT,
OU=WAN, CN=eGusek'
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: no
suitable connection for peer 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN,
CN=eGusek'
Mar 30 20:17:47 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
sending encrypted notification INVALID_ID_INFORMATION to 10.254.254.155:500
Mar 30 20:17:48 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saxony, O=Enrico Gusek bIT,
OU=WAN, CN=eGusek'
Mar 30 20:17:48 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: no
suitable connection for peer 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN,
CN=eGusek'
Mar 30 20:17:48 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
sending encrypted notification INVALID_ID_INFORMATION to 10.254.254.155:500
Mar 30 20:17:50 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saxony, O=Enrico Gusek bIT,
OU=WAN, CN=eGusek'
Mar 30 20:17:50 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: no
suitable connection for peer 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN,
CN=eGusek'
Mar 30 20:17:50 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
sending encrypted notification INVALID_ID_INFORMATION to 10.254.254.155:500
Mar 30 20:17:54 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saxony, O=Enrico Gusek bIT,
OU=WAN, CN=eGusek'
Mar 30 20:17:54 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: no
suitable connection for peer 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN,
CN=eGusek'
Mar 30 20:17:54 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
sending encrypted notification INVALID_ID_INFORMATION to 10.254.254.155:500
Mar 30 20:18:02 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Saxony, O=Enrico Gusek bIT,
OU=WAN, CN=eGusek'
Mar 30 20:18:02 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1: no
suitable connection for peer 'C=DE, ST=Saxony, O=Enrico Gusek bIT, OU=WAN,
CN=eGusek'
Mar 30 20:18:02 svrvpn pluto[11639]: "Roadwarrior"[1] 10.254.254.155 #1:
sending encrypted notification INVALID_ID_INFORMATION to 10.254.254.155:500