[Openswan Users] freeswan-1.99: cannot respond to IPsec SA
Wolfman
BulletinCatcher at web.de
Tue Mar 30 11:32:40 CEST 2004
At 23:15 29.03.2004, you wrote:
>Wolfman wrote:
>
>>Hi,
>>I got a very similar Problem, if not the same:
>>I have the NAT-T patch installed and working (finally), but it didn't
>>help. A tip: compile the kernel without patches, apply the patch for X.509,
>>compile it again, apply the NAT-T patch, compile it again. It really takes
>>time, but whenever I tried it another way, it failed. So these are
>>nearly 5 compiler runs.
>
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ God, damn it! That is exactly the
>procedure I tried to avoid, for the system is a productive one. :-((
As I said, I tried it in hundreds of tests. If you don't compile it between
the patches, the NAT-T patch will erase the Openswan patch or leave the
kernel broken. The other way round, just the same. In the documentation of
Openswan, there's a switch to patch Openswan and NAT-T together; it didn't
work for me. Openswan worked, but NAT-T was missing. I had to do the
NAT-T patch separately.
>>Ok, back to the Problem, as I said, my NAT-T is working:
>>Mar 29 21:17:29 Linuxserver pluto[2218]: Starting Pluto (Openswan Version
>>2.1.0 X.509-1.4.8 PLUTO_USES_KEYRR)
>>Mar 29 21:17:29 Linuxserver pluto[2218]: including NAT-Traversal patch
>>(Version 0.6c)
>
>Which version are You currently using?
It's Openswan 2.1.1
>>I found something in the google groups, that told me to write down the
>>remote IP into my ipsec.conf. I did so, nothing changed
>>I pasted my ipsec.conf and my auth.log. If someone knows how to help,
>>would be great.
>>
>>ipsec.conf:
>>config setup
>> nat_traversal=yes
>>
>># Add connections here.
>>
>>conn %default
>> keyingtries=0
>> disablearrivalcheck=no
>> authby=rsasig
>> rightrsasigkey=%cert
>> auto=add
>> left=%defaultroute
>> leftrsasigkey=%cert
>> leftcert=VPN-Gateway-Cert.pem
>> leftid="<Certificate ID>"
>
>Why that? I encountered a problem when leftid is given.
>I don't remember the error message, but it said: when leftid is given,
>rightid must be given as well.
Can't verify that, didn't have that error. It accepts and finds the right
certificate for the remote side; that worked well.
>> leftupdown=/usr/lib/ipsec/_updown_x509
>>
>>conn p2n
>> right=%any
>> leftsubnet=192.168.107.0/24
>> rightsubnet=192.168.107.123/32
>
>Shot in the dark: You may use:
>leftprotoport=17/0
>rightprotoport=17/01
Yeah thought so too, and already used the ports, nothing changed. :-(
>Good luck
>
>_______________________________________________
>Users mailing list
>Users at lists.openswan.org
>http://lists.openswan.org/mailman/listinfo/users
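The thread above boils down to a handful of configuration checks that can be made mechanically: is NAT traversal enabled in `config setup` and confirmed by pluto's startup log, is `leftid` set without a `rightid` (the error the correspondent recalls), are the `protoport` values well-formed, and do the left and right subnets overlap. The following script is an added example written for this page, not code from Openswan or from anyone in the thread; the embedded ipsec.conf and log lines are a constructed sample modelled on what Wolfman posted, and the lint rules encode the thread's suggestions as checks rather than asserting how Openswan itself validates the file.

```python
"""Lint an Openswan-style ipsec.conf plus pluto startup log lines (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the ipsec.conf quoted in the thread.
SAMPLE_CONF = """\
config setup
 nat_traversal=yes

# Add connections here.

conn %default
 keyingtries=0
 authby=rsasig
 rightrsasigkey=%cert
 auto=add
 left=%defaultroute
 leftrsasigkey=%cert
 leftcert=VPN-Gateway-Cert.pem
 leftid="<Certificate ID>"
 leftupdown=/usr/lib/ipsec/_updown_x509

conn p2n
 right=%any
 leftsubnet=192.168.107.0/24
 rightsubnet=192.168.107.123/32
 leftprotoport=17/0
 rightprotoport=17/01
"""

# Constructed log lines, copied in shape from the pluto output in the thread.
SAMPLE_LOG = [
    "Mar 29 21:17:29 Linuxserver pluto[2218]: Starting Pluto (Openswan Version 2.1.0 X.509-1.4.8 PLUTO_USES_KEYRR)",
    "Mar 29 21:17:29 Linuxserver pluto[2218]: including NAT-Traversal patch (Version 0.6c)",
]

Section = Tuple[str, str]  # e.g. ("config", "setup") or ("conn", "p2n")
PROTOPORT = re.compile(r"^(\d+)/(\d+)$")


def parse_ipsec_conf(text: str) -> Dict[Section, Dict[str, str]]:
    """Parse the section/indented key=value layout into a dict of dicts."""
    sections: Dict[Section, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented line starts a section
            kind, _, name = line.partition(" ")
            current = (kind.strip(), name.strip())
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conns(sections: Dict[Section, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Apply 'conn %default' inheritance so each conn carries its full parameter set."""
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), params in sections.items():
        if kind == "conn" and name != "%default":
            merged = dict(default)
            merged.update(params)
            conns[name] = merged
    return conns


def lint(conf_text: str, log_lines: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings: List[str] = []
    sections = parse_ipsec_conf(conf_text)
    setup = sections.get(("config", "setup"), {})
    if setup.get("nat_traversal") != "yes":
        findings.append("setup: nat_traversal is not enabled")
    if not any("NAT-Traversal" in line for line in log_lines):
        findings.append("log: pluto did not report the NAT-Traversal patch")
    for name, conn in effective_conns(sections).items():
        # The thread's recollection: leftid without rightid was rejected.
        if "leftid" in conn and "rightid" not in conn:
            findings.append(f"{name}: leftid set without rightid")
        protos = {}
        for side in ("left", "right"):
            value = conn.get(side + "protoport")
            if value is None:
                continue
            match = PROTOPORT.match(value)
            if not match:
                findings.append(f"{name}: {side}protoport={value} is not PROTO/PORT")
                continue
            protos[side], port = match.group(1), match.group(2)
            if len(port) > 1 and port.startswith("0"):
                findings.append(f"{name}: {side}protoport={value} has a leading zero in the port, check for a typo")
        if len(protos) == 2 and protos["left"] != protos["right"]:
            findings.append(f"{name}: left/right protoport protocols differ ({protos['left']} vs {protos['right']})")
        try:
            lnet = ipaddress.ip_network(conn["leftsubnet"])
            rnet = ipaddress.ip_network(conn["rightsubnet"])
            if lnet.overlaps(rnet):
                findings.append(f"{name}: rightsubnet {rnet} overlaps leftsubnet {lnet}")
        except (KeyError, ValueError):
            pass  # a side without a subnet, or an unparsable one, is reported elsewhere or ignored
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports three things: the `leftid`/`rightid` asymmetry, the `17/01` port spelling, and the fact that the road-warrior's `/32` lies inside the gateway's `/24`; the NAT-T checks pass because both the `config setup` line and the pluto log line are present. Overlapping left and right subnets are worth a second look in any IPsec policy, since traffic the gateway's LAN sends toward the client's address then matches both the tunnel policy and the local network.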