<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.0.10">
</HEAD>
<BODY>
On Wed, 2004-12-01 at 00:50, Paul Wouters wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE><FONT COLOR="#737373"><I>On Tue, 30 Nov 2004, Albert Agusti wrote:
> I'm using openswan-2.2.0 (built from source) with the latest NAT-T patch on
> kernel 2.6 family.
the nat-t patch as supplied by us (or obtained by 'make nattpatch') is only
for use with KLIPS, not for use with the 2.6 NETKEY stack.
> I've two Linux boxes behind a NAT DSL router acting as tunnel ends. One
> is configured as initiator of the tunnel (auto=start) and the other as
> responder (auto=add). The problem is that EVERY TIME one of the systems
> (tunnel ends) reboots or issues stop/start of ipsec process, the tunnel
> negotiation blocks at Main mode in "no connection has been authorized"
> and !! THE ONLY way I find to solve this is to stop ipsec at both ends,
> start the responder and start the initiator !!
If you stop one end, a Notify/Delete message is sent by that end. Do
you receive that on the remote? Is it ignored?
Can you try 2.3.0dr4 and see if the problem remains?</I></FONT></PRE>
</BLOCKQUOTE>
<BR>
Hello Paul, <BR>
<BR>
I've tested 2.3.0dr4. All the same :-( . After one end resets ipsec (stop/start), the Initiator gets blocked in Main Mode and the Responder shows: "no connection has been authorized". I'm really desperate. My hypothesis is now: "Am I doing something REALLY BAD?" Could you take a look at the config below? Is there something suspicious? <BR>
<BR>
(only rsa skipped and real IP addresses changed)<BR>
<BR>
Thanks in advance<BR>
Albert<BR>
<BR>
Here is the configuration<BR>
<BR>
<B>Side A (responder) (Left=Local)</B><BR>
<BR>
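config setup<BR>
&nbsp;&nbsp;&nbsp;&nbsp;# Debug-logging controls: "none" for (almost) none, "all" for lots.<BR>
&nbsp;&nbsp;&nbsp;&nbsp;#klipsdebug=all<BR>
&nbsp;&nbsp;&nbsp;&nbsp;#plutodebug=all<BR>
&nbsp;&nbsp;&nbsp;&nbsp;myid=@santacoloma.serialnet.net<BR>
&nbsp;&nbsp;&nbsp;&nbsp;nat_traversal=yes<BR>
<BR>
conn vpn-sc-sants<BR>
&nbsp;&nbsp;&nbsp;&nbsp;keylife=48800<BR>
&nbsp;&nbsp;&nbsp;&nbsp;right=B.B.B.B<BR>
&nbsp;&nbsp;&nbsp;&nbsp;rightid=@sants.serialnet.net<BR>
&nbsp;&nbsp;&nbsp;&nbsp;rightsubnet=192.168.1.64/26<BR>
&nbsp;&nbsp;&nbsp;&nbsp;rightrsasigkey=0sAQN0c4pwgS1E6aZpjgE9b3x...<BR>
&nbsp;&nbsp;&nbsp;&nbsp;left=192.168.3.2<BR>
&nbsp;&nbsp;&nbsp;&nbsp;leftnexthop=192.168.3.1<BR>
&nbsp;&nbsp;&nbsp;&nbsp;leftid=@santacoloma.serialnet.net<BR>
&nbsp;&nbsp;&nbsp;&nbsp;leftsubnet=10.10.0.0/16<BR>
&nbsp;&nbsp;&nbsp;&nbsp;leftrsasigkey=0sAQNlZppUgueMx9p1rDrhIrU2ZTqUb/Be....<BR>
&nbsp;&nbsp;&nbsp;&nbsp;auto=add<BR>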
<BR>
<BR>
<B>Side B (initiator) (Left=Local)</B><BR>
<BR>
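config setup<BR>
&nbsp;&nbsp;&nbsp;&nbsp;# Debug-logging controls: "none" for (almost) none, "all" for lots.<BR>
&nbsp;&nbsp;&nbsp;&nbsp;#klipsdebug=all<BR>
&nbsp;&nbsp;&nbsp;&nbsp;#plutodebug=all<BR>
&nbsp;&nbsp;&nbsp;&nbsp;nat_traversal=yes<BR>
&nbsp;&nbsp;&nbsp;&nbsp;myid=@sants.serialnet.net<BR>
<BR>
# Definition of the endpoints of the test tunnel SantaColoma-Serveis educatius Sants<BR>
# left(sants) Outbound via ADSL 217.125.26.237 and LAN 192.168.1.64/26<BR>
# right(santaco) Outbound via ADSL 80.32.111.213 and LAN 10.10.0.0/16<BR>
<BR>
conn vpn-sc-sants<BR>
&nbsp;&nbsp;&nbsp;&nbsp;keylife=48800<BR>
&nbsp;&nbsp;&nbsp;&nbsp;left=192.168.5.2<BR>
&nbsp;&nbsp;&nbsp;&nbsp;leftnexthop=192.168.5.1<BR>
&nbsp;&nbsp;&nbsp;&nbsp;leftid=@sants.serialnet.net<BR>
&nbsp;&nbsp;&nbsp;&nbsp;leftsubnet=192.168.1.64/26<BR>
&nbsp;&nbsp;&nbsp;&nbsp;leftrsasigkey=0sAQN0c4pwgS1E6aZpjgE9....<BR>
&nbsp;&nbsp;&nbsp;&nbsp;right=A.A.A.A<BR>
&nbsp;&nbsp;&nbsp;&nbsp;rightid=@santacoloma.serialnet.net<BR>
&nbsp;&nbsp;&nbsp;&nbsp;rightsubnet=10.10.0.0/16<BR>
&nbsp;&nbsp;&nbsp;&nbsp;rightrsasigkey=0sAQNlZppUgueMx9p1rDrhIrU2ZTqUb/Beh0jSWk...<BR>
&nbsp;&nbsp;&nbsp;&nbsp;auto=start<BR>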
<BR>
<BR>
<BR>
</BODY>
</HTML>