<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16809" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hi...</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I found this thread in last month's archive and I
am experiencing virtually the same issue. I get the error</FONT></DIV>
<DIV><FONT face=Arial size=2>pluto: "vpn-conn": We cannot identify ourselves
with either end of this connection.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I have two openSuSE 11.1 boxes, one working, the
other not. I copied the whole /etc/ipsec* files from the working one to the
other, and just changed the appropriate section regarding ip net and
certificate.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Both systems have the same Kernel and ipsec
version:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2># uname -a<BR>Linux kmlulx05 2.6.27.21-0.1-pae #1
SMP 2009-03-31 14:50:44 +0200 i686 athlon i386 GNU/Linux<BR></FONT></DIV>
<DIV><FONT face=Arial size=2># ipsec --version<BR>Linux Openswan
U2.6.16/K2.6.27.21-0.1-pae (netkey)<BR></FONT></DIV>
<DIV><FONT face=Arial size=2>On the non-working system I have the
following:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2># ip route<BR>217.0.118.44 dev dsl0 proto
kernel scope link src 91.17.225.140 <BR>192.168.63.0/24 dev
eth0 proto kernel scope link src 192.168.63.10
<BR>10.63.63.0/24 dev eth1 proto kernel scope link src
10.63.63.63 <BR>169.254.0.0/16 dev eth0 scope link <BR>127.0.0.0/8 dev
lo  scope link <BR>default dev dsl0  scope link <BR></FONT></DIV>
<DIV><FONT face=Arial size=2># ip addr<BR>1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt;
mtu 16436 qdisc noqueue state UNKNOWN <BR>    link/loopback
00:00:00:00:00:00 brd 00:00:00:00:00:00<BR>    inet 127.0.0.1/8
brd 127.255.255.255 scope host lo<BR>    inet 127.0.0.2/8 brd
127.255.255.255 scope host secondary lo<BR>2: eth0:
&lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP qlen
1000<BR>    link/ether 00:10:18:4e:5b:af brd
ff:ff:ff:ff:ff:ff<BR>    inet 192.168.63.10/24 brd 192.168.63.255
scope global eth0<BR>3: eth1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500
qdisc pfifo_fast state UP qlen 1000<BR>    link/ether
00:22:19:1c:d2:64 brd ff:ff:ff:ff:ff:ff<BR>    inet
10.63.63.63/24 brd 10.63.63.255 scope global eth1<BR>6: dsl0:
&lt;POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP&gt; mtu 1492 qdisc pfifo_fast state
UNKNOWN qlen 3<BR>    link/ppp <BR>    inet
91.17.225.140 peer 217.0.118.44/32 scope global dsl0<BR></FONT></DIV>
<DIV><FONT face=Arial size=2># cat /etc/ipsec.conf</FONT></DIV>
<DIV><FONT face=Arial size=2># basic configuration<BR>### Converted to version
2.0 ipsec.conf by freeswan %post<BR>version 2.0</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>config
setup<BR>
protostack=netkey<BR>
forwardcontrol=yes<BR>
klipsdebug=none<BR>
nat_traversal=yes<BR>
uniqueids=yes<BR>
plutowait=yes<BR>
plutodebug=none<BR>
plutodebug=all</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>conn
%default<BR>
keyingtries=0<BR>
compress=yes<BR>
disablearrivalcheck=no<BR>
authby=rsasig<BR>
leftrsasigkey=%cert<BR>
rightrsasigkey=%cert</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial
size=2>conn vpn-conn<BR>
right=%defaultroute<BR>
rightsourceip=192.168.63.10<BR>
rightcert=linux2.pem<BR>
rightid="C=DE, L=Local, O=My Organization,
CN=linux2"<BR> leftid="C=DE, L=Remote,
O=My Organization, CN=gateway"<BR>
leftcert=gateway.pem<BR>
left=11.12.13.14 # original has correct
address<BR>
leftsubnet=192.168.1.0/24<BR>
rightsubnet=192.168.63.0/24<BR>
auto=start</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><BR>### Added by freeswan %post<BR># Switch off
Opportunistic Encryption policies -- BEGIN<BR>conn
block<BR> auto=ignore<BR>conn
private<BR> auto=ignore<BR>conn
private-or-clear<BR>
auto=ignore<BR>conn
clear-or-private<BR>
auto=ignore<BR>conn clear<BR>
auto=ignore<BR>conn packetdefault<BR>
auto=ignore<BR>#conn OEself<BR>#
auto=ignore<BR># Switch off Opportunistic Encryption -- END<BR></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Now, if I change the %defaultroute to 91.17.225.140
(the dsl ip), the vpn connection starts and is working normally. As this is a
dynamic address though, I have to rely on the %defaultroute entry. Where should I
look for further clues why this system acts like this, while its sister
system works as intended?</FONT></DIV>
<DIV> </DIV>
<DIV></FONT><FONT face=Arial size=2>In the syslog I noticed another strange
entry:</FONT></DIV></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2> ipsec_setup: Starting Openswan
IPsec 2.6.16...<BR> ipsec_setup: No KLIPS support found while
requested, desperately falling back to netkey<BR> ipsec_setup:
NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts
to use KLIPS. Attempting to continue with NETKEY<BR></FONT></DIV>
<DIV><FONT face=Arial size=2>Since I have the appropriate entry in the config
setup section, at first I suspected the system doesn't read the config file, but
since it does read the connections, and it loads the appropriate
certificates, I am left clueless here, too.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2>Any help on this issue would be
appreciated.</FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2></FONT></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2></FONT></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2>So long,</FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT
size=2>
Marc...</FONT></FONT></DIV></BODY></HTML>