Hello.<br><br>I am trying to establish four IPSEC connections between a computer running Debian Stable 6.0 'squeeze' and four remote 3G routers.<br><br>A short description of the routers can be found at this link: <a href="http://www.euromobile.ru/en/proizvoditeli/novacom/3g-router-gns-ur4i-vpn.htm" target="_blank">http://www.euromobile.ru/en/proizvoditeli/novacom/3g-router-gns-ur4i-vpn.htm</a><br>
<br>These are AMRISC 20000 devices with Linux. AFAIR their kernel is 2.4, and I am definitely sure it uses KLIPS and Pluto.<br><br>The Linux box is running Debian Stable 6.0 'squeeze' with the latest security updates, kernel 2.6.32-5-686, the KLIPS module from package 'openswan-modules-dkms' and Openswan 2.6.28 (klips).<br>
<br>I have managed to pick the right configuration options to make these devices connect to my Linux box. SAs get established successfully, but on the Linux box I get these errors in syslog.conf:<br><br>Apr 7 15:03:45 internet ipsec_setup: Starting Openswan IPsec 2.6.28...<br>
Apr 7 15:03:45 internet ipsec_setup: Using KLIPS/legacy stack<br>Apr 7 15:03:45 internet kernel: [ 933.702700] padlock: VIA PadLock not detected.<br>Apr 7 15:03:45 internet kernel: [ 933.713040] padlock: VIA PadLock Hash Engine not detected.<br>
Apr 7 15:03:45 internet kernel: [ 933.729266] padlock: VIA PadLock not detected.<br>Apr 7 15:03:45 internet ipsec_setup: KLIPS debug `none'<br>Apr 7 15:03:45 internet kernel: [ 933.809834] <br>Apr 7 15:03:45 internet ipsec_setup: KLIPS ipsec0 on ppp0 172.16.224.1/255.255.255.255 pointopoint 10.64.64.64 <br>
Apr 7 15:03:45 internet ipsec_setup: KLIPS ipsec1 on ppp0 172.16.224.1/255.255.255.255 pointopoint 10.64.64.64 <br>Apr 7 15:03:45 internet ipsec_setup: KLIPS ipsec2 on ppp0 172.16.224.1/255.255.255.255 pointopoint 10.64.64.64 <br>
Apr 7 15:03:45 internet ipsec_setup: /usr/lib/ipsec/tncfg: Socket ioctl failed on attach -- No such device. Is the virtual device valid? Is the ipsec module linked into the kernel or loaded as a module?<br>Apr 7 15:03:46 internet ipsec_setup: SIOCSIFADDR: No such device<br>
Apr 7 15:03:46 internet ipsec_setup: ipsec2: ERROR while getting interface flags: No such device<br>Apr 7 15:03:46 internet ipsec_setup: SIOCSIFDSTADDR: No such device<br>Apr 7 15:03:46 internet ipsec_setup: ipsec2: ERROR while getting interface flags: No such device<br>
Apr 7 15:03:46 internet ipsec_setup: SIOCSIFNETMASK: No such device<br>Apr 7 15:03:46 internet ipsec_setup: KLIPS ipsec3 on ppp0 172.16.224.1/255.255.255.255 pointopoint 10.64.64.64 <br>
Apr 7 15:03:46 internet ipsec_setup: /usr/lib/ipsec/tncfg: Socket ioctl failed on attach -- No such device. Is the virtual device valid? Is the ipsec module linked into the kernel or loaded as a module?<br>Apr 7 15:03:46 internet ipsec_setup: SIOCSIFADDR: No such device<br>
Apr 7 15:03:46 internet ipsec_setup: ipsec3: ERROR while getting interface flags: No such device<br>Apr 7 15:03:46 internet ipsec_setup: SIOCSIFDSTADDR: No such device<br>Apr 7 15:03:46 internet ipsec_setup: ipsec3: ERROR while getting interface flags: No such device<br>
Apr 7 15:03:46 internet ipsec_setup: SIOCSIFNETMASK: No such device<br>Apr 7 15:03:46 internet ipsec_setup: ...Openswan IPsec started<br>Apr 7 15:03:46 internet ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d<br>Apr 7 15:03:46 internet pluto: adjusting ipsec.d to /etc/ipsec.d<br>
Apr 7 15:03:46 internet ipsec__plutorun: 002 added connection description "UPPNG"<br>Apr 7 15:03:46 internet ipsec__plutorun: 002 added connection description "PPPON"<br>Apr 7 15:03:46 internet ipsec__plutorun: 002 added connection description "BPO"<br>
Apr 7 15:03:46 internet ipsec__plutorun: 002 added connection description "UPN230"<br>Apr 7 15:03:46 internet ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T<br>Apr 7 15:03:46 internet ipsec__plutorun: 104 "UPPNG" #1: STATE_MAIN_I1: initiate<br>
Apr 7 15:03:46 internet ipsec__plutorun: 104 "PPPON" #2: STATE_MAIN_I1: initiate<br>Apr 7 15:03:46 internet ipsec__plutorun: 104 "BPO" #3: STATE_MAIN_I1: initiate<br>Apr 7 15:03:46 internet ipsec__plutorun: 104 "UPN230" #4: STATE_MAIN_I1: initiate<br>
<br>I have found a discussion of a similar problem here: <a href="http://tinyurl.com/3u7o5gd" target="_blank">http://tinyurl.com/3u7o5gd</a><br><br>In that discussion an assumption was stated: 'perhaps this is an interfaces="ipsec0=ppp0" and the ppp0 interface is currently not present?'<br>
I have double-checked the presence of the ppp0 interface - it is up and running. I start it manually and check it by reviewing the web interfaces of the remote devices just before starting /etc/init.d/ipsec. So it is not an issue.<br><br>
I have also checked the version of the Openswan userland. Just in case. <br>ipsec --version says:<br>'Linux Openswan 2.6.28 (klips)<br>See `ipsec --copyright' for copyright information.'<br>Seems to fit well.<br><br>
Well in fact the east and west sides get connected. SAs get associated properly. <br>
<br>ipsec auto --status says<br><br>'000 #5: "BPO":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27886s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate<br>000 #5: "BPO" esp.18b3bf6@172.16.224.4 esp.b646d75a@172.16.224.1 tun.1001@172.16.224.4 tun.1002@172.16.224.1 ref=15 refhim=13<br>
000 #3: "BPO":500 STATE_MAIN_I4 (ISAKMP SA established); '<br><br>on each connection.<br><br>But /usr/lib/ipsec/tncfg is complaining and no packets get to destination behind IPSEC tunnels.<br><br>ip xfrm show<br>
shows nothing.<br><br>I am new to IPSEC so my explanations are probably awful. Maybe ipsec barf would explain the symptoms better. It is here:<br><a href="http://pastebin.com/6yLYnr2n" target="_blank">http://pastebin.com/6yLYnr2n</a><br>
You may notice that one of four SAs is not associated. One of remote devices is down, so it's OK.<br><br>I was unable to google any clues on this case. Help would be much appreciated. Thank you in advance.<br><br>WBR <br>