[Openswan Users] Thanks for setkey - now I have a new quirk

Ken Bantoft ken at xelerance.com
Fri Apr 16 06:48:56 CEST 2004


On Thu, 15 Apr 2004, Geoffrey wrote:

> Okay, I'm trying to migrate my FreeSWAN 1.99 gateways over to OpenSWAN 
> 2.1.1 with very little luck. My connection file on the gateway looks 
> like this:
> 
> ----- START homeuser.conf -----------------------------------------------
> 
> conn homeuser
>         right=%any
>         rightsubnet=192.168.1.0/24
>         rightid=@home.domain.com
>         rightrsasigkey=<long key data deleted here.>
>         left=<external IP address of gateway here.>
>         leftsubnet=192.168.0.0/24
>         leftid=@gateway.domain.com
>         leftrsasigkey=<long key data deleted here.>
>         authby=rsasig
>         pfs=yes
>         ikelifetime=8h
>         keylife=1h
>         rekey=yes
>         keyingtries=0
>         auto=add
> 
> -------- END homeuser.conf ---------------------------------------------
> 
> I placed all of the connection information to the company FreeSWAN
> gateway in the client machine's ipsec.conf file. However, when I try
> starting ipsec it complains like this:
> 
> ipsec_setup: (/etc/ipsec/ipsec.conf, line 40) parameter is not within a section
> 
> Line 40 is the entry for "right=". The client system's ipsec.conf file
> looks like this:
> 
> --------- START ipsec.conf ---------------------------------------------
> 
> version 2.0     # conforms to second version of ipsec.conf specification
>  
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=all
>         # plutodebug=dns
>         interfaces="ipsec0=d"
>         plutodebug=all
>         myid=@home.domain.com
>         uniqueids=yes
>         #nat_traversal=yes
>  
> # Add connections here.
> conn office
>         left=%defaultroute
>         leftsubnet=192.168.1.0/24
>         leftid=%myid
> #       leftfirewall=yes
> #       lefttrsasigkey=<long key data deleted here.>
>         right=<external IP address of gateway here.>
>         rightsubnet=192.168.0.0/24
>         rightid=@gateway.domain.com
> #       rightrsasigkey=<long key data deleted here.>
>         authby=rsasigkey
>         pfs=yes
>         ikelifetime=8h
>         keylife=1h
>         rekey=yes
>         keyingtries=0
>         auto=start


Remove the #commented lines entirely, or put them all at the bottom of the 
conn.


> 
> --------------- END ipsec.conf -----------------------------------------
> 
> What does that error message mean? I commented out the *rsasigkey
> entries when ipsec complained about not liking them in the same way it
> is complaining here - "parameter is not within a section". The left and
> leftid entries are valid IP address in the wild and hostname
> respectively. The client system fqdn has been inserted in our DNS
> zonefile for forward lookup requests with a valid TXT record holding the
> key. The home user has a gateway running 2.6.5 and OpenSWAN 2.1.1 and
> the gateway machine is running 2.4.x and FreeSWAN 1.99. So, what have I
> done wrong or missed? Thanks for any help, and thanks again to all who
> pointed me to the ipsec-tools package on sourceforge.net.
> 
> geoffrey
> 

-- 
Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson
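
The check below is an added example, not part of the original thread or of Openswan: it flags the first parameter stranded after a section is closed early, which is the situation the "parameter is not within a section" error at `right=` points to. It assumes (the reply does not state this) that the config reader ends a section at an empty line or at any line starting in column 0, `#` comments included; `lint`, `HEADER` and `SAMPLE` are hypothetical names and the sample config is constructed.

```python
import re

# Constructed sample modelled on the client's "conn office" in the thread;
# 192.0.2.1 is a documentation address standing in for the gateway IP.
SAMPLE = """\
version 2.0

config setup
        interfaces="ipsec0=d"
        # indented comment: does not end the section

# Add connections here.
conn office
        left=%defaultroute
        leftid=%myid
#       leftfirewall=yes
        right=192.0.2.1
        rightid=@gateway.domain.com
        auto=start
"""

HEADER = re.compile(r"^(config|conn)\s+\S+")

def lint(text):
    """Return [(param_line, param_name, closing_line)] for the first
    parameter stranded after each section is closed early.

    Assumed rule (not stated on the page): a header starts in column 0,
    parameters and comments inside a section are indented, and an empty
    line or any other column-0 line, '#' comments included, ends it."""
    findings, in_section, closed_at, reported = [], False, None, False
    for no, line in enumerate(text.splitlines(), 1):
        body = line.strip()
        if HEADER.match(line):
            in_section, closed_at, reported = True, None, False
        elif not body or not line[0].isspace():
            if in_section:                 # blank or column-0 line ends it
                in_section, closed_at = False, no
        elif not body.startswith("#") and not in_section and not reported:
            findings.append((no, body.split("=", 1)[0], closed_at))
            reported = True                # later orphans share this cause
    return findings

if __name__ == "__main__":
    for no, name, closed_at in lint(SAMPLE):
        print(f"line {no}: '{name}' is not within a section "
              f"(section ended at line {closed_at})")
```

Indenting the commented line, deleting it, or moving it below `auto=start` all leave the sample with no findings.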



