[Openswan Users] OS 2.1.2rc5: cannot identify ourselves with either end of this connection.

Anatoly Ershov age at hotbox.ru
Thu Jun 10 14:04:02 CEST 2004


When establishing a direct conn, everything goes right. The problem 
appears when I (172.16.122.188) am sitting behind natting ISP 
(213.251.198.222 is his public IP) and trying to initiate a host-host 
connection to my security gw (212.12.66.230, same OpenSwan 2.1.2rc5 with 
nat-t enabled). On my client side, I can't explain to ipsec who he is:


ipsec whack --name test1 --host 213.251.198.222 --id 'C=RU, ST=Russian Federation, O=TTC Ostankino, OU=IPSec, CN=phantom.telecenter.ru' --cert /etc/ipsec.d/certs/my --client 172.16.122.188/32 --to --host 212.12.66.230 --ca 'C=RU, ST=Russian Federation, L=Moscow, O=TTC Ostankino, OU=Certificate Authority, CN=TTC Ostankino Root CA/emailAddress=ca at ca.telecenter.ru' --encrypt --tunnel --compress --rsasig --psk
002   loaded host cert file '/etc/ipsec.d/certs/my' (10612 bytes)
002 added connection description "test1"

ipsec whack --status
000 interface ipsec0/ppp0 172.16.122.188
000 interface ipsec0/ppp0 172.16.122.188
000 %myid = C=RU, ST=Russian Federation, O=TTC Ostankino, OU=IPSec, CN=phantom.telecenter.ru
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal
000
000 "test1": 172.16.122.188/32===213.251.198.222[C=RU, ST=Russian Federation, O=TTC Ostankino, OU=IPSec, CN=phantom.telecenter.ru]...212.12.66.230; unrouted; eroute owner: #0
000 "test1":   CAs: 'C=RU, ST=Russian Federation, L=Moscow, O=TTC Ostankino, OU=Certificate Authority, CN=TTC Ostankino Root CA, E=ca at ca.telecenter.ru'...'C=RU, ST=Russian Federation, L=Moscow, O=TTC Ostankino, OU=Certificate Authority, CN=TTC Ostankino Root CA, E=ca at ca.telecenter.ru'
000 "test1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "test1":   policy: PSK+RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: ;
000 "test1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

ipsec whack --initiate --name test1
022 "test1": We cannot identify ourselves with either end of this connection.


===============
Neither local ip (172.16.122.188), nor hostname == CN 
(phantom.telecenter.ru), nor my isp's public ip (213.251.198.222) as a 
value of "myid" would help.


Here is my barf output: http://age.pp.ru/barf.phantom.os2.1.2rc5.bz2
I guess I should upgrade to the release 2.1.2 version? :-)

Sincerely,
Anatoly
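
Added example (not part of the original post and not Openswan code): a small checker that reads `ipsec whack --status` text and reports, per connection, which end's host address is also a local interface address. It assumes pluto orients a connection by that comparison; the function name `orientation` is hypothetical and the sample is the post's own output with wraps rejoined and the CAs line shortened.

```python
import re

# Status lines taken from the post (mail wraps rejoined, CAs line shortened).
STATUS = """\
000 interface ipsec0/ppp0 172.16.122.188
000 interface ipsec0/ppp0 172.16.122.188
000 "test1": 172.16.122.188/32===213.251.198.222[C=RU, ST=Russian Federation, O=TTC Ostankino, OU=IPSec, CN=phantom.telecenter.ru]...212.12.66.230; unrouted; eroute owner: #0
000 "test1":   CAs: 'C=RU, CN=TTC Ostankino Root CA'...'C=RU, CN=TTC Ostankino Root CA'
000 "test1":   policy: PSK+RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: ;
"""

IFACE = re.compile(r'^000 interface \S+ (\S+)\s*$', re.M)
# The topology line has one space after the colon; attribute lines
# (CAs, policy, ...) are indented further and are skipped by \S.
CONN = re.compile(r'^000 "([^"]+)": (\S[^;\n]*);', re.M)


def orientation(status):
    """Return (local_addrs, {conn: [end host addrs that are local]})."""
    local = set(IFACE.findall(status))
    report = {}
    for name, desc in CONN.findall(status):
        desc = re.sub(r'\[[^\]]*\]', '', desc)      # drop [ID] parts
        left, right = desc.split('...', 1)           # the two ends
        # Layout: client===host---nexthop ... nexthop---host===client
        hosts = (left.split('===')[-1].split('---')[0],
                 right.split('===')[0].split('---')[-1])
        report[name] = [h for h in hosts if h in local]
    return local, report


if __name__ == "__main__":
    local, report = orientation(STATUS)
    print("local interface addresses:", sorted(local))
    for name, hits in report.items():
        if hits:
            print(f'"{name}": oriented via {hits[0]}')
        else:
            print(f'"{name}": no end host matches a local interface address')
```

For the status output above it reports that neither 213.251.198.222 nor 212.12.66.230 is an address on ipsec0/ppp0, which is consistent with the empty `interface: ;` field on the policy line.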