[Openswan Users] Still lacking a cigar on x.509 OpenSWAN tunnels
geoffrey
geoffrey at ticom.com
Sun Apr 10 20:17:43 CEST 2005
Okay, I noticed from the barf in my last posting that the cacert.pem
file had expired, and so OpenSWAN treated that as a fatal problem. I
guessed that was a large part of my tunnel establishment problems. It
seems to be true. I reestablished my PKI setup, reissued my certs all
around and things seem happier now. I can establish an IPSEC SA and even
ping the NAT'ed laptop from my OpenSWAN gateway. However, the laptop
never gets a tunnel setup into the other network; I cannot ping any
systems beyond the gateway machine. I used the instructions at Nate
Carlson's website as my guide. I get as far as "ipsec auto --up
roadwarrior" which is the IPSEC SA that gets established, but then when
I try "ipsec auto --up roadwarrior-net" I get error messages:
Apr 10 18:57:44 aphasia pluto[10076]: "roadwarrior" #1: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 10 18:57:44 aphasia pluto[10076]: "roadwarrior" #1: received and ignored informational message
Apr 10 18:58:24 aphasia pluto[10076]: "roadwarrior-net" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
I can place a barf file on the web if someone is willing to look it over
and give me some advice. I'm using Gentoo systems running 2.6.10/2.6.11
kernels with ipsec-tools and OpenSWAN v2.3.0 on both sides. Thanks everyone.
geoffrey
--
++++++++++++++++++++++++++
This space intentionally
left non-blank
++++++++++++++++++++++++++
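An added example (my own code, not from the post or from Openswan) that parses pluto log lines of the shape quoted above and separates a Phase 1 (ISAKMP SA, STATE_MAIN_*) stall from a Phase 2 (IPsec SA, STATE_QUICK_*) stall, which is the distinction behind "roadwarrior" coming up while "roadwarrior-net" does not. It generalises past the two messages in the post to any retransmission-limit message; the sample lines are the post's own, rejoined onto single lines.

```python
import re
from collections import defaultdict

# Shape of an Openswan 2.x pluto syslog line:
#   <Mon> <day> <hh:mm:ss> <host> pluto[<pid>]: "<conn>" #<state-no>: <message>
PLUTO_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'pluto\[(?P<pid>\d+)\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')

# The state named in "max number of retransmissions (N) reached STATE_..." says which
# IKE phase stalled: STATE_MAIN_* is Phase 1 (ISAKMP SA), STATE_QUICK_* is Phase 2
# (the IPsec SA, i.e. the Quick Mode proposal and the subnets it covers).
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')

# Constructed sample: the three lines quoted in the post, each rejoined onto one line.
SAMPLE_LOG = """\
Apr 10 18:57:44 aphasia pluto[10076]: "roadwarrior" #1: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 10 18:57:44 aphasia pluto[10076]: "roadwarrior" #1: received and ignored informational message
Apr 10 18:58:24 aphasia pluto[10076]: "roadwarrior-net" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

def parse_pluto(text):
    """Return one dict per line in pluto format; lines that do not match are skipped."""
    return [m.groupdict() for m in map(PLUTO_RE.match, text.splitlines()) if m]

def classify(msg):
    """Map one pluto message to a short finding, or None if it is not a failure we recognise."""
    m = RETRANS_RE.search(msg)
    if m:
        count, state = m.groups()
        if state.startswith("STATE_MAIN_"):
            return f"phase1-timeout: {count} retransmissions in {state}; peer did not complete the ISAKMP SA"
        if state.startswith("STATE_QUICK_"):
            return (f"phase2-timeout: {count} retransmissions in {state}; peer never accepted the "
                    f"Quick Mode proposal (compare the IPsec proposal and subnets on both ends)")
        return f"timeout: {count} retransmissions in {state}"
    if "INVALID_MESSAGE_ID" in msg:
        return "notify: peer sent INVALID_MESSAGE_ID, which pluto ignored"
    return None

def diagnose(text):
    """Group findings by connection name so each conn's failures read together."""
    findings = defaultdict(list)
    for ev in parse_pluto(text):
        finding = classify(ev["msg"])
        if finding:
            findings[ev["conn"]].append(f"#{ev['state']} {finding}")
    return dict(findings)

if __name__ == "__main__":
    for conn, items in diagnose(SAMPLE_LOG).items():
        print(conn, *items, sep="\n  ")
```

Feed it the pluto portion of a barf or syslog; a conn with only Phase 2 timeouts while its parent conn shows none is the same pattern as the one in the post.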