[Openswan Users] Still lacking a cigar on x.509 OpenSWAN tunnels

geoffrey geoffrey at ticom.com
Sun Apr 10 20:17:43 CEST 2005


Okay, I noticed from the barf in my last posting that the cacert.pem 
file had expired, and so OpenSWAN treated that as a fatal problem. I 
guessed that was a large part of my tunnel establishment problems. It 
seems to be true. I reestablished my PKI setup, reissued my certs all 
around and things seem happier now. I can establish an IPSEC SA and even 
ping the NAT'ed laptop from my OpenSWAN gateway. However, the laptop 
never gets a tunnel setup into the other network; I cannot ping any 
systems beyond the gateway machine. I used the instructions at Nate 
Carlson's website as my guide. I get as far as "ipsec auto --up 
roadwarrior" which is the IPSEC SA that gets established, but then when 
I try "ipsec auto --up roadwarrior-net" I get error messages:

Apr 10 18:57:44 aphasia pluto[10076]: "roadwarrior" #1: ignoring 
informational payload, type INVALID_MESSAGE_ID
Apr 10 18:57:44 aphasia pluto[10076]: "roadwarrior" #1: received and 
ignored informational message
Apr 10 18:58:24 aphasia pluto[10076]: "roadwarrior-net" #4: max number 
of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response 
to our first Quick Mode message: perhaps peer likes no proposal

I can place a barf file on the web if someone is willing to look it over 
and give me some advice. I'm using Gentoo systems running 2.6.10/2.6.11 
kernels with ipsec-tools and OpenSWAN v2.3.0 on both sides. Thanks everyone.

geoffrey
-- 
++++++++++++++++++++++++++

This space intentionally
left non-blank

++++++++++++++++++++++++++


More information about the Users mailing list