[Openswan Users] OpenSwan / Netopia R5100

Paul Wouters paul at xelerance.com
Tue Dec 20 05:27:00 CET 2005


On Tue, 13 Dec 2005, Sumit Khanna wrote:

Sorry for the late response, I have been busy.

Your barf looks mostly fine, but a few things I did notice...

> Version check and ipsec on-path                             	[OK]
> Linux Openswan U2.4.4/K2.6.14-gentoo-r2 (netkey)

You should probably try 2.4.5rc3.

> grep: /etc/ipsec.conf: No such file or directory
> cat: /etc/ipsec.conf: No such file or directory

That is our bug. Not vital, but I made a bug report for it.

>         klipsdebug=all
>         plutodebug=all

Normally I'd hate to see that, as it logs *far* too much, but....

> #> /etc/ipsec/ipsec.conf 44
>
> #< /etc/ipsec/tigertranz.conf 1
> conn tigertranz
>    left=68.60.0.8
>    leftsubnet=192.168.42.0/24
>    leftnexthop=%defaultroute
>    right=66.18.43.61
>    rightsubnet=192.168.12.0/24
>    rightnexthop=%defaultroute
>    keyexchange=ike
>    auto=start
>    authby=secret
>    pfs=yes
>    keylife=28800s
>    ikelifetime=28800s
>    compress=yes
>    esp=3des-md5-96

Can you remove the nexthops? They should not be specified as
%defaultroute. If needed, add a leftnexthop=68.60.0.1 (but leave
out the rightnexthop). Otherwise it looks good.

> + cd /proc/sys/net/ipv4/conf
> + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter tun0/rp_filter
> all/rp_filter:1
> default/rp_filter:1
> eth0/rp_filter:1
> eth1/rp_filter:1
> lo/rp_filter:0
> tun0/rp_filter:1

I recommend disabling all the rp_filter settings through sysctl.conf, especially
since you are using NETKEY.

> Dec 13 09:07:20 [pluto] Warning: empty directory
> Dec 13 09:07:20 [ipsec_setup] ...Openswan IPsec started
> Dec 13 09:07:22 [pluto] added connection description "tigertranz"

So the conn is added.

> Dec 13 09:07:23 [pluto] "tigertranz" #1: initiating Main Mode

And initiated

> Dec 13 09:07:23 [ipsec__plutorun] 104 "tigertranz" #1: STATE_MAIN_I1: initiate
> Dec 13 09:07:23 [ipsec__plutorun] ...could not start conn "tigertranz"

But that I do not understand.

> Dec 13 09:07:28 [pluto] packet from 66.18.43.62:500: initial Main Mode message received on 68.60.0.8:500 but no connection has been authorized

This also suggests the conn is not loaded. What happens when you type:

	ipsec auto --add tigertranz

I got the feeling something is wrong, but that I am not seeing all the logs.

Paul
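Two of the fixes in this reply (turning off rp_filter for every interface via sysctl.conf, and dropping the %defaultroute nexthops from the conn) are mechanical enough to script. The following is an added example and is not part of the thread or of Openswan itself. It works on a constructed copy of /proc/sys/net/ipv4/conf populated with the rp_filter values shown in the barf, never on the live system, and takes the gateway address as a parameter (68.60.0.1 is the value Paul suggests; substitute the real one for the left side).

```sh
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Helpers to (1) find interfaces that still have rp_filter enabled,
# (2) emit the sysctl.conf lines that disable it, and (3) strip the
# %defaultroute nexthop lines from a conn block.

# rp_filter_enabled CONFDIR
#   Prints the name of every interface under CONFDIR whose rp_filter
#   is not 0. CONFDIR is a directory laid out like /proc/sys/net/ipv4/conf.
rp_filter_enabled() {
    confdir=$1
    for f in "$confdir"/*/rp_filter; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        [ "$val" = "0" ] || echo "$iface"
    done
}

# sysctl_disable_rp_filter CONFDIR
#   Prints one "net.ipv4.conf.<iface>.rp_filter = 0" line per interface,
#   suitable for appending to /etc/sysctl.conf.
sysctl_disable_rp_filter() {
    confdir=$1
    for f in "$confdir"/*/rp_filter; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        echo "net.ipv4.conf.$iface.rp_filter = 0"
    done
}

# fix_nexthops CONNFILE LEFTGW
#   Rewrites a conn file to stdout: deletes any rightnexthop= line and
#   replaces leftnexthop=%defaultroute with an explicit gateway (LEFTGW).
fix_nexthops() {
    connfile=$1
    leftgw=$2
    sed -e '/^[[:space:]]*rightnexthop=/d' \
        -e "s/^\([[:space:]]*\)leftnexthop=%defaultroute/\1leftnexthop=$leftgw/" \
        "$connfile"
}

# make_sample_conf
#   Constructed sample: a temp directory mimicking /proc/sys/net/ipv4/conf
#   with the same rp_filter values the barf above reported (lo is 0,
#   everything else is 1). Prints the directory path.
make_sample_conf() {
    d=$(mktemp -d)
    for i in all default eth0 eth1 tun0; do
        mkdir -p "$d/$i"
        echo 1 > "$d/$i/rp_filter"
    done
    mkdir -p "$d/lo"
    echo 0 > "$d/lo/rp_filter"
    echo "$d"
}
```

On a real box you would call `rp_filter_enabled /proc/sys/net/ipv4/conf` to see what is still on, append the output of `sysctl_disable_rp_filter /proc/sys/net/ipv4/conf` to /etc/sysctl.conf, and run `fix_nexthops /etc/ipsec/tigertranz.conf <gateway>` to produce the cleaned conn block before reloading it with `ipsec auto --add`.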
