[Openswan Users] Openswan IPsec help please

Paul Wouters paul at xelerance.com
Wed Dec 28 18:48:51 CET 2005


On Wed, 28 Dec 2005, Michael Jeffries wrote:

> I am using Linux Openswan U2.3.0/K2.6.9-11.EL on a Centos linux machine.

If this is centos3 (aka RHEL3) then the kernel is just too buggy to use. Use
a newer stock kernel or a centos4 kernel.

> Any little bit of help will be appreciated for me to get this tunnel up, as the system keeps on complaining when I start it up about "ipsec__plutorun: ...could not start conn "tunnelipsec"
>
> my /var/log/messages looks as follows when I start up the service
> Dec 28 17:11:31 bb kernel: NET: Unregistered protocol family 15
> Dec 28 17:11:31 bb ipsec_setup: ...Openswan IPsec stopped
> Dec 28 17:11:31 bb ipsec_setup: Stopping Openswan IPsec...
> Dec 28 17:11:32 bb kernel: NET: Registered protocol family 15
> Dec 28 17:11:32 bb ipsec_setup: KLIPS ipsec0 on eth0 10.3.1.9/255.255.255.0 broadcast 10.3.1.255
> Dec 28 17:11:32 bb ipsec_setup: ...Openswan IPsec started
> Dec 28 17:11:32 bb ipsec_setup: Starting Openswan IPsec 2.3.0...
> Dec 28 17:11:32 bb ipsec_setup: insmod /lib/modules/2.6.9-11.EL/kernel/net/key/af_key.ko
> Dec 28 17:11:32 bb ipsec_setup: insmod /lib/modules/2.6.9-11.EL/kernel/net/ipv4/xfrm4_tunnel.ko
> Dec 28 17:11:33 bb ipsec__plutorun: 104 "tunnelipsec" #1: STATE_MAIN_I1: initiate
> Dec 28 17:11:33 bb ipsec__plutorun: ...could not start conn "tunnelipsec"

It does not say why. Can you run: ipsec auto --add tunnelipsec and ipsec auto --up tunnelipsec
and get a more elaborate error message for us?

> conn tunnelipsec
>          type=tunnel
>         left=10.3.1.9                              # Local ip
>         leftsubnet=10.1.1.0/24	 #Local network
>         leftnexthop=10.3.1.1
>         right=10.100.10.101		#Remote ip address
>         rightsubnet=155.236.47.0/24         # Remote network
>         rightnexthop=10.100.10.1
>         esp=            des-md5-96

Don't use 1des. It is not compiled in by default since it is too weak.
Use 3des or aes instead.

Paul
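
Added example, not part of the original message or of Openswan: a small Python check that reads ipsec.conf-style text and reports any conn whose esp= or ike= proposal asks for single DES, the setting the reply above objects to. The function names, the "tunnelipsec-fixed" conn and its proposals are assumptions made up for the illustration.

```python
import re

# Constructed sample: part of the conn from the post, plus an assumed corrected variant.
SAMPLE_CONF = """\
conn tunnelipsec
        type=tunnel
        left=10.3.1.9                # Local ip
        esp=            des-md5-96

conn tunnelipsec-fixed
        type=tunnel
        esp=3des-md5-96,aes128-sha1
"""

WEAK_CIPHERS = ("des", "1des")  # single DES; "1des" is how the reply spells it


def parse_conns(text):
    """Return {conn_name: {option: value}} for every conn section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif line[0] in " \t" and current is not None and "=" in line:
            key, value = line.split("=", 1)       # tolerates "esp=      des-md5-96"
            current[key.strip()] = value.strip()
        else:
            current = None                        # "config setup" or another section
    return conns


def weak_proposals(text):
    """Return (conn, option, proposal) for each proposal whose cipher is single DES."""
    findings = []
    for name, opts in parse_conns(text).items():
        for key in ("ike", "esp"):
            for proposal in re.split(r"[,\s]+", opts.get(key, "")):
                cipher = proposal.lower().rstrip("!").split("-")[0]
                if cipher in WEAK_CIPHERS:
                    findings.append((name, key, proposal))
    return findings


if __name__ == "__main__":
    for conn, option, proposal in weak_proposals(SAMPLE_CONF):
        print(f'conn "{conn}": {option}={proposal} uses single DES; use 3des or aes')
```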

