[Openswan Users] Cisco Concentrator Stumped

Paul Wouters paul at xelerance.com
Thu Feb 3 02:25:20 CET 2005


On Wed, 2 Feb 2005, Eaton, Andy wrote:

> 	1.  If I rmmod af_key esp4 ah4 ipcomp, ipsec --version shows I
> am using klips but as soon as I start a tunnel or delete a tunnel
> I go directly back to netkey.  Documentation says it is unstable in
> everything before 2.6.9.

Comment out this line in /usr/local/lib/ipsec/_realsetup:

lsmod 2>&1 | grep "^ipsec" > /dev/null && rmmod ipsec

I think the next version of openswan will no longer remove any modules upon
stopping, since this is giving us too many problems, and the implicit
switch back to netkey because klips got unloaded.

> 	2.  No matter what I set the debug levels to in ipsec.conf, I
> never get any logs in messages or syslog
> or anywhere else.

Check your syslogd.conf then. All messages are logged through syslog
unless explicitly set different in ipsec.conf.

> Debian-Gateway:/# ipsec auto --delete conc
> 003 "conc" #1: ASSERTION FAILED at state.c:308: st->st_suspended_md->st
> == st

Can you provide us with a gdb backtrace of this? Add dumpdir=/tmp to
config setup in ipsec.conf to allow core dumps.
Is this happening with 2.3.0?

> conn conc
>        left=24.107.189.229
>        leftsubnet=192.168.5.0/24
>        leftnexthop=24.107.176.1
>        leftid=@24.107.189.229

Do you have this @ip at the other end too? Normally you specify either the
IP address, a host name, or a literal string. The latter has the "@" prefix.
So "@ipaddress" is rather unusual. But if that is the case for the core,
then I'd love to hear that.

> I will say that if I change leftid to something other than what the
> concentrator has for this connection it will complain that
> there is no peer group for the session.  Otherwise, I don't see any logs
> there at all.

I think you want to configure xauthclient and xauthserver and add the
net group psk in /etc/ipsec.secrets. See README.xauthclient

> I would have thought this was going to be a little more straight forward
> but maybe not.

xauth support, especially to cisco and their proprietary ike extensions is
always interesting :)

Paul
-- 

"At best it is a theory, at worst a fantasy" -- Michael Crichton
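An added example, not from this thread, of the xauth-client layout Paul points to, reusing the connection's left side from the posted config, with a placeholder concentrator address, group name and secret; the option names are those of the Openswan ipsec.conf manual page, and aggrmode is assumed to be available in the release in use.

```conf
# /etc/ipsec.conf -- added example, not from the thread; the right-side
# address, group name and secret are constructed placeholders
config setup
        interfaces=%defaultroute
        plutodebug=control          # pluto logs through syslog unless told otherwise
        dumpdir=/tmp                # allow core dumps for a backtrace of the assertion

conn conc
        left=24.107.189.229
        leftsubnet=192.168.5.0/24
        leftnexthop=24.107.176.1
        leftid=@GROUPNAME           # the Cisco group name as a literal "@" id, not @ipaddress
        leftxauthclient=yes         # this side supplies the XAUTH username and password
        right=203.0.113.1           # placeholder: the concentrator's public address
        rightid=203.0.113.1
        rightsubnet=0.0.0.0/0
        rightxauthserver=yes        # the concentrator authenticates the user
        aggrmode=yes                # Cisco group PSK exchanges use aggressive mode
        authby=secret
        auto=add

# /etc/ipsec.secrets -- the group PSK, indexed by the @GROUPNAME id and the peer address
# @GROUPNAME 203.0.113.1 : PSK "placeholder-group-secret"
```

With this in place `ipsec auto --up conc` prompts for the XAUTH username and password, and a mismatched group name shows up as the "no peer group" complaint from the concentrator rather than as silence.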


