[Openswan Users]
Paul Wouters
paul at xelerance.com
Wed Jan 5 13:46:14 CET 2005
On Wed, 5 Jan 2005, Fabian Aichele wrote:
> I am trying to connect two OpenSwan IPSec gateways (where both gateways
> use a DSL connection with a dynamic IP address) in a gateway-to-gateway
> setup. Both are Debian Linux machines with a patched 2.4.20 kernel and
> OpenSwan 1.0.8rc2 compiled from source.
If you are going to use X.509 openswan-openswan, I strongly recommend
switching to openswan-2. If debian contains the NETKEY ipsec stack, this
will not work on openswan-1.
> - if I bring up the connection from the left gateway, STATE_QUICK_I1
> times out after two retransmissions, and the error message is "No
> acceptable response to our first Quick Mode message: perhaps peer likes
> no proposal"
Normally this means both ends do not agree on what kind of tunnel they
want. Verify your ipsec.conf files.
> - if I bring up the connection from the right gateway, the error message
> "route-host command exited with status 7" (appearing totally three
Try filling in the nexthop= to point to your default gateway ip.
> ipsec.conf on both gateways:
> config setup
> interfaces=%defaultroute
interfaces=%defaultroute seems to work better when the local end is on
the 'left'. Can you try and see what happens if you flip the left/right on
the machine that is 'right' in this file?
> conn %default
> keyingtries=1
> compress=yes
> disablearrivalcheck=no
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> auto=add
I would not put auto= commands in the default section.
> conn meintranet
> left=nexus-hv.homelinux.com
> #left=84.130.70.250
> leftnexthop=%defaultroute
Try changing this to the ip address of your gateway.
> #right=80.138.171.210
> right=me-intranet.homelinux.com
> #rightnexthop=217.5.98.157
> rightcert="/etc/ipsec.d/certs/comstation_ipsec_cert.pem"
> rightid="C=DE, ST=Baden-Wuerttemberg, L=Stuttgart, O=M+E
> Architekten, OU=Buero Stuttgart,
> CN=me-intranet.homelinux.com/emailAddress=root at hilarenhaus.hilaritas.de"
> #rightsubnet=192.168.2.0/25
> x_rightdynamic=yes
> auto=add
Do the same for rightnexthop= here.
In general, determining the nexthop setting to deduce the interface when
using KLIPS seems to work better when the local machine is left= instead
of right=. I am not sure why this is.
Paul
--
"At best it is a theory, at worst a fantasy" -- Michael Crichton
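As an added example (not part of the original thread, and not Openswan's own tooling), the following POSIX shell snippet shows the two changes suggested above in one place: it reads the default gateway out of `ip route show` output so that it can be written into leftnexthop= instead of %defaultroute, and it renders the conn block with auto=add inside the conn section rather than in conn %default. The route table text, the gateway address 84.130.70.1 and the certificate path are constructed for the example; on a real gateway you would pipe the live `ip route show` output into default_gateway instead.

```shell
#!/bin/sh
# Added example, not from the original thread: derive the default-gateway
# address that is suggested for leftnexthop=/rightnexthop= and emit a conn
# block that uses it instead of %defaultroute.

# Extract the gateway IP from `ip route show` text read on stdin, so the
# function can be exercised with a constructed sample as well as live output.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Render a conn block.  Arguments: connname local-host gateway-ip peer-host.
# auto=add is kept in the conn section, not in conn %default.
render_conn() {
    name=$1; local_host=$2; nexthop=$3; peer=$4
    printf 'conn %s\n' "$name"
    printf '    left=%s\n' "$local_host"
    printf '    leftnexthop=%s\n' "$nexthop"
    printf '    leftcert=/etc/ipsec.d/certs/local_cert.pem\n'   # hypothetical path
    printf '    right=%s\n' "$peer"
    printf '    rightrsasigkey=%%cert\n'
    printf '    auto=add\n'
}

# Constructed sample of `ip route show` output (not captured from a real host);
# the gateway 84.130.70.1 is an assumed value for the example.
SAMPLE_ROUTES='192.168.2.0/25 dev eth1  proto kernel  scope link  src 192.168.2.1
default via 84.130.70.1 dev ppp0'

main() {
    gw=$(printf '%s\n' "$SAMPLE_ROUTES" | default_gateway)
    render_conn meintranet nexus-hv.homelinux.com "$gw" me-intranet.homelinux.com
}
# On a live gateway:  ip route show | default_gateway
main
```

Run it on the gateway that is left= in the conn; for the other end, swap the roles so the local machine is left= there too, which matches the observation above that nexthop detection under KLIPS behaves better when the local side is left=.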