[Openswan Users] Status of Openswan 2.3.2

Yiannis Mavroukakis yiannis at jaguarfreight.com
Wed Jul 13 10:15:07 CEST 2005


I'm facing a problem setting up OpenSwan 2.3.1. The machine that is
running OpenSwan has two public-facing IPs (one DNAT'ed to a Win2k
server and the other used as the masquerade IP for all other traffic)
and one internal IP.
In the past I've managed to set up OpenSwan successfully and connect
using a host behind NAT to OpenSwan. However, I am trying to replicate
the exact same thing here, but the connection fails. Here is a snip
from the logs.

 
pluto[12768]: "roadwarrior-l2tp"[1] 83.x.x.x #1: responding to Main Mode from unknown peer 83.x.x.x
pluto[12768]: "roadwarrior-l2tp"[1] 83.x.x.x #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[12768]: "roadwarrior-l2tp"[1] 83.x.x.x #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto[12768]: "roadwarrior-l2tp"[1] 83.x.x.x #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[12768]: "roadwarrior-l2tp"[1] 83.x.x.x #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=UK, ST=London, L=London, [snip]
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x #1: deleting connection "roadwarrior-l2tp" instance with peer 83.x.x.x [snip]
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x #1: I am sending my cert
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[12768]: | NAT-T: new mapping 83.x.x.x:500/4500)
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #1: sent MR3, ISAKMP SA established
pluto[12768]: ERROR: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #2: netlink write() of XFRM_MSG_ALLOCSPI message for Get SPI esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #2: responding to Quick Mode
pluto[12768]: ERROR: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #2: netlink write() of XFRM_MSG_UPDSA message for Add SA esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #2: ASSERTION FAILED at demux.c:1799: STATE_IKE_FLOOR <= from_state && from_state <= STATE_IKE_ROOF
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #2: interface eth0/eth0 217.x.x.83
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #2: interface eth0/eth0 217.x.x.83
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #2: interface eth0:0/eth0:0 217.x.x.82
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #2: interface eth0:0/eth0:0 217.x.x.82
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #2: interface eth1/eth1 192.168.5.1
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #2: interface eth1/eth1 192.168.5.1
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #2: interface lo/lo 127.0.0.1
pluto[12768]: "roadwarrior-l2tp"[2] 83.x.x.x:4500 #2: interface lo/lo 127.0.0.1

Much appreciate your help,

Yiannis.

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Paul Wouters
Sent: 13 July 2005 00:50
To: Sandor Geller
Cc: Openswan Users mailing list
Subject: Re: [Openswan Users] Status of Openswan 2.3.2

On Tue, 12 Jul 2005, Sandor Geller wrote:

> Good news! I recently started testing the 2.4.0dr2 version. Is there 
> any chance that the checkv199install rule will be removed from the 
> toplevel Makefile before the final 2.4.0 release? It is annoying that 
> this check is broken and it renames the freshly installed ipsec 
> directory to
> ipsec.v1 so I have to rename it manually.

We want to keep the check in to allow easy upgrade from (super)freeswan
1.9x to openswan-2. The problem seems to be that somewhere 'make
install' is called twice, so we all end up with two sets of "old" and
new binaries.

I made a bug entry for this on bugs.openswan.org.

Paul
-- 

   "I am not even supposed to be here today!"  -- Clerk