[Openswan Users] Can't ping
Paul Wouters
paul at xelerance.com
Mon Jun 6 18:29:28 CEST 2005
On Mon, 6 Jun 2005, simprix wrote:
> I am trying to setup a net-to-net connection. It worked under linux 2.4
> with openswan 1.0.7. I am using gentoo
> When i try to establish the connection with ipsec auto --up mrc-to-hope
> I get this
>
> 104 "mrc-to-hope" #15: STATE_MAIN_I1: initiate
> 106 "mrc-to-hope" #15: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "mrc-to-hope" #15: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "mrc-to-hope" #15: STATE_MAIN_I4: ISAKMP SA established
> 112 "mrc-to-hope" #16: STATE_QUICK_I1: initiate
> 010 "mrc-to-hope" #16: STATE_QUICK_I1: retransmission; will wait 20s for response
Jun 6 10:16:35 gw003 pluto[8526]: "hope-to-mrc" #1: ignoring informational payload, type INVALID_MESSAGE_ID
Jun 6 10:16:35 gw003 pluto[8526]: "hope-to-mrc" #1: received and ignored informational message
Jun 6 10:16:40 gw003 pluto[8526]: "hope-to-mrc" #1: cannot respond to IPsec SA request because no connection is known for 192.168.2.0/24===134.215.193.86[@gw003.cdsoc.org]...134.215.193.94[@gw001.cdsoc.org]===192.168.10.0/24
So something is wrong with the connection definition. Both ends do not agree. Checking your connection:
> Links to ipsec barf for sites
>
> MRC
>
> http://pastebin.ca/13540
>
> HOPE
>
> http://pastebin.ca/13542
conn mrc-to-hope
        left=134.215.193.94
        leftsubnet=192.168.10.0/24
        leftid=@gw001.cdsoc.org
        leftrsasigkey=.....
        leftnexthop=%defaultroute
        right=134.215.193.86
        rightsubnet=192.168.2.0/24
        rightid=@gw003.cdsoc.org
        rightrsasigkey=...
        rightnexthop=%defaultroute
        authby=rsasig
        auto=start

conn hope-to-mrc
        left=134.215.193.86
        leftsubnet=192.168.2.0/24
        leftid=@gw003.cdsoc.org
        leftrsasigkey=....
        leftnexthop=%defaultroute
        right=134.215.193.94
        rightsubnet=192.168.1.0/24
        rightid=@gw001.cdsoc.org
        rightrsasigkey=....
        rightnexthop=%defaultroute
        authby=rsasig
        auto=start
You can see that one end is using 192.168.2.0/24 and the other end is using 192.168.10.0/24.
Also note from the barf:
Two or more interfaces found, checking IP forwarding [FAILED]
You should edit /etc/sysctl.conf and enable forwarding (run sysctl -p once)
Paul
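As an added example (mine, not from the thread or from Openswan), a small Python check that parses both hosts' conn sections from an ipsec.conf fragment, keys each gateway by its address so that left/right being swapped between the two ends does not matter, and reports every id or subnet on which the two definitions disagree. The sample configurations are constructed from the ones quoted above, with the rsasigkey and nexthop lines dropped.

```python
import re

# Constructed sample: both ends' conn definitions as quoted in the thread (keys and nexthops dropped).
MRC_CONF = """conn mrc-to-hope
    left=134.215.193.94
    leftsubnet=192.168.10.0/24
    leftid=@gw001.cdsoc.org
    right=134.215.193.86
    rightsubnet=192.168.2.0/24
    rightid=@gw003.cdsoc.org
"""
HOPE_CONF = """conn hope-to-mrc
    left=134.215.193.86
    leftsubnet=192.168.2.0/24
    leftid=@gw003.cdsoc.org
    right=134.215.193.94
    rightsubnet=192.168.1.0/24
    rightid=@gw001.cdsoc.org
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section in an ipsec.conf fragment."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; blank lines fall through
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def endpoint_view(conn):
    """Map gateway address -> (id, subnet); no subnet means host-to-host, i.e. the gateway's /32."""
    return {conn[s]: (conn.get(s + "id"), conn.get(s + "subnet", conn[s] + "/32"))
            for s in ("left", "right") if s in conn}

def check_agreement(conn_a, conn_b):
    """List every field on which the two ends describe the same tunnel differently."""
    a, b = endpoint_view(conn_a), endpoint_view(conn_b)
    problems = []
    if set(a) != set(b):
        problems.append("gateway addresses differ: %s vs %s" % (sorted(a), sorted(b)))
    for gw in sorted(set(a) & set(b)):  # left/right may be swapped between the two ends
        for field, va, vb in zip(("id", "subnet"), a[gw], b[gw]):
            if va != vb:
                problems.append("%s for %s: %s vs %s" % (field, gw, va, vb))
    return problems
```

Run over the two definitions above, `check_agreement` returns exactly the field the two hosts disagree on; a Quick Mode proposal built from one side's view then matches none of the other side's conns, which is what pluto's "no connection is known" line reports.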