[Openswan Users] Not passing the "STATE_QUICK_I1: initiate"
Andy
fs at globalnetit.com
Tue Nov 8 14:58:55 CET 2005
On Tue, 2005-11-08 at 12:45 -0300, Oliver Schulze L. wrote:
> Hi,
> I think there can be a problem with this config.
>
> The Cisco Guy(tm) is telling me that he only allows me to go to 1
> internal host
> and not to the whole internal network. In the Cisco, only host
> 10.1.254.63/32
> is "published" in the ipsec
>
> I, in ipsec.conf, configure his internal network as:
> rightsubnet=10.1.254.0/24
Your policy and his must match exactly. If his access list specifies
10.1.254.63/32, that's what you need to set for your rightsubnet.
Likewise for the internal network your side (leftsubnet).
>
> Another thing, don't know if this matters, but ipsec verify returns:
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan Ucvs2002Mar11_19:19:03/K2.1.2rc3 (klips)
> Checking for IPsec support in kernel [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing [OK]
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
> I'm not using RSA, just a PreSharedSecret, and
> authby=secret
> in ipsec.conf
You don't need an RSA key then.
> Will post more info in a few hours.
>
> Many thanks
> Oliver
>
> Andy wrote:
>
> >To debug it further, you'll need some help from the Cisco end - get the
> >Cisco config and post it here, along with your config, we may be able to
> >help. Also, try to enable debug for ipsec on the Cisco and see what that
> >tells us.
> >
> >
--
Andy <fs at globalnetit.com>
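The policy-matching point Andy makes above is easy to check mechanically before bringing a tunnel up, and a mismatch like the one in this thread (a /24 on the Openswan side against a single /32 host on the Cisco side) is the usual reason a tunnel stalls at Quick Mode. The following script is an added example, not code from the thread or from Openswan: it parses a small ipsec.conf-style fragment and compares leftsubnet/rightsubnet against what the peer's administrator says his crypto ACL covers. The conn name "cisco", the peer address 203.0.113.10 and the local subnet 192.168.1.0/24 are constructed for the example; the 10.1.254.0/24 and 10.1.254.63/32 values are the ones from the thread.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment (not from the thread), using the rightsubnet
# the original poster configured.  Only keys relevant to the policy check appear.
IPSEC_CONF_BEFORE = """\
conn cisco
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=203.0.113.10
    rightsubnet=10.1.254.0/24
    authby=secret
    auto=add
"""

# Same fragment with rightsubnet narrowed to the single host the Cisco side publishes.
IPSEC_CONF_AFTER = IPSEC_CONF_BEFORE.replace(
    "rightsubnet=10.1.254.0/24", "rightsubnet=10.1.254.63/32"
)

# What the Cisco administrator states his access list allows: one internal host.
# The "remote" side (our local subnet) is a constructed value for the example.
PEER_POLICY = {"local": "10.1.254.63/32", "remote": "192.168.1.0/24"}


def parse_conns(text):
    """Parse 'conn NAME' sections of an ipsec.conf-style text into {name: {key: value}}."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        # Indented key=value lines belong to the current conn section.
        if current is not None and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def check_policy(conn, peer):
    """Compare our leftsubnet/rightsubnet with the peer's policy.

    Our rightsubnet must equal the peer's local selector and our leftsubnet
    must equal the peer's remote selector.  Returns a list of mismatch
    descriptions; an empty list means the selectors agree exactly.
    """
    problems = []
    pairs = (("rightsubnet", peer["local"]), ("leftsubnet", peer["remote"]))
    for key, expected in pairs:
        if key not in conn:
            problems.append(f"{key} is not set")
            continue
        ours = ipaddress.ip_network(conn[key], strict=False)
        theirs = ipaddress.ip_network(expected, strict=False)
        if ours != theirs:
            # A wider selector on our side is the classic cause of a Quick Mode failure.
            relation = "wider than" if theirs.subnet_of(ours) else "different from"
            problems.append(f"{key}={ours} is {relation} peer's {theirs}")
    return problems


if __name__ == "__main__":
    for label, text in (("before", IPSEC_CONF_BEFORE), ("after", IPSEC_CONF_AFTER)):
        conn = parse_conns(text)["cisco"]
        problems = check_policy(conn, PEER_POLICY)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as is and the "before" configuration reports that rightsubnet=10.1.254.0/24 is wider than the peer's 10.1.254.63/32, while the "after" configuration passes. The same comparison applies in the other direction: whatever the Cisco access list names as the remote network must be exactly your leftsubnet.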