[Openswan Users]

Brian Candler B.Candler at pobox.com
Fri Apr 7 13:53:11 CEST 2006


On Fri, Apr 07, 2006 at 11:08:34AM +0100, Brian Candler wrote:
>             openswan B
>                 | 172.17.0.193
>                 |
>                 | 172.17.0.145
>              firewall              ^
>              (FreeBSD)             |  NAT
>                 | 10.71.32.14
>                 |
>                 | 10.71.32.1
>             openswan A

Sorry, I think I messed up my Openswan configs here, since it also didn't
work when I downgraded both sides to 2.4.4.

I noticed that on A, `ipsec auto --status` showed

    000 "TEST": 10.71.32.1:17/1701---10.71.32.14...172.17.0.193:17/1701; unrouted; eroute owner: #0

whereas on B, `ipsec auto --status` showed

    000 "TEST": 172.17.0.193:17/1701...%any:17/1701; unrouted; eroute owner: #0

So I put both sides back to 2.4.5, and on B I added the following:

        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
...
        leftsubnet=vhost:%no,%priv

Now `ipsec auto --status` shows:

    000 "TEST": 172.17.0.193:17/1701...%virtual:17/1701===?; unrouted; eroute owner: #0

and I can establish the SA:

root@OpenWrt:~# ipsec auto --verbose --up TEST
...
117 "TEST" #2: STATE_QUICK_I1: initiate
002 "TEST" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "TEST" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x022592bf <0x1b6b28ef xfrm=3DES_0-HMAC_SHA1 NATD=172.17.0.193:4500 DPD=none}

Once I've done this, I can no longer ping 172.17.0.193 from either
172.17.0.145 or 10.71.32.1 (on openswan A, tcpdump ipsec0 shows the pings,
but tcpdump on the external interface doesn't). But if I start an l2tp
session between the two hosts, it works, hooray!

But this hasn't helped me get the Cisco connection working. I tried:

conn L2TP
        authby=secret
        ike=3des-sha
        esp=3des-sha1
        pfs=no
        left=%defaultroute
        leftsubnet=vhost:%no,%priv
        leftprotoport=17/1701
        right=Y.Y.Y.Y
        rightprotoport=17/1701
        type=transport
        auto=add

This gives the error:

Apr  7 12:45:52 (none) daemon.err ipsec__plutorun: 023 virtual IP must only be used with %any and without client
Apr  7 12:45:52 (none) daemon.err ipsec__plutorun: 037 attempt to load incomplete connection
Apr  7 12:45:52 (none) daemon.err ipsec__plutorun: ...could not add conn "L2TP"

However if I change it to 'left=%any' I get

root@OpenWrt:~# ipsec auto --verbose --up L2TP
022 "L2TP": We cannot identify ourselves with either end of this connection.

So I'm still stuck in the position where I can open an L2TP/IPSEC connection
to a Cisco IOS server using 2.4.4, but not 2.4.5 :-(

Regards,

Brian.
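The three `ipsec auto --status` lines quoted in the message above are the key diagnostic in this thread: they show whether each end has a fixed peer, a `%any` wildcard, or a `%virtual` peer whose client subnet is still `===?`. Below is a small parser for that 2.4-era pluto status layout, written as an added example for this archive page (it is not code from the post, from Brian Candler, or from the Openswan project). It assumes the field order `[lsubnet===]left[:proto/port][---lnexthop]...[rnexthop---]right[:proto/port][===rsubnet]; STATE; eroute owner: #N` as seen in the quoted lines, IPv4 addresses only, and the names `parse_status`, `diagnose`, `Endpoint` and `Conn` are this example's own. The sample input is constructed from the lines in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three "ipsec auto --status" lines quoted in the post.
SAMPLE_STATUS = """\
000 "TEST": 10.71.32.1:17/1701---10.71.32.14...172.17.0.193:17/1701; unrouted; eroute owner: #0
000 "TEST": 172.17.0.193:17/1701...%any:17/1701; unrouted; eroute owner: #0
000 "TEST": 172.17.0.193:17/1701...%virtual:17/1701===?; unrouted; eroute owner: #0
"""

# Assumed layout of a pluto 2.4-era connection line (as seen in the post):
#   000 "NAME": [lsubnet===]left[:proto/port][---lnexthop]...[rnexthop---]right[:proto/port][===rsubnet]; STATE; eroute owner: #N
CONN_RE = re.compile(
    r'^000 "(?P<name>[^"]+)": (?P<left>.+?)\.\.\.(?P<right>[^;]+); '
    r'(?P<state>[^;]+); eroute owner: #(?P<owner>\d+)$'
)
# host is an IPv4 address or a pluto placeholder such as %any / %virtual; an
# optional <id> may follow the host. IPv6 literals (colons) are not handled here.
ENDPOINT_RE = re.compile(r'^(?P<host>[^:<]+)(?:<[^>]*>)?(?::(?P<proto>\d+)/(?P<port>\d+))?$')


@dataclass
class Endpoint:
    host: str
    proto: Optional[int] = None
    port: Optional[int] = None
    subnet: Optional[str] = None
    nexthop: Optional[str] = None

    @property
    def is_wildcard(self) -> bool:
        """%any, %virtual, ... are placeholders, not concrete peer addresses."""
        return self.host.startswith('%')


@dataclass
class Conn:
    name: str
    left: Endpoint
    right: Endpoint
    state: str
    eroute_owner: int


def _parse_endpoint(text: str, side: str) -> Endpoint:
    """Split off nexthop ('---') and subnet ('===') in the order pluto prints them."""
    subnet = nexthop = None
    if side == 'left':
        if '---' in text:
            text, nexthop = text.split('---', 1)
        if '===' in text:
            subnet, text = text.split('===', 1)
    else:
        if '---' in text:
            nexthop, text = text.split('---', 1)
        if '===' in text:
            text, subnet = text.split('===', 1)
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError(f'unparseable {side} endpoint: {text!r}')
    return Endpoint(
        host=m['host'],
        proto=int(m['proto']) if m['proto'] else None,
        port=int(m['port']) if m['port'] else None,
        subnet=subnet,
        nexthop=nexthop,
    )


def parse_status(text: str) -> List[Conn]:
    """Return one Conn per connection line; other status lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(
            name=m['name'],
            left=_parse_endpoint(m['left'], 'left'),
            right=_parse_endpoint(m['right'], 'right'),
            state=m['state'].strip(),
            eroute_owner=int(m['owner']),
        ))
    return conns


def diagnose(conn: Conn) -> List[str]:
    """Plain-language observations a practitioner would want from one status line."""
    notes = []
    if conn.right.is_wildcard:
        notes.append(f'peer is {conn.right.host}: this end can only respond, not initiate')
    if conn.right.subnet == '?':
        notes.append('peer client subnet unknown until the peer proposes one')
    if conn.state == 'unrouted' and conn.eroute_owner == 0:
        notes.append('no IPsec SA owns the eroute; traffic is not (yet) protected')
    if conn.left.proto == 17 and conn.left.port == 1701 and conn.right.port == 1701:
        notes.append('UDP/1701 at both ends: L2TP-over-IPsec transport-mode selector')
    return notes


if __name__ == '__main__':
    for c in parse_status(SAMPLE_STATUS):
        print(c.name, c.left.host, '->', c.right.host, c.state)
        for n in diagnose(c):
            print('  -', n)
```

Run it against the output of `ipsec auto --status` piped into it (replace `SAMPLE_STATUS` with `sys.stdin.read()`) to see at a glance which side of a tunnel is a wildcard responder and which can initiate; that is exactly the distinction that separates the two configurations compared in the post.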
