[Openswan Users] Tunnel fails to start, but nothing logged....

Matthew Claridge mclaridge at rwa-net.co.uk
Fri Aug 4 07:53:40 EDT 2006

ok, I've got it logging, but then I get really strange results......

/var/log/secure shows:

Aug  4 12:47:24 vpn1 pluto[3116]: | inserting event EVENT_SA_REPLACE, timeout in 28084 seconds for #2
Aug  4 12:47:24 vpn1 pluto[3116]: "amextunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8db87503 <0xf5b66251 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Aug  4 12:47:24 vpn1 pluto[3116]: | modecfg pull: noquirk policy:push
Aug  4 12:47:24 vpn1 pluto[3116]: | phase 1 is done, looking for phase 1 to unpend
Aug  4 12:47:24 vpn1 pluto[3116]: | next event EVENT_PENDING_PHASE2 in 111 seconds

Now, to my understanding, "IPSec SA established" means it thinks it's 
brought the tunnel up successfully.....the remote Cisco logs also show 
the tunnel being established......however, /var/log/messages shows:

Aug  4 12:47:18 vpn1 ipsec__plutorun: 104 "amextunnel" #1: STATE_MAIN_I1: initiate
Aug  4 12:47:18 vpn1 ipsec__plutorun: ...could not start conn "amextunnel"

In addition to that, the route is being set up completely wrongly:   U         0 0          0 

Basically it's setting up a route to the remote network, but through my 
default gateway, NOT through the ipsec interface, or even the ipsec IP 

Anyone have any ideas what's going wrong?


on 03/08/2006 15:18 Andy Gay said the following:

>On Thu, 2006-08-03 at 09:53 +0100, Matthew Claridge wrote:
>>I'm setting up a vpn tunnel to one of our customers' Cisco Pix 
>>firewalls, from a Fedora Core5 system, using OpenSwan-2.4.4-
>>The tunnel is failing to start, but nothing useful is logged:
>Where are you looking for the logs? They should be in /var/log/secure on
>FC systems.
>BTW - you really don't want to set klips/plutodebug=all. You'll get so
>much in your logs that you'll probably never find the important stuff.
>Comment out or remove those debug lines please.
>>     Jul 24 00:12:44 vpn1 ipsec_setup: KLIPS ipsec0 on eth0 
>> broadcast
>>     Jul 24 00:12:44 vpn1 ipsec_setup: ...Openswan IPsec started
>>     Jul 24 00:12:47 vpn1 ipsec__plutorun: 104 "amextunnel" #1: STATE_MAIN_I1: initiate
>>     Jul 24 00:12:47 vpn1 ipsec__plutorun: ...could not start conn 
>>This is my ipsec.conf:
>>config setup
>>        interfaces=%defaultroute
>>        klipsdebug=all
>>        plutodebug=all
>>        nat_traversal=yes
>>conn amextunnel
>>        type=           tunnel
>>        left= 
>>        leftnexthop=
>>        leftsubnet=
>>        right=
>>        rightnexthop=
>>        rightsubnet=
>>        esp=            3des-sha1-96
>>        keyexchange=    ike
>>        pfs=            no
>>        auto=           start
>>The log entries and results are identical whether I use OE or not.
>>Anyone have any ideas what might be going on, where to start looking or 
>>how to get more information out of it?
>>Thanks in advance,

Matthew Claridge
Product Support Engineer
RWA Limited

Tel: 02920 815 054
Email: mclaridge at rwa-net.co.uk
Web: www.rwa-net.co.uk
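
An added example, not part of the original message or of Openswan: a check that parses pluto's "IPsec SA established" line and compares the negotiated `xfrm=` transform with the `esp=` setting of the same conn in ipsec.conf. The sample inputs are constructed from the log line and config quoted above; the mapping between log and config spellings (`3DES_0` to `3des`, `HMAC_MD5` to `md5`) is an assumption of this example.

```python
import re

# Constructed inputs: the SA line from the post rejoined onto one line,
# and the esp= setting from the quoted ipsec.conf.
SAMPLE_LOG = ('Aug  4 12:47:24 vpn1 pluto[3116]: "amextunnel" #2: STATE_QUICK_I2: '
              'sent QI2, IPsec SA established {ESP=>0x8db87503 <0xf5b66251 '
              'xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}\n')
SAMPLE_CONF = "conn amextunnel\n        esp=            3des-sha1-96\n"

SA_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: STATE_QUICK_[IR]2: .*?'
                   r'IPsec SA established \{(?P<attrs>[^}]*)\}')

def _norm(cipher, integ):
    # Assumed normalisation: drop key length and the HMAC_ prefix, lowercase.
    family = re.match(r'3des|[a-z]+', cipher.lower()).group(0)
    return family, integ.lower().replace('hmac_', '')

def negotiated(log_text):
    """Map conn name -> negotiated (cipher, integrity) pair and DPD state."""
    sas = {}
    for m in SA_RE.finditer(log_text):
        attrs = dict(kv.split('=', 1) for kv in m['attrs'].split() if '=' in kv)
        cipher, integ = attrs['xfrm'].split('-', 1)
        sas[m['conn']] = {'xfrm': _norm(cipher, integ), 'dpd': attrs.get('DPD')}
    return sas

def configured(conf_text):
    """Map conn name -> set of (cipher, integrity) pairs listed in esp=."""
    conns, current = {}, None
    for line in conf_text.splitlines():
        words = line.split('#')[0].split()
        if not words:
            continue
        if words[0] in ('conn', 'config'):
            current = words[1] if words[0] == 'conn' and len(words) > 1 else None
        elif current and words[0].startswith('esp='):
            value = ''.join(words)[4:]
            conns[current] = {_norm(*p.split('-')[:2])
                              for p in value.split(',') if '-' in p}
    return conns

def mismatches(log_text, conf_text):
    """Return (conn, negotiated, configured) where the SA is not in the esp= list."""
    conf = configured(conf_text)
    return [(conn, sa['xfrm'], sorted(conf[conn]))
            for conn, sa in negotiated(log_text).items()
            if conn in conf and sa['xfrm'] not in conf[conn]]

if __name__ == '__main__':
    for conn, got, want in mismatches(SAMPLE_LOG, SAMPLE_CONF):
        print(f'{conn}: negotiated {got}, ipsec.conf allows {want}')
```
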
