[Openswan Users] Tunnel fails to start, but nothing logged....

Matthew Claridge mclaridge at rwa-net.co.uk
Fri Aug 4 07:53:40 EDT 2006


OK, I've got it logging, but then I get really strange results...

/var/log/secure shows:

Aug  4 12:47:24 vpn1 pluto[3116]: | inserting event EVENT_SA_REPLACE, timeout in 28084 seconds for #2
Aug  4 12:47:24 vpn1 pluto[3116]: "amextunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8db87503 <0xf5b66251 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Aug  4 12:47:24 vpn1 pluto[3116]: | modecfg pull: noquirk policy:push not-client
Aug  4 12:47:24 vpn1 pluto[3116]: | phase 1 is done, looking for phase 1 to unpend
Aug  4 12:47:24 vpn1 pluto[3116]: | next event EVENT_PENDING_PHASE2 in 111 seconds

Now, to my understanding, "IPsec SA established" means it thinks it's 
brought the tunnel up successfully... the remote Cisco logs also show 
the tunnel being established... however, /var/log/messages shows:

Aug  4 12:47:18 vpn1 ipsec__plutorun: 104 "amextunnel" #1: STATE_MAIN_I1: initiate
Aug  4 12:47:18 vpn1 ipsec__plutorun: ...could not start conn "amextunnel"

In addition to that, the route is being set up completely wrongly:

192.168.201.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0

Basically it's setting up a route to the remote network, but through my 
default gateway, NOT through the ipsec interface, or even the ipsec IP 
address...

Anyone have any ideas what's going wrong?

cheers
Matt


On 03/08/2006 15:18 Andy Gay said the following:

>On Thu, 2006-08-03 at 09:53 +0100, Matthew Claridge wrote:
>
>>Hi,
>>
>>I'm setting up a vpn tunnel to one of our customers' Cisco Pix 
>>firewalls, from a Fedora Core5 system, using OpenSwan-2.4.4-1.1.2.1
>>
>>The tunnel is failing to start, but nothing useful is logged:
>>
>
>Where are you looking for the logs? They should be in /var/log/secure on
>FC systems.
>BTW - you really don't want to set klips/plutodebug=all. You'll get so
>much in your logs that you'll probably never find the important stuff.
>Comment out or remove those debug lines please.
>
>>     Jul 24 00:12:44 vpn1 ipsec_setup: KLIPS ipsec0 on eth0 62.189.139.60/255.255.255.0 broadcast 62.189.139.255
>>     Jul 24 00:12:44 vpn1 ipsec_setup: ...Openswan IPsec started
>>     Jul 24 00:12:47 vpn1 ipsec__plutorun: 104 "amextunnel" #1: STATE_MAIN_I1: initiate
>>     Jul 24 00:12:47 vpn1 ipsec__plutorun: ...could not start conn "amextunnel"
>>
>>This is my ipsec.conf:
>>
>>config setup
>>        interfaces=%defaultroute
>>        klipsdebug=all
>>        plutodebug=all
>>        nat_traversal=yes
>>
>>conn amextunnel
>>        type=           tunnel
>>        left=           62.189.139.60
>>        leftnexthop=    62.189.139.5
>>        leftsubnet=     192.168.5.0/24
>>        right=          89.234.17.132
>>        rightnexthop=
>>        rightsubnet=    192.168.201.0/24
>>        esp=            3des-sha1-96
>>        keyexchange=    ike
>>        pfs=            no
>>        auto=           start
>>
>>
>>The log entries and results are identical whether I use OE or not.
>>
>>Anyone have any ideas what might be going on, where to start looking or 
>>how to get more information out of it?
>>
>>Thanks in advance,
>>Matt

-- 
Matthew Claridge
Product Support Engineer
RWA Limited

Tel: 02920 815 054
Email: mclaridge at rwa-net.co.uk
Web: www.rwa-net.co.uk
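The two excerpts in the message above disagree: pluto in /var/log/secure says the IPsec SA for "amextunnel" is established, while the ipsec__plutorun wrapper in /var/log/messages says it could not start the conn. As an added example (not part of this thread, and not Openswan's own tooling), the following Python script parses both logs per connection, pulls out the state transitions, the ESP SPIs and transform, counts the "| " plutodebug noise lines Andy warned about, and flags exactly this contradiction. The sample input is the post's own log lines re-joined onto single lines; the function names and the wording of the findings are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: the log excerpts quoted in the post above,
# with the mail-client line wrapping undone so each record is one line.
SECURE_LOG = """\
Aug  4 12:47:24 vpn1 pluto[3116]: | inserting event EVENT_SA_REPLACE, timeout in 28084 seconds for #2
Aug  4 12:47:24 vpn1 pluto[3116]: "amextunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8db87503 <0xf5b66251 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Aug  4 12:47:24 vpn1 pluto[3116]: | modecfg pull: noquirk policy:push not-client
Aug  4 12:47:24 vpn1 pluto[3116]: | phase 1 is done, looking for phase 1 to unpend
Aug  4 12:47:24 vpn1 pluto[3116]: | next event EVENT_PENDING_PHASE2 in 111 seconds
"""
MESSAGES_LOG = """\
Aug  4 12:47:18 vpn1 ipsec__plutorun: 104 "amextunnel" #1: STATE_MAIN_I1: initiate
Aug  4 12:47:18 vpn1 ipsec__plutorun: ...could not start conn "amextunnel"
"""

# Classic syslog prefix: timestamp, host, program with optional [pid], message.
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$')
# pluto state-transition line, optionally prefixed by a 3-digit whack status code
# (the "104" that _plutorun relays into /var/log/messages).
STATE_RE = re.compile(
    r'^(?:\d{3} )?"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_\w+): (?P<detail>.*)$')
# Phase 2 completion: outbound and inbound ESP SPIs plus the negotiated transform.
ESTAB_RE = re.compile(
    r'IPsec SA established \{ESP=>(?P<out_spi>0x[0-9a-f]+) <(?P<in_spi>0x[0-9a-f]+) xfrm=(?P<xfrm>\S+)')
FAILED_RE = re.compile(r'could not start conn "(?P<conn>[^"]+)"')


def parse_syslog(text):
    """Yield (prog, msg) for each well-formed syslog line; skip anything else."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.group("prog"), m.group("msg")


def analyse(secure_text, messages_text):
    """Merge both logs into a per-connection view.

    Returns {"conns": {conn: {"states": [(sa, state)], "established": [(sa, out, in, xfrm)],
                              "start_failed": bool}},
             "debug_lines": number of "| " plutodebug lines seen}
    """
    conns = defaultdict(lambda: {"states": [], "established": [], "start_failed": False})
    debug_lines = 0
    for prog, msg in list(parse_syslog(secure_text)) + list(parse_syslog(messages_text)):
        if msg.startswith("| "):          # plutodebug chatter, never a state change
            debug_lines += 1
            continue
        sm = STATE_RE.match(msg)
        if sm:
            c = conns[sm.group("conn")]
            c["states"].append((int(sm.group("sa")), sm.group("state")))
            em = ESTAB_RE.search(sm.group("detail"))
            if em:
                c["established"].append((int(sm.group("sa")), em.group("out_spi"),
                                         em.group("in_spi"), em.group("xfrm")))
            continue
        fm = FAILED_RE.search(msg)
        if fm:
            conns[fm.group("conn")]["start_failed"] = True
    return {"conns": dict(conns), "debug_lines": debug_lines}


def findings(summary):
    """Turn the merged view into human-readable observations."""
    out = []
    for conn, c in sorted(summary["conns"].items()):
        done = sorted({sa for sa, *_ in c["established"]})
        if c["start_failed"] and done:
            # The wrapper's failure message and pluto's own success message conflict:
            # the IKE negotiation itself completed, so the wrapper is the thing to look at.
            out.append(f"{conn}: ipsec__plutorun reported 'could not start conn', but pluto "
                       f"logged IPsec SA established for SA #{done}; the negotiation completed, "
                       f"the wrapper's report did not reflect it")
        elif c["start_failed"]:
            out.append(f"{conn}: never reached an established IPsec SA")
    if summary["debug_lines"]:
        out.append(f"{summary['debug_lines']} plutodebug ('| ') lines in the sample; "
                   f"plutodebug/klipsdebug=all will swamp the state lines")
    return out


if __name__ == "__main__":
    for line in findings(analyse(SECURE_LOG, MESSAGES_LOG)):
        print(line)
```

On a live host the same functions can be fed the full contents of /var/log/secure and /var/log/messages; the parser ignores lines that are not syslog-shaped, so unrelated daemons' entries do no harm.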


