[Openswan Users] Tunnel fails to start, but nothing logged....

Andy Gay andy at andynet.net
Fri Aug 4 05:32:55 EDT 2006


On Fri, 2006-08-04 at 12:53 +0100, Matthew Claridge wrote:
> ok, I've got it logging, but then I get really strange results......
> 
> /var/log/secure shows:
> 
> Aug  4 12:47:24 vpn1 pluto[3116]: | inserting event EVENT_SA_REPLACE, 
> timeout in 28084 seconds for #2

Hmm. You don't want to turn off plutodebug, eh? :)

> Aug  4 12:47:24 vpn1 pluto[3116]: "amextunnel" #2: STATE_QUICK_I2: sent 
> QI2, IPsec SA established {ESP=>0x8db87503 <0xf5b66251 
> xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> Aug  4 12:47:24 vpn1 pluto[3116]: | modecfg pull: noquirk policy:push 
> not-client
> Aug  4 12:47:24 vpn1 pluto[3116]: | phase 1 is done, looking for phase 1 
> to unpend
> Aug  4 12:47:24 vpn1 pluto[3116]: | next event EVENT_PENDING_PHASE2 in 
> 111 seconds
> 
> Now, to my understanding, "IPSec SA established" means it thinks it's 
> brought the tunnel up successfully.....the remote Cisco logs also show 
> the tunnel being established

Yup

> ......however, /var/log/messages shows:
> 
> Aug  4 12:47:18 vpn1 ipsec__plutorun: 104 "amextunnel" #1: 
> STATE_MAIN_I1: initiate
> Aug  4 12:47:18 vpn1 ipsec__plutorun: ...could not start conn "amextunnel"
> 
That's normal - you always get those after restarting Openswan for conns
with auto=start. I've no idea why, but you can just ignore it.

> In addition to that, the route is being set up completely wrongly:
> 
> 192.168.201.0   0.0.0.0         255.255.255.0   U         0 0          0 
> eth0
> 
That's OK, if you're using netkey. BTW - use 'ip route' to look at your
routing table.

> Basically it's setting up a route to the remote network, but through my 
> default gateway, NOT through the ipsec interface, or even the ipsec IP 
> address...
> 
Oh. Do you have an ipsec0 interface then? So you're using KLIPS?

> Anyone have any ideas what's going wrong?

Actually, this all looks OK. What problem are you actually having?

> 
> cheers
> Matt
> 
> 
> on 03/08/2006 15:18 Andy Gay said the following:
> 
> >On Thu, 2006-08-03 at 09:53 +0100, Matthew Claridge wrote:
> >  
> >
> >>Hi,
> >>
> >>I'm setting up a vpn tunnel to one of our customers' Cisco Pix 
> >>firewalls, from a Fedora Core5 system, using OpenSwan-2.4.4-1.1.2.1
> >>
> >>The tunnel is failing to start, but nothing useful is logged:
> >>    
> >>
> >
> >Where are you looking for the logs? They should be in /var/log/secure on
> >FC systems.
> >BTW - you really don't want to set klips/plutodebug=all. You'll get so
> >much in your logs that you'll probably never find the important stuff.
> >Comment out or remove those debug lines please.
> >
> >  
> >
> >>     Jul 24 00:12:44 vpn1 ipsec_setup: KLIPS ipsec0 on eth0 
> >>62.189.139.60/255.255.255.0 broadcast 62.189.139.255
> >>     Jul 24 00:12:44 vpn1 ipsec_setup: ...Openswan IPsec started
> >>     Jul 24 00:12:47 vpn1 ipsec__plutorun: 104 "amextunnel" #1: 
> >>STATE_MAIN_I1: initiate
> >>     Jul 24 00:12:47 vpn1 ipsec__plutorun: ...could not start conn 
> >>"amextunnel"
> >>
> >>This is my ipsec.conf:
> >>
> >>config setup
> >>        interfaces=%defaultroute
> >>        klipsdebug=all
> >>        plutodebug=all
> >>        nat_traversal=yes
> >>
> >>conn amextunnel
> >>        type=           tunnel
> >>        left=           62.189.139.60
> >>        leftnexthop=    62.189.139.5
> >>        leftsubnet=     192.168.5.0/24
> >>        right=          89.234.17.132
> >>        rightnexthop=
> >>        rightsubnet=    192.168.201.0/24
> >>        esp=            3des-sha1-96
> >>        keyexchange=    ike
> >>        pfs=            no
> >>        auto=           start
> >>
> >>
> >>The log entries and results are identical whether I use OE or not.
> >>
> >>Anyone have any ideas what might be going on, where to start looking or 
> >>how to get more information out of it?
> >>
> >>Thanks in advance,
> >>Matt
> >>_______________________________________________
> >>Users at openswan.org
> >>http://lists.openswan.org/mailman/listinfo/users
> >>Building and Integrating Virtual Private Networks with Openswan: 
> >>http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >>
> >>    
> >>
> >
> >
> >  
> >
> 
> -- 
> Matthew Claridge
> Product Support Engineer
> RWA Limited
> 
> Tel: 02920 815 054
> Email: mclaridge at rwa-net.co.uk
> Web: www.rwa-net.co.uk
> 
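The config and log excerpts quoted in this thread can be checked mechanically. The following script is an added example, not code from the thread or from Openswan: it parses the posted ipsec.conf, flags the klipsdebug/plutodebug=all lines Andy asked to have removed and the empty rightnexthop, and then reads the pluto lines from /var/log/secure and /var/log/messages to show that "could not start conn" is followed by a state #2 that reports "IPsec SA established" with both ESP SPIs. The section/key parsing, the finding messages and the SPI field names (spi_out for the `=>` value, spi_in for the `<` value) are this script's own assumptions.

```python
"""Added example (not from the mailing-list thread or Openswan): check the
ipsec.conf and pluto log lines quoted above.

Assumptions: the sample config and log lines are copied from the thread;
the lint rules and the log classification are this script's own.
"""
import re
from collections import OrderedDict

# ipsec.conf exactly as posted in the thread (config setup + one conn).
SAMPLE_CONF = """\
config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=all
        nat_traversal=yes

conn amextunnel
        type=           tunnel
        left=           62.189.139.60
        leftnexthop=    62.189.139.5
        leftsubnet=     192.168.5.0/24
        right=          89.234.17.132
        rightnexthop=
        rightsubnet=    192.168.201.0/24
        esp=            3des-sha1-96
        keyexchange=    ike
        pfs=            no
        auto=           start
"""

# pluto lines quoted in the thread (/var/log/messages and /var/log/secure).
SAMPLE_LOG = [
    'Aug  4 12:47:18 vpn1 ipsec__plutorun: 104 "amextunnel" #1: STATE_MAIN_I1: initiate',
    'Aug  4 12:47:18 vpn1 ipsec__plutorun: ...could not start conn "amextunnel"',
    'Aug  4 12:47:24 vpn1 pluto[3116]: | inserting event EVENT_SA_REPLACE, timeout in 28084 seconds for #2',
    'Aug  4 12:47:24 vpn1 pluto[3116]: "amextunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8db87503 <0xf5b66251 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}',
]

DEBUG_KEYS = ("klipsdebug", "plutodebug")

# '"conn" #N: STATE_XXX: message' as printed by pluto / _plutorun.
PLUTO_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<num>\d+): (?P<state>STATE_\w+): (?P<msg>.*)')
# ESP SPIs: '=>' is the value pluto prints first, '<' the second (assumed out/in).
SPI_RE = re.compile(r"ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)")
NOSTART_RE = re.compile(r'could not start conn "(?P<conn>[^"]+)"')


def parse_ipsec_conf(text):
    """Split an ipsec.conf into {'setup': {...}, '<conn name>': {...}}.

    Section headers ('config setup', 'conn NAME') start in column 0;
    entries are indented 'key=value' with any whitespace around '='.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header
            _kind, _, name = line.partition(" ")
            current = name.strip()
            sections[current] = OrderedDict()
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def lint_conf(sections):
    """Return (section, key, message) findings for the points raised in the thread."""
    findings = []
    setup = sections.get("setup", {})
    for key in DEBUG_KEYS:
        if setup.get(key) == "all":
            findings.append(("setup", key, "debug=all floods the log; comment it out"))
    for name, conn in sections.items():
        if name == "setup":
            continue
        for key, value in conn.items():
            if key.endswith("nexthop") and value == "":
                findings.append((name, key, "empty value: no next hop given"))
    return findings


def parse_pluto_log(lines):
    """Extract per-connection state events; '| ' lines are plutodebug noise."""
    events = []
    for line in lines:
        if ": | " in line:
            continue
        m = NOSTART_RE.search(line)
        if m:
            events.append({"conn": m.group("conn"), "num": None,
                           "state": "NOT_STARTED", "established": False})
            continue
        m = PLUTO_RE.search(line)
        if not m:
            continue
        ev = {"conn": m.group("conn"), "num": int(m.group("num")),
              "state": m.group("state"),
              "established": "IPsec SA established" in m.group("msg")}
        spi = SPI_RE.search(m.group("msg"))
        if spi:
            ev["spi_out"], ev["spi_in"] = spi.group("out"), spi.group("in")
        events.append(ev)
    return events


def tunnel_status(events):
    """A conn counts as up if any later state reports an established IPsec SA,
    even when an earlier auto=start line said 'could not start conn'."""
    status = {}
    for ev in events:
        status[ev["conn"]] = status.get(ev["conn"], False) or ev["established"]
    return status


if __name__ == "__main__":
    for finding in lint_conf(parse_ipsec_conf(SAMPLE_CONF)):
        print("finding:", finding)
    print("status:", tunnel_status(parse_pluto_log(SAMPLE_LOG)))
```

Run against the posted excerpts it reports the two debug lines and the empty rightnexthop, and marks amextunnel as up because state #2 carries the established SA; that matches Andy's reading that the "could not start conn" line is harmless noise from the auto=start path.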


