[Openswan Users]

Brian Sheets brians at fl240.com
Tue Aug 8 14:36:01 EDT 2006


It's at 1300 right now, would the MTU problems cause the packets to get
routed out the default gateway just like any other packet? 

v-monitor1:~# ping 192.168.21.11
PING 192.168.21.11 (192.168.21.11) 56(84) bytes of data.
From 130.94.88.145 icmp_seq=1 Destination Net Unreachable
From 130.94.88.145 icmp_seq=2 Destination Net Unreachable

>You still have MTU issues I think. Try lowering the MTU on the machine
>you did NOT upgrade. Or try switching /proc/sys/net/ipv4/ip_no_pmtu_disc

>MTU's are handled differently between KLIPS and NETKEY. Did you just
>upgrade from 2.6.8 NETKEY to 2.6.16 NETKEY, or did you go from KLIPS
>to NETKEY?

I did, still running NETKEY, we are working on getting KLIPS going.

> I'm getting these errors in the daemon.log
>
> Aug  9 00:06:38 gateway1 ipsec__plutorun: 104 "netscreen-office" #1: STATE_MAIN_I1: initiate
> Aug  9 00:06:38 gateway1 ipsec__plutorun: ...could not start conn "netscreen-office"
>
> But I can't find a reason why.

>Run ipsec auto --add netscreen-office and it will tell you the error.

I changed the auto=start to auto=add and the messages went away. No
error messages now, bringing the VPN up by hand:

gateway1:/etc/init.d# ipsec auto --up netscreen-office
104 "netscreen-office" #1: STATE_MAIN_I1: initiate
003 "netscreen-office" #1: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]
003 "netscreen-office" #1: received Vendor ID payload [Dead Peer Detection]
003 "netscreen-office" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
106 "netscreen-office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "netscreen-office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "netscreen-office" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
117 "netscreen-office" #2: STATE_QUICK_I1: initiate
004 "netscreen-office" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x224dd0fa <0xd15c52b4 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
