[Fwd: RE: [Openswan Users]]

Andy Gay andy at andynet.net
Wed Aug 9 07:24:02 EDT 2006


On Wed, 2006-08-09 at 18:10 +0200, Greg wrote:
> Thanks Andy
> 
> 	Problem with my MTA too :(
> 
> >Did your mail client do this, or does this line really not have any
> > whitespace at the start? Lines within a section must be indented.
> Yes, it's the mail client 
> 
> > Do your logs say the conn was loaded OK?
> No problem, the conn was loaded
> 
> > Does 'ipsec auto --replace roadwarrior-l2tp' work OK?
> No problem
> 
> conn roadwarrior-l2tp
>         left=192.168.0.4
>         leftcert=cert.pem
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/1701
>         rightsubnet=vhost:%no,%priv
>         pfs=no
>         auto=add
> 
> >Can you show us the output from 'ipsec auto --status'?
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 192.168.0.4
> 000 interface eth0/eth0 192.168.0.4
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
> keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "roadwarrior-l2tp": 192.168.0.4[C=FR, ST=FRANCE, L=MERICOURT, O=WEF,
> OU=INFO, CN=TEST, E=root at test.com]:17/1701...%virtual:17/1701===?; unrouted;
> eroute owner: #0

Weird. It has right=?, not %any.
I'm sure that's your problem, but I've no idea what would cause that.
Anyone else seen this?

What version of Openswan is this? (ipsec --version will tell you).

> 000 "roadwarrior-l2tp":     srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "roadwarrior-l2tp":   CAs: 'C=FR, ST=FRANCE, L=MERICOURT, O=WEF,
> OU=INFO, CN=TEST, E=root at test.fr'...'%any'
> 000 "roadwarrior-l2tp":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 1
> 000 "roadwarrior-l2tp":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio:
> 32,32; interface: eth0;
> 000 "roadwarrior-l2tp":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000
> 
> 	
> 
> > -----Original Message-----
> > From: Andy Gay [mailto:andy at andynet.net]
> > Sent: Wednesday, 9 August 2006 17:47
> > To: users at openswan.org
> > Cc: Greg
> > Subject: [Fwd: RE: [Openswan Users]]
> > 
> > Can someone please forward this to Greg. He seems to be ignoring
> > messages from me.
> > 
> > -------- Forwarded Message --------
> > From: Andy Gay <andy at andynet.net>
> > To: Greg <gregory.domagala at aliceadsl.fr>
> > Cc: users at openswan.org
> > Subject: RE: [Openswan Users]
> > Date: Tue, 08 Aug 2006 19:44:24 -0400
> > 
> > On Tue, 2006-08-08 at 23:40 +0200, Greg wrote:
> > 
> > > config setup
> > >       interfaces=%defaultroute
> > >       nat_traversal=yes
> > >
> > >
> > virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/24,%v4:81
> > .1
> > > 27.61.93/32
> > 
> > Did your mail client do this, or does this line really not have any
> > whitespace at the start? Lines within a section must be indented.
> > 
> > > Aug  8 23:17:01 darko pluto[4751]: packet from 90.95.19.131:500: initial
> > > Main Mode message received on 192.168.0.4:500 but no connection has been
> > > authorized
> > 
> > This sounds like the conn didn't load correctly, maybe due to the
> > whitespace issue above.
> > 
> > Do your logs say the conn was loaded OK?
> > Does 'ipsec auto --replace roadwarrior-l2tp' work OK?
> > 
> > Can you show us the output from 'ipsec auto --status'?
> > 
> > 
> > 
> 
> 
> 
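
An added example, not part of the original thread and not Openswan code: a small Python check for the indentation problem raised above ("Lines within a section must be indented"), run over the config as it appears in the thread with the mail quote markers stripped. The function name, messages and the whitelist of column-0 lines (`config setup`, `conn`, `version`, `include`) are assumptions made for this example.

```python
import re

# Lines allowed to start in column 0 (assumed whitelist for this check).
HEADER = re.compile(r"^(config\s+setup|conn\s+\S+|version\s+\S+|include\s+\S+)\s*(#.*)?$")
PARAM = re.compile(r"^[A-Za-z_][\w-]*\s*=")

def lint_ipsec_conf(text):
    """Return (line_no, problem, line) for column-0 lines that are not headers."""
    findings, section = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank lines and comments
        if line[0] in " \t":
            continue                      # indented parameter line
        if HEADER.match(line):
            if line.startswith(("config", "conn")):
                section = " ".join(line.split()[:2])
            continue
        if PARAM.match(line):
            findings.append((n, f"unindented parameter after '{section}'", line))
        else:
            findings.append((n, "unrecognized column-0 text (wrapped line?)", line))
    return findings

# Constructed sample: the thread's config with quote markers removed,
# including the mail-wrapped virtual_private line exactly as it was posted.
SAMPLE = """\
config setup
      interfaces=%defaultroute
      nat_traversal=yes

virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/24,%v4:81
.1
27.61.93/32

conn roadwarrior-l2tp
        left=192.168.0.4
        leftcert=cert.pem
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add
"""

if __name__ == "__main__":
    for n, problem, line in lint_ipsec_conf(SAMPLE):
        print(f"line {n}: {problem}: {line}")
```

Running the same check against the file on disk, rather than the mailed copy, separates a real indentation fault from mail-client wrapping.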


