[Openswan Users] WinXP Behind Nat to Openswan Server Behind NAT

Meron Lavie lavie at netvision.net.il
Mon Jul 17 10:32:43 CEST 2006


Hi Paul,

Not true - I did. I can only assume that the rightsubnet=vhost:%no,%priv
option is causing Pluto to fail shortly after starting via "service ipsec
start".

I also had this problem when I tried the parameter from a 2.4.4 binary RPM,
but assumed it was caused by 2.4.4 not being the latest version - so I
expected this to disappear when using 2.4.5 (built from sources).

BTW - why is "rightsubnet=vhost:%no,%priv" not documented in the ipsec.conf
man page? In fact, rightsubnet doesn't appear at all.

Please find below the output of /var/log/messages:
=======================================================
Jul 17 09:26:56 lavie010 ipsec_setup: ...Openswan IPsec started
Jul 17 09:26:57 lavie010 ipsec_setup: Restarting Openswan IPsec 2.4.5...
Jul 17 09:26:57 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/net/key/af_key.ko 
Jul 17 09:26:57 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/net/ipv4/xfrm4_tunnel.ko 
Jul 17 09:26:57 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko 
Jul 17 09:26:57 lavie010 ipsec_setup: FATAL: Error inserting hw_random
(/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko): No such
device
Jul 17 09:26:57 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko 
Jul 17 09:26:57 lavie010 ipsec_setup: FATAL: Error inserting padlock
(/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko): No such
device
Jul 17 09:26:58 lavie010 ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
line 211: 10237 Aborted                 /usr/local/libexec/ipsec/pluto
--nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
--debug-control --debug-parsing --use-auto --uniqueids --nat_traversal
--virtual_private
%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
Jul 17 09:26:58 lavie010 ipsec__plutorun: 003 ASSERTION FAILED at
connections.c:1382: isanyaddr(&c->spd.that.host_addr)
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 %myid = (none)
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 debug parsing+control
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000  
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=2,
name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=3,
name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=7,
name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=11,
name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=12,
name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=252,
name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=253,
name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=1,
name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=2,
name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=5,
name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr:
id=251, name=(null), keysizemin=0, keysizemax=0
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000  
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE encrypt: id=5,
name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE encrypt: id=7,
name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE hash: id=1,
name=OAKLEY_MD5, hashsize=16
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE hash: id=2,
name=OAKLEY_SHA1, hashsize=20
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=2,
name=OAKLEY_GROUP_MODP1024, bits=1024
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=5,
name=OAKLEY_GROUP_MODP1536, bits=1536
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=14,
name=OAKLEY_GROUP_MODP2048, bits=2048
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=15,
name=OAKLEY_GROUP_MODP3072, bits=3072
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=16,
name=OAKLEY_GROUP_MODP4096, bits=4096
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=17,
name=OAKLEY_GROUP_MODP6144, bits=6144
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=18,
name=OAKLEY_GROUP_MODP8192, bits=8192
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000  
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 stats db_ops.c: {curr_cnt,
total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000  
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":
%any[@myhost.myworkdomain.com]:17/%any...10.0.0.138---10.0.0.1:17/%any;
unrouted; eroute owner: #0
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":
srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":
ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 3
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":   policy:
PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: ; 
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":   newest
ISAKMP SA: #0; newest IPsec SA: #0; 
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000  
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000  
Jul 17 09:26:59 lavie010 ipsec__plutorun: ...could not add conn
"L2TP-PSK-EXTERNAL"
Jul 17 09:26:59 lavie010 ipsec__plutorun: whack: is Pluto running?
connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Jul 17 09:26:59 lavie010 ipsec__plutorun: ...could not add conn
"L2TP-PSK-INTERNAL"
Jul 17 09:26:59 lavie010 ipsec__plutorun: whack: is Pluto running?
connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Jul 17 09:26:59 lavie010 ipsec__plutorun: !pluto failure!:  exited with
error status 134 (signal 6)
Jul 17 09:26:59 lavie010 ipsec__plutorun: restarting IPsec after pause...
Jul 17 09:27:09 lavie010 kernel: NET: Unregistered protocol family 15
Jul 17 09:27:09 lavie010 ipsec_setup: ...Openswan IPsec stopped
Jul 17 09:27:09 lavie010 ipsec_setup: Stopping Openswan IPsec...
Jul 17 09:27:09 lavie010 ipsec_setup: Removing orphaned
/var/run/pluto/pluto.pid:
Jul 17 09:27:09 lavie010 kernel: NET: Registered protocol family 15
Jul 17 09:27:10 lavie010 kernel: padlock: VIA PadLock not detected.
Jul 17 09:27:10 lavie010 ipsec_setup: KLIPS ipsec0 on eth0
10.0.0.1/255.0.0.0 broadcast 10.255.255.255 
Jul 17 09:27:10 lavie010 ipsec_setup: ...Openswan IPsec started
Jul 17 09:27:11 lavie010 ipsec_setup: Restarting Openswan IPsec 2.4.5...
Jul 17 09:27:11 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/net/key/af_key.ko 
Jul 17 09:27:11 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/net/ipv4/xfrm4_tunnel.ko 
Jul 17 09:27:11 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko 
Jul 17 09:27:11 lavie010 ipsec_setup: FATAL: Error inserting hw_random
(/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko): No such
device
Jul 17 09:27:11 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko 
Jul 17 09:27:11 lavie010 ipsec_setup: FATAL: Error inserting padlock
(/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko): No such
device

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Monday, July 17, 2006 7:56 AM
To: Meron Lavie
Cc: users at openswan.org
Subject: RE: [Openswan Users] WinXP Behind Nat to Openswan Server Behind NAT

On Mon, 17 Jul 2006, Meron Lavie wrote:

> Checking that pluto is running                                  [FAILED]
>   whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl"
failed
> (111 Connection refused)

You did not start openswan before running 'ipsec verify'

Paul
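
A small log triage script, added here as an illustration and not part of this thread or of Openswan, that reads syslog entries like the ones quoted above and separates pluto's own abort (the ASSERTION FAILED line and the exit status 134) from the whack "Connection refused" lines that only follow from pluto being gone. The sample entries are copied from the log in this mail, one syslog entry per line; the function names are this example's own.

```python
import re

# Syslog layout of the lines in this thread: "Mon DD HH:MM:SS host program: message".
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ (?P<prog>[^:]+): (?P<msg>.*)$")
ASSERT_RE = re.compile(r"ASSERTION FAILED at (?P<file>[\w./-]+):(?P<line>\d+): (?P<cond>.+)$")
EXIT_RE = re.compile(r"!pluto failure!:\s+exited with error status (?P<status>\d+)(?: \(signal (?P<sig>\d+)\))?")
WHACK_RE = re.compile(r"whack: is Pluto running\?.*\(111 Connection refused\)")
CONN_RE = re.compile(r'\.\.\.could not add conn "(?P<name>[^"]+)"')

def diagnose(log_text):
    d = {"assertions": [], "exits": [], "failed_conns": [], "whack_refusals": 0, "restarts": 0}
    for raw in log_text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m or not m["prog"].startswith("ipsec"):
            continue  # kernel and unrelated daemons are not interesting here
        msg = m["msg"]
        if a := ASSERT_RE.search(msg):        # pluto's own assertion fired: the real error
            d["assertions"].append((a["file"], int(a["line"]), a["cond"]))
        elif e := EXIT_RE.search(msg):        # _plutorun reporting the abort (134 = 128 + SIGABRT)
            d["exits"].append((int(e["status"]), int(e["sig"]) if e["sig"] else None))
        elif c := CONN_RE.search(msg):        # conns whack could not load into the dead pluto
            d["failed_conns"].append(c["name"])
        elif WHACK_RE.search(msg):            # symptom only: nothing listens on pluto.ctl
            d["whack_refusals"] += 1
        elif "restarting IPsec after pause" in msg:
            d["restarts"] += 1                # a crash/restart loop if this keeps repeating
    return d

def root_cause(d):
    # The abort precedes the whack errors, so report it first; "is Pluto running?"
    # with no abort means whack (or ipsec verify) ran before pluto was started at all.
    if d["assertions"]:
        src, line, cond = d["assertions"][0]
        return f"pluto aborted on assertion '{cond}' at {src}:{line}"
    if d["whack_refusals"]:
        return "whack could not reach pluto (pluto not running or not yet started)"
    return "no pluto failure found"

# Sample entries copied from the log quoted in this mail (one syslog entry per line).
SAMPLE_LOG = """\
Jul 17 09:26:58 lavie010 ipsec__plutorun: 003 ASSERTION FAILED at connections.c:1382: isanyaddr(&c->spd.that.host_addr)
Jul 17 09:26:59 lavie010 ipsec__plutorun: ...could not add conn "L2TP-PSK-EXTERNAL"
Jul 17 09:26:59 lavie010 ipsec__plutorun: whack: is Pluto running? connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Jul 17 09:26:59 lavie010 ipsec__plutorun: ...could not add conn "L2TP-PSK-INTERNAL"
Jul 17 09:26:59 lavie010 ipsec__plutorun: whack: is Pluto running? connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Jul 17 09:26:59 lavie010 ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)
Jul 17 09:26:59 lavie010 ipsec__plutorun: restarting IPsec after pause...
Jul 17 09:27:09 lavie010 kernel: NET: Unregistered protocol family 15
"""
```

Run `root_cause(diagnose(open("/var/log/messages").read()))` on the real file to get the same one-line verdict for a live box.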
