[Openswan Users] openswan startup and version interoperability

Andy Gay andy at andynet.net
Mon Jul 24 03:06:44 CEST 2006


On Sun, 2006-07-23 at 22:53 -0700, Brian Sheets wrote:
> What level of debug to get the info I need to troubleshoot?

None. Debug is for developers looking for bugs in the code. It fills
your logs with huge amounts of stuff that's not relevant. Slows
everything to a crawl as well. If your problems are bad enough the
developers may ask you to enable some debugging, but I've never seen
that happen.
Turning debug off does NOT stop normal logging of connection events.

> 
> Brian
> 
> -----Original Message-----
> From: Andy Gay [mailto:andy at andynet.net] 
> Sent: Sunday, July 23, 2006 7:29 PM
> To: Brian Sheets
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] openswan startup and version interoperability
> 
> On Sun, 2006-07-23 at 18:09 -0700, Brian Sheets wrote:
> >  Debian linux, kernel vmlinuz-2.6.15-1-686, openswan version 1:2.4.5+dfsg-0.2
> >  
> >  Trying to connect to openswan 2.2.0
> >  
> >  Config on both sides
> >  
> >  version 2.0     # conforms to second version of ipsec.conf specification
> >  
> >  config setup
> >          plutodebug=all
> 
> Bad idea. Comment this out please.
> 
> >          interfaces=%defaultroute
> >  
> > 
> >          virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24
> >  
> >  conn net-to-net
> >      left=207.7.xx.xx
> >      leftsubnet=10.1.0.0/16
> >      leftid=@l3-gateway1.xx.net       #
> >      leftrsasigkey=<the really long key>
> >      leftnexthop=%defaultroute      # correct in many situations
> >      right=198.172.xx.xx
> >      rightsubnet=10.200.0.0/16
> >      rightid=@gateway1.xx.net
> >      rightrsasigkey=<the other really long key>
> >      rightnexthop=%defaultroute     # correct in many situations
> >      auto=add                       # authorizes but doesn't start this
> >                                     # connection at startup
> >  # Add connections here
> >  
> >  #Disable Opportunistic Encryption
> >  include /etc/ipsec.d/examples/no_oe.conf
> > 
> >  
> >  startup on the 2.6.15 kernel box gives me
> >  
> >  l3-gateway1:/etc/init.d# sh ./ipsec restart
> >  ipsec_setup: Stopping Openswan IPsec...
> >  ipsec_setup: Starting Openswan IPsec 2.4.5...
> >  ipsec_setup: insmod /lib/modules/2.6.15-1-686/kernel/net/key/af_key.ko
> >  ipsec_setup: insmod /lib/modules/2.6.15-1-686/kernel/net/ipv4/xfrm4_tunnel.ko
> >  ipsec_setup: insmod /lib/modules/2.6.15-1-686/kernel/net/xfrm/xfrm_user.ko
> >  ipsec_setup: insmod /lib/modules/2.6.15-1-686/kernel/drivers/char/hw_random.ko
> >  ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.15-1-686/kernel/drivers/char/hw_random.ko): No such device
> >  ipsec_setup: insmod /lib/modules/2.6.15-1-686/kernel/drivers/crypto/padlock.ko
> >  ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.15-1-686/kernel/drivers/crypto/padlock.ko): No such device
> >  
> >  In addition, ipsec auto --up net-to-net hangs from the command line, but
> >  on the other, openswan 2.2 system, there is an attempt to make a
> >  connection in the logs
> >  
> >  So, my question, are the errors bad?
> No. Just means you don't have a hardware RNG or the padlock device.
> 
> >  What could be causing it to hang?
> No idea. You'll need to post logs. PLEASE turn off plutodebug=all first!
> 
> >  
> >  Thanks
> >  
> >  Brian
> > 