[Openswan Users] Re: Re: openswan net to net configuration

Alain JUPIN ajupin at sigmapole.fr
Wed Mar 8 09:41:39 CET 2006


Paul Wouters wrote:

>On Tue, 7 Mar 2006, Alain JUPIN wrote:
>
>>004 "sigma" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
>>cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
>>117 "sigma" #2: STATE_QUICK_I1: initiate
>>010 "sigma" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
>>010 "sigma" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
>
>This is when the other end concluded the rsa key is wrong (in your earlier email)
>
>>Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: multiple ipsec.secrets
>>entries with distinct secrets match endpoints: first secret used
>
>You have more than one RSA key in there and it is picking the wrong one?
>This happens when you use two entries like ":RSA" where no specific identifier
>is used with the particular rsa key. Easy way is to just have that one key
>in there, and comment out the other. Run 'ipsec secrets' to reread the file.
>
>Paul
>

It's the same thing with only one RSA key in the
/etc/ipsec/ipsec.secrets file.
I tried the two keys but neither works, and the process stops at the same
point with the same errors.

To generate the ipsec.secrets I've done
ipsec newhostkey --output /etc/ipsec/ipsec.secrets on each gateway (so 
the secrets file is different on each gateway)

To generate the ipsec.conf I've done
"ipsec showhostkey --left" on left side to have the leftrsasigkey line,
and
"ipsec showhostkey --right" on right side to have the rightrsasigkey line.
The ipsec.conf file is the same on both sides.

I have some difficulty understanding the following log line:
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #2: ERROR: netlink response 
for Add SA esp.9f5ee79f at 83.206.137.225 included errno 38: Function not 
implemented

Which function is not implemented?

I confirm that ESP and AH transformations are activated in the kernel and
the corresponding module loaded (for your information, my kernel is
2.6.12-gentoo-r6 on right side and 2.6.15-gentoo-r1 on left side) on
each gateway.
OpenSWAN is in version 2.4.4 (gentoo ebuilds) on both sides.


Alain JUPIN
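
The ipsec.secrets condition Paul describes in the quoted reply (two RSA entries with no identifier in front of the colon) can be checked mechanically. The following is an added example, not part of the original thread or of Openswan; the sample file content, the IDs in it and the function names are constructed for illustration, and the parser assumes each entry starts at the left margin with its index list on the same line as the colon.

```python
import re

# Constructed sample ipsec.secrets content (placeholder key material, not real keys).
SAMPLE = """\
# constructed example
: RSA {
    # key generated on gateway A
    Modulus: 0xAAAA
    }
: RSA {
    Modulus: 0xBBBB
    }
@left.example @right.example : RSA {
    Modulus: 0xCCCC
    }
"""

# An entry starts in column 0: optional ID selectors, a colon, then the key type.
# Indented lines (key fields) and '#' comment lines never match.
ENTRY = re.compile(r'^(?=\S)([^#\s].*?)?\s*:\s*(RSA|PSK)\b', re.I)

def rsa_entries(text):
    """Return [(line_number, [id selectors])] for every RSA entry."""
    found = []
    for number, line in enumerate(text.splitlines(), 1):
        match = ENTRY.match(line)
        if match and match.group(2).upper() == "RSA":
            found.append((number, (match.group(1) or "").split()))
    return found

def ambiguous_rsa(text):
    """Line numbers of RSA entries without any ID selector, when there is
    more than one of them: such entries match every pair of endpoints, so
    pluto has to pick one ("first secret used")."""
    bare = [number for number, ids in rsa_entries(text) if not ids]
    return bare if len(bare) > 1 else []

if __name__ == "__main__":
    for number in ambiguous_rsa(SAMPLE):
        print(f"line {number}: RSA entry with no ID selector")
```
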

