[Openswan Users] KIPS broken, NETKEY works
Turbo Fredriksson
turbo at bayour.com
Sun Nov 5 17:51:16 EST 2006
Quoting Paul Wouters <paul at xelerance.com>:
> On Sat, 4 Nov 2006, Turbo Fredriksson wrote:
>
>> >> I also noticed that my Internet connection didn't
>> >> work any more (i.e., I couldn't "surf the web").
>> >> Doing a trace to any IP on the Internet stops
>> >> at workfw VLAN IP (ppp0:192.168.100.254).
>> >
>> > include /etc/ipsec.d/examples/no_oe.conf
>>
>> It IS included... Or do you mean that's the problem?
>> No, without it it doesn't work at all. The link comes
>> up, but I can't ping the other end of the VPN link.
>>
>> ----- s n i p -----
>> Nov 4 11:42:16 workfw pluto[2750]: ignoring duplicate netlink acquire event for <WORKFW_IP> to 128.8.10.90
>> Nov 4 11:42:17 workfw pluto[2750]: Can not opportunistically initiate for 192.168.1.2 to 192.12.94.30: KEY record for hostname as %myid (no good TXT): failure querying DNS for KEY of workfw.: Host name lookup failure
>
> This shows an opportunistic attempt. It also shows a netlink acquire. So you ARE
> running NETKEY with opportunistic encryption enabled. So the include is not
> working or not there or you added it without restarting?
ipsec barf:
----- s n i p -----
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
version 2.0
config setup
interfaces=%defaultroute
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
#plutodebug="control parsing"
#klipsdebug=""
conn %default
keyingtries=1
# Windows doesn't support compress, although there
# is rumors of a reghack that MIGHT solve this
# - Is not applicable to Win2k+
#compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
pfs=no
conn roadwarrior
left=%defaultroute
leftcert=gudrun.prisma-ob.com.pem
leftrsasigkey=%cert
right=%any
rightca=%same
rightrsasigkey=%cert
rightsubnet=vhost:%no,%priv
auto=add
conn roadwarrior-net
leftsubnet=192.168.1.0/24
also=roadwarrior
conn roadwarrior-all
leftsubnet=0.0.0.0/0
also=roadwarrior
# Make sure that SP2 is installed on XP
# and/or Q818043 update on Win 2000 and XP pre-SP2.
conn roadwarrior-l2tp
type=transport
left=%defaultroute
leftcert=gudrun.prisma-ob.com.pem
leftprotoport=17/1701
right=%any
rightca=%same
rightrsasigkey=%cert
rightprotoport=17/%any
#rightsubnet=vhost:%no,%priv
rightsubnet=vhost:%priv,%no
rekey=no
auto=add
# Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 58
----- s n i p -----
So it IS included (and has been all along) and it's read.
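The question in this thread is whether the include of no_oe.conf actually took effect, i.e. whether the six Opportunistic Encryption policy-group conns (block, private, private-or-clear, clear-or-private, clear, packetdefault) end up with auto=ignore. The following is an added example, not code from this thread or from Openswan: a small Python checker that parses an ipsec.conf-style file, expands `include` lines from an in-memory file map (a stand-in for the filesystem), resolves `also=` and `conn %default`, and reports the effective auto= value of each OE conn. The sample files are constructed from the configuration posted above and trimmed; the parser is simplified (it ignores indentation rules and treats `#` anywhere as the start of a comment), which also lets it read the `#<`/`#>` markers in `ipsec barf` output as comments.

```python
"""Check an Openswan-style ipsec.conf for whether the Opportunistic Encryption
(OE) policy-group conns are disabled (auto=ignore). Added example; the parser
is a simplification of Openswan's own include/also handling."""
import fnmatch
import re
import textwrap

# The conns that no_oe.conf sets to auto=ignore.
OE_CONNS = ("block", "private", "private-or-clear", "clear-or-private",
            "clear", "packetdefault")

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)$")
INCLUDE_RE = re.compile(r"^include\s+(\S+)$")


def parse_ipsec_conf(path, files, seen=frozenset()):
    """Return {section: {key: value}} for `path`, expanding `include` lines.

    `files` maps paths to contents; an include pattern is glob-matched against
    its keys (a missing include simply matches nothing, as a warning would in
    Openswan). Include loops raise instead of recursing forever."""
    if path in seen:
        raise ValueError(f"include loop at {path}")
    seen = seen | {path}
    sections, current = {}, None
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        if not line or line.startswith("version"):
            continue
        if m := SECTION_RE.match(line):
            current = f"{m.group(1)} {m.group(2)}"
            sections.setdefault(current, {})
            continue
        if m := INCLUDE_RE.match(line):
            for other in sorted(files):
                if fnmatch.fnmatch(other, m.group(1)):
                    for sec, kv in parse_ipsec_conf(other, files, seen).items():
                        sections.setdefault(sec, {}).update(kv)
            current = None
            continue
        if current is None:
            raise ValueError(f"{path}: key outside any section: {line}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections, name, seen=frozenset()):
    """Merge `conn %default`, any `also=` conns and the conn's own keys (own keys win)."""
    key = f"conn {name}"
    if key not in sections:
        raise KeyError(f"{key} is not defined")
    if name in seen:
        raise ValueError(f"also= loop at {name}")
    own = dict(sections[key])
    merged = dict(sections.get("conn %default", {}))
    for ref in own.pop("also", "").split(","):
        if ref.strip():
            merged.update(effective_conn(sections, ref.strip(), seen | {name}))
    merged.update(own)
    return merged


def oe_status(sections):
    """Effective auto= per OE conn; 'missing' when the conn is not defined at all."""
    return {c: (effective_conn(sections, c).get("auto", "unset")
                if f"conn {c}" in sections else "missing") for c in OE_CONNS}


def oe_disabled(sections):
    """True only when every OE policy-group conn is explicitly auto=ignore."""
    return all(v == "ignore" for v in oe_status(sections).values())


# Constructed sample files, trimmed from the configuration posted in the thread.
SAMPLE_FILES = {
    "/etc/ipsec.conf": textwrap.dedent("""\
        version 2.0
        config setup
            interfaces=%defaultroute
            nat_traversal=yes
        conn %default
            keyingtries=1
            authby=rsasig
            pfs=no
        conn roadwarrior
            left=%defaultroute
            right=%any
            rightsubnet=vhost:%no,%priv
            auto=add
        conn roadwarrior-net
            leftsubnet=192.168.1.0/24
            also=roadwarrior
        # Disable Opportunistic Encryption
        include /etc/ipsec.d/examples/no_oe.conf
        """),
    "/etc/ipsec.d/examples/no_oe.conf": textwrap.dedent("""\
        # 'include' this file to disable Opportunistic Encryption.
        conn block
            auto=ignore
        conn private
            auto=ignore
        conn private-or-clear
            auto=ignore
        conn clear-or-private
            auto=ignore
        conn clear
            auto=ignore
        conn packetdefault
            auto=ignore
        """),
}
# Same config with the include line dropped: the OE conns are then never defined.
NO_INCLUDE_FILES = {"/etc/ipsec.conf": SAMPLE_FILES["/etc/ipsec.conf"].replace(
    "include /etc/ipsec.d/examples/no_oe.conf\n", "")}

if __name__ == "__main__":
    for label, files in (("with include", SAMPLE_FILES), ("without include", NO_INCLUDE_FILES)):
        secs = parse_ipsec_conf("/etc/ipsec.conf", files)
        print(label, "-> OE disabled:", oe_disabled(secs), oe_status(secs))
```

Running the script reports `OE disabled: True` for the config that includes no_oe.conf and `False` (every OE conn reported as `missing`) for the copy without it. The same check can be pointed at the expanded section of an `ipsec barf` dump, since the `#<` and `#>` markers are stripped as comments.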