[Openswan Users] Differences in ipsec.conf between openswan 2.3.1 and 2.4.6
Paul Freeman
paul.freeman at eml.com.au
Tue Oct 10 23:32:28 EDT 2006
Hi
Apologies for the long post.
I am in the process of upgrading my openswan installation from v 2.3.1 (I
know, it's old :-)) to 2.4.6. I have come across a problem with my
ipsec.conf file. I have included the file below (hopefully I have not made
any errors where I have changed names/IPs to protect the innocent).
/etc/ipsec.conf
version 2
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        # Close down old connection when new one using same ID shows up.
        uniqueids=no
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.10.0/24,%v4:!192.168.2.0/24
# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        #compress=yes
        disablearrivalcheck=no
conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
conn AAA-BBB-net
        type=tunnel
        authby=rsasig
        keyingtries=3
        left=ip_of_left_openswan
        leftsubnet=192.168.10.0/24
        leftrsasigkey=%cert
        leftcert=cert_1.pem
        right=ip_of_right_openswan
        rightsubnet=192.168.15.0/24
        rightrsasigkey=%cert
        rightcert=cert_2.pem
        auto=add
conn aaa-laptop-net
        rightcert=cert_3.pem
        leftprotoport=17/1701
        rightprotoport=17/1701
        rekey=no
        type=transport
        also=roadwarrior
conn bbb
        rightcert=cert_4.pem
        leftsubnet=192.168.2.2/32
        rightsubnet=vhost:%no,%priv
        also=roadwarrior
conn bbb-net
        rightcert=cert_4.pem
        rightsubnet=vhost:%no,%priv
        also=roadwarrior
# roadwarrior connection holds the parameters common to other connections.
conn roadwarrior
        ikelifetime=8h
        keylife=3h
        keyingtries=3
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftcert=cert_1.pem
        right=%any
        pfs=no
        auto=add
Notes:
Openswan is running on firewall/gateway which is running a customised
version of IPCOP, kernel 2.4.31.
Connection AAA-BBB-net is a site-to-site openswan vpn connection.
Connection aaa-laptop-net is for a windows xp sp2 l2tp/ipsec nat
roadwarrior connection.
Connections bbb and bbb-net are for a straight ipsec nat connection
(host to host) between a natted w2k3 server box running Marcus
Mueller's ipsec tool
All connections are using X509 certs.
This file works fine with v 2.3.1 but with v 2.4.6 I get lots of errors
such as:
Oct 11 13:10:27 firewall pluto[542]: "aaa-laptop-net": cannot route template policy of RSASIG+ENCRYPT+DONTREKEY
Oct 11 13:10:27 firewall ipsec__plutorun: 025 "aaa-laptop-net": cannot route template policy of RSASIG+ENCRYPT+DONTREKEY
Oct 11 13:10:27 firewall ipsec__plutorun: 025 "aaa-laptop-net": could not route
Oct 11 13:10:27 firewall ipsec__plutorun: ...could not route conn "aaa-laptop-net"
Oct 11 13:10:28 firewall pluto[542]: "bbb-net": cannot route connection without knowing our nexthop
Oct 11 13:10:28 firewall ipsec__plutorun: 025 "bbb-net": cannot route connection without knowing our nexthop
Oct 11 13:10:28 firewall ipsec__plutorun: 025 "bbb-net": could not route
Oct 11 13:10:28 firewall ipsec__plutorun: ...could not route conn "bbb-net"
Oct 11 13:10:28 firewall pluto[542]: "roadwarrior": cannot route template policy of RSASIG+ENCRYPT+TUNNEL
Oct 11 13:10:28 firewall ipsec__plutorun: 025 "roadwarrior": cannot route template policy of RSASIG+ENCRYPT+TUNNEL
Oct 11 13:10:28 firewall ipsec__plutorun: 025 "roadwarrior": could not route
Oct 11 13:10:28 firewall ipsec__plutorun: ...could not route conn "roadwarrior"
Oct 11 13:10:29 firewall pluto[542]: "bbb": cannot route connection without knowing our nexthop
Oct 11 13:10:29 firewall ipsec__plutorun: 025 "bbb": could not route
Oct 11 13:10:29 firewall ipsec__plutorun: ...could not route conn "bbb"
Oct 11 13:10:29 firewall login[646]: ROOT LOGIN on `tty1'
Oct 11 13:10:29 firewall pluto[542]: "aaa-laptop-net": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Oct 11 13:10:29 firewall ipsec__plutorun: 029 "aaa-laptop-net": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Oct 11 13:10:29 firewall ipsec__plutorun: ...could not start conn "aaa-laptop-net"
Oct 11 13:10:29 firewall pluto[542]: "bbb-net": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Oct 11 13:10:29 firewall ipsec__plutorun: 029 "bbb-net": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Oct 11 13:10:29 firewall ipsec__plutorun: ...could not start conn "bbb-net"
Oct 11 13:10:29 firewall pluto[542]: "AAA-BBB-net" #1: initiating Main Mode
Oct 11 13:10:29 firewall ipsec__plutorun: 104 "AAA-BBB-net" #1: STATE_MAIN_I1: initiate
Oct 11 13:10:29 firewall ipsec__plutorun: ...could not start conn "AAA-BBB-net"
Oct 11 13:10:30 firewall pluto[542]: "roadwarrior": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Oct 11 13:10:30 firewall ipsec__plutorun: 029 "roadwarrior": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Oct 11 13:10:30 firewall ipsec__plutorun: ...could not start conn "roadwarrior"
Oct 11 13:10:30 firewall pluto[542]: "bbb": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Oct 11 13:10:30 firewall ipsec__plutorun: 029 "bbb": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Oct 11 13:10:30 firewall ipsec__plutorun: ...could not start conn "bbb"
I seem to recall reading somewhere regarding some differences between the
versions but I cannot remember where and my searches have proved
unsuccessful. I have checked a number of web sites (including the openswan
wiki) and tried a number of variations in the connections but have not been
successful. I am certain the issue is simple but I have not been able to
work it out yet.
I have ordered the Openswan book "Openswan: Building and Integrating
Virtual Private Networks" by Paul Wouters and Ken Bantoft hoping this might
help, but delivery is still a couple of weeks away.
Thanks in advance for any help.
Regards
Paul Freeman
+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++
EML Consulting Services Pty Ltd Telephone: +61 3 9836 1999
417-431 Canterbury Road Facsimile: +61 3 9836 0517
SURREY HILLS, VICTORIA 3127 Email: Paul.Freeman at eml.com.au
+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++
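As an added illustration, not part of the original post and not openswan's own code, the following Python script shows how the also=roadwarrior sections in a file like the one above collapse into effective per-conn settings, and which conns end up as templates (right=%any, or a vhost: rightsubnet) that pluto cannot route or initiate on its own. The ipsec.conf fragment embedded in it is constructed and modelled on the post, with documentation addresses in place of the real ones. It assumes (my reading of ipsec.conf(5), not verified against the 2.4.6 parser) that a parameter set directly in a conn overrides the same parameter inherited through also=, and that conn %default only supplies values that are still unset; the "template" flags are my heuristics, not openswan's logic.

```python
"""Resolve openswan ipsec.conf also= inheritance and flag template conns.

Added illustration only. Assumptions (mine, not from the post or openswan):
  * a parameter set directly in a conn wins over the same one inherited via
    also=, and conn %default fills in whatever is still unset;
  * right=%any or a vhost: rightsubnet marks a conn as a template that needs
    a peer address before pluto can route or initiate it.
"""

# Constructed fragment modelled on the post; 192.0.2.x / 198.51.100.x are
# documentation addresses standing in for the real gateway IPs.
SAMPLE_CONF = """\
conn %default
        keyingtries=3
conn roadwarrior
        authby=rsasig
        left=%defaultroute
        right=%any
        auto=add
conn aaa-laptop-net
        leftprotoport=17/1701
        rightprotoport=17/1701
        type=transport
        also=roadwarrior
conn bbb
        rightsubnet=vhost:%no,%priv
        also=roadwarrior
conn AAA-BBB-net
        left=192.0.2.1
        right=198.51.100.1
        keyingtries=5
        auto=add
"""


def parse_sections(text):
    """Return {conn_name: {key: value, "also": [names]}} for every conn section.

    A line starting at column 0 opens a section; indented key=value lines
    belong to the most recent conn. Non-conn sections (config setup) are
    skipped. also= may appear more than once, so it is kept as a list.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {"also": []}) if kind == "conn" else None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also":
            current["also"].append(value)
        else:
            current[key] = value               # last occurrence wins here
    return sections


def resolve(sections, name, _seen=frozenset()):
    """Compute the effective parameters of one conn.

    Own parameters first, then each also= section (setdefault, so the conn's
    own values are kept), then conn %default. Loops through also= are an error;
    a diamond (two paths to the same section) is fine because _seen is per-path.
    """
    if name in _seen:
        raise ValueError("also= loop through %r" % name)
    own = sections[name]
    effective = {k: v for k, v in own.items() if k != "also"}
    for parent in own["also"]:
        for k, v in resolve(sections, parent, _seen | {name}).items():
            effective.setdefault(k, v)
    for k, v in sections.get("%default", {}).items():
        if k != "also":
            effective.setdefault(k, v)
    return effective


def classify(effective):
    """Heuristic flags for why pluto might refuse to route/initiate a conn."""
    flags = []
    if effective.get("right") == "%any" or effective.get("rightsubnet", "").startswith("vhost:"):
        flags.append("template: peer address unknown until a client connects")
    if effective.get("left") == "%defaultroute":
        flags.append("left=%defaultroute: needs the default route/nexthop resolved")
    return flags


def report(text):
    """Map every conn (except %default) to (effective parameters, flags)."""
    sections = parse_sections(text)
    out = {}
    for name in sections:
        if name == "%default":
            continue
        eff = resolve(sections, name)
        out[name] = (eff, classify(eff))
    return out


if __name__ == "__main__":
    for name, (eff, flags) in report(SAMPLE_CONF).items():
        print("conn %s: auto=%s right=%s" % (name, eff.get("auto"), eff.get("right")))
        for f in flags:
            print("    -", f)
```

Running it on the embedded fragment prints one line per conn with its effective auto= and right= values and, under aaa-laptop-net, bbb and roadwarrior, the two flags that correspond to the "template policy" and "nexthop" messages in the log above; AAA-BBB-net, with concrete addresses on both ends, gets none.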