[Openswan Users] Differences in ipsec.conf between openswan 2.3.1 and 2.4.6
Paul Wouters
paul at xelerance.com
Tue Oct 10 23:57:40 EDT 2006
On Wed, 11 Oct 2006, Paul Freeman wrote:
> I am in the process of upgrading my openswan installation from v 2.3.1 (I
> know, it's old:-)) to 2.4.6. I have come across a problem with my
> ipsec.conf file. I have included the file below (hopefully I have not made
> any errors where I have changed names/IP's to protect the innocent).
> conn roadwarrior
>     ikelifetime=8h
>     keylife=3h
>     keyingtries=3
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>     left=%defaultroute
>     leftcert=cert_1.pem
>     right=%any
>     pfs=no
>     auto=add
It's not a good idea to use right=%any and left=%defaultroute. Can you
specify left's IP address instead?
A workaround for your problem might be leftnexthop=yourgwip, but I'm not
sure why it would suddenly break.
> Openswan is running on firewall/gateway which is running a customised
> version of IPCOP, kernel 2.4.31.
And it is not openswan-1?
> Oct 11 13:10:27 firewall pluto[542]: "aaa-laptop-net": cannot route
> template policy of RSASIG+ENCRYPT+DONTREKEY
This looks like a conn was attempted to start with right=%any, and we
cannot connect to "any".
> Oct 11 13:10:29 firewall pluto[542]: "aaa-laptop-net": cannot initiate
> connection without knowing peer IP address (kind=CK_TEMPLATE)
Same here.
Can you try adding an "auto=ignore" into section %default?
Do these errors appear on startup? Or when clients try to connect?
If at startup, do things still work when actual clients connect?
Paul
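As an added illustration (not code from the thread or from Openswan), here is a small checker that parses an ipsec.conf in the shape quoted above, applies conn %default inheritance, and flags conns that combine right=%any with left=%defaultroute, the pairing the reply points at. The sample config, conn name and values are constructed placeholders.

```python
import re

# Constructed ipsec.conf modelled on the one quoted in the thread;
# names and values are placeholders, not the poster's real configuration.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn %default
    auto=ignore

conn roadwarrior
    ikelifetime=8h
    keylife=3h
    keyingtries=3
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute
    leftcert=cert_1.pem
    right=%any
    pfs=no
    auto=add
"""

def parse_ipsec_conf(text):
    """Return {"conn NAME": {key: value}}; conn sections inherit from conn %default."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        header = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if header:                                 # section headers start in column 0
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, val = (part.strip() for part in line.split("=", 1))
        sections[current][key] = val
    defaults = sections.get("conn %default", {})
    is_conn = lambda name: name.startswith("conn ") and name != "conn %default"
    return {name: ({**defaults, **opts} if is_conn(name) else opts)
            for name, opts in sections.items()}

def find_any_defaultroute_conns(sections):
    """Names of conns using right=%any together with left=%defaultroute."""
    return [name.split(" ", 1)[1] for name, opts in sections.items()
            if name.startswith("conn ") and name != "conn %default"
            and opts.get("right") == "%any" and opts.get("left") == "%defaultroute"]
```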