[Openswan Users] Differences in ipsec.conf between openswan 2.3.1 and 2.4.6

Paul Freeman paul.freeman at eml.com.au
Wed Oct 11 00:18:17 EDT 2006


Paul
Thanks for the prompt response.  I appreciate it.

My comments are below.

Regards

Paul

+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++
EML Consulting Services Pty Ltd Telephone: +61 3 9836 1999
417-431 Canterbury Road Facsimile: +61 3 9836 0517
SURREY HILLS, VICTORIA 3127 Email: Paul.Freeman at eml.com.au
+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++

>-----Original Message-----
>From: Paul Wouters [mailto:paul at xelerance.com]
>Sent: Wednesday, October 11, 2006 1:58 PM
>To: Paul Freeman
>Cc: users at openswan.org
>Subject: Re: [Openswan Users] Differences in ipsec.conf between openswan
>2.3.1 and 2.4.6
>
>On Wed, 11 Oct 2006, Paul Freeman wrote:
>
>> I am in the process of upgrading my openswan installation from v 2.3.1 (I
>> know, it's old:-)) to 2.4.6.  I have come across a problem with my
>> ipsec.conf file.  I have included the file below (hopefully I have not made
>> any errors where I have changed names/IP's to protect the innocent).
>
>> conn roadwarrior
>> 	ikelifetime=8h
>> 	keylife=3h
>> 	keyingtries=3
>> 	authby=rsasig
>> 	leftrsasigkey=%cert
>> 	rightrsasigkey=%cert
>> 	left=%defaultroute
>> 	leftcert=cert_1.pem
>> 	right=%any
>> 	pfs=no
>> 	auto=add
>
>It's not a good idea to use right=%any and left=%defaultroute. Can you
>specify left's IP address instead?
Yes, I could do that.  I presume this is the IP of the openswan gateway?

>A workaround for your problem might be leftnexthop=yourgwip, but I'm not
>sure why it would suddenly break.
>
>> 	Openswan is running on firewall/gateway which is running a customised
>> 	version of IPCOP, kernel 2.4.31.
>
>And it is not openswan-1 ??
Correct, I have created a custom ipcop install using their source - it uses
openswan 2.3.1.  I have finally found the time to create a new version using
openswan 2.4.6.

>
>> Oct 11 13:10:27 firewall pluto[542]: "aaa-laptop-net": cannot route
>> template policy of RSASIG+ENCRYPT+DONTREKEY
>
>This looks like a conn was attempted to start with right=%any, and we
>cannot connect to "any".
>
>> Oct 11 13:10:29 firewall pluto[542]: "aaa-laptop-net": cannot initiate
>> connection without knowing peer IP address (kind=CK_TEMPLATE)
>
>Same here.
>
>Can you try adding a "auto=ignore" into section %default?
I will try this.

>
>Do these errors appear on startup? Or when clients try to connect?
Errors occur on startup.

>If at startup, do things still work when actual clients connect?
>
Not sure; I have not got to that point yet, as when I saw the errors I decided
I should back-grade to my earlier version since I could not quickly resolve the
issue and this is a "live" gateway used by our external staff.  Unfortunately I
do not have a complete test environment to perform testing in:-(

>Paul
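The two points raised in the exchange above (a template conn with right=%any cannot be initiated or routed, and right=%any should not be paired with left=%defaultroute) can be checked before restarting a live gateway. The following is an added example, not code from this thread or from Openswan: a small ipsec.conf linter that parses the documented section layout ("conn NAME" at column 0, indented key=value lines, "conn %default" supplying inherited defaults), then flags conns that would produce the "cannot route template policy" / "cannot initiate connection without knowing peer IP address" messages. The sample configurations are constructed for this example: the roadwarrior conn copies the one posted above, the contents of the "aaa-laptop-net" conn are invented since the thread does not show it, and 192.0.2.1 is a placeholder gateway address.

```python
"""Lint an Openswan ipsec.conf for road-warrior conns that pluto would try to
initiate. Added example; not code from the mailing-list thread or Openswan.

Assumes the documented ipsec.conf layout: section headers at column 0
("config setup", "conn NAME"), indented key=value lines, and "conn %default"
holding values inherited by every other conn. "also=" includes are not followed.
"""
import re

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with %default merged in at lowest precedence."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m and not raw[0].isspace():  # headers must start at column 0
            kind, name = m.groups()
            current = sections.setdefault((kind, name), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)  # split on the first '=' only
        current[key.strip()] = value.strip()

    defaults = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), kv in sections.items():
        if kind != "conn" or name == "%default":
            continue
        merged = dict(defaults)
        merged.update(kv)  # the conn's own settings override %default
        conns[name] = merged
    return conns


def lint_conns(conns):
    """Return (conn_name, message) findings, sorted by conn name."""
    findings = []
    for name, kv in sorted(conns.items()):
        left = kv.get("left")
        right = kv.get("right")
        auto = kv.get("auto", "ignore")  # documented default when auto= is absent
        # A conn with right=%any is a template; pluto cannot initiate or route it,
        # so auto=start / auto=route will fail at startup.
        if right == "%any" and auto in ("start", "route"):
            findings.append((name, "template conn (right=%%any) with auto=%s: "
                                   "pluto cannot initiate it without a peer IP" % auto))
        # Advice from the thread: do not pair right=%any with left=%defaultroute.
        if right == "%any" and left == "%defaultroute":
            findings.append((name, "right=%any with left=%defaultroute: "
                                   "set left= to the gateway's own IP address"))
    return findings


def lint_text(text):
    """Convenience wrapper: parse then lint."""
    return lint_conns(parse_ipsec_conf(text))


# Constructed sample: the roadwarrior conn from the thread, plus an invented
# %default that sets auto=start and an invented aaa-laptop-net conn inheriting it.
SAMPLE_BAD = """\
config setup
    interfaces=%defaultroute

conn %default
    auto=start

conn roadwarrior
    ikelifetime=8h
    keylife=3h
    keyingtries=3
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute
    leftcert=cert_1.pem
    right=%any
    pfs=no
    auto=add

conn aaa-laptop-net
    left=%defaultroute
    right=%any
    rightid="C=AU, O=Example, CN=aaa-laptop"
"""

# Constructed corrected version: auto=ignore in %default, explicit gateway
# address (192.0.2.1 is a placeholder), and auto=add on every road-warrior conn.
SAMPLE_FIXED = SAMPLE_BAD.replace("auto=start", "auto=ignore") \
                         .replace("left=%defaultroute", "left=192.0.2.1") \
                         .replace('CN=aaa-laptop"', 'CN=aaa-laptop"\n    auto=add')

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BAD), ("after", SAMPLE_FIXED)):
        print(label + ":")
        for conn, msg in lint_text(sample) or [("-", "no findings")]:
            print("  %s: %s" % (conn, msg))
```

Run against the constructed "before" sample the linter reports three findings (two for aaa-laptop-net, which inherits auto=start, and one for roadwarrior's left=%defaultroute); the "after" sample, with auto=ignore in %default and an explicit left= address, reports none.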

