[Openswan Users] Differences in ipsec.conf between openswan2.3.1 and 2.4.6

Paul Freeman paul.freeman at eml.com.au
Thu Oct 12 23:32:17 EDT 2006


Update,
Apologies for replying to my own email.

I changed the left directive in the roadwarrior conn and also changed all
auto=start directives to auto=add as these are connections that are not
always up so it does not really make sense to start them.

The errors which I reported during pluto startup have now stopped.  I believe
the key factor was changing to auto=add.

Openswan v 2.3.1 did not give the errors v 2.4.6 does in this scenario.
Perhaps it should have.

All appears to be working OK now.

Thanks

Paul
+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++
EML Consulting Services Pty Ltd Telephone: +61 3 9836 1999
417-431 Canterbury Road Facsimile: +61 3 9836 0517
SURREY HILLS, VICTORIA 3127 Email: Paul.Freeman at eml.com.au
+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++

>-----Original Message-----
>From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
>Behalf Of Paul Freeman
>Sent: Wednesday, October 11, 2006 2:18 PM
>To: Paul Wouters
>Cc: users at openswan.org
>Subject: Re: [Openswan Users] Differences in ipsec.conf between
>openswan2.3.1 and 2.4.6
>
>Paul
>Thanks for the prompt response.  I appreciate it.
>
>My comments are below.
>
>Regards
>
>Paul
>
>>-----Original Message-----
>>From: Paul Wouters [mailto:paul at xelerance.com]
>>Sent: Wednesday, October 11, 2006 1:58 PM
>>To: Paul Freeman
>>Cc: users at openswan.org
>>Subject: Re: [Openswan Users] Differences in ipsec.conf between openswan
>>2.3.1 and 2.4.6
>>
>>On Wed, 11 Oct 2006, Paul Freeman wrote:
>>
>>> I am in the process of upgrading my openswan installation from v 2.3.1 (I
>>> know, it's old:-)) to 2.4.6.  I have come across a problem with my
>>> ipsec.conf file.  I have included the file below (hopefully I have not made
>>> any errors where I have changed names/IPs to protect the innocent).
>>
>>> conn roadwarrior
>>> 	ikelifetime=8h
>>> 	keylife=3h
>>> 	keyingtries=3
>>> 	authby=rsasig
>>> 	leftrsasigkey=%cert
>>> 	rightrsasigkey=%cert
>>> 	left=%defaultroute
>>> 	leftcert=cert_1.pem
>>> 	right=%any
>>> 	pfs=no
>>> 	auto=add
>>
>>It's not a good idea to use right=%any and left=%defaultroute. Can you
>>specify left's ip address instead?
>Yes, I could do that.  I presume this is the ip of the openswan gateway?
>
>>A workaround for your problem might be leftnexthop=yourgwip, but I'm not
>>sure why it would suddenly break.
>>
>>> 	Openswan is running on firewall/gateway which is running a customised
>>> 	version of IPCOP, kernel 2.4.31.
>>
>>And it is not openswan-1?
>Correct, I have created a custom ipcop install using their source - it uses
>openswan 2.3.1.  I have finally found the time to create a new version using
>openswan 2.4.6.
>
>>
>>> Oct 11 13:10:27 firewall pluto[542]: "aaa-laptop-net": cannot route
>>> template policy of RSASIG+ENCRYPT+DONTREKEY
>>
>>This looks like a conn was attempted to start with right=%any, and we
>>cannot connect to "any".
>>
>>> Oct 11 13:10:29 firewall pluto[542]: "aaa-laptop-net": cannot initiate
>>> connection without knowing peer IP address (kind=CK_TEMPLATE)
>>
>>Same here.
>>
>>Can you try adding a "auto=ignore" into section %default?
>I will try this.
>
>>
>>Do these errors appear on startup? Or when clients try to connect?
>Errors occur on startup.
>
>>If at startup, do things still work when actual clients connect?
>>
>Not sure, I have not got to that point yet as when I saw the errors I decided
>I should back-grade to my earlier version as I could not quickly resolve the
>issue and this is a "live" gateway used by our external staff.  Unfortunately I
>do not have a complete test environment to perform testing in:-(
>
>>Paul
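As an added illustration of the auto=add fix this thread arrives at (example code, not part of the original messages or of Openswan), a small Python lint that parses an ipsec.conf, applies conn %default inheritance and flags right=%any conns that pluto would try to route or initiate at startup, plus the left=%defaultroute combination Paul Wouters warned about. The sample config, its conn names and addresses are constructed.

```python
# Lint an Openswan ipsec.conf for right=%any (roadwarrior) conns that pluto
# cannot bring up at startup. The sample config is constructed for this example.
SAMPLE_CONF = """\
conn %default
\tauthby=rsasig
\tauto=start

conn roadwarrior
\tleft=%defaultroute
\tright=%any

conn aaa-laptop-net
\tleft=192.0.2.1
\tright=%any
\tauto=add

conn site-to-site
\tleft=192.0.2.1
\tright=198.51.100.7
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; indented key=value lines belong to the
    preceding 'conn NAME' (or 'config setup') header, '#' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: section header
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else line.strip()
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def lint(text):
    """Return (conn, problem) pairs for template conns that pluto will complain about."""
    sections, findings = parse_ipsec_conf(text), []
    for name in sections:
        if name in ("%default", "config setup"):
            continue
        c = {**sections.get("%default", {}), **sections[name]}  # %default inheritance
        if c.get("right") != "%any":       # fixed peer: auto=start is fine
            continue
        if c.get("auto", "ignore") in ("start", "route"):   # auto defaults to ignore
            findings.append((name, "auto=%s on a template conn; use auto=add" % c["auto"]))
        if c.get("left") == "%defaultroute":
            findings.append((name, "left=%defaultroute with right=%any; give left the gateway IP"))
    return findings
```

Running `lint(SAMPLE_CONF)` reports only the roadwarrior conn, which inherits auto=start from %default; the conn that overrides it with auto=add is clean.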


More information about the Users mailing list