[Openswan Users] Unknown parameter name "ike"

Peter McGill petermcgill at goco.net
Wed Apr 25 11:28:29 EDT 2007


> -----Original Message-----
> From: steve.morard at epfl.ch [mailto:steve.morard at epfl.ch] 
> Sent: April 25, 2007 11:05 AM
> To: petermcgill at goco.net
> Subject: RE: [Openswan Users] Unknown parameter name "ike"
> 
> 
> I solved the problem concerning the "ike=" by upgrading to 
> Openswan 2.5.4. Now,

I assume you mean 2.4.5, since 2.4.7 is the latest stable version.

> the first part of the negotiation completes but then I have 
> an issue. My whole
> configuration file is :
> 
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp $
> version 2.0
> 
> 
> config setup
> 	#interfaces=%defaultroute
> 	nat_traversal=yes
> 
> #include /etc/ipsec.d/examples/no_oe.conf
> 
> conn try
> 	# Left security gateway, subnet behind it, next hop 
> toward right.
> 	left=172.18.112.7 #IP of my PC in the LAN
> 	#left=212.215.1.67
> 	leftsubnet=172.25.8.8/29 #pool that was allocated to me to
> 	#leftnexthop=%defaultroute
> 	# Right security gateway, subnet behind it, next hop 
> toward left.
> 	right=x.x.x.x
> 	rightsubnet=172.20.210.48/29
> 	#rightnexthop=%defaultroute
> 	# To authorize this connection, but not actually start 
> it, at startup,
> 	# uncomment this.
> 	auto=add
> 	aggrmode=no
> 	#rightxauthserver=yes
> 	pfs=no
> 	authby=secret
> 	keyexchange=ike
> 	ikelifetime=1d
> 	keylife=1h
> 	#esp=aes128-md5,aes128-sha1
> 	ike=aes128-sha1,aes128-md5
> 	esp=aes128-md5,aes128-sha1
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> And the message in the log of the gateway is:
> 
> IKE<Public IP of my LAN> Phase 2: No policy exists for the 
> proxy ID received:
> local ID (<172.25.8.8>/<255.255.255.248>, <0>, <0>) remote ID
> (<172.18.112.7>/<255.255.255.255>, <0>, <0>). (2007-04-25 15:46:29)
> Apr 25 15:39
> 
> If I try to put
> 
> left=<Public IP of my LAN>, I get the message
> 
> 022 "toFT": We cannot identify ourselves with either end of 
> this connection
> 
> So it seems like I would need to have left=172.18.112.7 (the 
> IP of my PC on my
> LAN) for the first phase and then left=<Public IP of my LAN> 
> for the second
> phase.
> 
> Do you know what I should change in my configuration file in 
> order to solve this
> problem?

I see what is going on now: they are assigning you an address pool.
That's what the 3rd set of private addresses is for.

Do you know what VPN software the other side is using?

You should use left=212.215.1.67, or your public IP if that isn't it.
If the other side doesn't like it they need to change their settings to match.

You will also need to set up a NAT to convert your private LAN traffic
172.18.112.0/20 to 172.25.8.8/29 before it is sent to 172.20.210.48/29.

I've never actually got this to work myself, but I'd imagine it could be done
by: iptables -t nat -A PREROUTING -s 172.18.112.0/20 -d 172.20.210.48/29 -j SNAT --to 172.25.8.9-172.25.8.14

Peter
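The two things Peter's reply turns on are (a) whether the proxy IDs the gateway rejected line up with the leftsubnet/rightsubnet in the conn, and (b) the NAT that maps the real LAN onto the assigned pool before IPsec sees the packet. The script below is an added example, not code from the thread or from Openswan: it parses a "No policy exists for the proxy ID received" line of the form shown above into CIDR notation, compares it with a conn section of an ipsec.conf, and prints the NAT rule needed for the pool mapping. The ipsec.conf and the log line are constructed copies of what was posted (with the gateway's public IP replaced by a placeholder), and the function names are my own. One correction relative to the rule Peter sketched: the Linux nat table accepts `-j SNAT` only in the POSTROUTING chain, so the generated rule uses that chain.

```shell
#!/bin/sh
# Added example (not part of the thread): check rejected IPsec proxy IDs
# against ipsec.conf and emit the NAT rule for an assigned address pool.

# Constructed copy of the posted conn section (comments trimmed).
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
version 2.0

config setup
    nat_traversal=yes

conn try
    left=172.18.112.7 #IP of my PC in the LAN
    leftsubnet=172.25.8.8/29 #pool that was allocated to me
    right=x.x.x.x
    rightsubnet=172.20.210.48/29
    auto=add
    authby=secret
    keyexchange=ike
    ike=aes128-sha1,aes128-md5
    esp=aes128-md5,aes128-sha1
EOF

# Constructed gateway log line; <PUBLIC-IP> stands in for the real address.
LOG_LINE='IKE<PUBLIC-IP> Phase 2: No policy exists for the proxy ID received: local ID (<172.25.8.8>/<255.255.255.248>, <0>, <0>) remote ID (<172.18.112.7>/<255.255.255.255>, <0>, <0>).'

# Dotted netmask (255.255.255.248) -> prefix length (29): count set bits.
mask_to_prefix() {
    echo "$1" | awk -F. '{
        bits = 0
        for (i = 1; i <= 4; i++) { o = $i; while (o > 0) { bits += o % 2; o = int(o / 2) } }
        print bits
    }'
}

# Print "local a.b.c.d/N" and "remote a.b.c.d/N" from one gateway log line.
parse_proxy_ids() {
    line=$1
    for which in local remote; do
        addr=$(echo "$line" | sed -n "s/.*$which ID (<\([0-9.]*\)>\/<\([0-9.]*\)>.*/\1/p")
        mask=$(echo "$line" | sed -n "s/.*$which ID (<\([0-9.]*\)>\/<\([0-9.]*\)>.*/\2/p")
        echo "$which $addr/$(mask_to_prefix "$mask")"
    done
}

# conf_value <file> <conn> <key>: value of key=... inside "conn <name>".
conf_value() {
    awk -v conn="$2" -v key="$3" '
        /^conn / { inconn = ($2 == conn) }
        inconn && $1 ~ ("^" key "=") { sub(/#.*/, ""); split($1, kv, "="); print kv[2] }
    ' "$1"
}

# Report, for each rejected proxy ID, whether the conn carries a matching subnet.
check_proxy_ids() {
    ls=$(conf_value "$1" "$2" leftsubnet)
    rs=$(conf_value "$1" "$2" rightsubnet)
    parse_proxy_ids "$3" | while read -r which cidr; do
        case "$cidr" in
            "$ls"|"$rs") echo "$which $cidr matches ipsec.conf" ;;
            *) echo "$which $cidr has no matching leftsubnet/rightsubnet (configured: $ls, $rs)" ;;
        esac
    done
}

# nat_rules <lan> <remote-subnet> <pool-range>: emit (not apply) the SNAT rule.
# SNAT is only valid in the POSTROUTING chain of the nat table; leftsubnet must
# then equal the pool so the IPsec policy matches the translated source.
nat_rules() {
    echo "iptables -t nat -A POSTROUTING -s $1 -d $2 -j SNAT --to-source $3"
}

check_proxy_ids "$CONF" try "$LOG_LINE"
nat_rules 172.18.112.0/20 172.20.210.48/29 172.25.8.9-172.25.8.14
```

Run as-is it reports that the 172.25.8.8/29 proxy ID matches leftsubnet while 172.18.112.7/32 matches nothing in the conn, which is the mismatch the gateway is complaining about; point it at a real ipsec.conf and a pasted log line to repeat the check after changing left= or the NAT.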
