[Openswan Users] Juniper Openswan config issues

Ioannis Mavroukakis imavroukakis at gameaccount.com
Mon Dec 17 17:45:03 EST 2007


Hello fellow listers :-). I'm hoping to pick someone's brain about the config/connection issues I have
with Openswan as a client to a Juniper ns204.

This is my setup:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        plutodebug="all"
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #
        # enable this if you see "failed to find any available worker"
        #nhelpers=0

# Add connections here

# sample VPN connections, see /etc/ipsec.d/examples/
conn gib
        #
        #local
        #
        left=%defaultroute
        #leftsubnet=192.168.1.0/24
        #leftnexthop=%defaultroute
        leftid=@myuserid
        #
        #destination
        #
        right=195.x.x.x
        rightsubnet=10.x.x.x/16
        auto=start
        type=tunnel
        authby=secret
        ike=3des-md5
        keyexchange=ike
        pfs=no
        esp=3des-md5
        rekey=yes
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

ipsec verify gives me the following:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.6/K2.6.22-14-generic (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


Starting openswan (ipsec setup start) gives me the following:


Dec 17 22:02:26 stormbringer kernel: [ 5643.674916] NET: Registered protocol family 15
Dec 17 22:02:26 stormbringer kernel: [ 5643.741055] Initializing XFRM netlink socket
Dec 17 22:02:27 stormbringer ipsec_setup: KLIPS ipsec0 on eth1 192.168.1.69/255.255.255.0 broadcast 192.168.1.255 
Dec 17 22:02:27 stormbringer ipsec_setup: ...Openswan IPsec started
Dec 17 22:02:27 stormbringer ipsec_setup: Starting Openswan IPsec 2.4.6...
Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/key/af_key.ko 
Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/ipv4/xfrm4_tunnel.ko 
Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/xfrm/xfrm_user.ko 
Dec 17 22:02:28 stormbringer ipsec__plutorun: 104 "gib" #1: STATE_MAIN_I1: initiate
Dec 17 22:02:28 stormbringer ipsec__plutorun: ...could not start conn "gib"

Can anyone shed some light on this?

Thank you,

Yiannis


