[Openswan Users] Juniper Openswan config issues

Peter McGill petermcgill at goco.net
Tue Dec 18 10:59:42 EST 2007 

First comment out your plutodebug line, the extra debugging logs usually only get in the way.
Then restart and attempt to connect again. There should be an error indication in the logs.
There should be more information in the logs, sometimes the logs go into different files.
On my system the logs you're seeing are in /var/log/syslog, but most of the useful logs go into
/var/log/secure.
Try grep 'pluto' /var/log/*
Also try checking the Juniper's logs if possible.

Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Ioannis Mavroukakis
> Sent: December 17, 2007 5:45 PM
> To: users at openswan.org
> Subject: [Openswan Users] Juniper Openswan config issues
> 
> Hello fellow listers :-) . I'm hoping to pick someones' brain 
> about the config/connection issues I have
> with openswan as a client to a Juniper ns204.
> 
> This is my setup:
> 
> version 2.0     # conforms to second version of ipsec.conf 
> specification
> 
> # basic configuration
> config setup
>         interfaces=%defaultroute
>         # plutodebug / klipsdebug = "all", "none" or a 
> combation from below:
>         # "raw crypt parsing emitting control klips pfkey 
> natt x509 private"
>         # eg:
>         # plutodebug="control parsing"
>         #
>         # Only enable klipsdebug=all if you are a developer
>         plutodebug="all"
>         #
>         # NAT-TRAVERSAL support, see README.NAT-Traversal
>         nat_traversal=yes
>         
> #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>         #
>         # enable this if you see "failed to find any available worker"
>         #nhelpers=0
> 
> # Add connections here
> 
> # sample VPN connections, see /etc/ipsec.d/examples/
> conn gib
>         #
>         #local
>         #
>         left=%defaultroute
>         #leftsubnet=192.168.1.0/24
>         #leftnexthop=%defaultroute
>         leftid=@myuserid
>         #
>         #destination
>         #
>         right=195.x.x.x
>         rightsubnet=10.x.x.x/16
>         auto=start
>         type=tunnel
>         authby=secret
>         ike=3des-md5
>         keyexchange=ike
>         pfs=no
>         esp=3des-md5
>         rekey=yes
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> ipsec verify gives me the following
> 
> Checking your system to see if IPsec got installed and 
> started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.6/K2.6.22-14-generic (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> Checking for RSA private key (/etc/ipsec.secrets)             
>   [DISABLED]
>   ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing                                  [OK]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                              
>   [DISABLED]
> 
> 
> Starting openswan (ipsec setup start) gives me the following
> 
> 
> Dec 17 22:02:26 stormbringer kernel: [ 5643.674916] NET: 
> Registered protocol family 15
> Dec 17 22:02:26 stormbringer kernel: [ 5643.741055] 
> Initializing XFRM netlink socket
> Dec 17 22:02:27 stormbringer ipsec_setup: KLIPS ipsec0 on 
> eth1 192.168.1.69/255.255.255.0 broadcast 192.168.1.255 
> Dec 17 22:02:27 stormbringer ipsec_setup: ...Openswan IPsec started
> Dec 17 22:02:27 stormbringer ipsec_setup: Starting Openswan 
> IPsec 2.4.6...
> Dec 17 22:02:27 stormbringer ipsec_setup: insmod 
> /lib/modules/2.6.22-14-generic/kernel/net/key/af_key.ko 
> Dec 17 22:02:27 stormbringer ipsec_setup: insmod 
> /lib/modules/2.6.22-14-generic/kernel/net/ipv4/xfrm4_tunnel.ko 
> Dec 17 22:02:27 stormbringer ipsec_setup: insmod 
> /lib/modules/2.6.22-14-generic/kernel/net/xfrm/xfrm_user.ko 
> Dec 17 22:02:28 stormbringer ipsec__plutorun: 104 "gib" #1: 
> STATE_MAIN_I1: initiate
> Dec 17 22:02:28 stormbringer ipsec__plutorun: ...could not 
> start conn "gib"
> 
> Can anyone shed some light on this?
> 
> Thank you,
> 
> Yiannis
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> 7?n=283155

More information about the Users mailing list