[Openswan Users] Juniper Openswan config issues

Peter McGill petermcgill at goco.net
Thu Dec 20 10:58:37 EST 2007


Your firewall doesn't block or change anything, so no problems there, and you have a good default route.

Looking back at your first post, I notice this, not sure if it's a problem.
I always use KLIPS myself, never used NETKEY so I'm not sure if this is correct.

> Dec 17 22:02:27 stormbringer ipsec_setup: KLIPS ipsec0 on eth1 192.168.1.69/255.255.255.0 broadcast 192.168.1.255 
Perhaps someone else can answer: is it normal to get this KLIPS message when using NETKEY?

Also...

> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/key/af_key.ko 
> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/ipv4/xfrm4_tunnel.ko 
> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/xfrm/xfrm_user.ko 
Are these all the NETKEY modules, or do any more need to be loaded?

Anyone else have a suggestion? I'll repeat the details so far...

Peter McGill

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Ioannis Mavroukakis
> Sent: December 17, 2007 5:45 PM
> To: users at openswan.org
> Subject: [Openswan Users] Juniper Openswan config issues
> 
> Hello fellow listers :-) . I'm hoping to pick someone's brain 
> about the config/connection issues I have
> with openswan as a client to a Juniper ns204.

ipsec.conf (I removed the blank lines and comments to shorten post):
> version 2.0
> config setup
>         interfaces=%defaultroute
>         nat_traversal=yes
> conn gib
>         left=%defaultroute
>         leftid=@myuserid
>         right=195.x.x.x
>         rightsubnet=10.x.x.x/16
>         auto=start
>         type=tunnel
>         authby=secret
>         ike=3des-md5
>         keyexchange=ike
>         pfs=no
>         esp=3des-md5
>         rekey=yes
> include /etc/ipsec.d/examples/no_oe.conf

ipsec verify:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.6/K2.6.22-14-generic (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> Checking for RSA private key (/etc/ipsec.secrets)              [DISABLED]
>   ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing                                  [OK]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                               [DISABLED]

> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: "databaseGib" #1: initiating Main Mode
> 
> daemon.log:Dec 18 21:54:40 stormbringer ipsec__plutorun: 104 "databaseGib" #1: STATE_MAIN_I1: initiate
> daemon.log:Dec 18 21:54:40 stormbringer ipsec__plutorun: ...could not start conn "databaseGib"

> root at stormbringer:/var/log# netstat -rn
> Kernel IP routeing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
> 0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth1

To summarize the iptables rules, there are none, all policies set to ACCEPT. Checked with...
> iptables -t filter -n -L -v
> iptables -t nat -n -L -v
> iptables -t mangle -n -L -v

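Two things in the posted material are worth checking mechanically before chasing the NETKEY module question: the pluto log lines refer to a conn named "databaseGib" while the posted ipsec.conf only defines conn gib, and the conn uses ike=3des-md5 / esp=3des-md5 with pfs=no. The script below is an added example written for this page, not openswan code: it parses the ipsec.conf layout shown above (section headers in column 0, indented key=value parameters, include lines), lists the conn names so a mismatch against the logged name is obvious, and flags the weak algorithm and PFS choices. The sample configs are constructed copies of the posted one; the "hardened" variant's aes256/sha1/modp2048 choices are an assumption about what the Juniper peer would accept, and continuation lines and %default sections of the full ipsec.conf grammar are not handled.

```python
"""Parser and linter for the openswan ipsec.conf layout shown in the thread.
Added example for this page; not openswan's own code."""
import re

# Constructed sample: the ipsec.conf quoted in the thread, masked addresses kept as posted.
SAMPLE_CONF = """\
version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
conn gib
        left=%defaultroute
        leftid=@myuserid
        right=195.x.x.x
        rightsubnet=10.x.x.x/16
        auto=start
        type=tunnel
        authby=secret
        ike=3des-md5
        keyexchange=ike
        pfs=no
        esp=3des-md5
        rekey=yes
include /etc/ipsec.d/examples/no_oe.conf
"""

# Constructed variant with the weak choices replaced. Whether the Juniper side
# accepts aes256/sha1 with group modp2048 is an assumption, not from the thread.
HARDENED_CONF = """\
version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
conn gib
        left=%defaultroute
        leftid=@myuserid
        right=195.x.x.x
        rightsubnet=10.x.x.x/16
        auto=start
        type=tunnel
        authby=secret
        ike=aes256-sha1;modp2048
        keyexchange=ike
        pfs=yes
        esp=aes256-sha1
        rekey=yes
"""

# Algorithm tokens that should not appear in ike= or esp= on a new tunnel.
WEAK_TOKENS = {
    "des": "single DES (56-bit key)",
    "3des": "3DES has a 64-bit block and is deprecated; prefer aes",
    "md5": "MD5 is deprecated as an IKE/ESP integrity hash; prefer sha1 or sha2",
    "modp768": "768-bit DH group is far too small",
    "modp1024": "1024-bit DH group is considered breakable; use modp2048 or larger",
}


def parse_ipsec_conf(text):
    """Return (version, sections, includes).

    sections maps 'config setup' / 'conn NAME' to a dict of its parameters.
    A header starts in column 0; parameters are indented key=value lines;
    '#' begins a comment.  Lines that fit neither raise ValueError."""
    version, sections, includes, current = None, {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":                 # top-level line
            current = None
            parts = line.split()
            if parts[0] == "version" and len(parts) == 2:
                version = parts[1]
            elif parts[0] == "include":
                includes.append(" ".join(parts[1:]))
            elif parts[0] in ("config", "conn") and len(parts) == 2:
                current = f"{parts[0]} {parts[1]}"
                sections[current] = {}
            else:
                raise ValueError(f"unexpected top-level line: {raw!r}")
            continue
        if current is None:
            raise ValueError(f"parameter outside a section: {raw!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"parameter without '=': {raw!r}")
        sections[current][key.strip()] = value.strip()
    return version, sections, includes


def conn_names(sections):
    """Names of the conn sections, to compare with the name pluto logs."""
    return [n.split(" ", 1)[1] for n in sections if n.startswith("conn ")]


def lint_conf(text):
    """Return human-readable findings for weak ike=/esp= tokens and pfs=no."""
    _, sections, _ = parse_ipsec_conf(text)
    findings = []
    for name, params in sections.items():
        if not name.startswith("conn "):
            continue
        for key in ("ike", "esp"):
            # openswan writes cipher-hash[;group] with ',' between alternatives
            for tok in re.split(r"[-;,]", params.get(key, "").lower()):
                if tok in WEAK_TOKENS:
                    findings.append(f"{name}: {key}={params[key]}: {WEAK_TOKENS[tok]}")
        if params.get("pfs", "yes").lower() == "no":   # openswan default is pfs=yes
            findings.append(f"{name}: pfs=no: phase 2 keys get no fresh DH exchange")
    return findings


if __name__ == "__main__":
    _, sections, includes = parse_ipsec_conf(SAMPLE_CONF)
    print("conns defined:", conn_names(sections), "includes:", includes)
    for finding in lint_conf(SAMPLE_CONF):
        print("WEAK:", finding)
    print("hardened findings:", lint_conf(HARDENED_CONF))
```

Run it against the real /etc/ipsec.conf by reading the file into `parse_ipsec_conf`; if the conn name pluto reports is not in `conn_names`, the "could not start conn" message is about a section that does not exist, regardless of which kernel stack is loaded.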