[Openswan Users] Juniper Openswan config issues
Ioannis Mavroukakis
imavroukakis at gameaccount.com
Fri Dec 21 19:13:35 EST 2007
Ok, there is one more piece missing from the puzzle: the Juniper insists on aggressive mode. Having set that, I now get this in the logs:
Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: multiple transforms were set in aggressive mode. Only first one used.
Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: transform (5,1,2,0) ignored.
Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: initiating Aggressive Mode #1, connection "databaseGib"
Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: multiple transforms were set in aggressive mode. Only first one used.
Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: transform (5,1,2,0) ignored.
Dec 21 23:56:22 stormbringer pluto[10968]: packet from 195.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
On Thu, 20 Dec 2007 10:58:37 -0500, "Peter McGill" <petermcgill at goco.net> wrote:
> Your firewall doesn't block or change anything, so no problems there,
> And you have a good default route.
>
> Looking back at your first post, I notice this, not sure if it's a
> problem.
> I always use KLIPS myself, never used NETKEY so I'm not sure if this is
> correct.
>
>> Dec 17 22:02:27 stormbringer ipsec_setup: KLIPS ipsec0 on eth1 192.168.1.69/255.255.255.0 broadcast 192.168.1.255
> Perhaps someone else can answer is it normal to get this KLIPS message
> when using NETKEY?
>
> Also...
>
>> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/key/af_key.ko
>> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/ipv4/xfrm4_tunnel.ko
>> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/xfrm/xfrm_user.ko
> Are these all the NETKEY modules, do any more need to be loaded?
>
> Anyone else have a suggestion? I'll repeat the details so far...
>
> Peter McGill
>
>> -----Original Message-----
>> From: users-bounces at openswan.org
>> [mailto:users-bounces at openswan.org] On Behalf Of Ioannis Mavroukakis
>> Sent: December 17, 2007 5:45 PM
>> To: users at openswan.org
>> Subject: [Openswan Users] Juniper Openswan config issues
>>
>> Hello fellow listers :-) . I'm hoping to pick someones' brain
>> about the config/connection issues I have
>> with openswan as a client to a Juniper ns204.
>
> ipsec.conf (I removed the blank lines and comments to shorten post):
>> version 2.0
>> config setup
>>     interfaces=%defaultroute
>>     nat_traversal=yes
>> conn gib
>>     left=%defaultroute
>>     leftid=@myuserid
>>     right=195.x.x.x
>>     rightsubnet=10.x.x.x/16
>>     auto=start
>>     type=tunnel
>>     authby=secret
>>     ike=3des-md5
>>     keyexchange=ike
>>     pfs=no
>>     esp=3des-md5
>>     rekey=yes
>> include /etc/ipsec.d/examples/no_oe.conf
>
> ipsec verify:
>> Version check and ipsec on-path [OK]
>> Linux Openswan U2.4.6/K2.6.22-14-generic (netkey)
>> Checking for IPsec support in kernel [OK]
>> NETKEY detected, testing for disabled ICMP send_redirects [OK]
>> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
>> Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
>> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
>> Checking that pluto is running [OK]
>> Two or more interfaces found, checking IP forwarding [OK]
>> Checking NAT and MASQUERADEing [OK]
>> Checking for 'ip' command [OK]
>> Checking for 'iptables' command [OK]
>> Opportunistic Encryption Support [DISABLED]
>
>> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: "databaseGib" #1: initiating Main Mode
>>
>> daemon.log:Dec 18 21:54:40 stormbringer ipsec__plutorun: 104 "databaseGib" #1: STATE_MAIN_I1: initiate
>> daemon.log:Dec 18 21:54:40 stormbringer ipsec__plutorun: ...could not start conn "databaseGib"
>
>> root at stormbringer:/var/log# netstat -rn
>> Kernel IP routeing table
>> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
>> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
>> 0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth1
>
> To summarize the iptables rules, there are none, all policies set to
> ACCEPT. Checked with...
>> iptables -t filter -n -L -v
>> iptables -t nat -n -L -v
>> iptables -t mangle -n -L -v
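The "multiple transforms were set in aggressive mode. Only first one used" lines followed by NO_PROPOSAL_CHOSEN point at the ike= line: in aggressive mode pluto can offer only one transform, and ike=3des-md5 without an explicit DH group expands to several, so the one that gets sent may not be the one the NetScreen is configured for. The conn below is an added illustration written for this thread, not the original poster's config and not something from the Openswan project; aggrmode= is Openswan's own parameter, while the group (modp1024), the identities and the lifetimes are placeholders, since the thread does not say what the Juniper side is set to.

```conf
# Added example (not the poster's config). Anything marked PLACEHOLDER
# has to be copied from the Juniper's phase 1 / phase 2 proposal.
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn gib
    type=tunnel
    authby=secret
    keyexchange=ike
    # Aggressive mode: pluto sends a single transform, so ike= must be
    # exactly one cipher-hash-group triple that matches the NetScreen.
    aggrmode=yes
    ike=3des-md5-modp1024       # PLACEHOLDER group: use the DH group set on the Juniper
    esp=3des-md5                # phase 2 proposal, must also match the Juniper
    pfs=no
    rekey=yes
    left=%defaultroute
    leftid=@myuserid            # PLACEHOLDER identity, must equal the peer ID the Juniper expects
    right=195.x.x.x
    rightsubnet=10.x.x.x/16
    auto=start

include /etc/ipsec.d/examples/no_oe.conf
```

After changing the file, `ipsec auto --replace gib` followed by `ipsec auto --up gib` reloads only that conn, and the pluto log should then show a single transform being proposed instead of the "ignored" lines. Because aggressive mode with authby=secret lets any peer that completes the exchange obtain material for offline guessing of the PSK, the secret in /etc/ipsec.secrets should be long and random rather than a word.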