[Openswan Users] Subnets conmunication?

IT Dept. it at technovation.com.sv
Tue Jun 5 15:00:24 EDT 2007


Here is:


Jun  5 13:58:02 vpn syslogd 1.4.1#17ubuntu7: restart.
Jun  5 13:58:02 vpn kernel: Cannot find map file.
Jun  5 13:58:02 vpn kernel: No module symbols loaded - kernel modules not
enabled. 
Jun  5 13:58:02 vpn kernel: Bootdata ok (command line is  root=/dev/sda1 ro
3)
Jun  5 13:58:02 vpn kernel: Linux version 2.6.16.29-xen (shand at endor) (gcc
version 3.4.4 20050314 (prerelease) (Debian 3.4.3-13)) #3 SMP Sun Oct 15
13:15:34 BST 2006
Jun  5 13:58:02 vpn kernel: BIOS-provided physical RAM map:
Jun  5 13:58:02 vpn kernel:  Xen: 0000000000000000 - 000000001f000000
(usable)
Jun  5 13:58:02 vpn kernel: On node 0 totalpages: 126976
Jun  5 13:58:02 vpn kernel:   DMA zone: 126976 pages, LIFO batch:31
Jun  5 13:58:02 vpn kernel:   DMA32 zone: 0 pages, LIFO batch:0
Jun  5 13:58:02 vpn kernel:   Normal zone: 0 pages, LIFO batch:0
Jun  5 13:58:02 vpn kernel:   HighMem zone: 0 pages, LIFO batch:0
Jun  5 13:58:02 vpn kernel: No mptable found.
Jun  5 13:58:02 vpn kernel: Built 1 zonelists
Jun  5 13:58:02 vpn kernel: Kernel command line:  root=/dev/sda1 ro 3
Jun  5 13:58:02 vpn kernel: Initializing CPU#0
Jun  5 13:58:02 vpn kernel: PID hash table entries: 2048 (order: 11, 65536
bytes)
Jun  5 13:58:02 vpn kernel: Xen reported: 1795.496 MHz processor.
Jun  5 13:58:02 vpn kernel: Dentry cache hash table entries: 65536 (order:
7, 524288 bytes)
Jun  5 13:58:02 vpn kernel: Inode-cache hash table entries: 32768 (order: 6,
262144 bytes)
Jun  5 13:58:02 vpn kernel: Software IO TLB disabled
Jun  5 13:58:02 vpn kernel: Memory: 483452k/507904k available (1918k kernel
code, 15628k reserved, 809k data, 168k init)
Jun  5 13:58:02 vpn kernel: Calibrating delay using timer specific routine..
3592.77 BogoMIPS (lpj=17963870)
Jun  5 13:58:02 vpn kernel: Security Framework v1.0.0 initialized
Jun  5 13:58:02 vpn kernel: Capability LSM initialized
Jun  5 13:58:02 vpn ipsec__plutorun: 104 "branch_40_to_centralbw_50" #1:
STATE_MAIN_I1: initiate
Jun  5 13:58:02 vpn ipsec__plutorun: ...could not start conn
"branch_40_to_centralbw_50"
Jun  5 13:58:02 vpn kernel: Mount-cache hash table entries: 256
Jun  5 13:58:02 vpn kernel: CPU: L1 I Cache: 64K (64 bytes/line), D cache
64K (64 bytes/line)
Jun  5 13:58:02 vpn kernel: CPU: L2 Cache: 1024K (64 bytes/line)
Jun  5 13:58:02 vpn kernel: Brought up 1 CPUs
Jun  5 13:58:02 vpn kernel: migration_cost=0
Jun  5 13:58:02 vpn kernel: checking if image is initramfs... it is
Jun  5 13:58:02 vpn kernel: Freeing initrd memory: 1859k freed
Jun  5 13:58:02 vpn kernel: DMI not present or invalid.
Jun  5 13:58:02 vpn kernel: Grant table initialized
Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 16
Jun  5 13:58:02 vpn kernel: Initializing CPU#1
Jun  5 13:58:02 vpn kernel: migration_cost=967
Jun  5 13:58:02 vpn kernel: Brought up 2 CPUs
Jun  5 13:58:02 vpn kernel: PCI: setting up Xen PCI frontend stub
Jun  5 13:58:02 vpn kernel: ACPI: Subsystem revision 20060127
Jun  5 13:58:02 vpn kernel: ACPI: Interpreter disabled.
Jun  5 13:58:02 vpn kernel: Linux Plug and Play Support v0.97 (c) Adam Belay
Jun  5 13:58:02 vpn kernel: pnp: PnP ACPI: disabled
Jun  5 13:58:02 vpn kernel: xen_mem: Initialising balloon driver.
Jun  5 13:58:02 vpn kernel: PCI: System does not support PCI
Jun  5 13:58:02 vpn kernel: PCI: System does not support PCI
Jun  5 13:58:02 vpn kernel: pnp: the driver 'system' has been registered
Jun  5 13:58:02 vpn kernel: IA-32 Microcode Update Driver: v1.14-xen
<tigran at veritas.com>
Jun  5 13:58:02 vpn kernel: IA32 emulation $Id: sys_ia32.c,v 1.32 2002/03/24
13:02:28 ak Exp $
Jun  5 13:58:02 vpn kernel: audit: initializing netlink socket (disabled)
Jun  5 13:58:02 vpn kernel: audit(1181069856.905:1): initialized
Jun  5 13:58:02 vpn kernel: VFS: Disk quotas dquot_6.5.1
Jun  5 13:58:02 vpn kernel: Dquot-cache hash table entries: 512 (order 0,
4096 bytes)
Jun  5 13:58:02 vpn kernel: Initializing Cryptographic API
Jun  5 13:58:02 vpn kernel: io scheduler noop registered
Jun  5 13:58:02 vpn kernel: io scheduler anticipatory registered
Jun  5 13:58:02 vpn kernel: io scheduler deadline registered
Jun  5 13:58:02 vpn kernel: io scheduler cfq registered (default)
Jun  5 13:58:02 vpn kernel: rtc: IRQ 8 is not free.
Jun  5 13:58:02 vpn kernel: Non-volatile memory driver v1.2
Jun  5 13:58:02 vpn kernel: pnp: the driver 'i8042 kbd' has been registered
Jun  5 13:58:02 vpn kernel: pnp: the driver 'i8042 aux' has been registered
Jun  5 13:58:02 vpn kernel: pnp: the driver 'i8042 kbd' has been
unregistered
Jun  5 13:58:02 vpn kernel: pnp: the driver 'i8042 aux' has been
unregistered
Jun  5 13:58:02 vpn kernel: PNP: No PS/2 controller found. Probing ports
directly.
Jun  5 13:58:02 vpn kernel: i8042.c: No controller found.
Jun  5 13:58:02 vpn kernel: RAMDISK driver initialized: 16 RAM disks of
16384K size 1024 blocksize
Jun  5 13:58:02 vpn kernel: loop: loaded (max 8 devices)
Jun  5 13:58:02 vpn kernel: Xen virtual console successfully installed as
tty1
Jun  5 13:58:02 vpn kernel: Event-channel device installed.
Jun  5 13:58:02 vpn kernel: netfront: Initialising virtual ethernet driver.
Jun  5 13:58:02 vpn kernel: Uniform Multi-Platform E-IDE driver Revision:
7.00alpha2
Jun  5 13:58:02 vpn kernel: ide: Assuming 50MHz system bus speed for PIO
modes; override with idebus=xx
Jun  5 13:58:02 vpn kernel: pnp: the driver 'ide' has been registered
Jun  5 13:58:02 vpn kernel: mice: PS/2 mouse device common for all mice
Jun  5 13:58:02 vpn kernel: md: md driver 0.90.3 MAX_MD_DEVS=256,
MD_SB_DISKS=27
Jun  5 13:58:02 vpn kernel: md: bitmap version 4.39
Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 2
Jun  5 13:58:02 vpn kernel: netfront: device eth0 has flipping receive path.
Jun  5 13:58:02 vpn kernel: IP route cache hash table entries: 4096 (order:
3, 32768 bytes)
Jun  5 13:58:02 vpn kernel: TCP established hash table entries: 16384
(order: 6, 262144 bytes)
Jun  5 13:58:02 vpn kernel: TCP bind hash table entries: 16384 (order: 6,
262144 bytes)
Jun  5 13:58:02 vpn kernel: TCP: Hash tables configured (established 16384
bind 16384)
Jun  5 13:58:02 vpn kernel: TCP reno registered
Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 1
Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 17
Jun  5 13:58:02 vpn kernel: Registering block device major 8
Jun  5 13:58:02 vpn kernel: kjournald starting.  Commit interval 5 seconds
Jun  5 13:58:02 vpn kernel: EXT3-fs: mounted filesystem with ordered data
mode.
Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 10
Jun  5 13:58:02 vpn kernel: lo: Disabled Privacy Extensions
Jun  5 13:58:02 vpn kernel: IPv6 over IPv4 tunneling driver
Jun  5 13:58:02 vpn kernel: pnp: the driver 'parport_pc' has been registered
Jun  5 13:58:02 vpn kernel: lp: driver loaded but no devices found
Jun  5 13:58:02 vpn kernel: Adding 999416k swap on /dev/sda2.  Priority:-1
extents:1 across:999416k
Jun  5 13:58:02 vpn kernel: EXT3 FS on sda1, internal journal
Jun  5 13:58:02 vpn kernel: device-mapper: 4.5.0-ioctl (2005-10-04)
initialised: dm-devel at redhat.com
Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 15
Jun  5 13:58:02 vpn kernel: Initializing IPsec netlink socket
Jun  5 13:58:02 vpn ipsec__plutorun: 029 "centralbw_50_to_branch_40": cannot
initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Jun  5 13:58:02 vpn ipsec__plutorun: ...could not start conn
"centralbw_50_to_branch_40"
Jun  5 13:58:03 vpn kernel: eth0: no IPv6 routers present
Jun  5 13:58:03 vpn ipsec_setup: Openswan IPsec apparently already running,
start aborted
Jun  5 13:58:03 vpn /usr/sbin/cron[1554]: (CRON) INFO (pidfile fd = 3)
Jun  5 13:58:03 vpn /usr/sbin/cron[1555]: (CRON) STARTUP (fork ok)
Jun  5 13:58:03 vpn /usr/sbin/cron[1555]: (CRON) INFO (Running @reboot jobs)

Hector


-----Mensaje original-----
De: Peter McGill [mailto:petermcgill at goco.net] 
Enviado el: Martes, 05 de Junio de 2007 12:55 p.m.
Para: 'IT Dept.'
CC: users at openswan.org
Asunto: RE: [Openswan Users] Subnets conmunication?

> -----Original Message-----
> From: IT Dept. [mailto:it at technovation.com.sv] 
> Sent: June 5, 2007 2:43 PM
> To: petermcgill at goco.net
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Subnets conmunication?
> 
> root at vpn:~# ipsec version
> Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
> See `ipsec --copyright' for copyright information.
> root at vpn:~#
> 
> root at vpn:~# ipsec verify
> Checking your system to see if IPsec got installed and 
> started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
> Checking for IPsec support in kernel                            [OK]
> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing                                  [N/A]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
> Opportunistic Encryption Support                              
>   [DISABLED]
> root at vpn:~#
> 
> root at vpn:~# ipsec eroute
> /usr/lib/ipsec/eroute: NETKEY does not support eroute table.
> root at vpn:~#

The above look ok, we don't need eroute it's just a easy way to check
Tunnel status. But I will need some log info to determine where error is.

egrep -e 'pluto' /var/log/*
Filter by date/time to only get the recent restart and connections.

> Ill be wait for your help....my boss wanna hang me...LOL
> 
> Regards
> 
> 	Hector
> 
> -----Mensaje original-----
> De: Peter McGill [mailto:petermcgill at goco.net] 
> Enviado el: Martes, 05 de Junio de 2007 12:37 p.m.
> Para: 'IT Dept.'
> CC: users at openswan.org
> Asunto: RE: [Openswan Users] Subnets conmunication?
> 
> > -----Original Message-----
> > From: IT Dept. [mailto:it at technovation.com.sv] 
> > Sent: June 5, 2007 2:00 PM
> > To: petermcgill at goco.net
> > Cc: users at openswan.org
> > Subject: RE: [Openswan Users] Subnets conmunication?
> > Importance: High
> > 
> > Hi again...
> > 
> > 	Thanks for the your help....i cant get communication yet.
> > 
> > 	Here is my last conf...im only using two branches to 
> > make it more
> > simple...
> > 
> > 	# /etc/ipsec.conf - Openswan IPsec configuration file
> > # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
> > 
> > # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> > #
> > # Manual:     ipsec.conf.5
> > 
> > 
> > version	2.0	# conforms to second version of 
> > ipsec.conf specification
> > 
> > # basic configuration
> > config setup
> > 	forwardcontrol=yes
> > 	nat_traversal=yes
> > 	# plutodebug / klipsdebug = "all", "none" or a 
> > combation from below:
> > 	# "raw crypt parsing emitting control klips pfkey natt 
> > x509 private"
> > 	# eg:
> > 	# plutodebug="control parsing"
> > 	#
> > 	# Only enable klipsdebug=all if you are a developer
> > 	#
> > 	# NAT-TRAVERSAL support, see README.NAT-Traversal
> > 	# nat_traversal=yes
> > 	# 
> > virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
> > 
> > #Disable Opportunistic Encryption
> > include /etc/ipsec.d/examples/no_oe.conf
> > 
> > conn branch_40
> > 	also=branch_40_shared
> > 	rightsubnet=192.168.40.0/24
> > 	auto=start
> > 
> > conn centralbw_50
> > 	also=centralbw_50_shared
> >  	rightsubnet=192.168.50.0/24
> >  	auto=add
> > 
> > conn branch_40_to_centralbw_50
> > 	also=branch_40_shared
> >  	leftsubnet=192.168.50.0/24
> > 	rightsubnet=192.168.40.0/24
> > 	auto=start
> > 
> > conn centralbw_50_to_branch_40
> > 	also=centralbw_50_shared
> > 	leftsubnet=192.168.40.0/24
> >  	rightsubnet=192.168.50.0/24
> >  	auto=add
> > 
> > conn branch_40_shared
> >  	authby=secret
> >  	compress=no
> >  	ikelifetime=240m
> >  	keyexchange=ike
> >  	keylife=60m
> >  	left=208.70.149.161
> >  	leftnexthop=208.70.149.166
> >  	pfs=yes
> >  	right=190.53.0.113
> >  	rightnexthop=190.53.0.1
> > 
> > conn centralbw_50_shared
> >  	authby=secret
> >  	compress=no
> >  	ikelifetime=240m
> >  	keyexchange=ike
> >  	keylife=60m
> >  	left=208.70.149.161
> >  	leftnexthop=208.70.149.166
> >         pfs=yes
> >  	right=%any
> > 
> > 
> > in auth.log I get that conn branch_40_shared starts fine, but 
> > I need to
> > manually start conn centralbw_50_shared from the linksys 
> > router, and them
> > the conn´s between dosent start...
> 
> First off the shared conn's should never be started, they're not
> Real conn's just shared information used by other conn's.
> Also it would be easier to test with the static ip sites, rather than
> Centralbw. With centralbw linksys must initiate the 
> connection for it to
> work.
> 
> Show us these outputs.
> ipsec version
> ipsec verify
> ipsec eroute
> 
> Lastly, restart openswan, and reconnect the linksys tunnels.
> Get the restart and connect logs by...
> egrep -e 'pluto' /var/log/*
> Filter by date/time to only get the recent restart and connections.



-- 
No virus found in this incoming message.
Checked by AVG Free Edition. 
Version: 7.5.472 / Virus Database: 269.8.9/832 - Release Date: 04/06/2007
06:43 p.m.




More information about the Users mailing list