[Openswan Users] Subnets conmunication?

Peter McGill petermcgill at goco.net
Tue Jun 5 15:14:35 EDT 2007


That's what we need.
It looks like there is a problem with centralbw connecting.
Because it's a dynamic IP, it doesn't know how to identify the
connecting router; it needs an id field.

Update this conn in your conf; add a rightid line.
conn centralbw_50_shared
	authby=secret
	compress=no
	ikelifetime=240m
	keyexchange=ike
	keylife=60m
	left=208.70.149.161
	leftnexthop=208.70.149.166
	pfs=yes
	right=%any
	rightid=@centralbw

Also add the id to the Linksys conf; sorry, I don't know how to do that.

Peter McGill
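The log quoted below shows the pattern behind this advice: phase 1 completes (the PSK matches), the peer identifies itself as ID_IPV4_ADDR '10.8.213.31' rather than as its source address 66.201.165.11, and pluto then answers every Quick Mode request with INVALID_ID_INFORMATION because no conn matches that ID. The following is an added example, not code from the thread or from Openswan: a small parser that groups pluto messages by ISAKMP state and reports exactly those facts, so an operator can see which identifier the rightid line has to match. SAMPLE_LOG is constructed from the messages quoted in the thread (re-joined onto single lines); the function and field names are this example's own assumptions.

```python
"""Parse pluto (Openswan IKEv1) log lines and extract the facts that explain a
refused tunnel: who connected, which ID it claimed, whether phase 1 completed,
and which phase-2 proposal pluto could not match to any conn.

Added example; not code from the thread or from Openswan. SAMPLE_LOG is
constructed from the messages quoted in the thread; function and field names
are this example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a right=%any peer whose phase 1 succeeds but whose phase 2
# is refused, then a static peer that comes up cleanly, plus one non-pluto line.
SAMPLE_LOG = """\
Jun  5 13:54:12 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4: responding to Main Mode from unknown peer 66.201.165.11
Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4: Main mode peer ID is ID_IPV4_ADDR: '10.8.213.31'
Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]===192.168.50.0/24
Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: sending encrypted notification INVALID_ID_INFORMATION to 66.201.165.11:500
Jun  5 13:56:45 vpn sshd[1620]: Accepted password for root from 190.53.0.113 port 1869 ssh2
Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" #1: Main mode peer ID is ID_IPV4_ADDR: '190.53.0.113'
Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"""

# Every pluto state message starts with the conn name, an optional instance
# number plus peer address (only for right=%any conns), and the state number.
PREFIX = r'"(?P<conn>[^"]+)"(?:\[\d+\] (?P<peer>[\d.]+))? #(?P<sa>\d+): '
PID_RE = re.compile(r"pluto\[(?P<pid>\d+)\]: ")
PEER_ID_RE = re.compile(PREFIX + r"Main mode peer ID is (?P<idtype>ID_\w+): '(?P<id>[^']+)'")
ISAKMP_RE = re.compile(PREFIX + r"STATE_MAIN_[RI]\d: .*ISAKMP SA established")
# e.g. 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]===192.168.50.0/24
NOCONN_RE = re.compile(
    PREFIX + r"cannot respond to IPsec SA request because no connection is known for "
    r"(?P<lsub>[^=\s]+)===(?P<left>[\d.]+?)\.\.\.(?P<right>[\d.]+)(?:\[(?P<rid>[^\]]+)\])?===(?P<rsub>\S+)")
NOTIFY_RE = re.compile(PREFIX + r"sending encrypted notification (?P<notify>\w+) to ")


@dataclass
class IsakmpSa:
    pid: str
    sa: str
    conn: str
    peer: Optional[str]                 # IKE source address; None for static conns
    id_type: Optional[str] = None
    peer_id: Optional[str] = None       # what the peer put in its ID payload
    isakmp_established: bool = False
    rejected_proposals: List[dict] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)


def _on_peer_id(sa: IsakmpSa, m: re.Match) -> None:
    sa.id_type, sa.peer_id = m["idtype"], m["id"]


def _on_isakmp(sa: IsakmpSa, m: re.Match) -> None:
    sa.isakmp_established = True


def _on_noconn(sa: IsakmpSa, m: re.Match) -> None:
    sa.rejected_proposals.append({
        "local_subnet": m["lsub"], "local": m["left"],
        "remote": m["right"], "remote_id": m["rid"], "remote_subnet": m["rsub"],
    })


def _on_notify(sa: IsakmpSa, m: re.Match) -> None:
    sa.notifications.append(m["notify"])


HANDLERS = [(PEER_ID_RE, _on_peer_id), (ISAKMP_RE, _on_isakmp),
            (NOCONN_RE, _on_noconn), (NOTIFY_RE, _on_notify)]


def parse_pluto_log(text: str) -> Dict[Tuple[str, str], IsakmpSa]:
    """Group pluto messages by (pid, ISAKMP state number). The pid is part of
    the key because state numbers restart when pluto does: #1 of pluto[1164]
    is unrelated to #1 of pluto[1165]."""
    sas: Dict[Tuple[str, str], IsakmpSa] = {}
    for line in text.splitlines():
        pid_m = PID_RE.search(line)
        if pid_m is None:
            continue                    # sshd, cron and kernel lines are not pluto's
        body = line[pid_m.end():]
        for rx, handler in HANDLERS:
            m = rx.match(body)
            if m is None:
                continue
            key = (pid_m["pid"], m["sa"])
            sa = sas.setdefault(key, IsakmpSa(pid=pid_m["pid"], sa=m["sa"],
                                              conn=m["conn"], peer=m["peer"]))
            handler(sa, m)
            break
    return sas


def diagnose(sas: Dict[Tuple[str, str], IsakmpSa]) -> List[dict]:
    """One finding per ISAKMP SA whose phase-2 request matched no conn. A
    phase 1 that completed means the PSK was accepted; the refusal is about
    identity, so the finding shows the claimed ID next to the source address."""
    findings = []
    for sa in sas.values():
        if not sa.rejected_proposals:
            continue
        findings.append({
            "conn": sa.conn,
            "peer_address": sa.peer,
            "claimed_id": (sa.id_type, sa.peer_id),
            "id_matches_source": sa.peer_id == sa.peer,
            "phase1_ok": sa.isakmp_established,
            "proposals": sa.rejected_proposals,
            "notifications": sorted(set(sa.notifications)),
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_pluto_log(SAMPLE_LOG)):
        for k, v in finding.items():
            print(f"{k}: {v}")
```

Run against the constructed log, the single finding reports `claimed_id ('ID_IPV4_ADDR', '10.8.213.31')`, `id_matches_source False` and `phase1_ok True` for the centralbw_50 instance, while the static branch_40_to_centralbw_50 SA produces no finding. That combination is what the rightid advice above addresses: the `right=%any` conn needs a rightid equal to whatever identifier the peer actually sends, and the peer must be configured to send it.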
 

> -----Original Message-----
> From: IT Dept. [mailto:it at technovation.com.sv] 
> Sent: June 5, 2007 3:06 PM
> To: petermcgill at goco.net
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Subnets conmunication?
> 
> Here is auth.log
> 
> Jun  5 13:54:12 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4: responding to Main Mode from unknown peer 66.201.165.11
> Jun  5 13:54:12 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun  5 13:54:12 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun  5 13:54:12 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4: STATE_MAIN_R2: sent MR2, expecting MI3
> Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4: Main mode peer ID is ID_IPV4_ADDR: '10.8.213.31'
> Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: deleting connection "centralbw_50" instance with peer 66.201.165.11 {isakmp=#0/ipsec=#0}
> Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: I did not send a certificate because I do not have one.
> Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]===192.168.50.0/24
> Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: sending encrypted notification INVALID_ID_INFORMATION to 66.201.165.11:500
> Jun  5 13:54:23 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x915afd54 (perhaps this is a duplicated packet)
> Jun  5 13:54:23 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: sending encrypted notification INVALID_MESSAGE_ID to 66.201.165.11:500
> Jun  5 13:54:43 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x915afd54 (perhaps this is a duplicated packet)
> Jun  5 13:54:43 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: sending encrypted notification INVALID_MESSAGE_ID to 66.201.165.11:500
> Jun  5 13:55:24 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]===192.168.50.0/24
> Jun  5 13:55:24 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: sending encrypted notification INVALID_ID_INFORMATION to 66.201.165.11:500
> Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11 #4: received Delete SA payload: deleting ISAKMP State #4
> Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[2] 66.201.165.11: deleting connection "centralbw_50" instance with peer 66.201.165.11 {isakmp=#0/ipsec=#0}
> Jun  5 13:55:27 vpn pluto[1165]: packet from 66.201.165.11:500: received and ignored informational message
> Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[3] 66.201.165.11 #5: responding to Main Mode from unknown peer 66.201.165.11
> Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[3] 66.201.165.11 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[3] 66.201.165.11 #5: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[3] 66.201.165.11 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[3] 66.201.165.11 #5: STATE_MAIN_R2: sent MR2, expecting MI3
> Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[3] 66.201.165.11 #5: Main mode peer ID is ID_IPV4_ADDR: '10.8.213.31'
> Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: deleting connection "centralbw_50" instance with peer 66.201.165.11 {isakmp=#0/ipsec=#0}
> Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: I did not send a certificate because I do not have one.
> Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]===192.168.50.0/24
> Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: sending encrypted notification INVALID_ID_INFORMATION to 66.201.165.11:500
> Jun  5 13:55:47 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x443f23ad (perhaps this is a duplicated packet)
> Jun  5 13:55:47 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: sending encrypted notification INVALID_MESSAGE_ID to 66.201.165.11:500
> Jun  5 13:56:07 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x443f23ad (perhaps this is a duplicated packet)
> Jun  5 13:56:07 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: sending encrypted notification INVALID_MESSAGE_ID to 66.201.165.11:500
> Jun  5 13:56:45 vpn sshd[1620]: Accepted password for root from 190.53.0.113 port 1869 ssh2
> Jun  5 13:56:45 vpn sshd[1622]: (pam_unix) session opened for user root by root(uid=0)
> Jun  5 13:56:48 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]===192.168.50.0/24
> Jun  5 13:56:48 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: sending encrypted notification INVALID_ID_INFORMATION to 66.201.165.11:500
> Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11 #5: received Delete SA payload: deleting ISAKMP State #5
> Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[4] 66.201.165.11: deleting connection "centralbw_50" instance with peer 66.201.165.11 {isakmp=#0/ipsec=#0}
> Jun  5 13:56:51 vpn pluto[1165]: packet from 66.201.165.11:500: received and ignored informational message
> Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[5] 66.201.165.11 #6: responding to Main Mode from unknown peer 66.201.165.11
> Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[5] 66.201.165.11 #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[5] 66.201.165.11 #6: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[5] 66.201.165.11 #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[5] 66.201.165.11 #6: STATE_MAIN_R2: sent MR2, expecting MI3
> Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[5] 66.201.165.11 #6: Main mode peer ID is ID_IPV4_ADDR: '10.8.213.31'
> Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[6] 66.201.165.11 #6: deleting connection "centralbw_50" instance with peer 66.201.165.11 {isakmp=#0/ipsec=#0}
> Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[6] 66.201.165.11 #6: I did not send a certificate because I do not have one.
> Jun  5 13:56:52 vpn pluto[1165]: "centralbw_50"[6] 66.201.165.11 #6: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun  5 13:56:52 vpn pluto[1165]: "centralbw_50"[6] 66.201.165.11 #6: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> Jun  5 13:56:52 vpn pluto[1165]: "centralbw_50"[6] 66.201.165.11 #6: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]===192.168.50.0/24
> Jun  5 13:56:52 vpn pluto[1165]: "centralbw_50"[6] 66.201.165.11 #6: sending encrypted notification INVALID_ID_INFORMATION to 66.201.165.11:500
> Jun  5 13:57:01 vpn pluto[1165]: "centralbw_50"[6] 66.201.165.11 #6: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6791a7cd (perhaps this is a duplicated packet)
> Jun  5 13:57:01 vpn pluto[1165]: "centralbw_50"[6] 66.201.165.11 #6: sending encrypted notification INVALID_MESSAGE_ID to 66.201.165.11:500
> Jun  5 13:57:19 vpn sshd[1482]: Received signal 15; terminating.
> Jun  5 13:57:19 vpn pluto[1165]: shutting down
> Jun  5 13:57:19 vpn pluto[1165]: forgetting secrets
> Jun  5 13:57:20 vpn pluto[1165]: "centralbw_50"[6] 66.201.165.11: deleting connection "centralbw_50" instance with peer 66.201.165.11 {isakmp=#6/ipsec=#0}
> Jun  5 13:57:20 vpn pluto[1165]: "centralbw_50" #6: deleting state (STATE_MAIN_R3)
> Jun  5 13:57:20 vpn pluto[1165]: "centralbw_50_to_branch_40": deleting connection
> Jun  5 13:57:20 vpn pluto[1165]: "branch_40": deleting connection
> Jun  5 13:57:20 vpn pluto[1165]: "branch_40" #2: deleting state (STATE_QUICK_I2)
> Jun  5 13:57:20 vpn pluto[1165]: "branch_40_to_centralbw_50": deleting connection
> Jun  5 13:57:20 vpn pluto[1165]: "branch_40_to_centralbw_50" #3: deleting state (STATE_QUICK_I2)
> Jun  5 13:57:20 vpn pluto[1165]: "branch_40_to_centralbw_50" #1: deleting state (STATE_MAIN_I4)
> Jun  5 13:57:20 vpn pluto[1165]: "centralbw_50": deleting connection
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface lo/lo ::1:500
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface lo/lo 127.0.0.1:4500
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface lo/lo 127.0.0.1:500
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface eth0/eth0 208.70.149.161:4500
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface eth0/eth0 208.70.149.161:500
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface eth0:0/eth0:0 208.70.149.162:4500
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface eth0:0/eth0:0 208.70.149.162:500
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface eth0:1/eth0:1 208.70.149.163:4500
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface eth0:1/eth0:1 208.70.149.163:500
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface eth0:2/eth0:2 208.70.149.164:4500
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface eth0:2/eth0:2 208.70.149.164:500
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface eth0:3/eth0:3 208.70.149.165:4500
> Jun  5 13:57:20 vpn pluto[1165]: shutting down interface eth0:3/eth0:3 208.70.149.165:500
> Jun  5 13:58:02 vpn pluto[1164]: "branch_40_to_centralbw_50" #1: initiating Main Mode
> Jun  5 13:58:02 vpn pluto[1164]: "centralbw_50_to_branch_40": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
> Jun  5 13:58:02 vpn sshd[1490]: Server listening on :: port 22.
> Jun  5 13:58:03 vpn pluto[1164]: "branch_40_to_centralbw_50" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jun  5 13:58:03 vpn pluto[1164]: "branch_40_to_centralbw_50" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Jun  5 13:58:04 vpn webmin[1574]: Webmin starting 
> Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" #1: I did not send a certificate because I do not have one.
> Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" #1: Main mode peer ID is ID_IPV4_ADDR: '190.53.0.113'
> Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> Jun  5 13:58:05 vpn pluto[1164]: "branch_40" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Jun  5 13:58:08 vpn pluto[1164]: "branch_40" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jun  5 13:58:08 vpn pluto[1164]: "branch_40" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xc3ad781f <0xf5001af0 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> Jun  5 13:58:12 vpn sshd[1586]: Accepted password for root from 190.53.0.113 port 1881 ssh2
> Jun  5 13:58:13 vpn sshd[1588]: (pam_unix) session opened for user root by root(uid=0)
> Jun  5 13:58:18 vpn pluto[1164]: "branch_40_to_centralbw_50" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jun  5 13:58:18 vpn pluto[1164]: "branch_40_to_centralbw_50" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x433730c7 <0xe3efe176 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> Jun  5 13:58:19 vpn sshd[1605]: Accepted password for root from 190.53.0.113 port 1882 ssh2
> Jun  5 13:58:35 vpn sshd[1605]: subsystem request for sftp
> Jun  5 13:58:35 vpn sshd[1607]: (pam_unix) session opened for user root by (uid=0)
> Jun  5 14:00:01 vpn CRON[1608]: (pam_unix) session opened for user root by (uid=0)
> 
> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On behalf of IT Dept.
> Sent: Tuesday, June 5, 2007 1:00 p.m.
> To: petermcgill at goco.net
> CC: users at openswan.org
> Subject: Re: [Openswan Users] Subnets conmunication?
> 
> Here is:
> 
> 
> Jun  5 13:58:02 vpn syslogd 1.4.1#17ubuntu7: restart.
> Jun  5 13:58:02 vpn kernel: Cannot find map file.
> Jun  5 13:58:02 vpn kernel: No module symbols loaded - kernel modules not enabled. 
> Jun  5 13:58:02 vpn kernel: Bootdata ok (command line is  root=/dev/sda1 ro 3)
> Jun  5 13:58:02 vpn kernel: Linux version 2.6.16.29-xen (shand at endor) (gcc version 3.4.4 20050314 (prerelease) (Debian 3.4.3-13)) #3 SMP Sun Oct 15 13:15:34 BST 2006
> Jun  5 13:58:02 vpn kernel: BIOS-provided physical RAM map:
> Jun  5 13:58:02 vpn kernel:  Xen: 0000000000000000 - 000000001f000000 (usable)
> Jun  5 13:58:02 vpn kernel: On node 0 totalpages: 126976
> Jun  5 13:58:02 vpn kernel:   DMA zone: 126976 pages, LIFO batch:31
> Jun  5 13:58:02 vpn kernel:   DMA32 zone: 0 pages, LIFO batch:0
> Jun  5 13:58:02 vpn kernel:   Normal zone: 0 pages, LIFO batch:0
> Jun  5 13:58:02 vpn kernel:   HighMem zone: 0 pages, LIFO batch:0
> Jun  5 13:58:02 vpn kernel: No mptable found.
> Jun  5 13:58:02 vpn kernel: Built 1 zonelists
> Jun  5 13:58:02 vpn kernel: Kernel command line:  root=/dev/sda1 ro 3
> Jun  5 13:58:02 vpn kernel: Initializing CPU#0
> Jun  5 13:58:02 vpn kernel: PID hash table entries: 2048 (order: 11, 65536 bytes)
> Jun  5 13:58:02 vpn kernel: Xen reported: 1795.496 MHz processor.
> Jun  5 13:58:02 vpn kernel: Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
> Jun  5 13:58:02 vpn kernel: Inode-cache hash table entries: 32768 (order: 6, 262144 bytes)
> Jun  5 13:58:02 vpn kernel: Software IO TLB disabled
> Jun  5 13:58:02 vpn kernel: Memory: 483452k/507904k available (1918k kernel code, 15628k reserved, 809k data, 168k init)
> Jun  5 13:58:02 vpn kernel: Calibrating delay using timer specific routine.. 3592.77 BogoMIPS (lpj=17963870)
> Jun  5 13:58:02 vpn kernel: Security Framework v1.0.0 initialized
> Jun  5 13:58:02 vpn kernel: Capability LSM initialized
> Jun  5 13:58:02 vpn ipsec__plutorun: 104 "branch_40_to_centralbw_50" #1: STATE_MAIN_I1: initiate
> Jun  5 13:58:02 vpn ipsec__plutorun: ...could not start conn "branch_40_to_centralbw_50"
> Jun  5 13:58:02 vpn kernel: Mount-cache hash table entries: 256
> Jun  5 13:58:02 vpn kernel: CPU: L1 I Cache: 64K (64 bytes/line), D cache 64K (64 bytes/line)
> Jun  5 13:58:02 vpn kernel: CPU: L2 Cache: 1024K (64 bytes/line)
> Jun  5 13:58:02 vpn kernel: Brought up 1 CPUs
> Jun  5 13:58:02 vpn kernel: migration_cost=0
> Jun  5 13:58:02 vpn kernel: checking if image is initramfs... it is
> Jun  5 13:58:02 vpn kernel: Freeing initrd memory: 1859k freed
> Jun  5 13:58:02 vpn kernel: DMI not present or invalid.
> Jun  5 13:58:02 vpn kernel: Grant table initialized
> Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 16
> Jun  5 13:58:02 vpn kernel: Initializing CPU#1
> Jun  5 13:58:02 vpn kernel: migration_cost=967
> Jun  5 13:58:02 vpn kernel: Brought up 2 CPUs
> Jun  5 13:58:02 vpn kernel: PCI: setting up Xen PCI frontend stub
> Jun  5 13:58:02 vpn kernel: ACPI: Subsystem revision 20060127
> Jun  5 13:58:02 vpn kernel: ACPI: Interpreter disabled.
> Jun  5 13:58:02 vpn kernel: Linux Plug and Play Support v0.97 (c) Adam Belay
> Jun  5 13:58:02 vpn kernel: pnp: PnP ACPI: disabled
> Jun  5 13:58:02 vpn kernel: xen_mem: Initialising balloon driver.
> Jun  5 13:58:02 vpn kernel: PCI: System does not support PCI
> Jun  5 13:58:02 vpn kernel: PCI: System does not support PCI
> Jun  5 13:58:02 vpn kernel: pnp: the driver 'system' has been registered
> Jun  5 13:58:02 vpn kernel: IA-32 Microcode Update Driver: v1.14-xen <tigran at veritas.com>
> Jun  5 13:58:02 vpn kernel: IA32 emulation $Id: sys_ia32.c,v 1.32 2002/03/24 13:02:28 ak Exp $
> Jun  5 13:58:02 vpn kernel: audit: initializing netlink socket (disabled)
> Jun  5 13:58:02 vpn kernel: audit(1181069856.905:1): initialized
> Jun  5 13:58:02 vpn kernel: VFS: Disk quotas dquot_6.5.1
> Jun  5 13:58:02 vpn kernel: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
> Jun  5 13:58:02 vpn kernel: Initializing Cryptographic API
> Jun  5 13:58:02 vpn kernel: io scheduler noop registered
> Jun  5 13:58:02 vpn kernel: io scheduler anticipatory registered
> Jun  5 13:58:02 vpn kernel: io scheduler deadline registered
> Jun  5 13:58:02 vpn kernel: io scheduler cfq registered (default)
> Jun  5 13:58:02 vpn kernel: rtc: IRQ 8 is not free.
> Jun  5 13:58:02 vpn kernel: Non-volatile memory driver v1.2
> Jun  5 13:58:02 vpn kernel: pnp: the driver 'i8042 kbd' has been registered
> Jun  5 13:58:02 vpn kernel: pnp: the driver 'i8042 aux' has been registered
> Jun  5 13:58:02 vpn kernel: pnp: the driver 'i8042 kbd' has been unregistered
> Jun  5 13:58:02 vpn kernel: pnp: the driver 'i8042 aux' has been unregistered
> Jun  5 13:58:02 vpn kernel: PNP: No PS/2 controller found. Probing ports directly.
> Jun  5 13:58:02 vpn kernel: i8042.c: No controller found.
> Jun  5 13:58:02 vpn kernel: RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
> Jun  5 13:58:02 vpn kernel: loop: loaded (max 8 devices)
> Jun  5 13:58:02 vpn kernel: Xen virtual console successfully installed as tty1
> Jun  5 13:58:02 vpn kernel: Event-channel device installed.
> Jun  5 13:58:02 vpn kernel: netfront: Initialising virtual ethernet driver.
> Jun  5 13:58:02 vpn kernel: Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
> Jun  5 13:58:02 vpn kernel: ide: Assuming 50MHz system bus speed for PIO modes; override with idebus=xx
> Jun  5 13:58:02 vpn kernel: pnp: the driver 'ide' has been registered
> Jun  5 13:58:02 vpn kernel: mice: PS/2 mouse device common for all mice
> Jun  5 13:58:02 vpn kernel: md: md driver 0.90.3 MAX_MD_DEVS=256, MD_SB_DISKS=27
> Jun  5 13:58:02 vpn kernel: md: bitmap version 4.39
> Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 2
> Jun  5 13:58:02 vpn kernel: netfront: device eth0 has flipping receive path.
> Jun  5 13:58:02 vpn kernel: IP route cache hash table entries: 4096 (order: 3, 32768 bytes)
> Jun  5 13:58:02 vpn kernel: TCP established hash table entries: 16384 (order: 6, 262144 bytes)
> Jun  5 13:58:02 vpn kernel: TCP bind hash table entries: 16384 (order: 6, 262144 bytes)
> Jun  5 13:58:02 vpn kernel: TCP: Hash tables configured (established 16384 bind 16384)
> Jun  5 13:58:02 vpn kernel: TCP reno registered
> Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 1
> Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 17
> Jun  5 13:58:02 vpn kernel: Registering block device major 8
> Jun  5 13:58:02 vpn kernel: kjournald starting.  Commit interval 5 seconds
> Jun  5 13:58:02 vpn kernel: EXT3-fs: mounted filesystem with ordered data mode.
> Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 10
> Jun  5 13:58:02 vpn kernel: lo: Disabled Privacy Extensions
> Jun  5 13:58:02 vpn kernel: IPv6 over IPv4 tunneling driver
> Jun  5 13:58:02 vpn kernel: pnp: the driver 'parport_pc' has been registered
> Jun  5 13:58:02 vpn kernel: lp: driver loaded but no devices found
> Jun  5 13:58:02 vpn kernel: Adding 999416k swap on /dev/sda2.  Priority:-1 extents:1 across:999416k
> Jun  5 13:58:02 vpn kernel: EXT3 FS on sda1, internal journal
> Jun  5 13:58:02 vpn kernel: device-mapper: 4.5.0-ioctl (2005-10-04) initialised: dm-devel at redhat.com
> Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 15
> Jun  5 13:58:02 vpn kernel: Initializing IPsec netlink socket
> Jun  5 13:58:02 vpn ipsec__plutorun: 029 "centralbw_50_to_branch_40": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
> Jun  5 13:58:02 vpn ipsec__plutorun: ...could not start conn "centralbw_50_to_branch_40"
> Jun  5 13:58:03 vpn kernel: eth0: no IPv6 routers present
> Jun  5 13:58:03 vpn ipsec_setup: Openswan IPsec apparently already running, start aborted
> Jun  5 13:58:03 vpn /usr/sbin/cron[1554]: (CRON) INFO (pidfile fd = 3)
> Jun  5 13:58:03 vpn /usr/sbin/cron[1555]: (CRON) STARTUP (fork ok)
> Jun  5 13:58:03 vpn /usr/sbin/cron[1555]: (CRON) INFO (Running @reboot jobs)
> 
> Hector
> 
> 
> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net] 
> Sent: Tuesday, June 5, 2007 12:55 p.m.
> To: 'IT Dept.'
> CC: users at openswan.org
> Subject: RE: [Openswan Users] Subnets conmunication?
> 
> > -----Original Message-----
> > From: IT Dept. [mailto:it at technovation.com.sv] 
> > Sent: June 5, 2007 2:43 PM
> > To: petermcgill at goco.net
> > Cc: users at openswan.org
> > Subject: RE: [Openswan Users] Subnets conmunication?
> > 
> > root at vpn:~# ipsec version
> > Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
> > See `ipsec --copyright' for copyright information.
> > root at vpn:~#
> > 
> > root at vpn:~# ipsec verify
> > Checking your system to see if IPsec got installed and started correctly:
> > Version check and ipsec on-path                                 [OK]
> > Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
> > Checking for IPsec support in kernel                            [OK]
> > Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> > Checking that pluto is running                                  [OK]
> > Two or more interfaces found, checking IP forwarding            [OK]
> > Checking NAT and MASQUERADEing                                  [N/A]
> > Checking for 'ip' command                                       [OK]
> > Checking for 'iptables' command                                 [OK]
> > Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
> > Opportunistic Encryption Support                                [DISABLED]
> > root at vpn:~#
> > 
> > root at vpn:~# ipsec eroute
> > /usr/lib/ipsec/eroute: NETKEY does not support eroute table.
> > root at vpn:~#
> 
> The above looks ok; we don't need eroute, it's just an easy way to check
> tunnel status. But I will need some log info to determine where the error is.
> 
> egrep -e 'pluto' /var/log/*
> Filter by date/time to only get the recent restart and connections.
> 
> > I'll be waiting for your help....my boss wanna hang me...LOL
> > 
> > Regards
> > 
> > 	Hector
> > 
> > -----Original Message-----
> > From: Peter McGill [mailto:petermcgill at goco.net] 
> > Sent: Tuesday, June 5, 2007 12:37 p.m.
> > To: 'IT Dept.'
> > CC: users at openswan.org
> > Subject: RE: [Openswan Users] Subnets conmunication?
> > 
> > > -----Original Message-----
> > > From: IT Dept. [mailto:it at technovation.com.sv] 
> > > Sent: June 5, 2007 2:00 PM
> > > To: petermcgill at goco.net
> > > Cc: users at openswan.org
> > > Subject: RE: [Openswan Users] Subnets conmunication?
> > > Importance: High
> > > 
> > > Hi again...
> > > 
> > > 	Thanks for your help....I can't get communication yet.
> > > 
> > > 	Here is my last conf...I'm only using two branches to make it more
> > > simple...
> > > 
> > > # /etc/ipsec.conf - Openswan IPsec configuration file
> > > # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
> > > 
> > > # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> > > #
> > > # Manual:     ipsec.conf.5
> > > 
> > > 
> > > version	2.0	# conforms to second version of ipsec.conf specification
> > > 
> > > # basic configuration
> > > config setup
> > > 	forwardcontrol=yes
> > > 	nat_traversal=yes
> > > 	# plutodebug / klipsdebug = "all", "none" or a combination from below:
> > > 	# "raw crypt parsing emitting control klips pfkey natt x509 private"
> > > 	# eg:
> > > 	# plutodebug="control parsing"
> > > 	#
> > > 	# Only enable klipsdebug=all if you are a developer
> > > 	#
> > > 	# NAT-TRAVERSAL support, see README.NAT-Traversal
> > > 	# nat_traversal=yes
> > > 	# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
> > > 
> > > # Disable Opportunistic Encryption
> > > include /etc/ipsec.d/examples/no_oe.conf
> > > 
> > > conn branch_40
> > > 	also=branch_40_shared
> > > 	rightsubnet=192.168.40.0/24
> > > 	auto=start
> > > 
> > > conn centralbw_50
> > > 	also=centralbw_50_shared
> > > 	rightsubnet=192.168.50.0/24
> > > 	auto=add
> > > 
> > > conn branch_40_to_centralbw_50
> > > 	also=branch_40_shared
> > > 	leftsubnet=192.168.50.0/24
> > > 	rightsubnet=192.168.40.0/24
> > > 	auto=start
> > > 
> > > conn centralbw_50_to_branch_40
> > > 	also=centralbw_50_shared
> > > 	leftsubnet=192.168.40.0/24
> > > 	rightsubnet=192.168.50.0/24
> > > 	auto=add
> > > 
> > > conn branch_40_shared
> > > 	authby=secret
> > > 	compress=no
> > > 	ikelifetime=240m
> > > 	keyexchange=ike
> > > 	keylife=60m
> > > 	left=208.70.149.161
> > > 	leftnexthop=208.70.149.166
> > > 	pfs=yes
> > > 	right=190.53.0.113
> > > 	rightnexthop=190.53.0.1
> > > 
> > > conn centralbw_50_shared
> > > 	authby=secret
> > > 	compress=no
> > > 	ikelifetime=240m
> > > 	keyexchange=ike
> > > 	keylife=60m
> > > 	left=208.70.149.161
> > > 	leftnexthop=208.70.149.166
> > > 	pfs=yes
> > > 	right=%any
> > > 
> > > 
> > > In auth.log I get that conn branch_40_shared starts fine, but I need to
> > > manually start conn centralbw_50_shared from the Linksys router, and then
> > > the conns in between don't start...
> > 
> > First off, the shared conns should never be started; they're not
> > real conns, just shared information used by other conns.
> > Also, it would be easier to test with the static IP sites rather than
> > centralbw. With centralbw, the Linksys must initiate the connection for it to
> > work.
> > 
> > Show us these outputs.
> > ipsec version
> > ipsec verify
> > ipsec eroute
> > 
> > Lastly, restart openswan, and reconnect the linksys tunnels.
> > Get the restart and connect logs by...
> > egrep -e 'pluto' /var/log/*
> > Filter by date/time to only get the recent restart and connections.
> 
> 
> 
> -- 
> No virus found in this incoming message.
> Checked by AVG Free Edition. 
> Version: 7.5.472 / Virus Database: 269.8.9/832 - Release 
> Date: 04/06/2007
> 06:43 p.m.
> 
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> 7?n=283155
> 
> 
> 
> 


