[Openswan Users] Subnet-to-subnet configuration problem

Julien GROSJEAN - Proxiad j.grosjean at proxiad.com
Wed Jun 13 11:58:07 EDT 2007


Hello,

I modified my ipsec.conf files:

######### START #########
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        nat_traversal=yes
        #virtual_private=%v4:10.1.11.0/24,%v4:192.168.10.0/24
        interfaces="ipsec0=eth1"
        #plutoload=%search

conn net-to-net
    type=tunnel
    authby=secret
    left=10.1.11.39
    leftsubnet=10.1.11.0/24
    leftnexthop=10.1.11.21
    right=217.x.x.xx
    rightsubnet=192.168.10.0/24
    keyexchange=ike
    esp=3des-md5
    auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

#########END############



Here are the new logs:

On the first side:

#### LOGS####
Jun 13 17:49:27 vpnagence pluto[13035]: "net-to-net" #1: Main mode peer 
ID is ID_IPV4_ADDR: '192.168.10.55'
Jun 13 17:49:27 vpnagence pluto[13035]: "net-to-net" #1: no suitable 
connection for peer '192.168.10.55'
Jun 13 17:49:27 vpnagence pluto[13035]: "net-to-net" #1: sending 
encrypted notification INVALID_ID_INFORMATION to 217.x.x.x:500
Jun 13 17:49:29 vpnagence pluto[13035]: "net-to-net" #2: discarding 
duplicate packet; already STATE_MAIN_I3
Jun 13 17:49:29 vpnagence pluto[13035]: "net-to-net" #2: ignoring 
informational payload, type INVALID_ID_INFORMATION
Jun 13 17:49:29 vpnagence pluto[13035]: "net-to-net" #2: received and 
ignored informational message
#### END LOGS ####


On the second side:

#########
Jun 13 17:49:30 vpnannexe pluto[9372]: "net-to-net" #4: Main mode peer 
ID is ID_IPV4_ADDR: '10.1.11.39'
Jun 13 17:49:30 vpnannexe pluto[9372]: "net-to-net" #4: no suitable 
connection for peer '10.1.11.39'
Jun 13 17:49:30 vpnannexe pluto[9372]: "net-to-net" #4: sending 
encrypted notification INVALID_ID_INFORMATION to 193.x.x.x:500
Jun 13 17:49:34 vpnannexe pluto[9372]: "net-to-net" #3: ignoring 
informational payload, type INVALID_ID_INFORMATION
Jun 13 17:49:34 vpnannexe pluto[9372]: "net-to-net" #3: received and 
ignored informational message
Jun 13 17:49:35 vpnannexe pluto[9372]: "net-to-net" #3: discarding 
duplicate packet; already STATE_MAIN_I3
########


What about this "no suitable connection for peer"?

Can you help me?

Thanks.




Julien GROSJEAN - Proxiad wrote:
> Hello,
>
> I modified my configuration after reading again and I found my mistakes...
>
> I enabled NAT-TRAVERSAL.
> It seems to be trying to connect, but... here are the logs, exactly the same 
> on both boxes:
>
>
> ### STARTING LOGS ###
>
> 104 "net-to-net" #1: STATE_MAIN_I1: initiate
> 003 "net-to-net" #1: received Vendor ID payload [Openswan (this 
> version) 2.4.4  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> 003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "net-to-net" #1: received Vendor ID payload [RFC 3947] method set 
> to=109
> 106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "net-to-net" #1: NAT-Traversal: Result using 3: both are NATed
> 108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "net-to-net" #1: ignoring informational payload, type 
> INVALID_ID_INFORMATION
> 003 "net-to-net" #1: received and ignored informational message
>
> 010 "net-to-net" #1: STATE_MAIN_I3: retransmission; will wait 20s for 
> response
> 003 "net-to-net" #1: ignoring informational payload, type 
> INVALID_ID_INFORMATION
> 003 "net-to-net" #1: received and ignored informational message
> 003 "net-to-net" #1: discarding duplicate packet; already STATE_MAIN_I3
>
> ...
> ### ENDING LOGS ###
>
>
> And always the same message.
> Can you tell me where the problem is?
>
> Here are my conf files:
>
> ##### FIRST CONF FILE ######
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # NAT-TRAVERSAL support, see README.NAT-Traversal
>          nat_traversal=yes
>         # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
>          interfaces="ipsec0=eth0"
>         # plutoload=%search
>
> conn net-to-net
>     left=192.168.10.55
>     leftsubnet=192.169.10.0/24
>     leftid=@192.168.10.55
>     leftrsasigkey=0sAQPSJVkiFSp5E7VR6u+RGs...
>     leftnexthop=192.168.10.1
>     right=193.x.x.x
>     rightsubnet=10.1.11.0/24
>     rightrsasigkey=0sAQPAXKfwyOzCtzo2DoGwhh...
>     auto=add
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> ##### END OF FIRST CONF FILE #####
>
> #### SECOND CONF FILE #####
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
> version 2.0     # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
>         # NAT-TRAVERSAL support, see README.NAT-Traversal
>          nat_traversal=yes
>         # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
>          interfaces="ipsec0=eth1"
>         # plutoload=%search
>
> conn net-to-net
>     left=10.1.11.39
>     leftsubnet=10.1.11.0/24
>     leftid=@10.1.11.39
>     leftrsasigkey=0sAQPAXKfw....
>     leftnexthop=10.1.11.21
>     right=217.x.x.x
>     rightsubnet=192.168.10.0/24
>     rightrsasigkey=0sAQPSJVkiFSp5E7VR6u+....
>     auto=add
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> ### END OF SECOND CONF FILE ###
>
>
> Perhaps wrong leftid and rightid?
> What about these parameters?
> Can you help me? :-)
>
> Thanks in advance.
>
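The "no suitable connection for peer" lines in the logs above show each gateway offering its private left= address as its Main Mode ID (192.168.10.55 and 10.1.11.39) while the receiving side, having no rightid, only accepts the public right= address it was configured with. The script below is an added example (not from this thread or from Openswan) that parses a conn section and a pluto log and reports such ID mismatches; it assumes the Openswan default that an unset rightid means an ID_IPV4_ADDR equal to right=, and uses the placeholder 217.0.0.1 for the masked 217.x.x.xx address on the page.

```python
import re
# Constructed sample: the conn block of the first ipsec.conf on the page (masked 217.x.x.xx -> placeholder).
IPSEC_CONF = """\
conn net-to-net
    left=10.1.11.39
    leftsubnet=10.1.11.0/24
    right=217.0.0.1
    rightsubnet=192.168.10.0/24
"""
# Constructed sample log line, in the shape of the pluto line quoted on the page.
PLUTO_LOG = """\
Jun 13 17:49:27 vpnagence pluto[13035]: "net-to-net" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.10.55'
"""
PEER_ID_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: Main mode peer ID is (?P<kind>\w+): \'(?P<id>[^\']+)\'')

def parse_conns(text):
    """Return {conn name: {key: value}} for every 'conn' section of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def expected_peer_id(conn):
    """(ID kind, ID) pluto accepts from the peer: rightid if set, else the right= address (assumed default)."""
    rightid = conn.get("rightid")
    if rightid is None:
        return "ID_IPV4_ADDR", conn.get("right")
    if rightid.startswith("@"):  # @name is an FQDN-type identity (no DNS lookup)
        return "ID_FQDN", rightid[1:]
    return "ID_IPV4_ADDR", rightid

def check_peer_ids(conf_text, log_text):
    # Returns [(conn, offered (kind, id), expected (kind, id))] for each mismatch in the log.
    conns = parse_conns(conf_text)
    findings = []
    for line in log_text.splitlines():
        m = PEER_ID_RE.search(line)
        if not m or m.group("conn") not in conns:
            continue
        offered = (m.group("kind"), m.group("id"))
        expected = expected_peer_id(conns[m.group("conn")])
        if offered != expected:
            findings.append((m.group("conn"), offered, expected))
    return findings
```

A reported mismatch means the conn will be rejected with INVALID_ID_INFORMATION exactly as in the logs; setting rightid on each side to the ID the other side actually offers (and the matching leftid on that side) makes the check pass.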