[Openswan Users] Openswan configuration problems
José Antonio Olivera Ortega
jaoo62 at tid.es
Thu Oct 4 06:23:26 EDT 2007
Hello,
I am trying to set up an IPsec tunnel between two Debian boxes, and I can't
get it working.
The well-known message I get is "ipsec__plutorun: ...could not start
conn "Gateway-Router"".
I am posting some information to show my configuration and help find the
problem.
1.- Gateway box:
[/etc/ipsec.conf]
config setup
nat_traversal=yes
interfaces=%defaultroute
# Add connections here
include /etc/ipsec.d/local/*.conf
# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
[/etc/ipsec.d/local/Gateway-Router.conf]
conn Gateway-Router
authby=rsasig
pfs=no
auto=start
rekey=no
left=192.168.112.72
leftid=@Gateway
leftnexthop=%defaultroute
leftrsasigkey=%cert
leftcert=cert.pem
leftprotoport=17/1701
#
# The remote user.
#
right=192.168.112.71
rightid=@Router
rightnexthop=%defaultroute
rightrsasigkey=%cert
rightcert=RouterCert.pem
rightprotoport=17/1701
I am also posting some /var/log/syslog information:
Oct 4 12:09:04 berglek kernel: NET: Registered protocol family 15
Oct 4 12:09:04 berglek kernel: padlock: VIA PadLock not detected.
Oct 4 12:09:04 berglek modprobe: FATAL: Error inserting padlock_aes
(/lib/modules/2.6.21-2-686/kernel/drivers/crypto/padlock-aes.ko): No
such device
Oct 4 12:09:04 berglek kernel: padlock: VIA PadLock Hash Engine not
detected.
Oct 4 12:09:04 berglek modprobe: FATAL: Error inserting padlock_sha
(/lib/modules/2.6.21-2-686/kernel/drivers/crypto/padlock-sha.ko): No
such device
Oct 4 12:09:04 berglek kernel: padlock: VIA PadLock Hash Engine not
detected.
Oct 4 12:09:04 berglek modprobe: FATAL: Error inserting padlock_sha
(/lib/modules/2.6.21-2-686/kernel/drivers/crypto/padlock-sha.ko): No
such device
Oct 4 12:09:04 berglek kernel: padlock: No VIA PadLock drivers have
been loaded.
Oct 4 12:09:04 berglek kernel: Initializing XFRM netlink socket
Oct 4 12:09:04 berglek ipsec_setup: NETKEY on eth1
192.168.112.72/255.255.255.0 broadcast 192.168.112.255
Oct 4 12:09:04 berglek ipsec_setup: ...Openswan IPsec started
Oct 4 12:09:04 berglek ipsec_setup: Starting Openswan IPsec 2.4.8...
Oct 4 12:09:05 berglek ipsec__plutorun: 104 "Gateway-Router" #1:
STATE_MAIN_I1: initiate
Oct 4 12:09:05 berglek ipsec__plutorun: ...could not start conn
"Gateway-Router"
I am also posting some /var/log/auth.log information:
Oct 4 12:09:04 berglek ipsec__plutorun: Starting Pluto subsystem...
Oct 4 12:09:04 berglek pluto[13523]: Starting Pluto (Openswan Version
2.4.8 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE]bWX`QBruL)
Oct 4 12:09:04 berglek pluto[13523]: Setting NAT-Traversal port-4500
floating to on
Oct 4 12:09:04 berglek pluto[13523]: port floating activation
criteria nat_t=1/port_fload=1
Oct 4 12:09:04 berglek pluto[13523]: including NAT-Traversal patch
(Version 0.6c)
Oct 4 12:09:04 berglek pluto[13523]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Oct 4 12:09:04 berglek pluto[13523]: starting up 1 cryptographic helpers
Oct 4 12:09:04 berglek pluto[13523]: started helper pid=13559 (fd:6)
Oct 4 12:09:04 berglek pluto[13523]: Using NETKEY IPsec interface code
on 2.6.21-2-686
Oct 4 12:09:05 berglek pluto[13523]: Changing to directory
'/etc/ipsec.d/cacerts'
Oct 4 12:09:05 berglek pluto[13523]: loaded CA cert file 'cacert.pem'
(1257 bytes)
Oct 4 12:09:05 berglek pluto[13523]: Changing to directory
'/etc/ipsec.d/aacerts'
Oct 4 12:09:05 berglek pluto[13523]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Oct 4 12:09:05 berglek pluto[13523]: Changing to directory
'/etc/ipsec.d/crls'
Oct 4 12:09:05 berglek pluto[13523]: Warning: empty directory
Oct 4 12:09:05 berglek pluto[13523]: loaded host cert file
'/etc/ipsec.d/certs/cert.pem' (3202 bytes)
Oct 4 12:09:05 berglek pluto[13523]: no subjectAltName matches ID
'@Gateway', replaced by subject DN
Oct 4 12:09:05 berglek pluto[13523]: loaded host cert file
'/etc/ipsec.d/certs/RouterCert.pem' (3202 bytes)
Oct 4 12:09:05 berglek pluto[13523]: no subjectAltName matches ID
'@Router', replaced by subject DN
Oct 4 12:09:05 berglek pluto[13523]: added connection description
"Gateway-Router"
Oct 4 12:09:05 berglek pluto[13523]: listening for IKE messages
Oct 4 12:09:05 berglek pluto[13523]: adding interface eth1/eth1
192.168.112.72:500
Oct 4 12:09:05 berglek pluto[13523]: adding interface eth1/eth1
192.168.112.72:4500
Oct 4 12:09:05 berglek pluto[13523]: adding interface lo/lo 127.0.0.1:500
Oct 4 12:09:05 berglek pluto[13523]: adding interface lo/lo 127.0.0.1:4500
Oct 4 12:09:05 berglek pluto[13523]: adding interface lo/lo ::1:500
Oct 4 12:09:05 berglek pluto[13523]: loading secrets from
"/etc/ipsec.secrets"
Oct 4 12:09:05 berglek pluto[13523]: loaded private key file
'/etc/ipsec.d/private/sslkey.pem' (963 bytes)
Oct 4 12:09:05 berglek pluto[13523]: "Gateway-Router" #1: initiating
Main Mode
I am also posting some /var/log/message information:
Oct 4 12:09:04 berglek kernel: NET: Registered protocol family 15
Oct 4 12:09:04 berglek kernel: padlock: No VIA PadLock drivers have
been loaded.
Oct 4 12:09:04 berglek kernel: Initializing XFRM netlink socket
2.- Router box:
[/etc/ipsec.conf]
The same.
[/etc/ipsec.d/local/Gateway-Router.conf]
The same.
I am also posting some /var/log/syslog information:
Oct 4 14:02:27 stroustrup kernel: NET: Registered protocol family 10
Oct 4 14:02:27 stroustrup kernel: lo: Disabled Privacy Extensions
Oct 4 14:02:37 stroustrup kernel: eth0: no IPv6 routers present
Oct 4 14:08:56 stroustrup kernel: NET: Registered protocol family 15
Oct 4 14:08:56 stroustrup kernel: padlock: VIA PadLock not detected.
Oct 4 14:08:56 stroustrup modprobe: FATAL: Error inserting padlock_aes
(/lib/modules/2.6.21-2-686/kernel/drivers/crypto/padlock-aes.ko): No
such device
Oct 4 14:08:56 stroustrup kernel: padlock: VIA PadLock Hash Engine not
detected.
Oct 4 14:08:56 stroustrup modprobe: FATAL: Error inserting padlock_sha
(/lib/modules/2.6.21-2-686/kernel/drivers/crypto/padlock-sha.ko): No
such device
Oct 4 14:08:56 stroustrup kernel: padlock: VIA PadLock Hash Engine not
detected.
Oct 4 14:08:56 stroustrup modprobe: FATAL: Error inserting padlock_sha
(/lib/modules/2.6.21-2-686/kernel/drivers/crypto/padlock-sha.ko): No
such device
Oct 4 14:08:56 stroustrup kernel: padlock: No VIA PadLock drivers have
been loaded.
Oct 4 14:08:56 stroustrup kernel: Initializing XFRM netlink socket
Oct 4 14:08:56 stroustrup ipsec_setup: NETKEY on eth0
192.168.112.71/255.255.255.0 broadcast 255.255.255.0
Oct 4 14:08:57 stroustrup ipsec_setup: ...Openswan IPsec started
Oct 4 14:08:57 stroustrup ipsec_setup: Starting Openswan IPsec 2.4.8...
Oct 4 14:08:57 stroustrup ipsec__plutorun: 104 "Gateway-Router" #1:
STATE_MAIN_I1: initiate
Oct 4 14:08:57 stroustrup ipsec__plutorun: ...could not start conn
"Gateway-Router"
I am also posting some /var/log/auth.log information:
Oct 4 14:08:56 stroustrup pluto[5860]: Starting Pluto (Openswan Version
2.4.8 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE]bWX`QBruL)
Oct 4 14:08:56 stroustrup pluto[5860]: Setting NAT-Traversal port-4500
floating to on
Oct 4 14:08:56 stroustrup pluto[5860]: port floating activation
criteria nat_t=1/port_fload=1
Oct 4 14:08:56 stroustrup pluto[5860]: including NAT-Traversal patch
(Version 0.6c)
Oct 4 14:08:56 stroustrup pluto[5860]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Oct 4 14:08:56 stroustrup pluto[5860]: no helpers will be started, all
cryptographic operations will be done inline
Oct 4 14:08:56 stroustrup pluto[5860]: Using NETKEY IPsec interface
code on 2.6.21-2-686
Oct 4 14:08:57 stroustrup pluto[5860]: Changing to directory
'/etc/ipsec.d/cacerts'
Oct 4 14:08:57 stroustrup pluto[5860]: loaded CA cert file
'cacert.pem' (1257 bytes)
Oct 4 14:08:57 stroustrup pluto[5860]: Changing to directory
'/etc/ipsec.d/aacerts'
Oct 4 14:08:57 stroustrup pluto[5860]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Oct 4 14:08:57 stroustrup pluto[5860]: Changing to directory
'/etc/ipsec.d/crls'
Oct 4 14:08:57 stroustrup pluto[5860]: Warning: empty directory
Oct 4 14:08:57 stroustrup pluto[5860]: loaded host cert file
'/etc/ipsec.d/certs/cert.pem' (3202 bytes)
Oct 4 14:08:57 stroustrup pluto[5860]: no subjectAltName matches ID
'@Gateway', replaced by subject DN
Oct 4 14:08:57 stroustrup pluto[5860]: loaded host cert file
'/etc/ipsec.d/certs/RouterCert.pem' (3202 bytes)
Oct 4 14:08:57 stroustrup pluto[5860]: no subjectAltName matches ID
'@Router', replaced by subject DN
Oct 4 14:08:57 stroustrup pluto[5860]: added connection description
"Gateway-Router"
Oct 4 14:08:57 stroustrup pluto[5860]: listening for IKE messages
Oct 4 14:08:57 stroustrup pluto[5860]: adding interface eth0/eth0
192.168.112.71:500
Oct 4 14:08:57 stroustrup pluto[5860]: adding interface eth0/eth0
192.168.112.71:4500
Oct 4 14:08:57 stroustrup pluto[5860]: adding interface lo/lo 127.0.0.1:500
Oct 4 14:08:57 stroustrup pluto[5860]: adding interface lo/lo
127.0.0.1:4500
Oct 4 14:08:57 stroustrup pluto[5860]: adding interface lo/lo ::1:500
Oct 4 14:08:57 stroustrup pluto[5860]: loading secrets from
"/etc/ipsec.secrets"
Oct 4 14:08:57 stroustrup pluto[5860]: loaded private key file
'/etc/ipsec.d/private/sslkey.pem' (951 bytes)
Oct 4 14:08:57 stroustrup pluto[5860]: "Gateway-Router" #1: initiating
Main Mode
I am also posting some /var/log/message information:
Oct 4 14:08:56 stroustrup kernel: NET: Registered protocol family 15
Oct 4 14:08:56 stroustrup kernel: padlock: No VIA PadLock drivers have
been loaded.
Oct 4 14:08:56 stroustrup kernel: Initializing XFRM netlink socket
The file /etc/ipsec.d/cacerts/cacert.pem is the same on both boxes.
The files /etc/ipsec.d/private/sslkey.pem are different on each box.
The files /etc/ipsec.d/certs/cert.pem and
/etc/ipsec.d/certs/RouterCert.pem are different, of course.
Can anybody help me?
Thanks in advance.
Respectfully,
Jose A. Olivera.
--
José Antonio Olivera Ortega
Automóvil Conectado - Telefónica I+D
Teléfono: 913340330 Ext. 1000
Email: jaoo62 at tid.es
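The auth.log extracts above are long, and only a handful of lines carry the facts a troubleshooter needs. The script below is an added example, not part of the original post and not Openswan code: it parses syslog-format pluto and ipsec__plutorun lines and pulls out which IDs pluto replaced by a certificate subject DN, which certificate directories were empty, the furthest IKE state each connection reached, and which connections plutorun reported it could not start. SAMPLE_LOG is constructed from lines in the post, rejoined onto single lines (the archive wraps them); the regular expressions assume the syslog layout shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the pluto/plutorun lines from the post,
# each rejoined onto a single line as syslog originally wrote it.
SAMPLE_LOG = """\
Oct 4 12:09:04 berglek ipsec__plutorun: Starting Pluto subsystem...
Oct 4 12:09:05 berglek pluto[13523]: loaded CA cert file 'cacert.pem' (1257 bytes)
Oct 4 12:09:05 berglek pluto[13523]: Changing to directory '/etc/ipsec.d/crls'
Oct 4 12:09:05 berglek pluto[13523]: Warning: empty directory
Oct 4 12:09:05 berglek pluto[13523]: loaded host cert file '/etc/ipsec.d/certs/cert.pem' (3202 bytes)
Oct 4 12:09:05 berglek pluto[13523]: no subjectAltName matches ID '@Gateway', replaced by subject DN
Oct 4 12:09:05 berglek pluto[13523]: loaded host cert file '/etc/ipsec.d/certs/RouterCert.pem' (3202 bytes)
Oct 4 12:09:05 berglek pluto[13523]: no subjectAltName matches ID '@Router', replaced by subject DN
Oct 4 12:09:05 berglek pluto[13523]: added connection description "Gateway-Router"
Oct 4 12:09:05 berglek pluto[13523]: "Gateway-Router" #1: initiating Main Mode
Oct 4 12:09:05 berglek ipsec__plutorun: 104 "Gateway-Router" #1: STATE_MAIN_I1: initiate
Oct 4 12:09:05 berglek ipsec__plutorun: ...could not start conn "Gateway-Router"
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[\w.]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)
DIR_RE = re.compile(r"Changing to directory '(?P<dir>[^']+)'")
SAN_RE = re.compile(r"no subjectAltName matches ID '(?P<id>[^']+)', replaced by subject DN")
# plutorun echoes pluto's numbered status lines, e.g. 104 "conn" #1: STATE_MAIN_I1: initiate
PLUTORUN_STATE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<num>\d+): (?P<state>STATE_\w+)')
COULD_NOT_START_RE = re.compile(r'could not start conn "(?P<conn>[^"]+)"')


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def analyse(log_text):
    """Walk the log once and collect the facts that matter for an IKE start-up failure."""
    findings = {
        "ids_without_san": [],   # IDs pluto replaced by the cert's subject DN
        "empty_dirs": [],        # certificate directories pluto found empty
        "states": defaultdict(list),  # conn name -> IKE states seen, in order
        "failed_conns": [],      # conns plutorun reported as "could not start"
    }
    last_dir = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m = DIR_RE.match(msg)
        if m:
            last_dir = m.group("dir")  # the next "empty directory" warning refers to this
            continue
        if msg == "Warning: empty directory" and last_dir:
            findings["empty_dirs"].append(last_dir)
            continue
        m = SAN_RE.search(msg)
        if m:
            findings["ids_without_san"].append(m.group("id"))
            continue
        m = PLUTORUN_STATE_RE.match(msg)
        if m:
            findings["states"][m.group("conn")].append(m.group("state"))
            continue
        m = COULD_NOT_START_RE.search(msg)
        if m:
            findings["failed_conns"].append(m.group("conn"))
    return findings


def summarise(findings):
    """Turn the collected facts into short triage notes."""
    notes = []
    for conn in findings["failed_conns"]:
        states = findings["states"].get(conn, [])
        if states and states[-1] == "STATE_MAIN_I1":
            notes.append(f"{conn}: the last logged state is STATE_MAIN_I1, i.e. this side sent "
                         f"the first Main Mode message and no reply from the peer was logged")
        elif states:
            notes.append(f"{conn}: last logged state {states[-1]}")
        else:
            notes.append(f"{conn}: failed without any IKE state being logged")
    for cid in findings["ids_without_san"]:
        notes.append(f"ID {cid}: no matching subjectAltName in the certificate, so the ID "
                     f"pluto uses is the subject DN; check the peer's id setting for this end against that DN")
    for d in findings["empty_dirs"]:
        notes.append(f"{d} is empty; if it is the CRL directory, no revocation list was loaded")
    return notes


if __name__ == "__main__":
    for note in summarise(analyse(SAMPLE_LOG)):
        print("-", note)
```

Run against both boxes' auth.log and syslog and compare the notes side by side: the useful signal is where the two ends stop (the state each reached) and whether the IDs each end will present are the ones the other end is configured to expect.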