[Openswan Users] Phase I completed,but Phase II error

李正光 xjklee at gmail.com
Thu Oct 11 03:56:14 EDT 2007


2007/10/11, Paul Wouters <paul at xelerance.com>:

> On Thu, 11 Oct 2007, 李正光 wrote:
>
> > my client box openswan is 2.4.9 version which runs on arm linux 2.4.19.
> >
> > the server log is as follows:
> > 2007-10-11 09:55:49   system   info  00536  IKE<61.30.115.91> Phase 2 msg ID <1870a061>: Responded to the peer's first message from user <CN=IPSEC,OU=Support,O=Dawningtech,L=Taipei,ST=Taiwan,C=TW>.
> > 2007-10-11 09:55:34   system   info  00536  IKE<61.30.115.91> Phase 2 msg ID <1ec5c04a>: Responded to the peer's first message from user <CN=IPSEC,OU=Support,O=Dawningtech,L=Taipei,ST=Taiwan,C=TW>.
> > 2007-10-11 09:54:58   system   info  00536  IKE<61.30.115.91> Phase 2 msg ID <1ec5c04a>: Responded to the peer's first message from user <CN=IPSEC,OU=Support,O=Dawningtech,L=Taipei,ST=Taiwan,C=TW>.
> > 2007-10-11 09:54:45   system   info  00536  IKE<61.30.115.91> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
> > 2007-10-11 09:54:45   system   info  00536  IKE<61.30.115.91> Phase 1: Completed for user <CN=IPSEC,OU=Support,O=Dawningtech,L=Taipei,ST=Taiwan,C=TW>.
>
> I am not sure. what does the openswan end say?
>
> > conn dawn-net
> >       authby=rsasig
> >       esp=3DES-SHA1
> >       left=%defaultroute
> >       leftsubnet=192.168.1.0/24
> >       leftnexthop=%defaultroute
> >       leftcert=/etc/ipsec.d/mycert2.pem
> >       leftrsasigkey=%cert
> >       right=211.78.84.93
> >       rightid="@SSG550.sti.com.tw"
> >       rightsubnet=10.2.111.0/24
> >       rightnexthop=%defaultroute
> >       auto=add
> >       pfs=no
>
> It's very unusual to use certificates and specify a rightid= that's not a
> full DN while using no leftid= (and thus a DN)


If I don't specify rightid="@...", the Phase I process stops and shows
"invalid ID..."; the same ipsec.conf runs fine on an x86 Linux machine.

The attached files are up1.txt (the log while bringing up my service) and ping1.txt.

After bringing up the net-to-net service, route -n shows the following:
 $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
10.2.111.0      192.168.1.233   255.255.255.0   UG    0      0        0 ipsec0
0.0.0.0         192.168.1.233   0.0.0.0         UG    0      0        0 eth0


> Show the output of: ipsec auto replace dawn-net ; ipsec auto --up dawn-net
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: up1.TXT
Url: http://lists.openswan.org/pipermail/users/attachments/20071011/e488e0e2/attachment-0002.pl 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ping1.TXT
Url: http://lists.openswan.org/pipermail/users/attachments/20071011/e488e0e2/attachment-0003.pl 
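The gateway log quoted above shows Phase 1 completing and then the same Phase 2 message ID (1ec5c04a) being answered twice with no completion, which is what a stalled Quick Mode exchange looks like from the responder's side. Below is a small triage script, added here as an example and not part of this thread, of Openswan, or of the gateway vendor's software. It parses log lines in the format quoted above (the sample is constructed from the thread's own lines) and, per peer, reports whether Phase 1 completed, which Phase 2 message IDs were answered but never completed, and which of those were answered more than once (i.e. the initiator retransmitted its first Quick Mode message). The wording it looks for to recognise a Phase 2 completion ("Completed") is an assumption about the gateway's log format, as is the assumption that the gateway prints newest lines first.

```python
import re
from collections import defaultdict

# Constructed sample: the five gateway lines quoted in the thread, newest first.
SAMPLE_LOG = """\
2007-10-11 09:55:49   system   info  00536  IKE<61.30.115.91> Phase 2 msg ID <1870a061>: Responded to the peer's first message from user <CN=IPSEC,OU=Support,O=Dawningtech,L=Taipei,ST=Taiwan,C=TW>.
2007-10-11 09:55:34   system   info  00536  IKE<61.30.115.91> Phase 2 msg ID <1ec5c04a>: Responded to the peer's first message from user <CN=IPSEC,OU=Support,O=Dawningtech,L=Taipei,ST=Taiwan,C=TW>.
2007-10-11 09:54:58   system   info  00536  IKE<61.30.115.91> Phase 2 msg ID <1ec5c04a>: Responded to the peer's first message from user <CN=IPSEC,OU=Support,O=Dawningtech,L=Taipei,ST=Taiwan,C=TW>.
2007-10-11 09:54:45   system   info  00536  IKE<61.30.115.91> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
2007-10-11 09:54:45   system   info  00536  IKE<61.30.115.91> Phase 1: Completed for user <CN=IPSEC,OU=Support,O=Dawningtech,L=Taipei,ST=Taiwan,C=TW>.
"""

# One gateway line: timestamp, peer address, phase, optional Phase 2 message ID, free text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+.*?IKE<(?P<peer>[\d.]+)>\s+Phase (?P<phase>[12])"
    r"(?: msg ID <(?P<msgid>[0-9a-f]+)>)?:\s*(?P<text>.*)$"
)


def parse_ike_log(text):
    """Return the recognised log lines as dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line, ignore
        event = m.groupdict()
        event["phase"] = int(event["phase"])
        events.append(event)
    # Assumption: the gateway prints newest lines first, so sort into time order.
    events.sort(key=lambda e: e["ts"])
    return events


def summarize(events):
    """Per peer: did Phase 1 complete, and which Phase 2 exchanges never finished?"""
    state = defaultdict(lambda: {"phase1": False, "started": {}, "completed": set()})
    for e in events:
        s = state[e["peer"]]
        if e["phase"] == 1 and e["text"].startswith("Completed"):
            s["phase1"] = True
        elif e["phase"] == 2 and e["msgid"]:
            if "Responded to the peer's first message" in e["text"]:
                # Same message ID answered again means the initiator resent QM1.
                s["started"][e["msgid"]] = s["started"].get(e["msgid"], 0) + 1
            elif "Completed" in e["text"]:  # assumed wording for a finished Phase 2
                s["completed"].add(e["msgid"])

    findings = {}
    for peer, s in state.items():
        stalled = {mid: n for mid, n in s["started"].items() if mid not in s["completed"]}
        findings[peer] = {
            "phase1_completed": s["phase1"],
            "phase2_stalled": sorted(stalled),
            "phase2_retransmitted": sorted(mid for mid, n in stalled.items() if n > 1),
        }
    return findings


if __name__ == "__main__":
    for peer, f in summarize(parse_ike_log(SAMPLE_LOG)).items():
        print(peer, f)
```

Run against the sample, the script reports Phase 1 completed for 61.30.115.91 with both Phase 2 message IDs stalled and 1ec5c04a retransmitted, which points the investigation at what the Openswan side logged for Quick Mode (the `ipsec auto --up` output Paul asked for) rather than at authentication.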