[Openswan Users] After reboot openswan quits

Tejas Jin txjin at intelliepi.com
Tue Oct 23 14:20:23 EDT 2007


I found the problem.  I forgot how to check the status and when I ran 
ipsec auto --status  I could see that the routing was wrong on my server.
I changed this and everything seems to be working fine.

Tejas Jin wrote:
> Paul Wouters wrote:
>> On Mon, 22 Oct 2007, Tejas Jin wrote:
>>
>>   
>>> I have had this system up and running for a month.  It got rebooted and
>>> now none of the road warriors can connect to it.  I think I'm blinded by
>>> it worked before and it should be working now.   Maybe somebody else can
>>> see the problem.  It's not even making the first step key exchange
>>> correctly.
>>>     
>>
>>   
>>> --------------------------------------------------------------------------------------------------------------
>>> roadwarrior ipsec.conf
>>> ------------------------------------------------------------------------------------------------------------
>>>     
>>
>>   
>>> conn office
>>>         keyexchange=ike
>>>         esp=3des-md5
>>>         ike=3des-md5
>>>         authby=secret
>>>         pfs=yes
>>>         keylife=3600
>>>         right=66.211.219.100
>>>         rightsubnet=192.168.5.0/24
>>>     
>>
>> This does not match with your server end, that is using 192.168.1.0/24
>>   
>>>         #rightsourceip=
>>>         rightnexthop=%defaultroute
>>>         rightid=@firewall
>>>         left=%defaultroute
>>>         #leftsubnet=vhost:%priv,%no
>>>     
>>
>> If the roadwarrior is behind NAT, you need to enable that leftsubnet line.
>>
>>   
>     I corrected the other issues, but when I add this line to the road 
> warrior, I get
> root at warrior #  ipsec auto --up office
> 022 "office": We cannot identify ourselves with either end of this 
> connection.
>
>>> include /etc/ipsec.d/*.conf
>>> -----------------------------------------------
>>> ipsec.conf openswan server
>>> -------------------------------------------------
>>> config setup
>>>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>>>         # klipsdebug=none
>>>         # plutodebug="control parsing"
>>>         virtual_private=%v4:192.168.5.0/24
>>>     
>>
>> You should list all RFC1918 address space here EXCEPT the one assigned to the server,
>> so: virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.18.1.0/24,%v4:!192.168.1.0/24
>>
>>   
>>>         nat_traversal=yes
>>>
>>>
>>> conn office
>>>         keyexchange=ike
>>>         esp=3des-md5
>>>         ike=3des-md5
>>>         authby=secret
>>>         pfs=yes
>>>         keylife=3600
>>>         left=66.211.219.100
>>>         leftsubnet=192.168.1.0/24
>>>         leftsourceip=192.168.1.177
>>>         leftnexthop=%defaultroute
>>>         leftid=@firewall
>>>         right=%any
>>>         #rightsubnet=192.168.5.0/24
>>>         rightsubnet=vhost:%priv,%no
>>>         rightnexthop=%defaultroute
>>>         rightid=@warrior
>>>     
>>
>> Paul
>>
>>   
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>   
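The mistakes Paul spotted by eye (the roadwarrior's rightsubnet not mirroring the server's leftsubnet, virtual_private not excluding the server's own network, and the missing leftsubnet=vhost:%priv,%no on a NAT'd roadwarrior) are all mechanical cross-checks between the two ipsec.conf files. The script below is an added example written for this thread; it is not part of Openswan and not code from either poster. It parses both configs, reports the mismatches, and is fed the two configs quoted above (and a corrected pair) as inline strings. The roadwarrior's own LAN is not stated anywhere in the thread, so the default `warrior_lan` of 192.168.5.0/24 is an assumption taken from the commented-out `#rightsubnet=` line on the server. It does not replace `ipsec auto --status`, which is what finally showed the routing problem on the server.

```python
"""Cross-check a roadwarrior ipsec.conf against the server's ipsec.conf.

Added example, not Openswan code. Checks mirrored per-end keys, shared
cipher/auth keys, the vhost:%priv pairing for NAT, and virtual_private.
"""
import ipaddress
import re

# Both "before" configs are copied from the thread.
WARRIOR_CONF = """\
conn office
        keyexchange=ike
        esp=3des-md5
        ike=3des-md5
        authby=secret
        pfs=yes
        keylife=3600
        right=66.211.219.100
        rightsubnet=192.168.5.0/24
        #rightsourceip=
        rightnexthop=%defaultroute
        rightid=@firewall
        left=%defaultroute
        #leftsubnet=vhost:%priv,%no
include /etc/ipsec.d/*.conf
"""

SERVER_CONF = """\
config setup
        # klipsdebug=none
        # plutodebug="control parsing"
        virtual_private=%v4:192.168.5.0/24
        nat_traversal=yes

conn office
        keyexchange=ike
        esp=3des-md5
        ike=3des-md5
        authby=secret
        pfs=yes
        keylife=3600
        left=66.211.219.100
        leftsubnet=192.168.1.0/24
        leftsourceip=192.168.1.177
        leftnexthop=%defaultroute
        leftid=@firewall
        right=%any
        #rightsubnet=192.168.5.0/24
        rightsubnet=vhost:%priv,%no
        rightnexthop=%defaultroute
        rightid=@warrior
"""

# Corrected pair, constructed here: rightsubnet now mirrors the server,
# leftsubnet=vhost:%priv,%no is enabled, virtual_private is Paul's suggested line.
WARRIOR_CONF_FIXED = WARRIOR_CONF.replace(
    "rightsubnet=192.168.5.0/24", "rightsubnet=192.168.1.0/24").replace(
    "#leftsubnet=vhost:%priv,%no", "leftsubnet=vhost:%priv,%no")
SERVER_CONF_FIXED = SERVER_CONF.replace(
    "virtual_private=%v4:192.168.5.0/24",
    "virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.18.1.0/24,%v4:!192.168.1.0/24")

# Roadwarrior right* must equal server left*; these keys must agree on both ends.
MIRRORED = {"right": "left", "rightsubnet": "leftsubnet", "rightid": "leftid"}
SHARED = ("keyexchange", "esp", "ike", "authby", "pfs", "keylife")


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing space
        if not line.strip():
            continue
        if not raw[0].isspace():                     # column 0: section header or directive
            m = re.match(r"(config|conn)\s+(\S+)", line)
            current = m.group(2) if m else None      # 'include' lines end the section
            if m:
                sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_virtual_private(value):
    """Split a virtual_private value into (allowed, excluded) IPv4 networks."""
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):             # %v6 entries are ignored here
            continue
        net = entry[len("%v4:"):]
        (excluded if net.startswith("!") else allowed).append(
            ipaddress.ip_network(net.lstrip("!")))
    return allowed, excluded


def check_pair(warrior_text, server_text, conn="office", warrior_lan="192.168.5.0/24"):
    """Return a list of human-readable findings; an empty list means the pair is consistent."""
    w = parse_ipsec_conf(warrior_text)[conn]
    parsed_server = parse_ipsec_conf(server_text)
    s, setup = parsed_server[conn], parsed_server.get("setup", {})
    findings = []
    for wkey, skey in MIRRORED.items():
        if w.get(wkey) != s.get(skey):
            findings.append(f"{wkey}={w.get(wkey)} on roadwarrior but {skey}={s.get(skey)} on server")
    for key in SHARED:
        if w.get(key) != s.get(key):
            findings.append(f"{key} differs: roadwarrior={w.get(key)} server={s.get(key)}")
    # A server expecting vhost:%priv needs the NAT'd roadwarrior to declare itself as one.
    if s.get("rightsubnet", "").startswith("vhost:") and not w.get("leftsubnet", "").startswith("vhost:"):
        findings.append("server rightsubnet uses vhost:%priv but roadwarrior lacks leftsubnet=vhost:%priv,%no")
    allowed, excluded = parse_virtual_private(setup.get("virtual_private", ""))
    if s.get("leftsubnet"):
        server_net = ipaddress.ip_network(s["leftsubnet"])
        if not any(server_net.subnet_of(x) for x in excluded):
            findings.append(f"virtual_private does not exclude the server's own subnet (add %v4:!{server_net})")
    lan = ipaddress.ip_network(warrior_lan)
    if not any(lan.overlaps(a) for a in allowed) or any(lan.subnet_of(x) for x in excluded):
        findings.append(f"virtual_private does not allow the roadwarrior LAN {lan}")
    return findings


if __name__ == "__main__":
    for label, pair in (("as posted", (WARRIOR_CONF, SERVER_CONF)),
                        ("corrected", (WARRIOR_CONF_FIXED, SERVER_CONF_FIXED))):
        print(f"{label}:")
        for f in check_pair(*pair) or ["no findings"]:
            print("  -", f)
```

Run as posted, the script reports three findings: the rightsubnet/leftsubnet mismatch, the missing vhost leftsubnet on the roadwarrior, and virtual_private not excluding 192.168.1.0/24; the corrected pair reports none. Comments are stripped before parsing, which is why the commented-out `#leftsubnet=vhost:%priv,%no` line counts as absent, exactly as pluto would treat it.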
