[Openswan Users] IPSec auto up error

Vuppula, Srinivas srinivas.vuppula at intel.com
Tue Oct 30 16:53:40 EDT 2007


 
I have missing libraries for iptables, as my client is an embedded OS.
Does the laptop have to have a DHCP configuration? Can it not work with a
static IP also (both Openswan nodes with static IPs for the road warrior
configuration)?
I tested two Linux boxes with static IPs and they seem to be working
well.

________________________________

From: Peter McGill [mailto:petermcgill at goco.net] 
Sent: Tuesday, October 30, 2007 6:42 AM
To: Vuppula, Srinivas
Subject: RE: [Openswan Users] IPSec auto up error


You might try cc'ing the list, as you may get more answers that way.
A quick lookup at cpan.org tells me that Getopt::Long is standard with
Perl 5.
I suggest reinstalling the latest Perl.
 
Seems to me that your server side config is also missing
leftnexthop=%defaultroute.
 
Are you starting the connection on the laptop? The connection must be
started on the laptop, because the laptop IP is dynamic: the server
doesn't know what it is until the laptop connects.
 
Are your firewall rules configured to allow IPSec? You need to permit the
following in your firewall rules on both sides:
ESP, ISAKMP (and optionally UDP 4500, AH), i.e.:
iptables -t filter -I INPUT -p 50 -j ACCEPT # ESP
iptables -t filter -I INPUT -p udp --dport 500 -j ACCEPT # ISAKMP
 
Run the following on both sides:
ipsec restart
Then show the output on both sides from:
ipsec status
I want to make sure your conns are actually loaded and not hitting some
error.
 
Peter McGill
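Peter's firewall advice above, turned into a check a defender can run against an `iptables-save` dump. This is an added example, not code from the thread or from Openswan; the three rule dumps are constructed here, and the function names (`has_rule`, `ipsec_fw_missing`, `ipsec_fw_optional_missing`, `ipsec_fw_rejected`, `report`) are this example's own. It goes a little beyond the message by also looking for a REJECT rule, because a REJECT with `--reject-with icmp-host-unreachable` is one way a peer (or a router in between) produces exactly the "ICMP type 3 code 1 ... errno 113" report that pluto logs further down in this thread, whereas a plain DROP policy just leaves pluto retransmitting.

```sh
#!/bin/sh
# Added example, not code from the thread or from Openswan: audit an
# iptables-save dump for the INPUT rules Peter lists as required for IPsec
# (ESP = IP protocol 50, ISAKMP = udp/500) and the optional ones (NAT-T =
# udp/4500, AH = IP protocol 51), and flag REJECT rules that would answer
# IKE with an ICMP host-unreachable.

# Constructed sample dumps (not taken from any real host).
SAMPLE_OK='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
COMMIT'

# Default-drop policy with no IPsec rules: IKE packets vanish silently and
# pluto just keeps retransmitting.
SAMPLE_BROKEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# A REJECT answering udp/500 with icmp-host-unreachable is one source of the
# "ICMP type 3 code 1 ... errno 113" report pluto logs in this thread.
SAMPLE_REJECT='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j REJECT --reject-with icmp-host-unreachable
COMMIT'

# has_rule DUMP PATTERN: succeed if an INPUT ACCEPT rule matching PATTERN exists.
has_rule() {
    printf '%s\n' "$1" | grep -E -- "^-A INPUT .*$2.*-j ACCEPT" >/dev/null
}

# ipsec_fw_missing DUMP: print one word per mandatory rule that is absent.
# iptables-save may render protocol 50 as "esp" or "50", so accept both.
ipsec_fw_missing() {
    has_rule "$1" '-p (esp|50)( |$)'          || printf 'ESP\n'
    has_rule "$1" '-p udp .*--dport 500( |$)'  || printf 'ISAKMP\n'
}

# ipsec_fw_optional_missing DUMP: same for the optional NAT-T and AH rules.
ipsec_fw_optional_missing() {
    has_rule "$1" '-p udp .*--dport 4500( |$)' || printf 'NAT-T\n'
    has_rule "$1" '-p (ah|51)( |$)'            || printf 'AH\n'
}

# ipsec_fw_rejected DUMP: print "REJECT" if an INPUT rule rejects ESP or udp/500.
ipsec_fw_rejected() {
    printf '%s\n' "$1" \
      | grep -E -- '^-A INPUT .*-p (esp|50|udp .*--dport 500)( |$).*-j REJECT' >/dev/null \
      && printf 'REJECT\n'
    :   # keep the function's exit status 0 when nothing is rejected
}

# report LABEL DUMP: human-readable summary of the three checks.
report() {
    echo "== $1 =="
    missing=$(ipsec_fw_missing "$2" | tr '\n' ' ')
    [ -z "$missing" ] && echo "required rules present" || echo "MISSING required: $missing"
    optional=$(ipsec_fw_optional_missing "$2" | tr '\n' ' ')
    [ -z "$optional" ] || echo "optional not permitted: $optional"
    [ -z "$(ipsec_fw_rejected "$2")" ] || echo "WARNING: an INPUT rule REJECTs IKE/ESP"
}

report "ESP and ISAKMP permitted" "$SAMPLE_OK"
report "default drop, no IPsec rules" "$SAMPLE_BROKEN"
report "IKE rejected with host-unreachable" "$SAMPLE_REJECT"
```

On a live box, `report live "$(iptables-save)"` does the same against the real ruleset; run it on both peers, since Peter's point is that the rules are needed on both sides.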
 


________________________________

	From: Vuppula, Srinivas [mailto:srinivas.vuppula at intel.com] 
	Sent: October 29, 2007 5:38 PM
	To: Vuppula, Srinivas; petermcgill at goco.net
	Subject: RE: [Openswan Users] IPSec auto up error
	
	
	One more thing observed. The command ipsec verify fails on my system as
	sh-3.1# ipsec verify
	Can't locate Getopt/Long.pm in @INC (@INC contains: /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.7/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.6/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.5/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.7/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.6/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/local/libexec/ipsec/verify line 427.
	BEGIN failed--compilation aborted at /usr/local/libexec/ipsec/verify line 427.
	sh-3.1# cd /usr/lib64/perl5/
	sh-3.1# ls
	5.8.5  5.8.6  5.8.7  5.8.8
	 
	I had the above versions of Perl. Is any library missing? Where is Getopt/Long.pm found?

________________________________

	From: Vuppula, Srinivas 
	Sent: Monday, October 29, 2007 2:28 PM
	To: 'petermcgill at goco.net'
	Subject: RE: [Openswan Users] IPSec auto up error
	
	
	Peter,
	This did not change the error. I get the same error.

________________________________

	From: Peter McGill [mailto:petermcgill at goco.net] 
	Sent: Monday, October 29, 2007 6:15 AM
	To: Vuppula, Srinivas
	Subject: RE: [Openswan Users] IPSec auto up error
	
	
	See below....
	 
	Peter McGill
	 
	
	

________________________________

		From: Vuppula, Srinivas
[mailto:srinivas.vuppula at intel.com] 
		Sent: October 26, 2007 5:40 PM
		To: petermcgill at goco.net
		Subject: [Openswan Users] IPSec auto up error
		
		
		I get the following error:
		 
		sh-3.1# ipsec auto --up net-to-net
		pluto[1349]: "net-to-net" #1: initiating Main Mode
		104 "net-to-net" #1: STATE_MAIN_I1: initiate
		pluto[1349]: "net-to-net" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.1.101 port 500, complainant 192.168.1.102: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
		010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
		pluto[1349]: "net-to-net" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.1.101 port 500, complainant 192.168.1.102: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
		 
		Here are the conf files.

		ipsec.conf for left system (laptop)

		conn net-to-net
		left=%defaultroute
		leftid=@left.com
		leftrsasigkey=0sAQNtMrIb5/4YLj17/Id4AcXSdeVXYVMVn5xtBxSde8qihvGPovfxOprKALsHHUw2aQizCz9aKZjYZHhtXmOzrhSb4G7PbPGkzQjNy8uI/rifGi7SpTJKhiknh9hTJa30HGBRb6mkxOfJZf6BMTsiGvZk/2mtpeRCj94hIFVBfd5sjIRJMkbEjEcBfvtfHuIq2+9K2ZY9YRjtlLNv63yZqb/TMexVc+nfyPf+0zvq50fKtZcopyV9+Ir8WK/PnF6dszLEubZlnGO4GrLCyzooL8xBeuXx1peePLupDa2+m0IRN+BSXO9zDBzxse1jSoGszD6XdjxXqa2KbExHLamcXlBSfpCrUO3dd/lEJJlhJCIZ+Ptp
		right=192.168.1.101
		rightid=@right.com
		rightrsasigkey=0sAQN8O4IdR8iTX7C5r38mkS/Lgy3UbkuirD624dei/HbmfrhanH4fwIdNGZu++IbfC5lr1fJH5+XVhAI5yYljj6I1KW+p+X3y+qL78jiWCJAfQhSdePqrP1uvTOFJ89RcFCn8gQexcGSr2cq2hFW7Bny8+L1Az/YxEskhNO47dDoRn739WtrYS3eE/B/NJyFrucrZf8wtKm7FF2cOIknWJ1s4YlRvXZ1kokvDa3gPAugL9I1KGJ8KuFKR0p1gdwWXWfWVPDktpSVV6MxmyDt2IYJSWBrLzDEFEI9OgB9R4PWgC38w5bf7uxkJXxC+K47EX9yr1F5JMWbh4jvefStlQSKY2SgygQ6BO/Ua70MoIAxyy76N
		auto=add

		ipsec.conf for right system (one with static IP configured)

		conn net-to-net
		left=192.168.1.101
		leftid=@right.com
		leftrsasigkey=0sAQN8O4IdR8iTX7C5r38mkS/Lgy3UbkuirD624dei/HbmfrhanH4fwIdNGZu++IbfC5lr1fJH5+XVhAI5yYljj6I1KW+p+X3y+qL78jiWCJAfQhSdePqrP1uvTOFJ89RcFCn8gQexcGSr2cq2hFW7Bny8+L1Az/YxEskhNO47dDoRn739WtrYS3eE/B/NJyFrucrZf8wtKm7FF2cOIknWJ1s4YlRvXZ1kokvDa3gPAugL9I1KGJ8KuFKR0p1gdwWXWfWVPDktpSVV6MxmyDt2IYJSWBrLzDEFEI9OgB9R4PWgC38w5bf7uxkJXxC+K47EX9yr1F5JMWbh4jvefStlQSKY2SgygQ6BO/Ua70MoIAxyy76N
		rightnexthop=%defaultroute
		right=%defaultroute

		This needs to be right=%any for road warrior connections from dynamic (any) address. Peter

		rightid=@left.com
		rightrsasigkey=0sAQNtMrIb5/4YLj17/Id4AcXSdeVXYVMVn5xtBxSde8qihvGPovfxOprKALsHHUw2aQizCz9aKZjYZHhtXmOzrhSb4G7PbPGkzQjNy8uI/rifGi7SpTJKhiknh9hTJa30HGBRb6mkxOfJZf6BMTsiGvZk/2mtpeRCj94hIFVBfd5sjIRJMkbEjEcBfvtfHuIq2+9K2ZY9YRjtlLNv63yZqb/TMexVc+nfyPf+0zvq50fKtZcopyV9+Ir8WK/PnF6dszLEubZlnGO4GrLCyzooL8xBeuXx1peePLupDa2+m0IRN+BSXO9zDBzxse1jSoGszD6XdjxXqa2KbExHLamcXlBSfpCrUO3dd/lEJJlhJCIZ+Ptp
		auto=add

		Any idea what could be wrong?

		Before starting ipsec, I could ping both systems from each other. I am trying to use a road warrior configuration.

		Thanks a lot,

		Srinivas
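The `right=%defaultroute` mistake Peter flags inline in the responder config above, and the missing `leftnexthop=%defaultroute` from his reply at the top of the thread, as an added shell example (not the thread's or Openswan's code): it pulls one `conn` section out of an ipsec.conf and reports the settings a road-warrior responder (the side with the static address) needs. Both config strings are constructed here with the same layout as the posted one; the RSA keys are placeholders, and `conn_value` and `rw_responder_issues` are names invented for this example.

```sh
#!/bin/sh
# Added example, not code from the thread or from Openswan: extract one conn
# from an ipsec.conf and check the two settings the thread identifies for a
# road-warrior responder (the side with the static address):
#   right=%any                 accept the initiator from any address
#   leftnexthop=%defaultroute  Peter's suggestion for the responder side

# Constructed responder config reproducing the posted mistake
# (right=%defaultroute, no leftnexthop). Keys are placeholders, not real keys.
CONF_AS_POSTED='config setup
    interfaces=%defaultroute

conn net-to-net
    left=192.168.1.101
    leftid=@right.com
    leftrsasigkey=0sPLACEHOLDER-RIGHT-KEY
    rightnexthop=%defaultroute
    right=%defaultroute
    rightid=@left.com
    rightrsasigkey=0sPLACEHOLDER-LEFT-KEY
    auto=add
'

# The same conn with the two settings corrected.
CONF_FIXED='conn net-to-net
    left=192.168.1.101
    leftid=@right.com
    leftrsasigkey=0sPLACEHOLDER-RIGHT-KEY
    leftnexthop=%defaultroute
    right=%any
    rightid=@left.com
    rightrsasigkey=0sPLACEHOLDER-LEFT-KEY
    auto=add
'

# conn_value CONF NAME KEY: print KEY's value inside "conn NAME", or nothing.
# A section runs from its "conn" line to the next non-indented line.
conn_value() {
    printf '%s\n' "$1" | awk -v conn="$2" -v key="$3" '
        /^conn[ \t]+/ { in_conn = ($2 == conn); next }
        /^[^ \t]/     { in_conn = 0 }
        in_conn {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            n = index($0, "=")
            if (n > 0 && substr($0, 1, n - 1) == key) print substr($0, n + 1)
        }'
}

# rw_responder_issues CONF NAME: print one line per problem, nothing if clean.
rw_responder_issues() {
    right=$(conn_value "$1" "$2" right)
    nexthop=$(conn_value "$1" "$2" leftnexthop)
    case "$right" in
        %any) ;;
        "")   echo "right is unset; a road-warrior responder needs right=%any" ;;
        *)    echo "right=$right; a road-warrior responder needs right=%any" ;;
    esac
    [ -n "$nexthop" ] || echo "leftnexthop is unset; add leftnexthop=%defaultroute"
}

echo "== as posted =="
rw_responder_issues "$CONF_AS_POSTED" net-to-net
echo "== fixed =="
rw_responder_issues "$CONF_FIXED" net-to-net
```

Against a real file, `rw_responder_issues "$(cat /etc/ipsec.conf)" net-to-net` gives the same report; pairing it with `ipsec status`, as Peter asks for, confirms that the corrected conn actually loaded.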
