[Openswan Users] IPSec auto up error
Peter McGill
petermcgill at goco.net
Tue Oct 30 17:39:22 EDT 2007
Show us your ifconfig and route -n outputs for both hosts.
How does the 192.168.1.102 address/host fit in, is it the "road warrior" or gateway?
Openswan doesn't really care how the host gets its IP address, so long as...
a) The IP address is available before the Openswan pluto daemon is started and
b) If the IP address is changed the Openswan pluto daemon is immediately restarted.
It does however matter when writing your conf.
If you have static addresses then put them in left and right.
If you have a dynamic address on one end then in its ipsec.conf put left=%defaultroute,
and in the other ipsec.conf put right=%any to handle the unknown/changing address.
In this case you also must start the connection from the side with the dynamic address.
This is true anytime you write your conf files this way even if both sides have static IPs,
if for example you're using a dynamic IP configuration but testing it with a static IP.
When Openswan documentation and the people on this list talk about road warrior, we mean
one side of the tunnel has a dynamic IP, if you have static IPs then it's a normal tunnel not road warrior.
(Although the configs are identical except for the above mentions of left=%defaultroute and right=%any.)
Peter McGill
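The pairing rule in the message above (dynamic side left=%defaultroute, static side right=%any, ids and addresses crossed over between the two files) is easy to get wrong in exactly the way this thread shows. The script below is an added example, not Peter's code and not part of Openswan: it lints a pair of conn stanzas for that pairing. The two stanzas it checks are constructed to mirror the posted laptop and server configs (RSA keys omitted); the function names get_key and lint_rw_pair and the leftnexthop line on the fixed server side are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread or from Openswan): lint a pair of conn
# stanzas for the road-warrior pairing described above. The dynamic side must
# carry left=%defaultroute, the static side must then carry right=%any (not
# right=%defaultroute), and the ids/addresses must cross-match between the two
# files. All config text below is constructed to mirror the posted setup,
# with the RSA keys left out.

# get_key CONF KEY: print the value of "KEY=value" from CONF (first match),
# or nothing. "left=" does not match "leftid=" because of the "=".
get_key() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# lint_rw_pair DYNAMIC_CONF STATIC_CONF: print one line per problem found.
# Returns 0 when the pair is consistent, 1 otherwise.
lint_rw_pair() {
    dyn=$1; sta=$2; rc=0
    if [ "$(get_key "$dyn" left)" != "%defaultroute" ]; then
        echo "dynamic side: expected left=%defaultroute"; rc=1
    fi
    case "$(get_key "$sta" right)" in
        %any) ;;
        %defaultroute)
            echo "static side: right=%defaultroute must be right=%any"; rc=1 ;;
        *)  echo "static side: right= must be %any for a dynamic peer"; rc=1 ;;
    esac
    if [ "$(get_key "$dyn" leftid)" != "$(get_key "$sta" rightid)" ]; then
        echo "id mismatch: dynamic leftid != static rightid"; rc=1
    fi
    if [ "$(get_key "$dyn" rightid)" != "$(get_key "$sta" leftid)" ]; then
        echo "id mismatch: dynamic rightid != static leftid"; rc=1
    fi
    if [ "$(get_key "$dyn" right)" != "$(get_key "$sta" left)" ]; then
        echo "address mismatch: dynamic right= != static left="; rc=1
    fi
    return $rc
}

# Constructed sample: the laptop (dynamic) side as posted.
DYN_SIDE='conn net-to-net
    left=%defaultroute
    leftid=@left.com
    right=192.168.1.101
    rightid=@right.com
    auto=add'

# Constructed sample: the static side as posted (right=%defaultroute).
STATIC_SIDE_POSTED='conn net-to-net
    left=192.168.1.101
    leftid=@right.com
    rightnexthop=%defaultroute
    right=%defaultroute
    rightid=@left.com
    auto=add'

# Constructed sample: the static side with the two changes Peter asks for.
STATIC_SIDE_FIXED='conn net-to-net
    left=192.168.1.101
    leftid=@right.com
    leftnexthop=%defaultroute
    right=%any
    rightid=@left.com
    auto=add'

echo "== posted pair =="
lint_rw_pair "$DYN_SIDE" "$STATIC_SIDE_POSTED" || echo "pair rejected (exit $?)"
echo "== fixed pair =="
lint_rw_pair "$DYN_SIDE" "$STATIC_SIDE_FIXED" && echo "pair accepted"
```

To use it against real files, pass the relevant conn sections of the two ipsec.conf files as the two arguments (for example via command substitution over sed ranges); the checker only looks at the key=value lines, so the rsasigkey material is irrelevant to it.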
_____
From: Vuppula, Srinivas [mailto:srinivas.vuppula at intel.com]
Sent: October 30, 2007 4:54 PM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: RE: [Openswan Users] IPSec auto up error
I have missing libraries for iptables as my client is an embedded OS.
Does the laptop have to have a DHCP configuration? Can it not work with a static IP also (both openswan nodes with static IPs for a Road Warrior configuration)?
I tested two linux boxes with static IPs and they seem to be working well.
_____
From: Peter McGill [mailto:petermcgill at goco.net]
Sent: Tuesday, October 30, 2007 6:42 AM
To: Vuppula, Srinivas
Subject: RE: [Openswan Users] IPSec auto up error
You might try cc'ing the list, as you may get more answers that way.
A quick lookup at cpan.org tells me that Getopt::Long is standard with Perl 5.
I suggest reinstalling the latest Perl.
Seems to me that your server side config is also missing leftnexthop=%defaultroute.
Are you starting the connection on the laptop? The connection must be started on the laptop,
because the laptop ip is dynamic the server doesn't know what it is, until the laptop connects.
Are your firewall rules configured to allow IPSec? You need to permit the following in your firewall
rules on both sides:
ESP, ISAKMP (and optionally UDP 4500, AH) ie:
iptables -t filter -I INPUT -p 50 -j ACCEPT # ESP
iptables -t filter -I INPUT -p udp --dport 500 -j ACCEPT # ISAKMP
Run the following on both sides:
ipsec restart
Then show the output on both sides from:
ipsec status
I want to make sure your conn's are actually loaded and not hitting some error.
Peter McGill
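The two iptables lines above are the minimum; a host that already has a restrictive INPUT chain will silently drop IKE and ESP unless they are present. The script below is an added example, not Peter's code and not part of Openswan or iptables: it reads a rule dump in the syntax that `iptables -S INPUT` prints and reports which of the rules listed in the message are missing. ESP and ISAKMP are treated as required, UDP 4500 (NAT-T) and AH as optional notes, following the message. The rule dumps it runs over are constructed samples, and the function names has_rule and check_ipsec_rules are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Openswan): check a dump of the
# INPUT chain, in "iptables -S INPUT" syntax, for the rules Peter lists.
# ESP (IP protocol 50) and ISAKMP (UDP 500) are required; UDP 4500 (NAT-T)
# and AH (IP protocol 51) are only flagged as notes because the thread treats
# them as optional. iptables prints "-p 50" back as "-p esp" and "-p 51" as
# "-p ah", so both spellings are accepted.

# has_rule RULES ERE: true if some line of RULES matches the extended regex.
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# check_ipsec_rules RULES: print what is missing; return the number of
# required rules that are absent (0 means ESP and ISAKMP are both allowed).
check_ipsec_rules() {
    rules=$1; missing=0
    if ! has_rule "$rules" '^-A INPUT .*-p (esp|50)( |$).*-j ACCEPT'; then
        echo "missing: ESP (IP protocol 50)"; missing=$((missing + 1))
    fi
    if ! has_rule "$rules" '^-A INPUT .*-p udp .*--dport 500( |$).*-j ACCEPT'; then
        echo "missing: ISAKMP (UDP 500)"; missing=$((missing + 1))
    fi
    if ! has_rule "$rules" '^-A INPUT .*-p udp .*--dport 4500( |$).*-j ACCEPT'; then
        echo "note: no NAT-T rule (UDP 4500); only needed if a peer is behind NAT"
    fi
    if ! has_rule "$rules" '^-A INPUT .*-p (ah|51)( |$).*-j ACCEPT'; then
        echo "note: no AH rule (IP protocol 51); only needed if you use AH"
    fi
    return $missing
}

# Constructed sample: what the two iptables commands from the message leave
# in the chain, as iptables -S would print it.
RULES_OK='-P INPUT ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT'

# Constructed sample: a default-DROP INPUT chain that only permits SSH.
RULES_LOCKED='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

echo "== rules from the message =="
check_ipsec_rules "$RULES_OK" || echo "$? required rule(s) missing"
echo "== locked-down host =="
check_ipsec_rules "$RULES_LOCKED" || echo "$? required rule(s) missing"
```

On a live box, run it as `check_ipsec_rules "$(iptables -S INPUT)"` on both ends; a non-zero return means at least one of ESP or ISAKMP is not permitted and the tunnel cannot come up regardless of what ipsec.conf says.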
_____
From: Vuppula, Srinivas [mailto:srinivas.vuppula at intel.com]
Sent: October 29, 2007 5:38 PM
To: Vuppula, Srinivas; petermcgill at goco.net
Subject: RE: [Openswan Users] IPSec auto up error
One more thing observed: the command ipsec verify fails on my system as
sh-3.1# ipsec verify
Can't locate Getopt/Long.pm in @INC (@INC contains: /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.7/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.6/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.5/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.7/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.6/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/local/libexec/ipsec/verify line 427.
BEGIN failed--compilation aborted at /usr/local/libexec/ipsec/verify line 427.
sh-3.1# cd /usr/lib64/perl5/
sh-3.1# ls
5.8.5 5.8.6 5.8.7 5.8.8
I have the above versions of perl. Is any library missing? Where is Getopt/Long.pm found?
_____
From: Vuppula, Srinivas
Sent: Monday, October 29, 2007 2:28 PM
To: 'petermcgill at goco.net'
Subject: RE: [Openswan Users] IPSec auto up error
Peter,
This did not change the error. I get the same error.
_____
From: Peter McGill [mailto:petermcgill at goco.net]
Sent: Monday, October 29, 2007 6:15 AM
To: Vuppula, Srinivas
Subject: RE: [Openswan Users] IPSec auto up error
See below....
Peter McGill
_____
From: Vuppula, Srinivas [mailto:srinivas.vuppula at intel.com]
Sent: October 26, 2007 5:40 PM
To: petermcgill at goco.net
Subject: [Openswan Users] IPSec auto up error
I get the following error
sh-3.1# ipsec auto --up net-to-net
pluto[1349]: "net-to-net" #1: initiating Main Mode
104 "net-to-net" #1: STATE_MAIN_I1: initiate
pluto[1349]: "net-to-net" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.1.101 port 500, complainant 192.168.1.102: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
pluto[1349]: "net-to-net" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.1.101 port 500, complainant 192.168.1.102: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Here are the conf files.
ipsec.conf for left system (laptop)
conn net-to-net
	left=%defaultroute
	leftid=@left.com
	leftrsasigkey=0sAQNtMrIb5/4YLj17/Id4AcXSdeVXYVMVn5xtBxSde8qihvGPovfxOprKALsHHUw2aQizCz9aKZjYZHhtXmOzrhSb4G7PbPGkzQjNy8uI/rifGi7SpTJKhiknh9hTJa30HGBRb6mkxOfJZf6BMTsiGvZk/2mtpeRCj94hIFVBfd5sjIRJMkbEjEcBfvtfHuIq2+9K2ZY9YRjtlLNv63yZqb/TMexVc+nfyPf+0zvq50fKtZcopyV9+Ir8WK/PnF6dszLEubZlnGO4GrLCyzooL8xBeuXx1peePLupDa2+m0IRN+BSXO9zDBzxse1jSoGszD6XdjxXqa2KbExHLamcXlBSfpCrUO3dd/lEJJlhJCIZ+Ptp
	right=192.168.1.101
	rightid=@right.com
	rightrsasigkey=0sAQN8O4IdR8iTX7C5r38mkS/Lgy3UbkuirD624dei/HbmfrhanH4fwIdNGZu++IbfC5lr1fJH5+XVhAI5yYljj6I1KW+p+X3y+qL78jiWCJAfQhSdePqrP1uvTOFJ89RcFCn8gQexcGSr2cq2hFW7Bny8+L1Az/YxEskhNO47dDoRn739WtrYS3eE/B/NJyFrucrZf8wtKm7FF2cOIknWJ1s4YlRvXZ1kokvDa3gPAugL9I1KGJ8KuFKR0p1gdwWXWfWVPDktpSVV6MxmyDt2IYJSWBrLzDEFEI9OgB9R4PWgC38w5bf7uxkJXxC+K47EX9yr1F5JMWbh4jvefStlQSKY2SgygQ6BO/Ua70MoIAxyy76N
	auto=add
ipsec.conf for right system (the one with a static IP configured)
conn net-to-net
	left=192.168.1.101
	leftid=@right.com
	leftrsasigkey=0sAQN8O4IdR8iTX7C5r38mkS/Lgy3UbkuirD624dei/HbmfrhanH4fwIdNGZu++IbfC5lr1fJH5+XVhAI5yYljj6I1KW+p+X3y+qL78jiWCJAfQhSdePqrP1uvTOFJ89RcFCn8gQexcGSr2cq2hFW7Bny8+L1Az/YxEskhNO47dDoRn739WtrYS3eE/B/NJyFrucrZf8wtKm7FF2cOIknWJ1s4YlRvXZ1kokvDa3gPAugL9I1KGJ8KuFKR0p1gdwWXWfWVPDktpSVV6MxmyDt2IYJSWBrLzDEFEI9OgB9R4PWgC38w5bf7uxkJXxC+K47EX9yr1F5JMWbh4jvefStlQSKY2SgygQ6BO/Ua70MoIAxyy76N
	rightnexthop=%defaultroute
	right=%defaultroute
This needs to be right=%any for road warrior connections from dynamic (any) address. Peter
	rightid=@left.com
	rightrsasigkey=0sAQNtMrIb5/4YLj17/Id4AcXSdeVXYVMVn5xtBxSde8qihvGPovfxOprKALsHHUw2aQizCz9aKZjYZHhtXmOzrhSb4G7PbPGkzQjNy8uI/rifGi7SpTJKhiknh9hTJa30HGBRb6mkxOfJZf6BMTsiGvZk/2mtpeRCj94hIFVBfd5sjIRJMkbEjEcBfvtfHuIq2+9K2ZY9YRjtlLNv63yZqb/TMexVc+nfyPf+0zvq50fKtZcopyV9+Ir8WK/PnF6dszLEubZlnGO4GrLCyzooL8xBeuXx1peePLupDa2+m0IRN+BSXO9zDBzxse1jSoGszD6XdjxXqa2KbExHLamcXlBSfpCrUO3dd/lEJJlhJCIZ+Ptp
	auto=add
Any idea what could be wrong?
Before starting ipsec, I could ping both systems from each other. I am trying to use a Road Warrior configuration.
Thanks a lot,
Srinivas