[Openswan Users] KLIPS on CentOS 5.1

Sergio Cioban Filho cioban at gmail.com
Mon Dec 1 13:42:16 EST 2008


I've tried to use leftsourceip= and rightsourceip=, and I get these errors:

[root at dinamico38 ~]$ ipsec auto --verbose --up net-to-net
002 "net-to-net" #1: initiating Main Mode
104 "net-to-net" #1: STATE_MAIN_I1: initiate
003 "net-to-net" #1: received Vendor ID payload [Openswan (this version)
2.6.18 ]
003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
002 "net-to-net" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "net-to-net" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "net-to-net" #1: received Vendor ID payload [CAN-IKEv2]
002 "net-to-net" #1: Main mode peer ID is ID_FQDN: '@left.digitro.com.br'
002 "net-to-net" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
002 "net-to-net" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:7d3747bd
proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP2048}
117 "net-to-net" #2: STATE_QUICK_I1: initiate
*002 "net-to-net" #2: up-client output: /usr/libexec/ipsec/_updown.klips:
changesource `ip route change 14.14.14.0/24 dev ipsec0 src 15.15.15.15'
failed (RTNETLINK answers: No such file or directory)*
002 "net-to-net" #2: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0xe4b4c312 <0x09db97a3 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none
DPD=none}
[root at dinamico38 ~]$ ipsec auto --verbose --down net-to-net
002 "net-to-net": terminating SAs using this connection
002 "net-to-net" #2: deleting state (STATE_QUICK_I2)
*002 "net-to-net" #2: down-client output: /usr/libexec/ipsec/_updown.klips:
dorule `ip rule delete from 15.15.15.0/24 to 14.14.14.0/24 ' failed
(RTNETLINK answers: No such file or directory)*
002 "net-to-net" #1: deleting state (STATE_MAIN_I4)
[root at dinamico38 ~]$




---
Sérgio Cioban Filho - LPIC1
------------------------------------------------------------
| Linux - Servers - Firewall - VPN
| Virtualization - VoIP - ShellScript - C - PHP
| http://cioban.googlepages.com
| +55 48 9989-8733
------------------------------------------------------------
..:: Be free, use LiNuX!! ::..


On Mon, Dec 1, 2008 at 4:30 PM, Sergio Cioban Filho <cioban at gmail.com> wrote:

> I'm using ping -I . I will try with leftsourceip= and rightsourceip= ...
> This configuration works fine on version 2.4.13 running on CentOS 5.1
>
> I've tried to use many other versions: 2.6.16 , 2.6.14 , 2.5.17 , 2.5.16
> and 2.4.13 but only the version 2.4.13 worked fine.
>
> On version 2.6.16: same error, tx error count in ipsec0 interface is
> increased.
> Version 2.6.14: The KLIPS module (ipsec) compiled with no errors, but
> I get this message on modprobe: Unknown symbol ipsec_nat_encap
> Versions 2.5.x: Many errors in compilation. I could not compile any version.
>
> Thanks,
> Regards,
>
>
> On Mon, Dec 1, 2008 at 3:38 PM, Paul Wouters <paul at xelerance.com> wrote:
>
>> On Mon, 1 Dec 2008, Sergio Cioban Filho wrote:
>>
>>> Thanks for your answer.
>>> I've tried to use version 2.6.19, but the same error has occurred.
>>> SELinux has been disabled.
>>> The output of ipsec barf is attached.
>>>
>>
>> I don't see anything wrong. Are you using ping -I ? since you did not
>> add leftsourceip= and rightsourceip= ?
>>
>> Paul
>>
>
>