[Openswan Users] Openswan on RH9 connecting to Openwan on FC6
Arjun Datta
arjun at greatgulfhomes.com
Fri Feb 22 11:49:10 EST 2008
I went ahead and tried installing openswan on RH9 to test it out and see if
I can connect to an FC6 machine running Openswan. It seemed to install fine
but I am getting an error when I start ipsec and try to connect.
service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.4.4/K1.0.3...
ipsec_setup: /usr/libexec/ipsec/eroute: pfkey write failed, returning -1
with errno=22.
ipsec_setup: Invalid argument, check kernel log messages for specifics.
/var/log/messages gives me:
<snip>
Feb 22 11:45:47 rhtest dhcpd: receive_packet failed on ipsec0: Network is
down
Feb 22 11:45:47 rhtest kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Feb 22 11:45:47 rhtest ipsec_setup: ...Openswan IPsec stopped
Feb 22 11:45:47 rhtest ipsec_setup: Stopping Openswan IPsec...
Feb 22 11:45:48 rhtest ipsec_setup: KLIPS debug `none'
Feb 22 11:45:48 rhtest ipsec_setup: KLIPS ipsec0 on eth0
10.248.100.20/255.255.255.0 broadcast 10.248.100.255 mtu 1410
Feb 22 11:45:48 rhtest ipsec_setup: ...Openswan IPsec started
Feb 22 11:45:48 rhtest ipsec_setup: Starting Openswan IPsec U2.4.4/K1.0.3...
Feb 22 11:45:48 rhtest ipsec_setup: /usr/libexec/ipsec/eroute: pfkey write
failed, returning -1 with errno=22.
Feb 22 11:45:48 rhtest ipsec_setup: Invalid argument, check kernel log
messages for specifics.
Feb 22 11:45:48 rhtest ipsec__plutorun: 022 "ggh-rhtest": we cannot identify
ourselves with either end of this connection
Feb 22 11:45:48 rhtest ipsec__plutorun: ...could not route conn "ggh-rhtest"
Feb 22 11:45:48 rhtest ipsec__plutorun: 022 "ggh-rhtest": We cannot identify
ourselves with either end of this connection.
Feb 22 11:45:48 rhtest ipsec__plutorun: ...could not start conn "ggh-rhtest"
I am not sure what the 022 error means. I tried looking at pfkey but it's a
binary file. Any ideas ?
SETUP:
RH9 called rhtest
uname: 2.4.20-30.9.openswan_1.0.3_1 #1
ipsec version: Linux Openswan U2.4.4/K1.0.3 (klips)
ipsec.conf:
<snip>
interfaces="ipsec0=eth0"
# klipsdebug=all
plutodebug=all
overridemtu=1410
nat_traversal=yes
<snip>
conn ggh-rhtest
left=WAN IP of FC6 VPN server
leftsubnet=10.241.0.0/16
leftnexthop=WAN IP of Gateway for FC6 VPN Server
right=WAN IP of RH9 VPN server
rightsubnet=10.248.0.0/16
rightnexthop=WAN IP of Gateway for RH9 VPN Server
keyingtries=0
authby=secret
type=tunnel
auto=start
#forceencaps=yes
ifconfig:
eth0 is the LAN NIC with an address of 10.248.100.20
eth1 is the WAN NIC
iptables:
<snip>
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -d ! 10.0.0.0/255.0.0.0 -o eth0 -j MASQUERADE
<snip>
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 500 --syn -j ACCEPT
ipsec verfiy:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K1.0.3 (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
ipsec auto --status:
<snip>
000 "ggh-rhtest":
10.241.0.0/16===X.X.X.X---X.X.X.X...X.X.X.X---X.X.X.X===10.248.0.0/16;
unrouted; eroute owner: #0
000 "ggh-rhtest": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "ggh-rhtest": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "ggh-rhtest": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 16,16; interface:
;
000 "ggh-rhtest": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
Regards,
Arjun Datta
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080222/a3750e60/attachment-0001.html
More information about the Users
mailing list