[Openswan Users] Openswan on RH9 connecting to Openwan on FC6

Arjun Datta arjun at greatgulfhomes.com
Fri Feb 22 11:49:10 EST 2008


I went ahead and tried installing openswan on RH9 to test it out and see if
I can connect to an FC6 machine running Openswan.  It seemed to install fine
but I am getting an error when I start ipsec and try to connect.

service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.4.4/K1.0.3...
ipsec_setup: /usr/libexec/ipsec/eroute: pfkey write failed, returning -1 with errno=22.
ipsec_setup: Invalid argument, check kernel log messages for specifics.

/var/log/messages gives me:
<snip>
Feb 22 11:45:47 rhtest dhcpd: receive_packet failed on ipsec0: Network is down
Feb 22 11:45:47 rhtest kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Feb 22 11:45:47 rhtest ipsec_setup: ...Openswan IPsec stopped
Feb 22 11:45:47 rhtest ipsec_setup: Stopping Openswan IPsec...
Feb 22 11:45:48 rhtest ipsec_setup: KLIPS debug `none'
Feb 22 11:45:48 rhtest ipsec_setup: KLIPS ipsec0 on eth0 10.248.100.20/255.255.255.0 broadcast 10.248.100.255 mtu 1410
Feb 22 11:45:48 rhtest ipsec_setup: ...Openswan IPsec started
Feb 22 11:45:48 rhtest ipsec_setup: Starting Openswan IPsec U2.4.4/K1.0.3...
Feb 22 11:45:48 rhtest ipsec_setup: /usr/libexec/ipsec/eroute: pfkey write failed, returning -1 with errno=22.
Feb 22 11:45:48 rhtest ipsec_setup: Invalid argument, check kernel log messages for specifics.
Feb 22 11:45:48 rhtest ipsec__plutorun: 022 "ggh-rhtest": we cannot identify ourselves with either end of this connection
Feb 22 11:45:48 rhtest ipsec__plutorun: ...could not route conn "ggh-rhtest"
Feb 22 11:45:48 rhtest ipsec__plutorun: 022 "ggh-rhtest": We cannot identify ourselves with either end of this connection.
Feb 22 11:45:48 rhtest ipsec__plutorun: ...could not start conn "ggh-rhtest"

I am not sure what the 022 error means.  I tried looking at pfkey but it's a
binary file.  Any ideas?

SETUP:
RH9 called rhtest
uname:              2.4.20-30.9.openswan_1.0.3_1 #1
ipsec version:     Linux Openswan U2.4.4/K1.0.3 (klips)

ipsec.conf:
<snip>
        interfaces="ipsec0=eth0"
        # klipsdebug=all
        plutodebug=all
        overridemtu=1410
        nat_traversal=yes
<snip>
conn ggh-rhtest

         left=WAN IP of FC6 VPN server
         leftsubnet=10.241.0.0/16
         leftnexthop=WAN IP of Gateway for FC6 VPN Server

         right=WAN IP of RH9 VPN server
         rightsubnet=10.248.0.0/16
         rightnexthop=WAN IP of Gateway for RH9 VPN Server

         keyingtries=0
         authby=secret
         type=tunnel
         auto=start
         #forceencaps=yes

ifconfig:
eth0 is the LAN NIC with an address of 10.248.100.20
eth1 is the WAN NIC

iptables:
<snip>
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -d ! 10.0.0.0/255.0.0.0 -o eth0 -j MASQUERADE
<snip>
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 500 --syn -j ACCEPT

ipsec verify:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K1.0.3 (klips)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

ipsec auto --status:
<snip>
000 "ggh-rhtest": 10.241.0.0/16===X.X.X.X---X.X.X.X...X.X.X.X---X.X.X.X===10.248.0.0/16; unrouted; eroute owner: #0
000 "ggh-rhtest":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "ggh-rhtest":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ggh-rhtest":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 16,16; interface: ;
000 "ggh-rhtest":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000


Regards,

Arjun Datta
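Added example, not part of the post above or of Openswan itself: pluto's 022 "we cannot identify ourselves with either end of this connection" is raised when neither left= nor right= equals an address on an interface pluto is listening on, and with KLIPS that set comes from the interfaces= line (here ipsec0=eth0, whose address the log shows as 10.248.100.20). The script below re-creates that orientation check offline; all WAN addresses are constructed placeholders and the interface-to-address table is assumed from the post's description of eth0/eth1.

```python
# Offline re-creation of pluto's connection "orientation" check (added example,
# not Openswan code). A conn can only be routed/started if left= or right= is
# an address pluto listens on. All IP addresses below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class Conn:
    name: str
    left: str
    right: str


def listening_addrs(interfaces_setting, nic_addrs):
    """Resolve a KLIPS-style interfaces= value (e.g. 'ipsec0=eth0 ipsec1=eth1')
    to the physical-NIC addresses pluto will consider its own."""
    addrs = []
    for pair in interfaces_setting.split():
        _virtual, physical = pair.split("=", 1)
        addrs.extend(nic_addrs.get(physical, []))
    return addrs


def orient(conn, local_addrs):
    """Return 'left', 'right', or None (None is the 022 condition)."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    if ipaddress.ip_address(conn.left) in local:
        return "left"
    if ipaddress.ip_address(conn.right) in local:
        return "right"
    return None


def diagnose(conn, interfaces_setting, nic_addrs):
    """Produce a pluto-style status line for the given conn and interfaces= setting."""
    addrs = listening_addrs(interfaces_setting, nic_addrs)
    side = orient(conn, addrs)
    if side is None:
        return (f'022 "{conn.name}": we cannot identify ourselves with either end '
                f"of this connection (listening on {addrs or 'nothing'})")
    return f'"{conn.name}": we are the {side} end'


# Constructed stand-ins for the post's setup: eth0 is the LAN NIC (10.248.100.20),
# eth1 is the WAN NIC; the conn's left/right are the two servers' WAN addresses.
NICS = {"eth0": ["10.248.100.20"], "eth1": ["203.0.113.20"]}
CONN = Conn("ggh-rhtest", left="198.51.100.5", right="203.0.113.20")

if __name__ == "__main__":
    print(diagnose(CONN, "ipsec0=eth0", NICS))  # ipsec0 on the LAN NIC: 022 condition
    print(diagnose(CONN, "ipsec0=eth1", NICS))  # ipsec0 on the WAN NIC: we are the right end
```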