[Openswan Users] subnet-to-subnet configuration problem, tunnel is not established, 'no TXT RR found for us'
Gbenga
stjames08 at yahoo.co.uk
Fri Mar 21 19:28:30 EDT 2008
Omar,
You want to include the following line at the end of your ipsec.conf. Without it, Openswan will look to start Opportunistic Encryption automatically. Most of the time, that is not what you want. Unless you really want OE, in which case, you have to configure your dns for that purpose.
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

After you have the above line, re-run 'ipsec auto rereadall' to make it take effect.
Rgds,
Gbenga
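As an added illustration (not code from either poster), a small Python parser for the ipsec.conf section/parameter format that reports whether the no_oe.conf include is present and which conns are set to auto=start. The sample config is constructed from Omar's, with the RSA key blobs shortened and the recommended include appended.

```python
# Added example (not Openswan's own code): parse an ipsec.conf and check whether
# OE was disabled with the no_oe.conf include. SAMPLE_CONF is constructed.
SAMPLE_CONF = """\
version 2.0
config setup
    interfaces=%defaultroute
conn %default
    authby=rsasig
conn nnn
    left=181.1.1.1    # Local vitals
    leftsubnet=172.15.0.0/16
    right=181.1.1.2   # Remote vitals
    rightsubnet=172.16.0.0/16
    leftrsasigkey=0sAQNvW5Pf...
    rightrsasigkey=0sAQOItV0...
    auto=start
include /etc/ipsec.d/examples/no_oe.conf
"""
NO_OE = "/etc/ipsec.d/examples/no_oe.conf"

def parse_ipsec_conf(text):
    """Return (sections, includes); ipsec.conf(5) requires parameter lines to be indented."""
    sections, includes, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line[0] in " \t":                          # indented => parameter
            if current is None:
                raise ValueError(f"line {lineno}: parameter outside any section")
            key, _, value = line.strip().partition("=")
            sections[current][key] = value
        elif line.startswith("include "):
            includes.append(line.split(None, 1)[1])
        elif "=" in line:                             # unindented key=value: not a valid parameter line
            raise ValueError(f"line {lineno}: parameter line is not indented")
        elif not line.startswith("version "):         # 'config setup' or 'conn NAME'
            current = line.strip()
            sections.setdefault(current, {})
    return sections, includes

def oe_disabled(text):
    """True when the no_oe.conf include is present, so pluto will not attempt OE."""
    return NO_OE in parse_ipsec_conf(text)[1]

def autostart_conns(text):
    """Names of conns pluto brings up at startup (auto=start)."""
    sections, _ = parse_ipsec_conf(text)
    return [n.split()[1] for n, p in sections.items()
            if n.startswith("conn ") and p.get("auto") == "start"]
```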
----- Original Message ----
From: Omar Adel <rumaih123 at gmail.com>
To: users at openswan.org
Sent: Friday, 21 March, 2008 6:33:25 PM
Subject: [Openswan Users] subnet-to-subnet configuration problem, tunnel is not established, 'no TXT RR found for us'
Hi everybody
1. First, I am new to openswan, and this is my first start in using it. I am trying to do a simple IPSec tunnel between 2 subnets (subnet-to-subnet connection). I am using Debian Linux and openswan on both sides of the IPSec tunnel. The openswan is installed OK on both sides, however the tunnel is not established. The log shows this error:
"can not use our IP (181.1.1.1:TXT) as identity: no TXT RR found for us"
Your help in solving the problem would be very much appreciated.
Section 2 below shows the network layout.
Section 4 below shows the content of "ipsec.conf".
Section 5 below shows the result of the command "ipsec verify".
Section 6 below shows the content of the log which shows the error at the last 5 lines.
Thanks.
2. The network layout is as follows:

PC Client1
    IP: 172.15.0.2
    subnet mask: 255.255.0.0
    Gateway: 172.15.0.1
        |
VPN_Linux1 (Linux VPN 1)
    eth1: IP 172.15.0.1, subnet mask 255.255.0.0, Gateway 181.1.1.1
    eth0: IP 181.1.1.1, subnet mask 255.255.0.0, Gateway 181.1.1.2
        |
VPN_Linux2 (Linux VPN 2)
    eth0: IP 181.1.1.2, subnet mask 255.255.0.0, Gateway 181.1.1.1
    eth1: IP 172.16.0.1, subnet mask 255.255.0.0, Gateway 181.1.1.2
        |
PC Client2
    IP: 172.16.0.2
    subnet mask: 255.255.0.0
    Gateway: 172.16.0.1
3. The content of "ipsec.conf" is as follows:
=================
version 2.0
config setup
    interfaces=%defaultroute
conn %default
    authby=rsasig
conn nnn
    left=181.1.1.1            # Local vitals
    leftsubnet=172.15.0.0/16
    right=181.1.1.2           # Remote vitals
    rightsubnet=172.16.0.0/16
    type=tunnel
    leftrsasigkey=0sAQNvW5Pf...
    rightrsasigkey=0sAQOItV0...
    auto=start
================
4. The result of the command "ipsec verify" is as follows:
==============
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.6/K2.6.18-6-686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: debianLeft [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 1.1.1.181.in-addr.arpa. [MISSING]
Looking for TXT in reverse dns zone: 1.0.15.172.in-addr.arpa. [MISSING]
==============
5. The log (in /var/log/auth.log) which shows the problem is:
==============
Mar 21 13:35:39 localhost ipsec__plutorun: Starting Pluto subsystem...
Mar 21 13:35:39 localhost pluto[10713]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
Mar 21 13:35:39 localhost pluto[10713]: Setting NAT-Traversal port-4500 floating to off
Mar 21 13:35:39 localhost pluto[10713]: port floating activation criteria nat_t=0/port_fload=1
Mar 21 13:35:39 localhost pluto[10713]: including NAT-Traversal patch (Version 0.6c) [disabled]
Mar 21 13:35:39 localhost pluto[10713]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Mar 21 13:35:39 localhost pluto[10713]: WARNING: Using /dev/urandom as the source of random
Mar 21 13:35:39 localhost pluto[10713]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 21 13:35:39 localhost pluto[10713]: starting up 1 cryptographic helpers
Mar 21 13:35:39 localhost pluto[10720]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Mar 21 13:35:39 localhost pluto[10720]: WARNING: Using /dev/urandom as the source of random
Mar 21 13:35:39 localhost pluto[10713]: started helper pid=10720 (fd:6)
Mar 21 13:35:39 localhost pluto[10713]: Using Linux 2.6 IPsec interface code on 2.6.18-6-686
Mar 21 13:35:40 localhost pluto[10713]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 21 13:35:40 localhost pluto[10713]: Changing to directory '/etc/ipsec.d/aacerts'
Mar 21 13:35:40 localhost pluto[10713]: Changing to directory '/etc/ipsec.d/ocspcerts'
Mar 21 13:35:40 localhost pluto[10713]: Changing to directory '/etc/ipsec.d/crls'
Mar 21 13:35:40 localhost pluto[10713]: Warning: empty directory
Mar 21 13:35:40 localhost pluto[10713]: added connection description "block"
Mar 21 13:35:40 localhost pluto[10713]: added connection description "clear-or-private"
Mar 21 13:35:40 localhost pluto[10713]: added connection description "packetdefault"
Mar 21 13:35:40 localhost pluto[10713]: added connection description "private"
Mar 21 13:35:40 localhost pluto[10713]: added connection description "clear"
Mar 21 13:35:40 localhost pluto[10713]: added connection description "private-or-clear"
Mar 21 13:35:40 localhost pluto[10713]: listening for IKE messages
Mar 21 13:35:40 localhost pluto[10713]: adding interface eth1/eth1 172.15.0.1:500
Mar 21 13:35:40 localhost pluto[10713]: adding interface eth0/eth0 181.1.1.1:500
Mar 21 13:35:40 localhost pluto[10713]: adding interface lo/lo 127.0.0.1:500
Mar 21 13:35:40 localhost pluto[10713]: adding interface lo/lo ::1:500
Mar 21 13:35:40 localhost pluto[10713]: loading secrets from "/etc/ipsec.secrets"
Mar 21 13:35:40 localhost pluto[10713]: loading group "/etc/ipsec.d/policies/private-or-clear"
Mar 21 13:35:40 localhost pluto[10713]: loading group "/etc/ipsec.d/policies/clear"
Mar 21 13:35:40 localhost pluto[10713]: loading group "/etc/ipsec.d/policies/private"
Mar 21 13:35:40 localhost pluto[10713]: loading group "/etc/ipsec.d/policies/clear-or-private"
Mar 21 13:35:40 localhost pluto[10713]: loading group "/etc/ipsec.d/policies/block"
Mar 21 13:35:49 localhost pluto[10713]: can not use our IP (181.1.1.1:TXT) as identity: no TXT RR found for us
Mar 21 13:35:49 localhost pluto[10713]: can not use our hostname (@debianLeft:TXT) as identity: no TXT RR found for us
Mar 21 13:35:49 localhost pluto[10713]: can not use our IP (181.1.1.1:KEY) as identity: no KEY RR found for us
Mar 21 13:35:49 localhost pluto[10713]: Can not opportunistically initiate for 172.15.0.2 to 216.49.94.13: KEY record for hostname as %myid (no good TXT): failure querying DNS for KEY of debianLeft.: Host name lookup failure
Mar 21 13:37:00 localhost pluto[10713]: Can not opportunistically initiate for 181.1.1.2 to 172.15.0.2: KEY record for hostname as %myid (no good TXT): failure querying DNS for KEY of debianLeft.: Host name lookup failure
==============
Your help in solving the problem would be very much appreciated.
Thanks for your help in advance.
Omar Adel