[Openswan Users] Tunnel not starting

Arjun Datta arjun at greatgulfhomes.com
Thu May 29 00:36:51 EDT 2008


Paul Wouters wrote:
> On Wed, 28 May 2008, Arjun Datta wrote:
>
>> This is a FreeSWAN version 2.0 question concerning a pre-existing setup
>> I have been asked to maintain.  Before anyone asks, I cannot upgrade the
>> ipsec version as yet to openswan and so am stuck using freeswan for
>> now =)  (I know, I know, it's super old)
>
> It is. I wouldn't call it secure at this point.
>
>>         # (manual) base for SPI numbering; must end in 0
>>         spibase=0x520
>
> Why are you using manual keying? In fact you sort of are not.
>
>>         # (auto) key-exchange type
>>         keyexchange=ike
>>         # (auto) key lifetime (before automatic rekeying)
>>         keylife=8h
>>         # (auto) how persistent to be in (re)keying negotiations (0
>> means very)
>>         keyingtries=0
>>         auto=start
>
> Because this says you are using automatic keying.
>
>> When I try to (re)start the connection,
>> left side says:
>>
>> 000 #25: "corp-atlantat1" STATE_MAIN_I1 (sent MI1, expecting MR1);
>> EVENT_RETRANSMIT in 14s
>>
>> Is this because right is freeswan 2.0 and left is freeswan 1.0 ?
>
> Who knows with relic software like that. Normally, I would say
> this is a firewall issue. You send 1 packet, the other end receives
> 0 packets.
>
> Unless you work on the space shuttle or phoenix program though, I
> would phase out freeswan ASAP.
>
> Paul

Hi Paul,

I agree but I have to work with what I have been given =)

I figured out the problem, if you are curious.

I had to comment out the 'left firewall = x.x.x.x' and 'right firewall = 
x.x.x.x' in the ipsec.conf file on the freeswan 2.06 (Linux 2.4.20-30.9) 
machine but left them on the freeswan 1.0 (Linux 2.0.36).

On the freeswan 2.0.36 machine I also had to add the following line to 
iptables:

-A FORWARD -i eth1 -j ACCEPT

where eth1 is the external NIC.

Regards,
 
Arjun Datta
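An added example (mine, not from the thread or the FreeS/WAN project) that parses `000 #n:` state lines of the kind quoted above, as printed by `ipsec auto --status`, and flags connections stuck sending MI1 without ever seeing MR1, the one-way-traffic symptom Paul attributes to a firewall. The sample status text is constructed; only the corp-atlantat1 line comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of `ipsec auto --status` output. The corp-atlantat1 line is the
# one quoted in the thread; the corp-branch2 lines are made up as a healthy contrast.
SAMPLE_STATUS = """\
000 #25: "corp-atlantat1" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 14s
000 #26: "corp-atlantat1" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s
000 #12: "corp-branch2" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 25000s; newest ISAKMP
000 #13: "corp-branch2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26000s; newest IPSEC
"""

# One state line: 000 #<sa>: "<conn>" STATE_xxx (<description>); EVENT_xxx[ in <n>s]...
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\); (?P<event>EVENT_\w+)(?: in (?P<secs>\d+)s)?'
)

# Quick-mode states that mean an IPsec SA is actually up (initiator / responder side)
ESTABLISHED = {"STATE_QUICK_I2", "STATE_QUICK_R2"}

def parse_status(text):
    """Return (conn, state, event) for every state line found; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            out.append((m["conn"], m["state"], m["event"]))
    return out

def diagnose(text):
    """Map each connection name to a short verdict about where its IKE exchange stands."""
    by_conn = defaultdict(list)
    for conn, state, event in parse_status(text):
        by_conn[conn].append((state, event))
    verdicts = {}
    for conn, entries in by_conn.items():
        states = {s for s, _ in entries}
        retransmits = sum(1 for s, e in entries
                          if s == "STATE_MAIN_I1" and e == "EVENT_RETRANSMIT")
        if states & ESTABLISHED:
            verdicts[conn] = "IPsec SA established"
        elif retransmits and states <= {"STATE_MAIN_I1"}:
            # MI1 went out, MR1 never came back: the very first IKE packet gets no
            # answer, so the peer is unreachable or something between drops UDP/500
            verdicts[conn] = f"no IKE reply: {retransmits} SA(s) retransmitting MI1"
        else:
            verdicts[conn] = "negotiating: " + ", ".join(sorted(states))
    return verdicts

if __name__ == "__main__":
    for conn, verdict in sorted(diagnose(SAMPLE_STATUS).items()):
        print(f"{conn}: {verdict}")
```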

