[Openswan Users] Auto Negotiation is not happening

Peter McGill petermcgill at goco.net
Mon Nov 24 09:03:03 EST 2008 

Ravi,

This is explained in the man page.

Use auto=route.
With auto=route the tunnel configuration will be "added", but the tunnel 
will not connect until there is some traffic which is destined for the 
remote end.

When auto=start the tunnel configuration is "added" and the tunnel is 
"started" (connected) right away.

When auto=add the tunnel configuration is "added" but does not connect 
until the other end requests a connection or the admin manually 
initiates a connection with ipsec auto --up ...

Note, unless you really need the connection only up when you use it, I 
suggest using auto=start for an always on connection, in my experience 
this works much better than auto=route.

Turn off klipsdebug= and plutodebug= they do not help 99.9% of the time 
they only drown your hard disk with logs. Only turn them on when asked 
by a developer. The normal logs are usually sufficient for troubleshooting.

You configuration says your using des (single des), I hope this is a 
typo, single des is not secure (and openswan will not use it by 
default), use 3des or aes.

Peter

PVG Ravi Kumar wrote:
> Hello All,
> 
>  
> 
> I am using 2.4.13 with Fedora core 4 system.
> 
>  
> 
> Auto negotiation is not happening, when I initiate the traffic from my 
> left or right subnet.
> 
>  
> 
> Here is my config file
> 
> config setup
> 
>             interfaces=%defaultroute
> 
>             nat_traversal=yes
> 
>             # Debug-logging controls:  "none" for (almost) none, "all" 
> for lots.
> 
>             klipsdebug=all
> 
>      plutodebug=all
> 
>  
> 
> conn Remote
> 
>             type=tunnel
> 
>             authby=secret
> 
>             left=%defaultroute
> 
>             leftid=10.1.1.253
> 
>             leftsubnet=192.168.200.173/24
> 
>             right=192.168.10.183
> 
>             rightid=10.1.1.254
> 
>             rightsubnet=192.168.100.183/24
> 
>             ike=des-md5-modp1536
> 
>             ikelifetime=28800
> 
>             keylife=14400
> 
>             auto=add
> 
>  
> 
> If I do “ipsec auto –-up Remote” and “ipsec auto –-down Remote”, and 
> initiate traffic from the left or right subnet then the negotiation was 
> happening.
> 
> With this, if I do “ipsec auto –-delete Remote” and “ipsec auto –-add 
> Remote”, and initiate traffic from the left or right subnet then the 
> negotiation was *not *happening.
> 
>  
> 
> Please tell me what to add in my config file to have auto negotiation
> 
>  
> 
> Thanks in advance
> 
> Ravi
> 
>  
> 
> DISCLAIMER: This message is proprietary to D-Link (India) Limited and is 
> intended solely for the use of the individual to whom it is addressed. 
> It may contain privileged or confidential information and should not be 
> circulated or used for any purpose other than for what it is intended. 
> If you have received this message in error, please notify the originator 
> immediately. If you are not the intended recipient, you are notified 
> that you are strictly prohibited from using, copying, altering, or 
> disclosing the contents of this message. D-Link (India) Limited accepts 
> no responsibility for loss or damage arising from the use of the 
> information transmitted by this email including damage from virus.
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list