[Openswan Users] Openswan and Netgear SRXN3205
JT Edwards
tstrike34 at gmail.com
Fri Aug 28 02:29:10 EDT 2009
Paul,
I am still having issues with "no (wildcard) connection has been configured
with policy=PSK". I followed your advice, but I think I am going to try to
use a hybrid of one of your examples. I need the Netgear router for SSL VPN
for customers, so I am going to try a Linux to Linux connection going thru
the Netgear router...
What this means is that the connection I am attempting is an
Openswan server with a public IP connecting to another Openswan server
sitting behind a NAT. I saw in the Openswan documentation it may be possible
to do this. I will give this a try in a few hours (me needs some sleep man).
I am new to VPN but trying really hard to learn, if you want I can send you
both my ipsec.conf and ipsec.secrets for your examination.
I am going to try to rebuild everything from scratch and see how it works.
Thanks for your continued assistance... This is really an exciting project!
JT
--------------------------------------------------
From: "Paul Wouters" <paul at xelerance.com>
Sent: Thursday, August 27, 2009 7:09 PM
To: "JT Edwards" <tstrike34 at gmail.com>
Cc: <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and Netgear SRXN3205
> On Thu, 27 Aug 2009, JT Edwards wrote:
>
>> 15:17:46 wizzer8 pluto[12887]: packet from 22.210.33.11:500: ignoring
>> unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
>> Aug 27 15:17:46 wizzer8 pluto[12887]: packet from 22.210.33.11:500:
>> ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
>> Aug 27 15:17:46 wizzer8 pluto[12887]: packet from 22.210.33.11:500:
>> initial Aggressive Mode message from 22.210.33.11 but no (wildcard)
>> connection has been configured with policy=PSK
>>
>> Both sides have the PSK identified
>
> But apparently you do not have aggressive mode enabled and the other end
> is asking for it.
>
>> conn net-to-net
>> left=11.231.29.12
>> leftsubnet=192.168.1.0/24
>> leftnexthop=%defaultroute
>> right=22.210.33.11
>> rightsubnet=192.168.122.0/24
>> rightnexthop=%defaultroute
>> auto=add # authorizes but doesn't start this
>> # connection at startup
>> authby=secret
>
> Do NOT put blank comment lines in the middle of a section, it will mean the
> section ended. So now your authby=secret is not part of "conn net-to-net".
> So remove the "# connection at startup" line.
>
> And add aggrmode=yes as the other end apparently is expecting that.
>
> Paul
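An added checker, not from this thread or from Openswan itself, that models the parser behaviour Paul describes (a blank or column-0 comment line closes the current section, so the parameters after it are orphaned) and reports whether each conn is actually a PSK conn; the sample input is an abridged, re-indented copy of the conn quoted above, constructed for this example:

```python
# Added checker (not from the thread or from Openswan): models the parser
# behaviour described in the reply, where a blank or column-0 comment line
# closes the current section, so later indented parameters become orphans.
import re
SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")

def parse_ipsec_conf(text):
    """Return (sections, orphans): name -> {key: value}, and a list of
    (lineno, key, value) for parameters that landed outside any section."""
    sections, orphans, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:                                  # "conn <name>" opens a section
            current = m.group(2)
            sections[current] = {}
            continue
        if not line or not line[0].isspace():  # blank/column-0 line closes it
            current = None
            continue
        body = line.split("#", 1)[0].strip()   # strip a trailing comment
        if "=" not in body:
            continue
        key, value = (s.strip() for s in body.split("=", 1))
        if current is None:
            orphans.append((lineno, key, value))
        else:
            sections[current][key] = value
    return sections, orphans

def psk_status(text):
    """conn name -> 'psk+aggressive', 'psk' or 'not-psk'. Openswan's authby
    defaults to rsasig, so a conn that lost authby=secret is not a PSK conn."""
    out = {}
    for name, p in parse_ipsec_conf(text)[0].items():
        if p.get("authby") != "secret":
            out[name] = "not-psk"
        else:
            out[name] = "psk+aggressive" if p.get("aggrmode") == "yes" else "psk"
    return out

# Constructed from the conn quoted in the thread (abridged, indentation restored).
BROKEN = """conn net-to-net
    left=11.231.29.12
    right=22.210.33.11
    auto=add # authorizes but doesn't start this
# connection at startup
    authby=secret
"""
# The fix from the reply: drop the column-0 comment line and add aggrmode=yes.
FIXED = BROKEN.replace("# connection at startup\n", "") + "    aggrmode=yes\n"
```

Running `psk_status(BROKEN)` shows net-to-net as not-psk with authby=secret listed as an orphan, which is exactly why pluto logs that no connection has policy=PSK; `psk_status(FIXED)` shows it as psk+aggressive.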