[Openswan Users] service ipsec status - "No tunnels up" but they are working

piotr.1234 at interia.pl
Wed Feb 4 05:46:33 EST 2009


I have Openswan and 2 tunnels between Linux Openswan U2.6.14/K2.6.18.3 (netkey) and a Cisco ASA.
The tunnels are working. My system: CentOS 5.1, kernel 2.6.18.3.


But: 
service ipsec status
IPsec running  - pluto pid: 8331
pluto pid 8331
No tunnels up


my kernel conf:

CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_XFRM_TUNNEL=y
CONFIG_INET_TUNNEL=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y


my ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
   
        protostack=netkey
        #nat_traversal=yes
        interfaces=%defaultroute
        #plutodebug=control
        #crlcheckinterval=180
        #strictcrlpolicy=no
        nat_traversal=no
        uniqueids=yes

conn %default
        type=tunnel
        authby=secret
        #ikelifetime=480m
        #keylife=480m
        keyingtries=3
        auto=start
        keyexchange=ike
        pfs=no
        auth=esp
        #esp=3des-md5
        esp=3des-md5
        #ike=3des-md5
        #ike=3des-sha-modp1536,3des-sha-modp1536,3des-md5-modp1024,3des-sha-modp1024
        #ike=3des-sha1-modp1536
        #ike=3des-sha1-modp1536!
        #dpdaction=hold
        #dpddelay=60
        #dpdtimeout=500
        compress=no
        aggrmode=no

conn 01
        right=a.a.a.a
        rightsubnet=b.b.b.0/24
        rightnexthop=c.c.c.c
        left=d.d.d.d
        leftsubnet=e.e.e.192/26
        leftnexthop=f.f.f.f
        leftsourceip=g.g.g.g


logs are fine:

STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0d991b91 <0x58600107 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500 DPD=enabled}

 Starting Openswan IPsec U2.6.14/K2.6.18.3...
002 added connection description "erwin01"
002 added connection description "erwin02"
request to add a prospective erouted policy with netkey kernel --- experimental
request to add a prospective erouted policy with netkey kernel --- experimental
STATE_MAIN_I1: initiate


ipsec auto status shows me that all is OK. Is there some bug in Openswan?

thx for help
regards
peter
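
Added example, not part of the original post and not Openswan code: a small Python check that parses the pluto "IPsec SA established" line quoted above and compares it with the `service ipsec status` text, so the disagreement the poster describes can be detected from the log itself. The function names are hypothetical, and reading "=>" as the outbound SPI and "<" as the inbound SPI is an assumption.

```python
import re

# pluto's "IPsec SA established" line, in the form quoted in the post.
SA_RE = re.compile(r"(?P<state>STATE_QUICK_[IR]2): .*?IPsec SA established "
                   r"(?P<mode>tunnel|transport) mode \{(?P<body>[^}]*)\}")
SPI_RE = re.compile(r"ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)")

def parse_established(line):
    """Return a dict describing the SA, or None if the line reports none."""
    m = SA_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    sa = {"state": m.group("state"), "mode": m.group("mode")}
    spi = SPI_RE.search(body)
    if spi:
        # Assumption: "=>" marks the outbound SPI, "<" the inbound one.
        sa["spi_out"], sa["spi_in"] = spi.group(1), spi.group(2)
    # Remaining fields are key=value tokens (xfrm=, NATOA=, NATD=, DPD=).
    for token in body.split():
        key, sep, value = token.partition("=")
        if sep and key != "ESP":
            sa[key.lower()] = value
    return sa

def reconcile(status_output, log_lines):
    """Compare the init script's summary with SAs seen in the pluto log."""
    sas = [sa for sa in map(parse_established, log_lines) if sa]
    claims_down = "No tunnels up" in status_output
    return {"established": sas, "status_disagrees": claims_down and bool(sas)}

# Sample input copied from the post above.
STATUS = "IPsec running  - pluto pid: 8331\npluto pid 8331\nNo tunnels up"
LOG = [
    "STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2",
    "transition from state STATE_QUICK_R1 to state STATE_QUICK_R2",
    "STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0d991b91 "
    "<0x58600107 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500 "
    "DPD=enabled}",
]

if __name__ == "__main__":
    result = reconcile(STATUS, LOG)
    for sa in result["established"]:
        print(sa["mode"], sa.get("spi_out"), sa.get("spi_in"), sa.get("xfrm"))
    print("status disagrees with log:", result["status_disagrees"])
```

A log line only shows that an SA was established at that moment; on a netkey stack, `ip xfrm state` lists the SAs currently held by the kernel.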


