[Openswan Users] Upgrading ClarkConnect from v4.3 to 5.0 gives errors in OPenswan
Nick Howitt
n1ck.h0w1tt at gmail.com
Fri Jul 31 13:19:28 EDT 2009
I've done a bit more troubleshooting.
With my dial-in conn, if right=%any, I am having to set left="IP
address". If I set left=myFQDN or left=%defaultroute I get
022 connection must specify host IP address for our side
037 attempt to load incomplete connection
With my dial-out conn, if left=%defaultroute then, if right=farFQDN or
right=FarIPAddress, I get
022 "MumOut": We cannot identify ourselves with either end of this
connection.
Nick
On 30/07/2009 19:49, Nick Howitt wrote:
> Any more thoughts or things I can look at?
>
> On 28/07/2009 10:50, Nick Howitt wrote:
>
>> This is a repost. The lists scrubbed the last one as it interpreted
>> formatting as an html attachment.
>>
>> On 26/07/2009 21:01, Paul Wouters wrote:
>>
>>
>>> On Sun, 26 Jul 2009, Nick Howitt wrote:
>>>
>>>
>>>
>>>> I have now moved it to each conn and it works the same irrespective
>>>> of where it is.
>>>> With left=%defaultroute in my default conn and right=%any
>>>> in conn Mark
>>>> (in ipsec.conf) in /var/log/secure I get:
>>>>
>>>>
>>>> You cannot use both in the same conn, as pluto would not be
>>>> able to deduct
>>>> if it should be left= or right=, as both are dynamic.
>>>>
>>>> It used to work with CC4.3 and openswan 2.4.15 and 2.6.15.
>>>>
>>>>
>>> Are you sure about that? It has never been a supported method.
>>>
>>>
>>>
>> 100% positive. After the CC upgrade I reused the same conf files. I
>> started with the original files but I had to set oe=no instead of an
>> include statement. Also the upgrade moved my conf files (from /etc to
>> /etc/ipsec.d) so I copied them back rather than change my include
>> statement. I then hit this issue which I can only solve using FQDN's (or
>> IP's, presumably)
>>
>>
>>>> I have now put left in the conn and with left=myFQDN, right=%any, in
>>>> /var/log/messages I still get:
>>>>
>>>> Jul 26 19:12:07 server ipsec__plutorun: 022 connection must specify
>>>> host IP address for our side
>>>> Jul 26 19:12:07 server ipsec__plutorun: 037 attempt to load
>>>> incomplete connection
>>>>
>>>>
>>> Do you have a reachable DNS server before the tunnel is up that can
>>> resolve myFQDN?
>>>
>>>
>>>
>> Yes. The server has been running continuously since yesterday. I got the
>> latest logs doing a "service ipsec restart" today. I think the error
>> message is misleading as it clears when I set right=farFQDN. The tunnel
>> is then OK.
>>
>>
>>>> and, similarly, in /var/log/secure:
>>>>
>>>> Jul 26 19:12:07 server pluto[19800]: connection must specify host IP
>>>> address for our side
>>>> Jul 26 19:12:07 server pluto[19800]: attempt to load incomplete
>>>> connection
>>>>
>>>> The error messages clear and the tunnel comes up only if I define
>>>> right=farFQDN. right=%any does not
>>>> work.
>>>>
>>>>
>>> right=%any should work find if you use auto=add and let the connection
>>> be a responder. But
>>> I think you want both ends to try to initiate to the other. That on
>>> dynamic IP will always
>>> be a challenge, and you will need to use DNS servers to resolve the
>>> dyndns hostnames.
>>>
>>>
>>>
>> This is the conn:
>>
>> conn %default
>> type=tunnel
>> authby=secret
>> keyingtries=%forever
>> leftsubnet=192.168.2.0/24
>> leftsourceip=192.168.2.1
>> leftnexthop=%defaultroute
>> rightnexthop=%defaultroute
>>
>> conn Mark
>> auto=add
>> rekey=no
>> left=myFQDN # works in default conn as well and used to work as
>> %defaultroute in default conn
>> # right=%any # no longer works
>> right=farFQDN
>> rightsubnet=192.168.20.0/24
>> rightsourceip=192.168.20.1
>> rightid=@FromMark # This must also be in the Local ID field in
>> the DrayTek
>>
>> To be honest, I would suspect something during the CC4.3 -> 5.0 upgrade
>> has messed up as everything was OK before and the errors are not
>> normally expected, but I am hoping we can pinpoint the source of the
>> error here. I have tried uninstalling Openswan then re-installing the CC
>> version (2.6.14) , but it shows the same errors. Upgrading to 2.6.22
>> again did nothing.
>>
>>
>>> Paul
>>>
>>>
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
More information about the Users
mailing list