[Openswan Users] OpenSwan difficulties

Paul Wouters paul at xelerance.com
Fri Jun 5 17:59:02 EDT 2009


On Fri, 5 Jun 2009, João Kuchnier wrote:

>         right=192.168.1.224
>         #rightnexthop=
>         rightsubnet=192.168.1.224/32
>         #rightid=
>         left=200.x.x.x
>         #leftnexthop=
>         leftsubnet=192.168.102.0/24
>         keyexchange=ike
>         ike=3des-md5-modp1024
>         esp=3des-md5
>         #ah=3des-md5
>         ikelifetime=28800s
>         #keylife=28800s
>         pfs=no
>         compress=no
>         authby=secret
>         auto=start
>         aggrmode=no

If both ends are openswan, use pfs=yes

> conn 2
>         right=192.168.1.224
>         #rightnexthop=
>         rightsubnet=192.168.1.224/32
>         #rightid=
>         left=200.x.x.x
>         #leftnexthop=
>         leftsubnet=10.201.136.0/21

> "conn1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> "conn1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0x0d243b91 <0x964680c9 xfrm=3DES_0-HMAC_MD5 NATD=200.x.x.x:4500
> DPD=none}
> "conn2" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> "conn2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0x09bf8953 <0xea5fc696 xfrm=3DES_0-HMAC_MD5 NATD=200.x.x.x:4500
> DPD=none}

Both tunnels establish, so my guess is this is a firewalling or
routing issue. Are you excluding packets that are going to be
tunneled from getting NAT'ed?

> Jun  5 16:03:43 conn2 ipsec_setup: Starting Openswan IPsec 2.4.9...

Could use an update to openswan 2.4.14.

> Jun  5 16:03:44 conn2 ipsec__plutorun: 104 "conn2" #1: STATE_MAIN_I1:
> initiate
> Jun  5 16:03:44 conn2 ipsec__plutorun: ...could not start conn "conn2"

That's an oddness where at first it does not start, but on the second
attempt it does. You can ignore that for now.

What does 'ipsec verify' say?

Paul


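Two of the checks Paul's reply points at, as an added example that is not part of the thread and not Openswan's own tooling: which conns in an ipsec.conf-style file are still running with pfs=no, and the nat/POSTROUTING ACCEPT rules that keep traffic bound for a tunnel out of a MASQUERADE rule (the "are you excluding tunneled packets from NAT" question). The config it parses is constructed here to mirror the two conns posted above; the function names, the assumption that MASQUERADE lives in nat/POSTROUTING, and the convention that "conn %default" appears before the other conns are all mine, not the page's.

```shell
#!/bin/sh
# Added example, not from the original thread or from Openswan itself.
# Parses an ipsec.conf-style file and (a) lists conns whose effective pfs
# setting is "no", (b) emits iptables commands that exempt each tunnel's
# traffic from NAT. Output is text only, so it runs anywhere.

# Print one line per conn: "name leftsubnet rightsubnet pfs" ("-" if unset).
# A conn without pfs= inherits from "conn %default" (assumed to be listed
# first, as is conventional), otherwise Openswan's own default of pfs=yes.
conn_table() {
    awk '
        BEGIN { defpfs = "yes" }
        function flush() {
            if (name == "") return
            if (name == "%default") { if (pfs != "") defpfs = pfs; return }
            if (pfs == "") pfs = defpfs
            print name, (left == "" ? "-" : left), (right == "" ? "-" : right), pfs
        }
        { sub(/[ \t\r]+$/, "") }              # strip trailing whitespace / CR
        /^[ \t]*#/ { next }                   # commented-out keys
        /^[ \t]*conn[ \t]+/ { flush(); name = $2; left = right = pfs = ""; next }
        /^[ \t]*leftsubnet=/  { sub(/^[ \t]*leftsubnet=/,  ""); left  = $0 }
        /^[ \t]*rightsubnet=/ { sub(/^[ \t]*rightsubnet=/, ""); right = $0 }
        /^[ \t]*pfs=/         { sub(/^[ \t]*pfs=/,         ""); pfs   = $0 }
        END { flush() }
    ' "$1"
}

# iptables commands that exempt each tunnel's subnet pair from NAT. "-I" puts
# the ACCEPT ahead of whatever MASQUERADE/SNAT rule already sits in
# nat/POSTROUTING (assumption: that is where the NAT rule lives).
nat_exclusion_rules() {
    conn_table "$1" | while read -r name left right pfs; do
        [ "$left" != "-" ] && [ "$right" != "-" ] || continue
        printf 'iptables -t nat -I POSTROUTING -s %s -d %s -j ACCEPT\n' "$left" "$right"
    done
}

# Names of conns whose effective pfs setting is "no".
weak_pfs_conns() {
    conn_table "$1" | awk '$4 == "no" { print $1 }'
}

# Constructed sample config mirroring the two conns in the thread.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
conn %default
        authby=secret
        keyexchange=ike

conn conn1
        left=200.x.x.x
        leftsubnet=192.168.102.0/24
        right=192.168.1.224
        rightsubnet=192.168.1.224/32
        #rightnexthop=
        pfs=no
        auto=start

conn conn2
        left=200.x.x.x
        leftsubnet=10.201.136.0/21
        right=192.168.1.224
        rightsubnet=192.168.1.224/32
        auto=start
EOF

echo "conns with pfs=no (use pfs=yes when both ends are Openswan):"
weak_pfs_conns "$SAMPLE_CONF"
echo "NAT exemptions to load ahead of the MASQUERADE rule:"
nat_exclusion_rules "$SAMPLE_CONF"
```

Point the functions at the real /etc/ipsec.conf to audit a live box; the emitted rules are printed rather than applied so they can be reviewed against the existing nat table first.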