[Openswan Users] Good old "cannot identify ourselves" and %defaultroute issue...

fbc flexbumpchest at gmail.com
Thu Jun 11 14:50:52 EDT 2009


On Thu, Jun 11, 2009 at 1:40 PM, fbc <flexbumpchest at gmail.com> wrote:

> On Tue, Jun 9, 2009 at 7:51 PM, Paul Wouters <paul at xelerance.com> wrote:
>
>> On Tue, 9 Jun 2009, fbc wrote:
>>
>>> CentOS 5.3 x64, Linux Openswan U2.6.14/K2.6.18-128.1.10.el5 (netkey)
>>> I searched google and couldn't really come up with an answer.  It works
>>> great when I put
>>> my IP from eth0 as "left=" in the config, but when I put
>>> left=%defaultroute like I'm
>>> supposed to be able to do, it throws the error:
>>>
>>> [root at testing ipsec.d]# ipsec whack --initiate --name testtun1
>>> 022 "testtun1": We cannot identify ourselves with either end of this
>>> connection.
>>>
>>
>> Then you probably do not have a default route? It's no problem to use the
>> ip from eth0
>> in the config, if it is a static ip.
>
>
>>
>>> ipsec.conf just has the default stuff, and my tunnel of
>>> /etc/ipsec.d/testtun1.conf was
>>> fully working when I used my real IP address.  I want to be able to use
>>> %defaultroute for
>>> a dynamic IP.
>>>
>>
>> Perhaps you are starting ipsec before you have an ip and default route?
>>
>> Paul
>>
> I've got a default route:
> [root at testing ~]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> xxx.245.xxx.224 *               255.255.255.248 U     0      0        0 eth0
> 10.1.12.0       *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> default         225-xxx-245-xxx 0.0.0.0         UG    0      0        0 eth0
>
> Where the x's are my real, publicly accessible IP bound to eth0.
> I started IPsec (and have subsequently restarted, many times) way after
> boot.  Any other ideas?
> I've tried setting leftid in the conf & secrets file, no leftid and no left
> side in the secrets file, etc, nothing seems to work.
> Thanks for your time/assistance.
>
Just in case:
[root at testing ~]# cat /etc/ipsec.d/test.conf
conn testtun1
     also=testtun
     rightsubnet=172.23.24.0/24

conn testtun
     type=tunnel
     auto=add
     auth=esp
     pfs=yes
     authby=secret
     keyingtries=0
     left=%defaultroute
     leftsubnet=10.1.12.0/24
     right=63.223.114.59
     aggrmode=no
     esp=aes256-sha1
     keyexchange=ike
     ike=aes256-sha1
     keylife="28800"
     ikelifetime="86400"

[root at testing ~]# cat /etc/ipsec.d/test.secrets
%defaultroute 63.223.114.59 : PSK "test123"

Thanks anybody/everybody.
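
The two hypotheses raised in the thread (no default route, or IPsec started before the route exists) can be checked mechanically before starting IPsec. The script below is an added example, not part of the original thread and not Openswan's own resolution logic; it parses text in `/proc/net/route` format, and the sample table and the function names `hex_to_ip` and `default_route` are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a usable default route before
# bringing up a conn that uses left=%defaultroute.

# Constructed sample in /proc/net/route format (tab-separated; addresses are
# little-endian hex as printed on x86). 192.0.2.1 is a documentation address.
SAMPLE_ROUTES='Iface	Destination	Gateway	Flags	RefCnt	Use	Metric	Mask	MTU	Window	IRTT
eth0	000C010A	00000000	0001	0	0	0	00FFFFFF	0	0	0
eth0	0000FEA9	00000000	0001	0	0	0	0000FFFF	0	0	0
eth0	00000000	010200C0	0003	0	0	0	00000000	0	0	0'

# Convert the kernel's little-endian hex (e.g. 010200C0) to a dotted quad.
hex_to_ip() {
    printf '%d.%d.%d.%d\n' \
        "0x$(printf '%s' "$1" | cut -c7-8)" "0x$(printf '%s' "$1" | cut -c5-6)" \
        "0x$(printf '%s' "$1" | cut -c3-4)" "0x$(printf '%s' "$1" | cut -c1-2)"
}

# Read /proc/net/route-format text on stdin and print "iface gateway" for the
# first default route: destination and mask both zero, flags containing
# RTF_UP (0x1) and RTF_GATEWAY (0x2). Returns 1 when no such route exists.
default_route() {
    while read -r iface dest gw flags _refcnt _use _metric mask _rest ||
          [ -n "$iface" ]; do
        [ "$iface" = "Iface" ] && continue   # skip the header row
        if [ "$dest" = "00000000" ] && [ "$mask" = "00000000" ] &&
           [ $(( 0x$flags & 3 )) -eq 3 ]; then
            echo "$iface $(hex_to_ip "$gw")"
            return 0
        fi
    done
    return 1
}

# Demo on the constructed sample. On a live host, feed the real table instead:
#   default_route < /proc/net/route || echo "no default route yet"
printf '%s\n' "$SAMPLE_ROUTES" | default_route || echo "no default route yet"
```

Running the check from the same init step that starts IPsec shows whether the route was present at that moment, rather than later at an interactive prompt.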