[Openswan Users] need some help to configure openswan on net to net

reza issanyr at olympecti.fr
Fri Sep 11 11:36:38 EDT 2009


OK, I have found how to create the file using urandom.

Now it seems that the tunnel doesn't establish (on the client):

Sep 11 17:31:39 octi pluto[15559]: "zola-octi" #9: the peer proposed: 192.168.2.0/24:0/0 -> 192.168.2.0/24:0/0
Sep 11 17:31:39 octi pluto[15559]: "zola-octi" #10: responding to Quick Mode proposal {msgid:3e2a1b41}
Sep 11 17:31:39 octi pluto[15559]: "zola-octi" #10:     us: 192.168.2.0/24===88.191.110.149<88.191.110.149>[+S=C]
Sep 11 17:31:39 octi pluto[15559]: "zola-octi" #10:   them: 88.191.89.113<88.191.89.113>[+S=C]===192.168.2.0/24
Sep 11 17:31:39 octi pluto[15559]: "zola-octi" #10: ERROR: netlink response for Add SA comp.2340 at 88.191.89.113 included errno 22: Invalid argument
Sep 11 17:31:39 octi pluto[15559]: | add_sa ipcomp failed
Sep 11 17:31:39 octi pluto[15559]: | failed to install outgoing SA: 0
Sep 11 17:31:49 octi pluto[15559]: "zola-octi" #10: discarding duplicate packet; already STATE_QUICK_R0

My conf:
conn zola-octi
	left=88.191.89.113
	leftsubnet=192.168.2.0/24
	leftrsasigkey=.......
	#
	right=88.191.110.149
	rightsubnet=192.168.2.0/24
	rightrsasigkey=0s.......
	auto=start

In the example file linux-linux, I have seen that there is a leftid and a rightid. Where are they defined? Can I put anything, as long as it is the same on each server?

azer.


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On behalf of reza
Sent: Friday, 11 September 2009 15:35
To: Paul Wouters
Cc: users at openswan.org
Subject: Re: [Openswan Users] need some help to configure openswan on net to net

What is entropy/randomness?

I have a lot of Linux servers, but I don't know on which one I can generate the file?

azer.


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Friday, 11 September 2009 15:19
To: reza
Cc: users at openswan.org
Subject: Re: [Openswan Users] need some help to configure openswan on net to net

On Fri, 11 Sep 2009, reza wrote:

> I’m trying to configure two Linux servers on net-to-net IPsec. Each server has the same subnet:
> 192.168.2.0/24

You cannot connect those. A subnet can only live at one place.

> I tried to use newhostkey without any success. The tool stays blocked at “Wait Pid”.

It needs entropy/randomness to generate the key. If your device is some embedded device,
then generate the key on another machine and copy the secrets file onto the embedded
device.

> So I’d like to create the key and cert file on Linux A to permit Linux B to establish the tunnel.
> Do you have an example of a configuration to do that please?

I would not use X.509 for linux-linux connections. But you can find configuration
examples in /etc/ipsec.d/examples/

Paul
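An added example, not code from the thread or from Openswan itself: a small Python lint that applies Paul's rule above (a subnet can only live at one place) to conn blocks like the one posted higher up in this thread, and also checks that the two endpoint addresses differ, that both rsasigkey fields are present, and that any leftid/rightid uses one of the ipsec.conf forms (an IP address, an @name, or a %keyword). The conn text below is constructed to mirror the posted config with the elided key values kept as placeholders; the "fixed" variant, where the second site is renumbered to 192.168.3.0/24, is an assumption made purely for illustration. The lint reports findings; it does not claim to explain the netlink/IPComp error in the log.

```python
"""Lint openswan ipsec.conf conn blocks for the net-to-net mistake discussed
on the list: both ends of the tunnel claiming the same subnet.

Added example for this thread; not Openswan code."""
import ipaddress
import re

# Constructed sample that mirrors the config posted in the thread.
# The elided key values are kept exactly as placeholders.
SAMPLE_CONF = """\
conn zola-octi
\tleft=88.191.89.113
\tleftsubnet=192.168.2.0/24
\tleftrsasigkey=.......
\t#
\tright=88.191.110.149
\trightsubnet=192.168.2.0/24
\trightrsasigkey=0s.......
\tauto=start
"""

# Constructed "fixed" variant: assumption that the second site is
# renumbered to 192.168.3.0/24 so the two subnets no longer overlap.
FIXED_CONF = SAMPLE_CONF.replace("rightsubnet=192.168.2.0/24",
                                 "rightsubnet=192.168.3.0/24")

# ipsec.conf id forms this lint accepts: an IP address, "@name", or a
# "%keyword" such as %fromcert / %any (conventional forms, not an exhaustive list).
ID_RE = re.compile(r"^(@\S+|%\S+)$")


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.

    Understands 'conn NAME' headers, whitespace-indented key=value lines
    and '#' comments.  Non-indented lines other than a conn header (for
    example 'config setup') end the current conn."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if line[0] not in " \t":
            current = None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def _looks_like_id(value):
    """True if value is an IP address, an @name, or a %keyword."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(ID_RE.match(value))


def lint_conn(name, conn):
    """Return a list of (severity, message) findings for one conn."""
    findings = []
    left_net, right_net = conn.get("leftsubnet"), conn.get("rightsubnet")
    if left_net and right_net:
        lnet = ipaddress.ip_network(left_net, strict=False)
        rnet = ipaddress.ip_network(right_net, strict=False)
        if lnet.overlaps(rnet):
            findings.append(("error", f"{name}: leftsubnet {lnet} overlaps "
                             f"rightsubnet {rnet}; a subnet can only live at "
                             "one place, renumber one site"))
    if conn.get("left") and conn.get("left") == conn.get("right"):
        findings.append(("error", f"{name}: left and right are the same address"))
    # RSA signature auth is the openswan default (authby=rsasig);
    # each side then needs its rsasigkey present.
    if conn.get("authby", "rsasig") == "rsasig":
        for side in ("left", "right"):
            if not conn.get(f"{side}rsasigkey"):
                findings.append(("error", f"{name}: {side}rsasigkey is missing"))
    for side in ("left", "right"):
        ident = conn.get(f"{side}id")
        if ident and not _looks_like_id(ident):
            findings.append(("warning", f"{name}: {side}id '{ident}' is not an "
                             "IP address, @name or %keyword"))
    return findings


def lint_text(text):
    """Lint every conn in an ipsec.conf-style text; returns all findings."""
    findings = []
    for name, conn in parse_conns(text).items():
        findings.extend(lint_conn(name, conn))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONF), ("renumbered", FIXED_CONF)):
        print(f"== {label} config ==")
        for severity, message in lint_text(text) or [("ok", "no findings")]:
            print(f"{severity}: {message}")
```

Run it against a real /etc/ipsec.conf by reading the file into lint_text(); the posted config produces the single "overlaps" error, and the renumbered variant produces no findings.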
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

