[Openswan Users] Lack of Logs

Paul Wouters paul at xelerance.com
Mon Feb 15 10:15:35 EST 2010


On Sun, 7 Feb 2010, Karl Page wrote:

> I'm pretty new to openswan, running it on Ubuntu 9.10. The logs that I'm looking at don't appear to be nearly detailed
> enough; I must be missing something. Basically the IPSEC vpn I'm setting up and testing is failing and the logs I'm
> looking at aren't explicit enough, looking at syslogs, and auth.log (attached), IPSEC.conf included which looks fine
> to me. I did see a post about another set of logs under a directory called "secure", hoping to see loads of the IPSEC,
> but can't find one. Also looked in the folder called PLUTO, expecting a full log for that host address as per
> 
> plutodebug="all" &
> plutoopts="--perpeerlog"

You should NOT enable debug logs, they are NOT required to fix configuration errors!
(Also, your other message to the list contains several runs of openswan and a lot of
other unrelated logs. If you wish others to help you, at least show you are putting
in some effort to make it easier for those trying to help you.)

>     plutodebug="all"
>     klipsdebug="all"   

disable those!

>     plutoopts="--perpeerlog"

It is unlikely you really want this.

>     nat_traversal=yes
>     # exclude networks used on server side by adding %v4:!a.b.c.0/24
>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%4:!192.168.1.0/255.255.255.0

That last netmask should be /24 not 255.255.255.0.

> conn secnet
>     left=192.168.15.120
>     leftnexthop=%defaultroute
>     leftsubnet=192.168.1.0/255.255.255.0
>     right=172.16.1.1
>     ike=aes256-md5-modp1024!
>     esp=aes256-md5!

The "!" is syntax you should not use. It is obsolete and ambiguous
syntax. If you need to specify a limited list of proposals, then that
list automatically becomes the only allowed proposals (aka the old
'strict mode').

Also, aes256-md5 with DH group 1024 seems an unlikely proposal combining
very old small DH groups and MD5 with the newer AES (and not even aes128?).

Ask the other endpoint what they are expecting you to really configure.

Paul
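As an added illustration (not code from this thread or from Openswan), a small Python lint that flags the settings objected to above in the quoted ipsec.conf: debug options left on, --perpeerlog, the trailing "!" on ike/esp proposals, MD5/modp1024 in a proposal, and dotted-quad netmasks, rewriting the fixable ones into the accepted form. The sample configuration inside it is constructed to mirror the quoted fragments, and the "none" value for the debug keys is the standard way to turn them off.

```python
import ipaddress
import re

SAMPLE_CONF = """\
config setup
    plutodebug="all"
    klipsdebug="all"
    plutoopts="--perpeerlog"
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/255.255.255.0
conn secnet
    leftsubnet=192.168.1.0/255.255.255.0
    ike=aes256-md5-modp1024!
    esp=aes256-md5!
"""  # constructed sample mirroring the fragments quoted in the thread, not Karl's real file

def normalize_subnet(value: str) -> str:
    """Rewrite a.b.c.d/255.255.255.0 as a.b.c.d/24; prefix notation is returned unchanged."""
    m = re.fullmatch(r"(%v4:!?)?(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)", value)
    if not m:
        return value
    prefix, addr, mask = m.groups()
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return f"{prefix or ''}{net.network_address}/{net.prefixlen}"

def lint_ipsec_conf(text: str) -> tuple[list[str], dict[str, str]]:
    """Return (findings, fixed): readable issues plus corrected values keyed by setting."""
    findings, fixed = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith("#"):
            continue  # section headers, blanks and comments carry no settings
        key, value = (s.strip().strip('"') for s in line.split("=", 1))
        if key in ("plutodebug", "klipsdebug") and value:
            findings.append(f"{key}: debug logging enabled; not needed to fix config errors")
            fixed[key] = "none"
        elif key == "plutoopts" and "--perpeerlog" in value:
            findings.append("plutoopts: --perpeerlog splits logs per peer; rarely what you want")
        elif key in ("ike", "esp"):
            if value.endswith("!"):
                findings.append(f"{key}: trailing '!' is obsolete; an explicit list is already strict")
                fixed[key] = value.rstrip("!")
            if any(t in value for t in ("md5", "modp1024")):  # legacy hash / small DH group
                findings.append(f"{key}: legacy algorithm in proposal ({value})")
        elif key in ("leftsubnet", "rightsubnet", "virtual_private"):
            parts = [normalize_subnet(p) for p in value.split(",")]
            if parts != value.split(","):
                findings.append(f"{key}: dotted-quad netmask; use a /prefix length")
                fixed[key] = ",".join(parts)
    return findings, fixed
```

Running `lint_ipsec_conf(SAMPLE_CONF)` reports nine findings and returns corrected values for the debug keys, both subnets and both proposals.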

