[Openswan Users] kernel 2.6.23 + saref + centos 5

Ronald loloski at yahoo.com
Mon Jan 18 04:59:05 EST 2010


I already modified those configs, and here is what ipsec barf will say. Thanks in advance.



Jan 18 17:58:33 sti-fw2 pluto[14946]: | NAT-OA: 32 tunnel: 1
Jan 18 17:58:33 sti-fw2 pluto[14946]: "roadwarrior-l2tp"[1] 124.106.205.249 #2: pfkey_lib_debug:pfkey_sa_parse: SAref=196612 must be (SAref == IPSEC_SAREF_NULL(0) || SAref < IPSEC_SA_REF_TABLE_NUM_ENTRIES(32768)).
Jan 18 17:58:33 sti-fw2 pluto[14946]: "roadwarrior-l2tp"[1] 124.106.205.249 #2: pfkey_lib_debug:pfkey_msg_parse: extension parsing for type 1(security-association) failed with error -22.
Jan 18 17:58:33 sti-fw2 pluto[14946]: "roadwarrior-l2tp"[1] 124.106.205.249 #2: pfkey_lib_debug:pfkey_sa_parse: SAref=196612 must be (SAref == IPSEC_SAREF_NULL(0) || SAref < IPSEC_SA_REF_TABLE_NUM_ENTRIES(32768)).
Jan 18 17:58:33 sti-fw2 pluto[14946]: "roadwarrior-l2tp"[1] 124.106.205.249 #2: pfkey_lib_debug:pfkey_msg_parse: extension parsing for type 1(security-association) failed with error -22.
Jan 18 17:58:33 sti-fw2 pluto[14946]: "roadwarrior-l2tp"[1] 124.106.205.249 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 18 17:58:33 sti-fw2 pluto[14946]: "roadwarrior-l2tp"[1] 124.106.205.249 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 18 17:58:33 sti-fw2 pluto[14946]: "roadwarrior-l2tp"[1] 124.106.205.249 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 18 17:58:33 sti-fw2 pluto[14946]: "roadwarrior-l2tp"[1] 124.106.205.249 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xbc38cb24 <0x53846cb9 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.2.254 NATD=124.106.205.249:36866 DPD=none}
Jan 18 17:59:08 sti-fw2 pluto[14946]: "roadwarrior-net"[2] 124.106.205.249 #1: received Delete SA(0xbc38cb24) payload: deleting IPSEC State #2
Jan 18 17:59:08 sti-fw2 pluto[14946]: "roadwarrior-net"[2] 124.106.205.249 #1: deleting connection "roadwarrior-l2tp" instance with peer 124.106.205.249 {isakmp=#0/ipsec=#0}
Jan 18 17:59:08 sti-fw2 pluto[14946]: "roadwarrior-net"[2] 124.106.205.249 #1: received and ignored informational message
Jan 18 17:59:08 sti-fw2 pluto[14946]: "roadwarrior-net"[2] 124.106.205.249 #1: received Delete SA payload: deleting ISAKMP State #1
Jan 18 17:59:08 sti-fw2 pluto[14946]: "roadwarrior-net"[2] 124.106.205.249: deleting connection "roadwarrior-net" instance with peer 124.106.205.249 {isakmp=#0/ipsec=#0}
Jan 18 17:59:08 sti-fw2 pluto[14946]: packet from 124.106.205.249:36866: received and ignored informational message



________________________________
From: Paul Wouters <paul at xelerance.com>
To: Ronald <loloski at yahoo.com>
Cc: users at openswan.org
Sent: Mon, January 18, 2010 6:51:30 AM
Subject: Re: [Openswan Users] kernel 2.6.23 + saref + centos 5

On Sun, 17 Jan 2010, Paul Wouters wrote:

>> Do I need to enable something on make menuconfig to enable saref feature?
> 
> No. There is no config option for it. Note that with openswan, you must
> use protostack=mast and have overlapip=yes in your l2tp conn section.

Also double check your installed _updown.mast. You will see this:

        # note "fwmarkmask" is an (obsolete) Openswan patch to "ip" command.
        # note2: iproute2-2.6.22-070710 supports mask via /mask notation instead
        # ip rule add fwmark 0x80000000 fwmarkmask 0x80000000 table 50
        ip rule add fwmark 0x80000000/0x80000000 table 50
        ip route add 0.0.0.0/0 dev $PLUTO_INTERFACE table 50

For the 2.6.23 version you need to use the line with "fwmarkmask". With
2.6.32 you need to use the line with 0x80000000/0x80000000.

Paul
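
Added example (not part of the thread and not Openswan code): a small Python triage of pluto log lines like those quoted above, which groups the SAref range failures per connection and state and notes whether that state still reported an established IPsec SA. The sample lines are constructed from the message formats in the post, with a documentation IP address and made-up SPIs.

```python
import re

# Constructed sample, shaped like the pluto lines quoted in the post.
SAMPLE_LOG = '''\
Jan 18 17:58:33 gw pluto[14946]: "roadwarrior-l2tp"[1] 192.0.2.10 #2: pfkey_lib_debug:pfkey_sa_parse: SAref=196612 must be (SAref == IPSEC_SAREF_NULL(0) || SAref < IPSEC_SA_REF_TABLE_NUM_ENTRIES(32768)).
Jan 18 17:58:33 gw pluto[14946]: "roadwarrior-l2tp"[1] 192.0.2.10 #2: pfkey_lib_debug:pfkey_msg_parse: extension parsing for type 1(security-association) failed with error -22.
Jan 18 17:58:33 gw pluto[14946]: "roadwarrior-l2tp"[1] 192.0.2.10 #2: pfkey_lib_debug:pfkey_sa_parse: SAref=196612 must be (SAref == IPSEC_SAREF_NULL(0) || SAref < IPSEC_SA_REF_TABLE_NUM_ENTRIES(32768)).
Jan 18 17:58:33 gw pluto[14946]: "roadwarrior-l2tp"[1] 192.0.2.10 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x11111111 <0x22222222}
Jan 18 17:59:08 gw pluto[14946]: "roadwarrior-net"[2] 192.0.2.10 #1: received and ignored informational message
'''

# pluto[pid]: "conn"[instance] peer #state: message
PREFIX = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<state>\d+): (?P<msg>.*)')
# The range complaint carries both the offending SAref and the table size.
SAREF = re.compile(
    r'pfkey_sa_parse: SAref=(\d+) must be .*IPSEC_SA_REF_TABLE_NUM_ENTRIES\((\d+)\)')
ESTABLISHED = "IPsec SA established"


def triage(log_text):
    """Group SAref range failures by (connection name, state number)."""
    found = {}
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue  # not a per-connection pluto line
        key = (m["conn"], int(m["state"]))
        bad = SAREF.search(m["msg"])
        if bad:
            saref, limit = int(bad[1]), int(bad[2])
            # Re-check the condition the message itself states:
            # SAref must be 0 (null) or below the table size.
            if saref != 0 and saref >= limit:
                rec = found.setdefault(key, {"saref": saref, "limit": limit,
                                             "count": 0, "established": False})
                rec["count"] += 1
        elif ESTABLISHED in m["msg"] and key in found:
            # pluto went on to report the SA as up despite the parse failure.
            found[key]["established"] = True
    return found


if __name__ == "__main__":
    for (conn, state), rec in triage(SAMPLE_LOG).items():
        print(f'{conn} #{state}: SAref {rec["saref"]} >= {rec["limit"]} '
              f'({rec["count"]}x), established afterwards: {rec["established"]}')
```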



      