[Openswan Users] need help with openswan

Paul Wouters paul at xelerance.com
Fri Jun 4 11:31:49 EDT 2010


On Fri, 4 Jun 2010, pual wrote:

> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         plutoopts="--perpeerlog"

remove that line

>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

This is not the line causing the errors below. So your config and your logs do not match. Be sure to
attempt with the configuration file you send us.

>         nhelpers=0

not needed.

>         uniqueids=yes
>         oe=off
>         protostack=netkey
> 
> conn west-pual
>         left=x.x.x.x
>         leftprotoport=17/%any

17/%any should be 17/1701 (assuming this is to use l2tp)

>         leftid=vpn-server
>         right=%any
>         rightid=@mac-pual

You probably don't want that rightid= line

>         rightprotoport=17/%any
>         rightsubnet=vhost:%no,%priv
>         authby=secret
>         auto=add
>         pfs=no
>         type=transport

Add rekey=no (you cannot initiate or rekey to %any)

> Jun  4 16:27:14 vpn-server pluto[2973]: fixup for bad virtual_private entry '%4:91.200.17.23/24', please fix your
> virtual_private line!
> Jun  4 16:27:14 vpn-server pluto[2973]: fixup for bad virtual_private entry '%4:91.200.17.23/24', please fix your
> virtual_private line!

This is how I can see that your logs and config do not match.

> Jun  4 16:28:50 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #1: max number of retransmissions (2) reached STATE_MAIN_R1
> Jun  4 16:28:53 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #2: max number of retransmissions (2) reached STATE_MAIN_R1
> Jun  4 16:28:56 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #3: max number of retransmissions (2) reached STATE_MAIN_R1
> Jun  4 16:28:59 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #4: max number of retransmissions (2) reached STATE_MAIN_R1
> Jun  4 16:28:59 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y: deleting connection "west-pual" instance with peer y.y.y.y

Your first response packet seems to never make it out to the other side? Check firewall rules on both ends.

> log on linux when try to bring the connection up from the Mac OS:

> Jun  4 16:27:49 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun  4 16:27:49 vpn-server pluto[2973]: "west-pual"[1] y.y.y.y #4: STATE_MAIN_R1: sent MR1, expecting MI2

Same here. Your first reply packet never seems to be received by the other end.

Paul
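The points raised in the reply above (the malformed virtual_private entry that produces the "fixup for bad virtual_private entry" log line, and the road-warrior L2TP settings: rekey=no, leftprotoport=17/1701, no rightid=) can be checked mechanically. The script below is an added example for this thread, not Openswan's code and not something the poster or Paul provided. It parses an ipsec.conf into sections and reports those issues; the two embedded configs are constructed for the example (the first reproduces the posted config with the bad `%4:` entry from the log added, the second applies the suggested fixes), and the `17/1701` check assumes, as the reply does, that the connection is for L2TP.

```python
"""Lint an Openswan 2.x ipsec.conf for the issues discussed in this thread.
Added example, not Openswan's own code.  Assumes the conn is for L2TP/IPsec."""
import re
from typing import Dict, List

# virtual_private entries look like %v4:10.0.0.0/8, %v6:fd00::/8, or !%v4:... for an exclusion
VP_ENTRY = re.compile(r"^!?%v[46]:[^/]+/\d{1,3}$")

# Constructed reproduction of the posted config, with the bad entry from the log added
ORIGINAL_CONF = """\
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        plutoopts="--perpeerlog"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:91.200.17.23/24
        nhelpers=0
        uniqueids=yes
        oe=off
        protostack=netkey

conn west-pual
        left=x.x.x.x
        leftprotoport=17/%any
        leftid=vpn-server
        right=%any
        rightid=@mac-pual
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        authby=secret
        auto=add
        pfs=no
        type=transport
"""

# Constructed config with the reply's suggestions applied
FIXED_CONF = """\
version 2.0
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        uniqueids=yes
        oe=off
        protostack=netkey

conn west-pual
        left=x.x.x.x
        leftprotoport=17/1701
        leftid=vpn-server
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        authby=secret
        auto=add
        pfs=no
        rekey=no
        type=transport
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'setup': {...}, 'conn NAME': {...}}; '#' comments are stripped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: section header or top-level keyword
            parts = line.split()
            if parts[0] == "config" and len(parts) > 1:
                current = parts[1]
            elif parts[0] == "conn" and len(parts) > 1:
                current = "conn " + parts[1]
            else:
                current = None  # e.g. 'version 2.0'
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def lint(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Report the problems the reply above points out, as human-readable findings."""
    findings: List[str] = []
    setup = sections.get("setup", {})
    if "plutoopts" in setup:
        findings.append("setup: remove the plutoopts= line")
    if setup.get("nhelpers") == "0":
        findings.append("setup: nhelpers=0 is not needed")
    for entry in filter(None, (e.strip() for e in setup.get("virtual_private", "").split(","))):
        if not VP_ENTRY.match(entry):  # pluto logs 'fixup for bad virtual_private entry' here
            findings.append(f"setup: bad virtual_private entry '{entry}' (expected %v4:net/len or %v6:net/len)")
    for name, conn in sections.items():
        if not name.startswith("conn "):
            continue
        if conn.get("right") == "%any":
            if conn.get("rekey", "yes") != "no":
                findings.append(f"{name}: add rekey=no (cannot initiate or rekey to %any)")
            if "rightid" in conn:
                findings.append(f"{name}: rightid= is probably unwanted with right=%any")
        lpp = conn.get("leftprotoport", "")
        if conn.get("type") == "transport" and lpp.startswith("17/") and lpp != "17/1701":
            findings.append(f"{name}: leftprotoport={lpp}; use 17/1701 for L2TP")
    return findings


if __name__ == "__main__":
    for f in lint(parse_ipsec_conf(ORIGINAL_CONF)):
        print(f)
```

Run against the first config it lists six findings, one per point in the reply, including the `%4:91.200.17.23/24` entry that pluto refuses; against the second it reports nothing. The rightprotoport=17/%any line is deliberately left alone, since only the server side was told to pin port 1701.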

