[Openswan Users] What is PLUTO_PEER_REF and how does OpenSwan define it?

Paul Wouters paul at xelerance.com
Wed Nov 17 22:42:01 EST 2010


On Wed, 17 Nov 2010, Danilo Godec wrote:

> Anyway, we  assumed that there is no reason why this wouldn't work with
> CheckPoint so we rolled out our first 'production' server with OpenSuSE
> 11.2 and OpenSwan 2.6.29 (at that time), but we weren't able to
> establish a VPN tunnel with CheckPoint, so we changed the setup to MAST
> on the spot.
> 
> Now as to the problem with KLIPS - I now have a working configuration
> for MAST. As far as I understand, the only thing I really need to change
> is 'protostack'. When I do that and start 'ipsec', it 'hangs' there:
> 
> 000 #1: "mercator-all":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
> EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate
> 000 #1: pending Phase 2 for "mercator-all" replacing #0

Try recompiling openswan klips without USE_MAST support?

I think you might be seeing both ipsecX and mastX devices, which I've
seen happening, and though it should not matter, seems to interfere
somehow. We're looking at making a module parameter to tell it
which virtual interface to initialise.

> I guess some 'debug' options would help, but which?

you could try: ipsec klipsdebug --all and run the test, then run dmesg.

If there is NAT involved, things might be moving to a different port,
wich might be causing firewall issues, but those should not be different
between klips and mast....

Paul


More information about the Users mailing list