[Openswan Users] but no connection has been authorized with policy=PSK
Thomas Schweikle
tps at vr-web.de
Tue Apr 12 16:49:52 EDT 2011
On 12.04.2011 20:57, Paul Wouters wrote:
> On Tue, 12 Apr 2011, Neal Murphy wrote:
>
>> I believe there's another cause for such one-way traffic (though it may not be
>> related to Thomas' trouble). I encountered the same thing when moving from
>> 2.4.15 to 2.6.2x: one way traffic even though all *looked* OK. Paul said to
>> add 'protostack=klips', despite it being the default and despite OpenSwan
>> saying it was doing just that. I did. The problem vanished.
>
> Note the default of the stack autopick (not specifying protostack=) is:
>
> 1) NETKEY
> 2) MAST
> 3) KLIPS
>
> Some people were seeing some unexpected issues when they got mast instead of
> klips, perhaps because of iptables rules using ipsecX instead of mastX.
>
> Note that early 2.6.x versions (before 2.6.31 or so?) did not auto-pick MAST
> ever.
klips and mast are not part of the kernel any more. Both boxes are running 2.6.38-8
as compiled by Ubuntu:
# uname -a
Linux ns3 2.6.38-8-generic-pae #42-Ubuntu SMP Mon Apr 11 05:17:09 UTC 2011 i686 i686 i386 GNU/Linux
Next finding:
If I start ipsec (or better, restart) it's working, at least for the
gateways themselves. Doing nothing for the next few minutes, then trying
again --- doesn't work any more! I have to restart ipsec again.
I'm filing a bug now. Hopefully someone digs deep enough to make
these errors vanish!
--
Thomas