[Openswan Users] but no connection has been authorized with policy=PSK

Thomas Schweikle tps at vr-web.de
Tue Apr 12 16:49:52 EDT 2011


On 12.04.2011 20:57, Paul Wouters wrote:
> On Tue, 12 Apr 2011, Neal Murphy wrote:
> 
>> I believe there's another cause for such one-way traffic (though it may not be
>> related to Thomas' trouble). I encountered the same thing when moving from
>> 2.4.15 to 2.6.2x: one way traffic even though all *looked* OK. Paul said to
>> add 'protostack=klips', despite it being the default and despite OpenSwan
>> saying it was doing just that. I did. The problem vanished.
> 
> Note the default of the stack autopick (not specifying protostack=) is:
> 
> 1) NETKEY
> 2) MAST
> 3) KLIPS
> 
> Some people were seeing some unexpected issues when they got mast instead of
> klips, perhaps because of iptables rules using ipsecX instead of mastX.
> 
> Note that early 2.6.x versions (before 2.6.31 or so?) did not auto-pick MAST
> ever.

klips
mast

are not part of the kernel any more. Both boxes are running 2.6.38-8
as compiled by Ubuntu:
# uname -a
Linux ns3 2.6.38-8-generic-pae #42-Ubuntu SMP Mon Apr 11 05:17:09
UTC 2011 i686 i686 i386 GNU/Linux

Next finding:
If I start ipsec (or better, restart it) it's working, at least for the
gateways themselves. Doing nothing for the next few minutes, then trying
again --- doesn't work any more! I have to restart ipsec again.

I'm filing a bug now. Hopefully someone digs deep enough to make
these errors vanish!


-- 
Thomas


