[Openswan Users] Openswan Xl2tpd error when connecting VPN on fedora 14.

Mateen Fugawala mateen.fugawala at hotmail.com
Fri Jan 21 10:41:35 EST 2011


I have configured Openswan to connect from my Windows client over L2TP in PSK
mode. However, when I try to connect I am unable to get the connection.
When I do "service ipsec status", I get no tunnels up. Could you please guide
me on what the issue could be?
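
A complete road-warrior L2TP/IPsec PSK setup of the kind described in this message, as an added example that is not part of the thread or of the attachments listed below. It assumes Openswan 2.6 on the NETKEY stack, xl2tpd and pppd on Fedora 14; the server address 203.0.113.5, the 10.8.0.0/24 client pool, the user name and both secrets are placeholders. The two conn sections cover clients that arrive with and without NAT (a Windows guest on a VMware NAT network is the NAT case), and the script takes a root directory argument so the generated files can be read over before anything under /etc is replaced.

```shell
#!/bin/sh
# Added example (not from the thread): writes a minimal Openswan + xl2tpd
# L2TP/IPsec PSK configuration for Windows road-warrior clients.
# Paths, the server address and all secrets are arguments so the output
# can be previewed in a scratch directory before touching /etc.
set -eu

# write_l2tp_configs ROOT SERVER_IP PSK VPNUSER VPNPASS
#   ROOT is "" for the live system; pass a scratch dir to preview.
write_l2tp_configs() {
    root=$1; server=$2; psk=$3; user=$4; pass=$5
    mkdir -p "$root/etc/ppp" "$root/etc/xl2tpd"

    # IKE policy for Windows L2TP clients: PSK auth, transport mode to
    # UDP/1701, no PFS (Windows does not offer it), NAT-T enabled.
    cat > "$root/etc/ipsec.conf" <<EOF
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.8.0.0/24
    oe=off

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    left=$server
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EOF

    # One PSK shared with every client address; keep it root-only.
    printf '%s %%any: PSK "%s"\n' "$server" "$psk" > "$root/etc/ipsec.secrets"
    chmod 600 "$root/etc/ipsec.secrets"

    # xl2tpd hands CHAP-authenticated clients an address from this pool.
    cat > "$root/etc/xl2tpd/xl2tpd.conf" <<EOF
[global]
port = 1701

[lns default]
ip range = 10.8.0.2-10.8.0.254
local ip = 10.8.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

    cat > "$root/etc/ppp/options.xl2tpd" <<EOF
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.8.0.1
noccp
auth
mtu 1410
mru 1410
nodefaultroute
proxyarp
lock
EOF

    # PPP credentials: client  server  secret  allowed-IP
    printf '"%s" * "%s" *\n' "$user" "$pass" > "$root/etc/ppp/chap-secrets"
    chmod 600 "$root/etc/ppp/chap-secrets"
}

# Preview first, then install and restart both daemons:
#   write_l2tp_configs /tmp/preview 203.0.113.5 'long-random-psk' alice 'pw'
#   write_l2tp_configs "" 203.0.113.5 'long-random-psk' alice 'pw'
#   service ipsec restart && service xl2tpd restart
```

Two checks worth making before reading "0 tunnels up" as a server-side fault: the count only rises once a client has completed both IKE phases, so an idle server always reports none, and the host firewall has to admit UDP 500 and 4500 (plus ESP) while UDP 1701 should only ever be reached inside the transport-mode SA. A Windows Vista/7 client behind NAT additionally needs the DWORD AssumeUDPEncapsulationContextOnSendRule set to 2 under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent before it will talk L2TP/IPsec through NAT at all.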


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of users-request at openswan.org
Sent: Friday, January 21, 2011 8:11 PM
To: users at openswan.org
Subject: Users Digest, Vol 86, Issue 40


Today's Topics:

   1. Openswan Xl2tpd error when connecting VPN on fedora 14.
      (Mateen Fugawala)
   2. Re: Openswan Xl2tpd error when connecting VPN on fedora 14.
      (Willie Gillespie)
   3. Re: IPsec on Ubuntu Linux Server 8.04 (Hardy) (Kaushal Shriyan)
   4. Re: ipsec newhostkey --configdir broken ??? (Michael H. Warfield)


Message: 1
Date: Fri, 21 Jan 2011 11:34:14 +0530
From: Mateen Fugawala <mateen.fugawala at hotmail.com>
Subject: [Openswan Users] Openswan Xl2tpd error when connecting VPN on
	fedora 14.
To: <users at openswan.org>
Message-ID: <SNT116-DS130286D7288B562D953052F9F80 at phx.gbl>
Content-Type: text/plain; charset="us-ascii"

I am facing an issue while configuring Open VPN on my Fedora 14 box. It is
on a VM running VMware Workstation. I am attaching the details of my and
also ipsec verify.

Thanks & Regards,

Mateen Fugawala


-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec.conf.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec verify status.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: XL2TPD.conf.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Chap-secrests.txt


Message: 2
Date: Thu, 20 Jan 2011 23:55:57 -0700
From: Willie Gillespie <wgillespie+openswan at es2eng.com>
Subject: Re: [Openswan Users] Openswan Xl2tpd error when connecting
	VPN on fedora 14.
To: users at openswan.org
Message-ID: <4D392DFD.4060404 at es2eng.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 01/20/2011 11:04 PM, Mateen Fugawala wrote:
> I am facing an issue while configuring Open VPN on my Fedora 14 box. 
> It is on a VM running VMware Workstation. I am attaching the details 
> of my and also ipsec verify.

What's the issue?


Message: 3
Date: Fri, 21 Jan 2011 15:55:15 +0530
From: Kaushal Shriyan <kaushalshriyan at gmail.com>
Subject: Re: [Openswan Users] IPsec on Ubuntu Linux Server 8.04
To: Paul Wouters <paul at xelerance.com>
Cc: users at openswan.org
Message-ID: <AANLkTik-6OiOACTV9obw0z8_sZ19PHbQRKgTq1hKSieS at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On Tue, Jan 18, 2011 at 8:36 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Tue, 18 Jan 2011, Kaushal Shriyan wrote:
>> Hi Paul
>> Please have a look at http://paste.ubuntu.com/555411/
> initiate on demand from to proto=1 state:
> fos_start because: acquire
> You did not add oe=no in your "config setup" or you removed it? please
> put it back there.
> "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> phase1 is up.
> "sonicwall" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4287be14 <0xc60d8692 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
> phase2 is up.
> but meanwhile you also race with another connection which ends in:
> "sonicwall" #4: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
> So it seems the sonic wall might want esp=3des-sha1;modp1024
> Paul


Please suggest a good tutorial for understanding IPsec and Openswan; I am
missing the concepts.


-------------- next part --------------
An HTML attachment was scrubbed...
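
Paul's reading of the pluto log above can be mechanised. The filter below is an added example, not code from the thread or from Openswan: it reads pluto lines on stdin (for instance "grep pluto /var/log/secure") and reports whether phase 1 and phase 2 came up and, for a proposal refused under the strict flag, the ike= line that would accept it. One caveat a practitioner will want: "Oakley Transform" is the phase 1 (ISAKMP) proposal, so the setting that has to match it is ike=, while esp= governs phase 2. The sample lines are reconstructed from those quoted above, and the OAKLEY_* to ipsec.conf mapping covers only the algorithms seen in 2.6-era logs. The same "IPsec SA established" states are what the "no tunnels up" complaint at the top of this page is counting, so the filter serves that question too.

```shell
#!/bin/sh
# Added example (not from the thread): triage pluto log lines and turn a
# "refused due to strict flag" proposal into the ike= line that matches it.
set -eu

# Map pluto's OAKLEY_* transform list onto ipsec.conf ike= syntax, e.g.
#   "OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024"
#   -> "3des-sha1;modp1024"
# Only the 2.6-era names are covered; anything else is passed through.
oakley_to_ike() {
    printf '%s\n' "$1" | sed \
        -e 's/OAKLEY_3DES_CBC *([0-9]*)/3des/' \
        -e 's/OAKLEY_AES_CBC *(\([0-9]*\))/aes\1/' \
        -e 's/OAKLEY_SHA1/sha1/' \
        -e 's/OAKLEY_MD5/md5/' \
        -e 's/OAKLEY_GROUP_MODP\([0-9]*\)/modp\1/' \
        -e 's/, */-/' \
        -e 's/, */;/' | tr -d ' '
}

# Read pluto lines on stdin; print "phase1=up|down phase2=up|down"
# and, if a strict-flag refusal was seen, " ike=<proposal>".
triage() {
    p1=down; p2=down; ike=""
    while IFS= read -r line; do
        case $line in
            *"ISAKMP SA established"*) p1=up ;;   # STATE_MAIN_I4 / R3
            *"IPsec SA established"*)  p2=up ;;   # STATE_QUICK_I2 / R2
            *"refused due to strict flag"*)
                t=${line#*"Oakley Transform ["}   # strip up to the list
                t=${t%%"]"*}                      # and everything after it
                ike=$(oakley_to_ike "$t") ;;
        esac
    done
    printf 'phase1=%s phase2=%s' "$p1" "$p2"
    [ -n "$ike" ] && printf ' ike=%s' "$ike"
    printf '\n'
}

# Constructed sample, rebuilt from the lines quoted in the thread.
SAMPLE_LOG='"sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
"sonicwall" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4287be14 <0xc60d8692 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
"sonicwall" #4: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag'

# Demo on the sample; on a live box: grep pluto /var/log/secure | triage
printf '%s\n' "$SAMPLE_LOG" | triage
```

Both results in the sample are consistent with Paul's reading: the first connection completed (phase1=up phase2=up) and the racing one was refused because the peer offered 3DES/SHA1/MODP1024 to a strict policy that did not list it, hence the suggested ike=3des-sha1;modp1024.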


Message: 4
Date: Fri, 21 Jan 2011 09:40:49 -0500
From: "Michael H. Warfield" <mhw at WittsEnd.com>
Subject: Re: [Openswan Users] ipsec newhostkey --configdir broken ???
To: Greg Scott <GregScott at Infrasupport.com>
Cc: mhw at WittsEnd.com, users at openswan.org
Message-ID: <1295620849.5875.26.camel at canyon.wittsend.com>
Content-Type: text/plain; charset="utf-8"

On Wed, 2011-01-19 at 16:20 -0600, Greg Scott wrote:
> I ended up working around the problem by installing a Fedora RPM. That 
> system is running Fedora 12, and Red Hat has a 2.6.29-1 RPM for Fedora 
> 12. So that's what I ended up with. But first, I removed 2.6.32 and 
> installed 2.6.31 from source. ipsec newhostkey with --configdir switch 
> did not fail with 2.6.31, but it also finished immediately and didn't 
> generate anything. So I removed 2.6.31 and installed the Fedora RPM 
> and all worked as expected.

1) Fedora 12 is EOL and you should be using something more up to date.

2) You can get the 2.6.31 rpm from the F14 repos.

3) If you want to rebuild from source but want it to match the Fedora
configuration, download the source RPM and install that and then install the
newer source in the rpmbuild/SOURCES directory and update the
rpmbuild/SPECS/openswan.spec file for the new version and rebuild it that
way.  I do that routinely.  Once in a while it will get bitchy about one
patch or another but that generally just means it's a fix that got
incorporated so I just disable the patch and go again.  I don't think I ran
into that at all from 2.6.31 to 2.6.32 though.  I think that will rebuild

> Go figure.  

> This was how I built from source:

> cp openswan-2.6.32.tar.gz /usr/local/src
> cd /usr/local/src
> tar zxvf openswan-2.6.32.tar.gz
> cd openswan-2.6.32
> make USE_LIBNSS=true programs install

That's probably where you are getting some mismatches between things.
Look in the source rpm spec file and how they configure and build it.
This will end up putting things in /usr/local and look for things in the
wrong directories compared to the Fedora locations. 

> I have a hunch when I built from source, I didn't get in whatever I 
> needed for that NSS database and that was the root of my troubles.

> Is there any documentation for how to use this new NSS database? I 
> still don't know how to import and export keys to/from hostkey.secrets 
> and this complicates firewall replacements and made my life more 
> stressful today.

Yeah, this pretty much sucks royally.  NSS is such a PITA that I typically
just rebuild the RPM and disable NSS and FIPS checking since I need neither
of them.  I understand the motivation behind Fedora and RH moving to this
(unified crypto and key management, FIPS compliance, etc, etc, etc) but
someone should have given some serious thought to smooth migration of
existing sites.  At one point (and I hope like hell it's not still true) you
could not "import" existing private keys into the NSS database.  At least I
never got it to work and there are articles (old at this point) that claim
it was broken scattered on the net.
Yeah, that move was poorly thought out.  Regenerating stacks and stacks of
certificates on dozens of machines just because I couldn't import their
existing private key was NOT AN OPTION for me.  Maybe they've fixed that and
maybe it works smoother now.  I would love to be corrected on this, PLEASE.
I know, what I should do is go back and retest now with the latest nss
tools.  Maybe I'll do that today myself.

Have you read the document README.nss?

You'll find lots of good information in there.  Certainly, from the sounds
of the section on "Migrating Certificates" it would sound like you can
simply export the key and cert to a .p12 pkcs12 file and then import it into
the database, but I wasn't able to get that to work, at least not early on.
It may actually work now.

> thanks

> - Greg Scott


> From: users-bounces at openswan.org on behalf of Greg Scott
> Sent: Wed 1/19/2011 2:37 PM
> To: users at openswan.org
> Subject: [Openswan Users] ipsec newhostkey --configdir broken ???
> I'm in a world of hurt.  I am trying to set up openswan 2.6.32 on a live
> system that died.  This is an install from source.  I build a new empty nss
> database in /etc/ipsec.d like this:
> certutil -N -d /etc/ipsec.d
> and then try to generate a new hostkey, like this:
> ipsec newhostkey --configdir /etc/ipsec.d \
>   --output /etc/ipsec.d/hostkey.secrets \
>   --verbose \
>   --hostname xxx-fw
> This fails with:
> /usr/local/libexec/ipsec/rsasigkey: unrecognized option '--configdir'
> So I do ipsec newhostkey without any --configdir parameter.  This runs to
> completion and generates a good hostkey.secrets file.  But I have a hunch it
> never populates any of the .db files in any nss database.
> Later on when I start everything up, I see this in /var/log/secure:
> Jan 19 13:37:00 localhost pluto[13939]: "colo-hqmirror" #2: unable to
> locate my private key for RSA Signatur
> And I'll bet that's because it's trying to read the key from that nss
> database, which doesn't get populated because that --configdir parameter
> seems to be broken.  This worked for at least 18 months and several
> installations with different versions.  But now it breaks with 2.6.32.  Or
> what am I doing wrong?
> thanks
> - Greg Scott

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
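
The NSS checks that the last two messages circle around, as an added example that is not from the thread, from README.nss or from Openswan itself. It assumes the Mozilla NSS tools certutil and pk12util are installed, and it assumes that a hostkey.secrets written by an NSS-enabled rsasigkey carries a CKAIDNSS: line referencing the key in the database while a legacy secrets file carries the private exponent inline; the sample secrets files in the usage notes are constructed for illustration and the paths and certificate nickname are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Openswan): sanity checks for
# the NSS key store that Fedora's NSS-enabled Openswan reads from.
# Assumes certutil and pk12util from Mozilla NSS are on the PATH.
set -eu

# The database "certutil -N -d DIR" creates is three files in DIR.
nss_db_present() {
    dir=$1
    for f in cert8.db key3.db secmod.db; do
        [ -s "$dir/$f" ] || return 1
    done
    return 0
}

# Classify a secrets file. Assumption: an NSS-style file carries the public
# parts plus a "CKAIDNSS:" reference and the private key lives in key3.db;
# a legacy file carries "PrivateExponent:" itself. Prints nss|legacy|none.
secrets_key_kind() {
    if grep -q 'CKAIDNSS:' "$1"; then
        echo nss
    elif grep -q 'PrivateExponent:' "$1"; then
        echo legacy
    else
        echo none
    fi
}

# Private keys pluto can actually reach. An empty listing beside an
# NSS-style secrets file is the "unable to locate my private key" case.
nss_list_keys() {
    certutil -K -d "$1"
}

# README.nss-style migration: carry a cert+key pair across as PKCS#12
# rather than regenerating it on the replacement firewall.
nss_export_p12() {   # nss_export_p12 DIR NICKNAME OUT.p12
    pk12util -o "$3" -n "$2" -d "$1"
}
nss_import_p12() {   # nss_import_p12 DIR IN.p12
    pk12util -i "$2" -d "$1"
}

# One-line verdict for a config directory and its secrets file.
nss_hostkey_report() {
    dir=$1; secrets=$2
    if ! nss_db_present "$dir"; then
        echo "no NSS database in $dir (create one: certutil -N -d $dir)"
        return 0
    fi
    case $(secrets_key_kind "$secrets") in
        nss)    echo "NSS-backed secrets; confirm the key exists: certutil -K -d $dir" ;;
        legacy) echo "legacy secrets with the private key inline; nothing references $dir" ;;
        none)   echo "no RSA key in $secrets" ;;
    esac
}

# Usage on a Fedora box:
#   nss_hostkey_report /etc/ipsec.d /etc/ipsec.d/hostkey.secrets
#   nss_list_keys /etc/ipsec.d
#   nss_export_p12 /etc/ipsec.d oldfw-cert /root/oldfw.p12   # on the old host
#   nss_import_p12 /etc/ipsec.d /root/oldfw.p12              # on the new host
```

Before trusting any of this on a source build, confirm which tree the ipsec wrapper dispatches to with "ipsec --directory": a make install without a prefix puts the helpers under /usr/local/libexec/ipsec (the path in the error quoted above) while the Fedora RPM uses /usr/libexec/ipsec, and a mix of the two is exactly how an rsasigkey that does not know --configdir ends up being the one that runs.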


End of Users Digest, Vol 86, Issue 40
