[Openswan Users] Problem with not specifying protostack=netkey
Nick Howitt
n1ck.h0w1tt at gmail.com
Thu Mar 24 17:30:37 EDT 2011
Hi,
In my ipsec.conf I have the following:
config setup
    interfaces=%defaultroute
    plutodebug=none # plutodebug="all crypt"
    klipsdebug=none
    oe=no
    protostack=netkey # 2.6.x only

conn %default
    type=tunnel
    authby=secret
    keyingtries=%forever
    # left=howitts.pointclark.net
    left=%defaultroute
    leftsubnet=192.168.2.0/24
    leftsourceip=192.168.2.1
    # leftnexthop=%defaultroute # not necessary but cuts down on error messages
    # rightnexthop=%defaultroute # Made no difference
    # rekey=no # Made no difference, moved to conn files

# Tunnels defined in separate files
#----------------------------------
include /etc/ipsec.d/ipsec.*.conf
And everything works fine. If I remove the line "protostack=netkey" as I
used to with v2.4.x the tunnel fails to start.
Starting ipsec gives:
service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.33...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
but in /var/log/secure I get:
Mar 24 21:19:24 server pluto[19463]: packet from 86.14.149.139:500: received Vendor ID payload [Dead Peer Detection]
Mar 24 21:19:24 server pluto[19463]: packet from 86.14.149.139:500: initial Main Mode message received on 82.20.251.132:500 but no connection has been authorized with policy=PSK
repeating followed by:
Mar 24 21:19:26 server pluto[19463]: connection must specify host IP address for our side
Mar 24 21:19:26 server pluto[19463]: attempt to load incomplete connection
Why does it fail when not explicitly specifying netkey which it then
falls back to using when it works if you explicitly set it to use netkey?
Regards,
Nick
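A small lint for the situation described in this post, added here as an example and not taken from the post or from the Openswan project: it parses an ipsec.conf of the shape shown above into its sections, reports when "config setup" has no explicit protostack (the condition the ipsec_setup warning is about), flags unindented stray lines such as a comment that was wrapped onto a second line, and recognises the KLIPS-to-NETKEY fallback message in startup output. The config and log samples are constructed from the post; the accepted protostack values are the ones documented for Openswan 2.6 (auto, klips, netkey, mast).

```python
"""Lint an ipsec.conf for an explicit protostack and spot the KLIPS-to-NETKEY
fallback in Openswan startup output.

Added example, not code from the mailing-list post or the Openswan project.
The parser covers the ipsec.conf subset used in the post: "config setup" and
"conn NAME" headers, indented key=value parameters, "#" comments, includes.
"""

import re

# Constructed from the config in the post, with the wrapped comment restored.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
    plutodebug=none # plutodebug="all crypt"
    klipsdebug=none
    oe=no
    protostack=netkey # 2.6.x only

conn %default
    type=tunnel
    authby=secret
    keyingtries=%forever
    left=%defaultroute
    leftsubnet=192.168.2.0/24
    leftsourceip=192.168.2.1

include /etc/ipsec.d/ipsec.*.conf
"""

# Constructed from the "service ipsec restart" output in the post.
SAMPLE_STARTUP = [
    "ipsec_setup: Stopping Openswan IPsec...",
    "ipsec_setup: Starting Openswan IPsec 2.6.33...",
    "ipsec_setup: No KLIPS support found while requested, desperately "
    "falling back to netkey",
    "ipsec_setup: NETKEY support found. Use protostack=netkey in "
    "/etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue "
    "with NETKEY",
]

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
# protostack values documented for Openswan 2.6 (assumption: no other values)
KNOWN_STACKS = ("auto", "klips", "netkey", "mast")


def parse_ipsec_conf(text):
    """Return (sections, includes, stray).

    sections maps "config setup" / "conn NAME" to {key: value}. ipsec.conf
    attaches an indented line to the section above it; an unindented line
    that is neither a section header nor an include is reported as stray,
    which is what a comment wrapped onto a second line looks like.
    """
    sections, includes, stray = {}, [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():
            m = SECTION_RE.match(line)
            if m:
                current = f"{m.group(1)} {m.group(2)}"
                sections.setdefault(current, {})
            elif line.startswith("include "):
                includes.append(line.split(None, 1)[1])
            else:
                stray.append((lineno, line))
            continue
        if current is None or "=" not in line:
            stray.append((lineno, line.strip()))
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections, includes, stray


def lint_protostack(sections):
    """Findings about stack selection in "config setup" (empty list = ok)."""
    stack = sections.get("config setup", {}).get("protostack")
    if stack is None:
        return ["config setup: protostack not set; Openswan 2.6 tries KLIPS "
                "first and only falls back to NETKEY at startup"]
    if stack not in KNOWN_STACKS:
        return [f"config setup: unknown protostack value {stack!r}"]
    return []


def stack_fallback_seen(startup_lines):
    """True when ipsec_setup reports falling back from KLIPS to NETKEY."""
    return any("No KLIPS support found" in ln and "falling back" in ln
               for ln in startup_lines)


if __name__ == "__main__":
    secs, incs, stray = parse_ipsec_conf(SAMPLE_CONF)
    print(lint_protostack(secs) or
          "protostack=" + secs["config setup"]["protostack"])
    print("stray lines:", stray)
    print("fallback at startup:", stack_fallback_seen(SAMPLE_STARTUP))
```

Run it against the real /etc/ipsec.conf by reading the file into parse_ipsec_conf; a non-empty stray list points at lines pluto will not treat as part of any section, and a non-empty lint result means startup will go through the KLIPS probe and fallback shown in the post.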