[Openswan Users] Trouble after changing WAN IP address
Jesper Langkjær
jl at MINISOFT.DK
Fri May 27 04:37:12 EDT 2011
Hi.
We got a new IP address from our ISP.
Then I changed the IP in ipsec.conf.
And now I'm stuck at:
ipsec auto --up xxxxxx_XX
117 "xxxxxx_XX" #50: STATE_QUICK_I1: initiate
010 "xxxxxx_XX" #50: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "xxxxxx_XX" #50: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "xxxxxx_XX" #50: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "xxxxxx_XX" #50: starting keying attempt 2 of an unlimited number, but releasing whack
The only thing that changed was the IP.
The old one: (this config worked)
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        forwardcontrol=yes
        klipsdebug=none
        nat_traversal=no
        plutodebug=none
        # nat_traversal=no
        # interfaces="ipsec0=eth0"

#conn %default
# authby=rsasig
# leftrsasigkey=
# rightrsasigkey =
# left=%defaultroute
# keyingtries=1
#keylife=1200s
#ikelifetime=1200s

conn xxxxxx_XX
        auth=esp
        authby=secret
        auto=start
        compress=no
        esp=3des-sha1-1024
        ike=3des-sha1
        keyexchange=ike
        keylife=2h
        left=83.xx.xxx.14
        leftnexthop=83.xx.xxx.13
        leftsubnet=10.27.0.0/16
        leftsourceip=10.27.1.28
        pfs=no
        right=91.xxx.xxx.2
        rightsubnet=192.168.37.34/32

include /etc/ipsec.d/*.conf

The new one:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        forwardcontrol=yes
        klipsdebug=none
        nat_traversal=no
        plutodebug=none
        # nat_traversal=no
        interfaces="ipsec0=eth0"

#conn %default
# authby=rsasig
# leftrsasigkey=
# rightrsasigkey =
# left=%defaultroute
# keyingtries=1
#keylife=1200s
#ikelifetime=1200s

conn xxxxxx_XX
        auth=esp
        authby=secret
        auto=start
        compress=no
        esp=3des-sha1-1024
        ike=3des-sha1
        keyexchange=ike
        keylife=2h
        left=92.xxx.xx.246
        leftnexthop=92.xxx.xx.193
        leftsubnet=10.27.0.0/16
        leftsourceip=10.27.1.28
        pfs=no
        right=91.xxx.xxx.2
        rightsubnet=192.168.37.34/32

And the old ipsec.secrets:
: RSA {
        # RSA 32 bits xxxxxx.dk Tue Sep 16 15:17:08 2008
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQOm0nwL
        Modulus: 0xa6d27c0b
        PublicExponent: 0x03
        # everything after this point is secret
        PrivateExponent: 0x1bcd79cb
        Prime1: 0xed6b
        Prime2: 0xb3e1
        Exponent1: 0x9e47
        Exponent2: 0x77eb
        Coefficient: 0xdb07
        }
# do not change the indenting of that "}"

83.xx.xxx.14 91.xxx.xxx.2 : PSK "VERYSECRETKEY"

And the new one:
: RSA {
        # RSA 32 bits xxxxxx.dk Tue Sep 16 15:17:08 2008
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQOm0nwL
        Modulus: 0xa6d27c0b
        PublicExponent: 0x03
        # everything after this point is secret
        PrivateExponent: 0x1bcd79cb
        Prime1: 0xed6b
        Prime2: 0xb3e1
        Exponent1: 0x9e47
        Exponent2: 0x77eb
        Coefficient: 0xdb07
        }
# do not change the indenting of that "}"

92.xxx.xx.246 91.xxx.xxx.2 : PSK "VERYSECRETKEY"

Kind regards
Jesper Langkjær
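
Added example, not part of the original post: one way to see what differs between two ipsec.conf files is to compare only their active (uncommented) settings. The function names are hypothetical, the two inputs are constructed by reducing the files quoted above to a few lines each, and treating everything after "#" as a comment is a simplifying assumption.

```python
import re
# Constructed input: the two posted files reduced to a few lines (addresses stay masked).
OLD_CONF = """\
config setup
    nat_traversal=no
    # interfaces="ipsec0=eth0"
conn xxxxxx_XX
    left=83.xx.xxx.14
    leftnexthop=83.xx.xxx.13
include /etc/ipsec.d/*.conf
"""
NEW_CONF = """\
config setup
    nat_traversal=no
    interfaces="ipsec0=eth0"
conn xxxxxx_XX
    left=92.xxx.xx.246
    leftnexthop=92.xxx.xx.193
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}} for active lines only; comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumption: '#' always starts a comment
        m = re.match(r"(config|conn|include|version)\s+(.+)$", line)
        if m and m.group(1) in ("include", "version"):
            sections.setdefault("(top level)", {})[m.group(1)] = m.group(2)
            current = None                    # a top-level directive ends the section
        elif m:
            current = sections.setdefault(f"{m.group(1)} {m.group(2)}", {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def diff_active(old, new):
    """List (section, key, old_value, new_value) for each active setting that differs."""
    changes = []
    for section in sorted(set(old) | set(new)):
        a, b = old.get(section, {}), new.get(section, {})
        for key in sorted(set(a) | set(b)):
            if a.get(key) != b.get(key):      # None means "not set in this file"
                changes.append((section, key, a.get(key), b.get(key)))
    return changes

if __name__ == "__main__":
    for change in diff_active(parse_ipsec_conf(OLD_CONF), parse_ipsec_conf(NEW_CONF)):
        print(change)
```

On the two files as posted, this comparison reports left and leftnexthop, and also interfaces= (commented out in the old file, active in the new one) and the include line (present only in the old file).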