[Openswan Users] How to config Static-to-Roadwarrior in different openswan version?

takanobu watanabe rreedd555 at gmail.com
Fri May 27 22:46:15 EDT 2011


Thanks Erich, Paul and Nick.

When I add protostack=netkey to the server-side ipsec.conf, an error occurs.

--at starting ipsec-- it is just a warning.
# /usr/local/sbin/ipsec setup start
ipsec_setup: Starting Openswan IPsec 2.4.15...
ipsec_setup: WARNING: overridemtu= is ignored when using the NETKEY stack

--in the log-- there is an error
May 28 11:23:40 localhost authpriv.warn pluto[2871]:   Warning: empty directory
May 28 11:23:40 localhost authpriv.warn pluto[2871]: ipsec_doi_handle_delete : false
May 28 11:23:40 localhost authpriv.info ipsec__plutorun: Unknown default RSA hostkey scheme, not generating a default hostkey
May 28 11:23:41 localhost authpriv.warn pluto[2871]: loading secrets from "/etc/ipsec.secrets"
May 28 11:23:43 localhost authpriv.warn pluto[2871]: added connection description "road"
May 28 11:23:43 localhost authpriv.warn pluto[2871]: listening for IKE messages
May 28 11:23:43 localhost authpriv.err pluto[2871]: ERROR: setsockopt IPSEC_POLICY in process_raw_ifaces(). Errno 99: Protocol not available
May 28 11:23:43 localhost authpriv.err pluto[2871]: ERROR: setsockopt IPSEC_POLICY in process_raw_ifaces(). Errno 99: Protocol not available
May 28 11:23:43 localhost authpriv.err pluto[2871]: ERROR: setsockopt IPSEC_POLICY in process_raw_ifaces(). Errno 99: Protocol not available
May 28 11:23:43 localhost authpriv.warn pluto[2871]: no public interfaces found
May 28 11:23:43 localhost authpriv.warn pluto[2871]: forgetting secrets
May 28 11:23:43 localhost authpriv.warn pluto[2871]: loading secrets from "/etc/ipsec.secrets"
May 28 11:23:43 localhost daemon.err ipsec__plutorun: 003 ERROR: setsockopt IPSEC_POLICY in process_raw_ifaces(). Errno 99: Protocol not available
May 28 11:23:43 localhost daemon.err ipsec__plutorun: 003 ERROR: setsockopt IPSEC_POLICY in process_raw_ifaces(). Errno 99: Protocol not available
May 28 11:23:43 localhost daemon.err ipsec__plutorun: 003 ERROR: setsockopt IPSEC_POLICY in process_raw_ifaces(). Errno 99: Protocol not available
May 28 11:23:43 localhost daemon.err ipsec__plutorun: 003 no public interfaces found

Is that an iptables problem?

> So the only difference is
> right=192.168.11.3 vs. right=%any
> on the server side?
Both server-side ipsec.conf:
Static                      vs. RoadWarrior
right=192.168.11.3          vs. right=%any
rightsubnet=192.168.11.0/24 vs. (none)
aggrmode=no                 vs. aggrmode=yes
pfs=yes                     vs. pfs=no


Please teach me a simple config for Static-to-RoadWarrior IPsec for the network below.
        router(192.168.11.0/24)
        /                     \
       /                       \
 IPsec router               Roadwarrior
 Static(192.168.11.11)      Dynamic(192.168.11.X)
 Openswan 2.4.15(klips)     Openswan U2.6.32
      /
     /
A-machine:192.168.25.X

Best regards,
--
W.tknv/
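As an added example (not from the original post or from the Openswan project), here is one server-side ipsec.conf for the static gateway in the diagram above: 192.168.11.11 on Openswan 2.4.15 with KLIPS, protecting 192.168.25.0/24, and accepting a road warrior whose address is not known in advance. Two points it is built around: first, the "setsockopt IPSEC_POLICY ... Protocol not available" (ENOPROTOOPT) errors are what pluto reports when the kernel it runs on does not provide the NETKEY/XFRM policy interface, so a box built for KLIPS should say protostack=klips rather than netkey; second, the road-warrior settings compared above (aggrmode=yes, pfs=no, right=%any) are the weak combination for a PSK setup, because with %any every peer must share one PSK and aggressive mode sends the identity in the clear and exposes a PSK-derived hash that can be captured and cracked offline. The example keeps main mode and PFS and authenticates with RSA host keys instead. The hostnames used as IDs, and the placeholder key values, are assumptions; the real values come from "ipsec showhostkey" on each machine.

```conf
# Added example: server-side /etc/ipsec.conf for the static gateway
# (192.168.11.11, Openswan 2.4.15 with KLIPS) accepting a road warrior.
# Not the original poster's configuration; IDs and key values are placeholders.

config setup
    interfaces=%defaultroute
    # The gateway runs the KLIPS stack. protostack=netkey on a kernel
    # without NETKEY/XFRM support produces
    # "setsockopt IPSEC_POLICY in process_raw_ifaces(). Errno 99: Protocol not available"
    # followed by "no public interfaces found".
    protostack=klips
    nat_traversal=yes

# Weak settings seen in the road-warrior variant (kept here only as a
# reference of what to avoid with a shared secret and right=%any):
#     authby=secret
#     aggrmode=yes    # ID sent in the clear; PSK hash exposed to offline cracking
#     pfs=no          # no fresh DH for the IPsec SA
#
# Corrected connection: main mode, PFS, RSA host keys, so the peer is
# identified by its key and ID rather than by its (unknown) address.
conn road
    left=192.168.11.11
    leftsubnet=192.168.25.0/24
    leftid=@gateway.example              # assumption: any unique ID works
    leftrsasigkey=0sAQ...PLACEHOLDER...  # output of: ipsec showhostkey --left   (on the gateway)
    right=%any
    rightid=@roadwarrior.example         # assumption: must match leftid on the road warrior
    rightrsasigkey=0sAQ...PLACEHOLDER... # output of: ipsec showhostkey --right  (on the road warrior)
    authby=rsasig
    aggrmode=no
    pfs=yes
    # The gateway cannot initiate to an unknown address, so it only loads
    # the connection and waits; the road warrior uses auto=start.
    auto=add
```

On the road warrior the same conn is used with left/right mirrored (its own side has no subnet), auto=start, and protostack set to whatever stack its Openswan 2.6.32 build actually runs on. Check the gateway after "ipsec setup restart" with "ipsec verify" and "ipsec auto --status": the errors above should be gone and the status should show "road" loaded with the expected public interface.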

On 27 May 2011 22:58, Nick Howitt <n1ck.h0w1tt at gmail.com> wrote:
> On 27/05/2011 01:48, Paul Wouters wrote:
>>
>>> typically I _believe_ you would define
>>>
>>> left=%defaultroute
>>> right=%any
>> You can not do that, as openswan in this case cannot determine if it is
>> left or right, since both ends are dynamic.
>>
>> Paul
>>
> Paul,
>
> I know you have said this before but I have used this sort of definition
> since I started using Openswan two years ago. It works with 2.4.15
> without defining protostack (therefore using netkey by default). With
> 2.6.x it works if you define protostack=netkey, but not if you do not
> define it (where it uses netkey by default :-( ). I have never tried any
> other protostack.
>
> Nick
>
> P.S. I also have "interfaces=%defaultroute" in config setup. I don't
> know if this helps.
