[Openswan Users] Problem with a simple connection.

adstar at genis-x.com adstar at genis-x.com
Wed Dec 5 22:03:18 EST 2012 

Hi all,

I'm having an issue setting up a tunnel that I need some help with.

I have included the relevant files below


My first issue is when I start ipsec I get the following error:

 

Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family inconsistency
in this connection=2 host=2/nexthop=0

Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load incomplete
connection

Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family inconsistency
in this connection=2 host=2/nexthop=0

Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load incomplete
connection

 

My second issue is the right side can't connect.

packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
[f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]

packet from 119.225.115.131:500: initial Main Mode message received on
103.29.172.40:500 but no connection has been authorized with policy=PSK

packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
[f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]

packet from 119.225.115.131:500: initial Main Mode message received on
103.29.172.40:500 but no connection has been authorized with policy=PSK

 

Can anyone help me on where to go from here?

Cheers
Adam

 

firewall# ipsec --version

Linux Openswan 2.6.37 (klips)


firewall# cat ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration

config setup

        #plutodebug = "all"

        #klipsdebug = "all"

        plutoopts="--perpeerlog"

        dumpdir=/var/run/pluto/

        nat_traversal=yes

 
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0
.0.0/8,%v6:fd00::/8,%v6:fe80::/10

        oe=off

        protostack=klips

        plutostderrlog=/var/log/pluto.log

        interfaces="ipsec0=eth0"

        listen=103.29.172.40

# Add connections here

 

conn multi-conn1

rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.12
3.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32}

leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.7
3/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103
.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.
85/32,103.29.173.86/32,103.29.173.60/32,103.29.173.61/32,103.29.173.64/32,10
3.29.173.65/32}

also=conn1

 

conn conn1

        type = tunnel

        authby = secret

        left = 103.29.172.40

        leftnexthop = %defaultroute

        right = 119.225.115.131

        rightnexthop = %defaultroute

        ike = aes256-sha1-modp1536

        esp = aes256-sha1

        keyexchange = ike

        pfs = no

        auto = add

firewall# cat ipsec.secrets

# This file holds shared secrets or RSA private keys for inter-Pluto

# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

103.29.172.40 119.225.115.131: PSK "BLANK-BLANK-BLANK"

firewall# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP qlen 1000

    link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff

    inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0

    inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0

    inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1

    inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2

    inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4

    inet 103.29.172.40/24 scope global secondary eth0

    inet6 fe80::225:90ff:fe35:359e/64 scope link

       valid_lft forever preferred_lft forever

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP qlen 1000

    link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff

    inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1

    inet6 fe80::225:90ff:fe35:359f/64 scope link

       valid_lft forever preferred_lft forever

82: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen
10

    link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff

    inet 103.29.172.1/32 scope global ipsec0

    inet 103.29.173.1/32 scope global ipsec0

    inet 103.29.174.1/32 scope global ipsec0

    inet 103.29.175.1/32 scope global ipsec0

    inet 172.16.0.100/32 scope global ipsec0

    inet 103.29.172.40/32 scope global ipsec0

    inet6 fe80::225:90ff:fe35:359e/128 scope link

       valid_lft forever preferred_lft forever

83: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10

    link/void

 

firewall# cat daemon.log

Dec  6 13:51:29 firewall ipsec_setup: Starting Openswan IPsec 2.6.37...

Dec  6 13:51:29 firewall ipsec_setup: Using KLIPS/legacy stack

Dec  6 13:51:30 firewall ipsec_setup: KLIPS debug `none'

Dec  6 13:51:30 firewall ipsec_setup: KLIPS ipsec0 on eth0 103.29.172.1/24
broadcast  mtu 1500

Dec  6 13:51:30 firewall ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0

Dec  6 13:51:30 firewall ipsec_setup: ...Openswan IPsec started

Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family inconsistency
in this connection=2 host=2/nexthop=0

Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load incomplete
connection

Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family inconsistency
in this connection=2 host=2/nexthop=0

Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load incomplete
connection

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20121206/fa8dad04/attachment-0001.html>

More information about the Users mailing list