[Openswan Users] Problem with a simple connection.

Elison Niven elison.niven at elitecore.com
Thu Dec 6 05:27:08 EST 2012


The address type of your host address (left) does not match with the 
address type of your nexthop (leftnexthop).
You can try removing leftnexthop=%defaultroute and put in the actual 
IPv4 gateway, and do the same for rightnexthop.
You can also try disabling IPv6.

On Thursday 06 December 2012 08:48:45 AM IST, adstar at genis-x.com wrote:
> Hi all,
>
> I’m having an issue setting up a tunnel that I need some help with.
>
> I have included the relevant files below
>
>
> My first issue is when I start ipsec I get the following error:
>
> Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family
> inconsistency in this connection=2 host=2/nexthop=0
>
> Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
> incomplete connection
>
> Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family
> inconsistency in this connection=2 host=2/nexthop=0
>
> Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
> incomplete connection
>
> My second issue is the right side can’t connect.
>
> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]
>
> packet from 119.225.115.131:500: initial Main Mode message received on
> 103.29.172.40:500 but no connection has been authorized with policy=PSK
>
> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]
>
> packet from 119.225.115.131:500: initial Main Mode message received on
> 103.29.172.40:500 but no connection has been authorized with policy=PSK
>
> Can anyone help me on where to go from here?
>
> Cheers
> Adam
>
> firewall# ipsec --version
>
> Linux Openswan 2.6.37 (klips)
>
>
> firewall# cat ipsec.conf
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
>
> config setup
>
>         #plutodebug = "all"
>
>         #klipsdebug = "all"
>
>         plutoopts="--perpeerlog"
>
>         dumpdir=/var/run/pluto/
>
>         nat_traversal=yes
>
>
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>
>         oe=off
>
>         protostack=klips
>
>         plutostderrlog=/var/log/pluto.log
>
>         interfaces="ipsec0=eth0"
>
>         listen=103.29.172.40
>
> # Add connections here
>
> conn multi-conn1
>
>         rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32}
>
>         leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.85/32,103.29.173.86/32,103.29.173.60/32,103.29.173.61/32,103.29.173.64/32,103.29.173.65/32}
>
>         also=conn1
>
> conn conn1
>
>         type = tunnel
>
>         authby = secret
>
>         left = 103.29.172.40
>
>         leftnexthop = %defaultroute
>
>         right = 119.225.115.131
>
>         rightnexthop = %defaultroute
>
>         ike = aes256-sha1-modp1536
>
>         esp = aes256-sha1
>
>         keyexchange = ike
>
>         pfs = no
>
>         auto = add
>
> firewall# cat ipsec.secrets
>
> # This file holds shared secrets or RSA private keys for inter-Pluto
>
> # authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
>
> 103.29.172.40 119.225.115.131: PSK "BLANK-BLANK-BLANK"
>
> firewall# ip addr
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>
>     inet 127.0.0.1/8 scope host lo
>
>     inet6 ::1/128 scope host
>
>        valid_lft forever preferred_lft forever
>
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>
>     link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>
>     inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
>
>     inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
>
>     inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
>
>     inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
>
>     inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
>
>     inet 103.29.172.40/24 scope global secondary eth0
>
>     inet6 fe80::225:90ff:fe35:359e/64 scope link
>
>        valid_lft forever preferred_lft forever
>
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>
>     link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
>
>     inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
>
>     inet6 fe80::225:90ff:fe35:359f/64 scope link
>
>        valid_lft forever preferred_lft forever
>
> 82: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 10
>
>     link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>
>     inet 103.29.172.1/32 scope global ipsec0
>
>     inet 103.29.173.1/32 scope global ipsec0
>
>     inet 103.29.174.1/32 scope global ipsec0
>
>     inet 103.29.175.1/32 scope global ipsec0
>
>     inet 172.16.0.100/32 scope global ipsec0
>
>     inet 103.29.172.40/32 scope global ipsec0
>
>     inet6 fe80::225:90ff:fe35:359e/128 scope link
>
>        valid_lft forever preferred_lft forever
>
> 83: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
>
>     link/void
>
> firewall# cat daemon.log
>
> Dec  6 13:51:29 firewall ipsec_setup: Starting Openswan IPsec 2.6.37...
>
> Dec  6 13:51:29 firewall ipsec_setup: Using KLIPS/legacy stack
>
> Dec  6 13:51:30 firewall ipsec_setup: KLIPS debug `none'
>
> Dec  6 13:51:30 firewall ipsec_setup: KLIPS ipsec0 on eth0
> 103.29.172.1/24 broadcast  mtu 1500
>
> Dec  6 13:51:30 firewall ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
>
> Dec  6 13:51:30 firewall ipsec_setup: ...Openswan IPsec started
>
> Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family
> inconsistency in this connection=2 host=2/nexthop=0
>
> Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
> incomplete connection
>
> Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family
> inconsistency in this connection=2 host=2/nexthop=0
>
> Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
> incomplete connection
>

--
Best Regards,
Elison Niven
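
An added example, not part of the original thread or of Openswan: a small pre-flight lint for ipsec.conf that reports every conn (including ones that inherit settings through also=) whose left/right host is an address literal while the matching nexthop has a different address family. It assumes that %defaultroute counts as an unresolved family, as the "nexthop=0" in the quoted log suggests; the function names and the trimmed sample are constructed for illustration.

```python
import ipaddress

# Constructed sample: the conn sections from the quoted ipsec.conf, trimmed.
SAMPLE = """\
conn multi-conn1
        also=conn1
conn conn1
        left = 103.29.172.40
        leftnexthop = %defaultroute
        right = 119.225.115.131
        rightnexthop = %defaultroute
"""

def parse_conns(text):
    """Return {conn name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not raw[0].isspace():      # a column-1 line opens a section
            current = conns.setdefault(line.split(None, 1)[1], {}) if line.startswith("conn ") else None
        elif line and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return conns

def family(value):
    """4 or 6 for an address literal, 0 for anything else (%defaultroute, names)."""
    try:
        return ipaddress.ip_address(value).version
    except ValueError:
        return 0

def resolve(conns, name, seen=()):
    """Merge settings inherited through also= (the conn's own values win)."""
    merged, also = {}, conns[name].get("also")
    if also in conns and also not in seen:     # 'seen' guards against also= loops
        merged.update(resolve(conns, also, seen + (name,)))
    merged.update(conns[name])
    return merged

def check(text):
    """List (conn, side, host, nexthop) where host and nexthop families differ."""
    conns, findings = parse_conns(text), []
    for name in conns:
        conn = resolve(conns, name)
        for side in ("left", "right"):
            host_family, hop = family(conn.get(side, "")), conn.get(side + "nexthop")
            if host_family and hop is not None and family(hop) != host_family:
                findings.append((name, side, conn[side], hop))
    return findings
```
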

