[Openswan Users] Problem with a simple connection.

adstar at genis-x.com adstar at genis-x.com
Thu Dec 6 16:24:40 EST 2012


Hi all,

If I switch to protostack=mast the vpn comes up, but I don't know enough about mast, does it place a route like klips? If so I'm not seeing a route when the connection comes up.
With this config that works if I switch back to klips I get the 
packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08988...]

error?

Any advise guys?

Plutorun started on Fri Dec 7 08:17:03 EDT 2012
adjusting ipsec.d to /etc/ipsec.d
bind() will be filtered for 103.29.172.40
Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:24066
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
   port floating activation criteria nat_t=1/port_float=1
   NAT-Traversal support  [enabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=24070 (fd:4)
Using KLIPSng (mast) IPsec interface code on 2.6.35.14-i686
using /dev/urandom as source of random entropy
Changed path to directory '/etc/ipsec.d/cacerts'
Changed path to directory '/etc/ipsec.d/aacerts'
Changed path to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
  Warning: empty directory
listening for IKE messages
| useful mast device -1
skipping interface eth1 with 202.45.103.162
ERROR: PF_KEY K_SADB_X_PLUMBIF response for configure_mast_device  included errno 17: File exists
adding interface mast0/eth0 103.29.172.40:500 (fd=10)
adding interface mast0/eth0 103.29.172.40:4500 (fd=11)
skipping interface eth0:4 with 172.16.0.100
skipping interface eth0:2 with 103.29.175.1
skipping interface eth0:1 with 103.29.174.1
skipping interface eth0:0 with 103.29.173.1
skipping interface eth0 with 103.29.172.1
| useful mast device 0
| useful mast device 0
loading secrets from "/etc/ipsec.secrets"
packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c10b74...]
"multi-conn/1x1" #1: responding to Main Mode
"multi-conn/1x1" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"multi-conn/1x1" #1: STATE_MAIN_R1: sent MR1, expecting MI2
"multi-conn/1x1" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"multi-conn/1x1" #1: STATE_MAIN_R2: sent MR2, expecting MI3
"multi-conn/1x1" #1: Main mode peer ID is ID_IPV4_ADDR: '119.225.115.131'
"multi-conn/1x1" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"multi-conn/1x1" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
"multi-conn/1x1" #1: the peer proposed: 103.29.173.70/32:0/0 -> 144.55.124.122/32:0/0
"multi-conn/1x1" #2: responding to Quick Mode proposal {msgid:ed10f5ab}
"multi-conn/1x1" #2:     us: 103.29.173.70/32===103.29.172.40<103.29.172.40>[+S=C]---202.45.103.161
"multi-conn/1x1" #2:   them: 202.45.103.161---119.225.115.131<119.225.115.131>[+S=C]===144.55.124.122/32
| mast_raw_eroute called op=4 said=tun.1002 at 103.29.172.40
"multi-conn/1x1" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"multi-conn/1x1" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
| mast_sag_eroute called op=1/add
| mast_raw_eroute called op=1 said=tun.1001 at 119.225.115.131
"multi-conn/1x1" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"multi-conn/1x1" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x2a7072ec <0x1f27e374 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"multi-conn/1x1" #2: discarding duplicate packet; already STATE_QUICK_R2
"multi-conn/1x1" #2: discarding duplicate packet; already STATE_QUICK_R2


# bconn configuration
config setup
        # plutodebug = "all"
        # klipsdebug = "all"
        #plutoopts="--perpeerlog"
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=mast
        plutostderrlog=/var/log/pluto.log
#       interfaces="ipsec0=eth0"
        listen=103.29.172.40

conn multi-conn
        rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32}        leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8
        also=conn

conn conn
        type = tunnel
        authby = secret
        left = 103.29.172.40
        leftnexthop = %defaultroute
        right = 119.225.115.131
        rightnexthop = %defaultroute
        ike = aes256-sha1-modp1536
        esp = aes256-sha1
        keyexchange = ike
        pfs = no
        auto = add

-----Original Message-----
From: Elison Niven [mailto:elison.niven at elitecore.com] 
Sent: Thursday, 6 December 2012 10:41 PM
To: adstar at genis-x.com
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Problem with a simple connection.

There's a typo. It should be left=103.29.172.40.
You have put left = 103.29.173.140

On Thursday 06 December 2012 05:09:11 PM IST, adstar at genis-x.com wrote:
> Hi Elison,
>
> Sorry I totally forgot to cc the list..
> I made the changes to my config but still have the issues with PSK
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> version 2.0     # conforms to second version of ipsec.conf specification
> # bconn configuration
> config setup
>          dumpdir=/var/run/pluto/
>          nat_traversal=yes
>          virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>          oe=off
>          protostack=auto
>          plutostderrlog=/var/log/pluto.log
>          interfaces="ipsec0=eth0"
>
> conn multi-conn
>          rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32}        leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8
>          also=conn
>
> conn conn
>          type = tunnel
>          authby = secret
>          left = 103.29.173.140
>          right = 119.225.115.131
>          rightnexthop = %defaultroute
>          ike = aes256-sha1-modp1536
>          esp = aes256-sha1
>          keyexchange = ike
>          pfs = no
>          auto = add
>
> My Pluto log
> Plutorun started on Thu Dec 6 22:36:06 EDT 2012 adjusting ipsec.d to 
> /etc/ipsec.d Starting Pluto (Openswan Version 2.6.37; Vendor ID 
> OEu\134d\134jy\134\134ap) pid:9770 LEAK_DETECTIVE support [disabled] 
> OCF support for IKE [disabled] SAref support [disabled]: Protocol not 
> available SAbind support [disabled]: Protocol not available NSS 
> support [disabled] HAVE_STATSD notification support not compiled in 
> Setting NAT-Traversal port-4500 floating to on
>     port floating activation criteria nat_t=1/port_float=1
>     NAT-Traversal support  [enabled]
> using /dev/urandom as source of random entropy
> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0) 
> starting up 1 cryptographic helpers started helper pid=9773 (fd:4) 
> Kernel interface auto-pick No Kernel NETKEY interface detected Using 
> KLIPS IPsec interface code on 2.6.35.14-i686 using /dev/urandom as 
> source of random entropy Changed path to directory 
> '/etc/ipsec.d/cacerts'
> Changed path to directory '/etc/ipsec.d/aacerts'
> Changed path to directory '/etc/ipsec.d/ocspcerts'
> Changing to directory '/etc/ipsec.d/crls'
>    Warning: empty directory
> address family inconsistency in this connection=2 host=2/nexthop=0 
> attempt to load incomplete connection address family inconsistency in 
> this connection=2 host=2/nexthop=0 attempt to load incomplete 
> connection listening for IKE messages adding interface ipsec0/eth0 
> 103.29.172.40:500 adding interface ipsec0/eth0 103.29.172.40:4500 
> adding interface ipsec0/eth0:4 172.16.0.100:500 adding interface 
> ipsec0/eth0:4 172.16.0.100:4500 adding interface ipsec0/eth0:2 
> 103.29.175.1:500 adding interface ipsec0/eth0:2 103.29.175.1:4500 
> adding interface ipsec0/eth0:1 103.29.174.1:500 adding interface 
> ipsec0/eth0:1 103.29.174.1:4500 adding interface ipsec0/eth0:0 
> 103.29.173.1:500 adding interface ipsec0/eth0:0 103.29.173.1:4500 
> adding interface ipsec0/eth0 103.29.172.1:500 adding interface 
> ipsec0/eth0 103.29.172.1:4500 loading secrets from 
> "/etc/ipsec.secrets"
> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload 
> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...]
> packet from 119.225.115.131:500: initial Main Mode message received on 
> 103.29.172.40:500 but no connection has been authorized with 
> policy=PSK packet from 119.225.115.131:500: ignoring unknown Vendor ID 
> payload 
> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...]
> packet from 119.225.115.131:500: initial Main Mode message received on 
> 103.29.172.40:500 but no connection has been authorized with 
> policy=PSK
>
> Cheers
> Adam
>
>
>
> -----Original Message-----
> From: Elison Niven [mailto:elison.niven at elitecore.com]
> Sent: Thursday, 6 December 2012 10:08 PM
> To: adstar at genis-x.com
> Cc: users at lists.openswan.org
> Subject: Re: [Openswan Users] Problem with a simple connection.
>
>> Ok so my external interface is  eth1 internal eth0
> You are receiving the main mode request on eth0.
>
> You are receiving packets on this interface :
>> packet from 119.225.115.131:500: initial Main Mode message received 
>> on
>> 103.29.172.40:500 but no connection has been authorized with 
>> policy=PSK
> Therefore you should have left=103.29.172.40 in your config. You can omit leftnexthop in the config.
>
> Restart your ipsec service or do ipsec auto --rereadall after doing the changes.
> Kindly do not take the discussion off-list.
>
> On Thursday 06 December 2012 04:26:57 PM IST, adstar at genis-x.com wrote:
>> Hi Elison,
>>
>> Ok so my external interface is  eth1 internal eth0
>>
>> I'm not sure what to put as the left/leftnexthop.
>> I have tried
>> conn conn
>>           type = tunnel
>>           authby = secret
>>           left = 202.45.103.162
>>           leftnexthop = 202.45.103.161
>>           right = 119.225.115.131
>>           rightnexthop = %defaultroute
>>           ike = aes256-sha1-modp1536
>>           esp = aes256-sha1
>>           keyexchange = ike
>>           pfs = no
>>           auto = add
>>
>> but still get the error
>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload 
>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...]
>> packet from 119.225.115.131:500: initial Main Mode message received 
>> on
>> 103.29.172.40:500 but no connection has been authorized with 
>> policy=PSK packet from 119.225.115.131:500: ignoring unknown Vendor 
>> ID payload 
>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...]
>> packet from 119.225.115.131:500: initial Main Mode message received 
>> on
>> 103.29.172.40:500 but no connection has been authorized with 
>> policy=PSK
>>
>> Also do you mean all IPV6 on all interfaces?
>>
>> Thanks for you help
>> Cheers
>> Adam
>>
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>       link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>       inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
>>       inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
>>       inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
>>       inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
>>       inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
>>       inet 103.29.172.40/24 scope global secondary eth0
>>       inet6 fe80::225:90ff:fe35:359e/64 scope link
>>          valid_lft forever preferred_lft forever
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>       link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
>>       inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
>>       inet6 fe80::225:90ff:fe35:359f/64 scope link
>>          valid_lft forever preferred_lft forever
>>
>>
>> I would like my external clients to connect to the IP 172.29.172.40
>>
>> firewall# ip route
>> 202.45.103.160/30 dev eth1  proto kernel  scope link  src
>> 202.45.103.162
>> 172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.100
>> 103.29.174.0/24 dev eth0  proto kernel  scope link  src 103.29.174.1
>> 103.29.175.0/24 dev eth0  proto kernel  scope link  src 103.29.175.1
>> 103.29.172.0/24 dev eth0  proto kernel  scope link  src 103.29.172.1
>> 103.29.173.0/24 dev eth0  proto kernel  scope link  src 103.29.173.1 
>> default via 202.45.103.161 dev eth1
>>
>>
>>
>>
>> -----Original Message-----
>> From: Elison Niven [mailto:elison.niven at elitecore.com]
>> Sent: Thursday, 6 December 2012 9:27 PM
>> To: adstar at genis-x.com
>> Cc: users at lists.openswan.org
>> Subject: Re: [Openswan Users] Problem with a simple connection.
>>
>> The address type of your host address (left) does not match with the address type of your nexthop (leftnexthop).
>> You can try removing leftnexthop=%defaultroute and put in the actual
>> IPv4 gateway, and do the same for rightnexthop.
>> You can also try disabling IPv6.
>>
>> On Thursday 06 December 2012 08:48:45 AM IST, adstar at genis-x.com wrote:
>>> Hi all,
>>>
>>> I’m having an issue setting up a tunnel that I need some help with.
>>>
>>> I have included the relevant files below
>>>
>>>
>>> My first issue is when I start ipsec I get the following error:
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family 
>>> inconsistency in this connection=2 host=2/nexthop=0
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load 
>>> incomplete connection
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family 
>>> inconsistency in this connection=2 host=2/nexthop=0
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load 
>>> incomplete connection
>>>
>>> My second issue is the right side can’t connect.
>>>
>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload 
>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...
>>> ]
>>>
>>> packet from 119.225.115.131:500: initial Main Mode message received 
>>> on
>>> 103.29.172.40:500 but no connection has been authorized with 
>>> policy=PSK
>>>
>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload 
>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...
>>> ]
>>>
>>> packet from 119.225.115.131:500: initial Main Mode message received 
>>> on
>>> 103.29.172.40:500 but no connection has been authorized with 
>>> policy=PSK
>>>
>>> Can anyone help me on where to go from here?
>>>
>>> Cheers
>>> Adam
>>>
>>> firewall# ipsec --version
>>>
>>> Linux Openswan 2.6.37 (klips)
>>>
>>>
>>> firewall# cat ipsec.conf
>>>
>>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>>
>>> version 2.0     # conforms to second version of ipsec.conf specification
>>>
>>> # bconn configuration
>>>
>>> config setup
>>>
>>>           #plutodebug = "all"
>>>
>>>           #klipsdebug = "all"
>>>
>>>           plutoopts="--perpeerlog"
>>>
>>>           dumpdir=/var/run/pluto/
>>>
>>>           nat_traversal=yes
>>>
>>>
>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,
>>> %
>>> v
>>> 4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>>
>>>           oe=off
>>>
>>>           protostack=klips
>>>
>>>           plutostderrlog=/var/log/pluto.log
>>>
>>>           interfaces="ipsec0=eth0"
>>>
>>>           listen=103.29.172.40
>>>
>>> # Add connections here
>>>
>>> conn multi-conn1
>>>
>>> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,1
>>> 4
>>> 4
>>> .55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.
>>> 124.206/32}
>>>
>>> leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.
>>> 2
>>> 9
>>> .173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.
>>> 1
>>> 73.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.1
>>> 7
>>> 3
>>> .84/32,103.29.173.85/32,103.29.173.86/32,103.29.173.60/32,103.29.173.
>>> 6 1/32,103.29.173.64/32,103.29.173.65/32}
>>>
>>> also=conn1
>>>
>>> conn conn1
>>>
>>>           type = tunnel
>>>
>>>           authby = secret
>>>
>>>           left = 103.29.172.40
>>>
>>>           leftnexthop = %defaultroute
>>>
>>>           right = 119.225.115.131
>>>
>>>           rightnexthop = %defaultroute
>>>
>>>           ike = aes256-sha1-modp1536
>>>
>>>           esp = aes256-sha1
>>>
>>>           keyexchange = ike
>>>
>>>           pfs = no
>>>
>>>           auto = add
>>>
>>> firewall# cat ipsec.secrets
>>>
>>> # This file holds shared secrets or RSA private keys for inter-Pluto
>>>
>>> # authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
>>>
>>> 103.29.172.40 119.225.115.131: PSK "BLANK-BLANK-BLANK"
>>>
>>> firewall# ip addr
>>>
>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>>>
>>>       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>
>>>       inet 127.0.0.1/8 scope host lo
>>>
>>>       inet6 ::1/128 scope host
>>>
>>>          valid_lft forever preferred_lft forever
>>>
>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
>>> state UP qlen 1000
>>>
>>>       link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>>
>>>       inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
>>>
>>>       inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
>>>
>>>       inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
>>>
>>>       inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
>>>
>>>       inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
>>>
>>>       inet 103.29.172.40/24 scope global secondary eth0
>>>
>>>       inet6 fe80::225:90ff:fe35:359e/64 scope link
>>>
>>>          valid_lft forever preferred_lft forever
>>>
>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
>>> state UP qlen 1000
>>>
>>>       link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
>>>
>>>       inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
>>>
>>>       inet6 fe80::225:90ff:fe35:359f/64 scope link
>>>
>>>          valid_lft forever preferred_lft forever
>>>
>>> 82: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state 
>>> UNKNOWN qlen 10
>>>
>>>       link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>>
>>>       inet 103.29.172.1/32 scope global ipsec0
>>>
>>>       inet 103.29.173.1/32 scope global ipsec0
>>>
>>>       inet 103.29.174.1/32 scope global ipsec0
>>>
>>>       inet 103.29.175.1/32 scope global ipsec0
>>>
>>>       inet 172.16.0.100/32 scope global ipsec0
>>>
>>>       inet 103.29.172.40/32 scope global ipsec0
>>>
>>>       inet6 fe80::225:90ff:fe35:359e/128 scope link
>>>
>>>          valid_lft forever preferred_lft forever
>>>
>>> 83: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
>>>
>>>       link/void
>>>
>>> firewall# cat daemon.log
>>>
>>> Dec  6 13:51:29 firewall ipsec_setup: Starting Openswan IPsec 2.6.37...
>>>
>>> Dec  6 13:51:29 firewall ipsec_setup: Using KLIPS/legacy stack
>>>
>>> Dec  6 13:51:30 firewall ipsec_setup: KLIPS debug `none'
>>>
>>> Dec  6 13:51:30 firewall ipsec_setup: KLIPS ipsec0 on eth0
>>> 103.29.172.1/24 broadcast  mtu 1500
>>>
>>> Dec  6 13:51:30 firewall ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
>>>
>>> Dec  6 13:51:30 firewall ipsec_setup: ...Openswan IPsec started
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family 
>>> inconsistency in this connection=2 host=2/nexthop=0
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load 
>>> incomplete connection
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family 
>>> inconsistency in this connection=2 host=2/nexthop=0
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load 
>>> incomplete connection
>>>
>>>
>>>
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments:
>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=28
>>> 3
>>> 1
>>> 55
>>
>> --
>> Best Regards,
>> Elison Niven
>>
>>
>>
>
> --
> Best Regards,
> Elison Niven
>
>
>

--
Best Regards,
Elison Niven



More information about the Users mailing list