[Openswan Users] Couldn't start up tunnel in openswan 2.6.43 (klips)

Feng Dai freedai at hotmail.com
Tue May 5 13:51:35 EDT 2015


ipsec.conf.
version 2.0

config setup
        interfaces=ipsec0=eth1
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.44.0/24
        nat_traversal=yes
        nhelpers=0

conn connection-10.50.10.129-10.50.11.95-0
    right=10.50.11.95
    left=10.50.10.129
    #rightnexthop=10.50.0.0
    #leftnexthop=10.50.0.0
    authby=rsasig
    rightid="xxxx"
    leftid="xxxx"
    leftsubnet=192.168.44.1/24
    rightsubnet=192.168.164.0/24
    auto=start
    ikelifetime=600s
    keylife=600s
    dpddelay=60
    dpdtimeout=180
    dpdaction=restart_by_peer
    leftupdown=""
    pfs=no
    leftcert=/etc/pki/TrustOS/identity.crt
    leftca=/etc/ipsec.d/cacerts/tw-bundle.crt
    ike=3des-md5;modp1536
    phase2alg=3des-md5;modp1536

-Feng
From: freedai at hotmail.com
To: users at lists.openswan.org
Date: Mon, 4 May 2015 12:13:33 -0700
Subject: [Openswan Users] Couldn't start up tunnel in openswan 2.6.43 (klips)




Hello there,
I have an ipsec.conf that used to work with 2.6.41. After I upgraded to 2.6.43, it failed to start up the tunnel.

May  4 19:01:34 vpn-spoke-03 pluto[7434]: address family inconsistency in this connection=2 host=2/nexthop=0
May  4 19:01:34 vpn-spoke-03 pluto[7434]: attempt to load incomplete connection

After I added left/rightnexthop, it could work. %defaultroute didn't work though. I have to put in a specific IP.

    #rightnexthop=10.50.10.129
    #leftnexthop=10.50.11.95

So my question is: would nexthop be required from now on? Or will it be fixed in the next release, and when will the release be, if this is a bug?

BTW, I believe there's a bug in pfkey_v2.c. 2.6.43 compiles out the creation of pk_key but it still has the cleanup of pk_key. So I can see a kernel panic when stopping the service.

---- pfkey_init ----
#if 0
        /* XXX - does anyone actually use this interface at all? */
#ifdef CONFIG_PROC_FS
        {
                struct proc_dir_entry* entry;

                entry = create_proc_entry ("pf_key", 0, init_net.proc_net);
                entry->read_proc = pfkey_get_info;
                entry = create_proc_entry ("pf_key_supported", 0, init_net.proc_net);
                entry->read_proc = pfkey_supported_get_info;
                entry = create_proc_entry ("pf_key_registered", 0, init_net.proc_net);
                entry->read_proc = pfkey_registered_get_info;
        }
#endif /* CONFIG_PROC_FS */
#endif

---- pfkey_cleanup ----
#ifdef CONFIG_PROC_FS
        remove_proc_subtree("pf_key",            init_net.proc_net);
        remove_proc_subtree("pf_key_supported",  init_net.proc_net);
        remove_proc_subtree("pf_key_registered", init_net.proc_net);
#endif /* CONFIG_PROC_FS */

Thanks. - Feng 		 	   		  
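
A pre-upgrade check for the workaround reported in this message, as an added example that is not part of the original post or of Openswan's code: it parses an ipsec.conf and lists every conn side whose nexthop is absent, commented out, or a %-keyword such as %defaultroute, the cases the poster reports failing to load on 2.6.43. The sample config is constructed from the one in the post, parse_conns and nexthop_findings are hypothetical names, and also= includes are not followed.

```python
import re

# Constructed sample, trimmed from the ipsec.conf in the post; "with-nexthop" is invented.
SAMPLE_CONF = """\
version 2.0
config setup
    nat_traversal=yes
conn connection-10.50.10.129-10.50.11.95-0
    right=10.50.11.95
    left=10.50.10.129
    #rightnexthop=10.50.0.0
    #leftnexthop=10.50.0.0
    auto=start
conn with-nexthop
    left=10.50.10.129
    leftnexthop=10.50.11.95
    right=10.50.11.95
    rightnexthop=%defaultroute
"""

def parse_conns(text):
    """Return {conn_name: {param: value}}; comments and non-conn sections are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop full-line and trailing comments
        if not line:
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            parts = line.split(None, 1)
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns

def nexthop_findings(conns):
    """List (conn, param, reason) for each configured side without a literal nexthop IP."""
    findings = []
    for name, params in conns.items():
        for side in ("left", "right"):
            hop = params.get(side + "nexthop")
            if side not in params:
                continue  # side not set in this conn (it may be inherited via also=)
            if hop is None:
                findings.append((name, side + "nexthop", "missing"))
            elif hop.startswith("%"):
                findings.append((name, side + "nexthop", "not a literal IP: " + hop))
    return findings

if __name__ == "__main__":
    for finding in nexthop_findings(parse_conns(SAMPLE_CONF)):
        print("%s: %s %s" % finding)
```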

 		 	   		  