This is a flat-out bug in Openswan. Although I found a post (quoted below) claiming this was fixed around 2.4.10 (my Debian lenny system has openswan based on 2.4.12, judging by the Version: 1:2.4.12+dfsg-1.3+lenny2), I still have the problem.

http://webcache.googleusercontent.com/search?q=cache:FHTtaZzuKRUJ:https://gsoc.xelerance.com/issues/849+ipsec+openswan+pluto+assertion+failed&cd=4&hl=en&ct=clnk&gl=uk (Google cache because the page seems down... it still takes a while to load on this URL) says:

"This is a bug, where we think the conn define is NOT an instance because right != %any... but it's NOT permanent, since rightprotoport=17/%any. There are a few ways to fix this, but simplest is to tell the config reader that yes, this is a CK_INSTANCE."

and further claims:

"It's a bug. It has been fixed in CVS and will be in 2.4.10 which we hope to release in 1-2 days"

but obviously either that fix didn't make it in or was incomplete. The page says that was 'about 1 year ago' (at the time Google last cached it, presumably).

The only workaround I found was to have 'right=%any' in the 'conn' section. I guess if you really need to restrict it to certain IPs you could use iptables instead?

-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up. Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
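As an added illustration of the workaround described in the message (this fragment is not from the original report or from the Openswan project), the two conn definitions below show the combination the bug report describes, a fixed right= address together with rightprotoport=17/%any, and the same conn with right=%any. The connection names, the addresses, and the leftprotoport=17/1701 line (an L2TP-style setup, which the message does not actually state) are assumptions chosen for the example.

```ini
# Added example, not from the original message or from Openswan.
# Addresses, conn names and leftprotoport are assumed placeholders.

# Combination the bug report describes: a specific right= address means
# pluto does not treat the conn as an instance, while the %any port in
# rightprotoport means it is not permanent either. That inconsistency is
# what trips the assertion.
conn peer-assertion-case
    left=192.0.2.1
    leftprotoport=17/1701
    right=198.51.100.7
    rightprotoport=17/%any
    auto=add

# Workaround from the message: right=%any. Any address may now attempt
# to negotiate this conn, so restricting peers by address has to move
# to the host firewall.
conn peer-workaround
    left=192.0.2.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
```

With the workaround in place, per-peer address restriction can be done at the host firewall as the message suggests, for example by accepting UDP 500 and 4500 (IKE and NAT-T) and ESP only from the intended peer addresses and dropping the rest; the IKE authentication configured for the conn still decides which peers can actually establish a tunnel.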