Hi guys,
I know this should go to the openswan list, but no one seems to want to help
or respond. I was hoping one of you guys might be able to help me out.
I'm having an issue setting up a tunnel that I need some help with.
I have included the relevant files below
My first issue is when I start ipsec I get the following error:
Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family inconsistency
in this connection=2 host=2/nexthop=0
Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load incomplete
connection
Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family inconsistency
in this connection=2 host=2/nexthop=0
Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load incomplete
connection
My second issue is the right side can't connect.
packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
[f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]
packet from 119.225.115.131:500: initial Main Mode message received on
103.29.172.40:500 but no connection has been authorized with policy=PSK
packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
[f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]
packet from 119.225.115.131:500: initial Main Mode message received on
103.29.172.40:500 but no connection has been authorized with policy=PSK
Can anyone help me on where to go from here?
Cheers
Adam
firewall# ipsec --version
Linux Openswan 2.6.37 (klips)
firewall# cat ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
#plutodebug = "all"
#klipsdebug = "all"
plutoopts="--perpeerlog"
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0
.0.0/8,%v6:fd00::/8,%v6:fe80::/10
oe=off
protostack=klips
plutostderrlog=/var/log/pluto.log
interfaces="ipsec0=eth0"
listen=103.29.172.40
# Add connections here
conn multi-conn1
rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.12
3.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32}
leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.7
3/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103
.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.
85/32,103.29.173.86/32,103.29.173.60/32,103.29.173.61/32,103.29.173.64/32,10
3.29.173.65/32}
also=conn1
conn conn1
type = tunnel
authby = secret
left = 103.29.172.40
leftnexthop = %defaultroute
right = 119.225.115.131
rightnexthop = %defaultroute
ike = aes256-sha1-modp1536
esp = aes256-sha1
keyexchange = ike
pfs = no
auto = add
firewall# cat ipsec.secrets
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
103.29.172.40 119.225.115.131: PSK "BLANK-BLANK-BLANK"
firewall# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP qlen 1000
link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
inet 103.29.172.40/24 scope global secondary eth0
inet6 fe80::225:90ff:fe35:359e/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP qlen 1000
link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
inet6 fe80::225:90ff:fe35:359f/64 scope link
valid_lft forever preferred_lft forever
82: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen
10
link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
inet 103.29.172.1/32 scope global ipsec0
inet 103.29.173.1/32 scope global ipsec0
inet 103.29.174.1/32 scope global ipsec0
inet 103.29.175.1/32 scope global ipsec0
inet 172.16.0.100/32 scope global ipsec0
inet 103.29.172.40/32 scope global ipsec0
inet6 fe80::225:90ff:fe35:359e/128 scope link
valid_lft forever preferred_lft forever
83: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
link/void
firewall# cat daemon.log
Dec 6 13:51:29 firewall ipsec_setup: Starting Openswan IPsec 2.6.37...
Dec 6 13:51:29 firewall ipsec_setup: Using KLIPS/legacy stack
Dec 6 13:51:30 firewall ipsec_setup: KLIPS debug `none'
Dec 6 13:51:30 firewall ipsec_setup: KLIPS ipsec0 on eth0 103.29.172.1/24
broadcast mtu 1500
Dec 6 13:51:30 firewall ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
Dec 6 13:51:30 firewall ipsec_setup: ...Openswan IPsec started
Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family inconsistency
in this connection=2 host=2/nexthop=0
Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load incomplete
connection
Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family inconsistency
in this connection=2 host=2/nexthop=0
Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load incomplete
connection
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
