All,
I have a problem where I cannot initiate a connection from a Freeswan box
to an IBM AS/400 system. The AS/400 can initiate the connection to my
Freeswan box, but it will not work the other way. Each time I reboot the
machine and/or restart ipsec in any way... I'm forced to email or call the
remote end and have them re-initiate the connection. This is used in a live
environment for a backend VPN tunnel to an order fulfillment center.
I've searched the web for countless hours now, and can't seem to find
anything related to this. I did find a couple of messages regarding it... but
they all turned out to be people who were mistaken, not a real solution.
I've tried all possible combinations in the config file. I'm using shared
secret and transport mode; here is my current config:
conn worldpac
        type=transport
        keyexchange=ike
        auth=esp
        authby=secret
        pfs=no
        # right and left are pretty much interchangeable, but no reason to
        # try to switch them. "right" is the ip of THIS machine.
        # "rightnexthop" is the ip of the gateway machine between
        # "right" and the rest of the internet
        right=63.78.141.251
        rightnexthop=63.78.141.1
        left=63.89.49.214
        keylife=24h
        keyingtries=1
        lifetime=8h
        esp=3des-md5-96
        ikelifetime=8h
        rekey=yes
        rekeymargin=3h
        rekeyfuzz=0%
        auto=add
I have the keyingtries temporarily set that way so that it does not sit
there and keep trying to re-initiate the connection if it goes down. For
some reason, it cannot initiate the connection to the AS/400. The AS/400 must
always initiate the connection. The guys at IBM are pretty certain the
"Proposal" is what is preventing Freeswan from initiating the connection. I've
gotten an email back from the guys at IBM... they had this to say...
-------- Original Message --------
Subject: Re: VPN conundrum
Date: Tue, 31 Jul 2001 07:38:51 -0400
From: "Frank Paxhia" <paxhia_at_us.ibm.com>
To: Tom Harding <tomh_at_thinlink.com>
Yes, sorry I haven't gotten back to you since then. I've analyzed the
traces and the problem is definitely caused by freeS/WAN sending
(initiating) the first proposal with proposal number "0". According
to my IKE expert, this was brought up at one of the town meetings at the
VPN bakeoffs. The recommendation from the IKE authors was to not use or
start with this value. We have this hardcoded resulting in the error
message you see. Starting in V5R1 we've added additional logic to
tolerate certain situations like this, but, they are predicated on other
conditions - mostly security related.
Cheers,
Pax
aka Frank V. Paxhia
(607)752-5525, tl 852-5525, fax ext. 5421
paxhia_at_us.ibm.com, paxman_at_vnet.ibm.com, paxhia_at_IBMUSM07
So, with that in mind... any help as to how the proposal number is set in
the actual Freeswan code would be much appreciated. I've done some looking,
but the code is huge... and each try requires a kernel rebuild, which takes a
good 30 minutes for each "maybe this". Help!
NOTE: (Please email me directly with any response... I'm not signed up on
this list and will not receive the replies for that reason. jmyner_at_gsite.com)
Joshua Myner : MCP, MMCP
Systems Administrator / Application Developer
jmyner_at_gsite.com : (616)324-8231 Ext. 17
Granite Solutions http://www.gsite.com
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
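The IBM analysis above turns on one byte of the ISAKMP SA payload: the Proposal # field of the first Proposal payload (RFC 2408, section 3.5), which the AS/400 refuses when it is 0. The following is an added example, not code from the original post and not FreeS/WAN's own code: it builds two constructed phase 1 SA payloads with Python's struct module, one whose first proposal is numbered 0 (what the trace reportedly showed) and one numbered from 1, and walks the chained Proposal payloads back out to check what a peer like the AS/400 would see. The attribute values (3DES, MD5, pre-shared key) follow the posted config; the Diffie-Hellman group is an assumption, since the post does not state one, and the function names are mine.

```python
import struct

# ISAKMP constants from RFC 2408 / RFC 2409 (taken from the RFCs, not from the post).
PAYLOAD_NONE = 0        # Next Payload: nothing follows
PAYLOAD_PROPOSAL = 2
PAYLOAD_TRANSFORM = 3
PROTO_ISAKMP = 1        # Protocol-Id used in a phase 1 proposal
KEY_IKE = 1             # Transform-Id for ISAKMP/IKE
IPSEC_DOI = 1
SIT_IDENTITY_ONLY = 1

# Phase 1 attribute classes and the values matching the posted setup (3DES, MD5, shared secret).
# The MODP 1024 group is an assumption; the post does not say which group is used.
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ENC_3DES, HASH_MD5, AUTH_PSK, GROUP_MODP1024 = 5, 1, 1, 2
PHASE1_ATTRS = [(ATTR_ENC, ENC_3DES), (ATTR_HASH, HASH_MD5),
                (ATTR_AUTH, AUTH_PSK), (ATTR_GROUP, GROUP_MODP1024)]


def build_transform(transform_num, attrs, next_payload):
    """Transform payload: generic header, Transform #, Transform-Id, 2 reserved bytes, TV attributes."""
    body = b"".join(struct.pack("!HH", 0x8000 | a_type, a_val) for a_type, a_val in attrs)
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(body), transform_num, KEY_IKE, 0) + body


def build_proposal(proposal_num, transforms, next_payload):
    """Proposal payload; its length covers the transforms under it. SPI size is 0 in phase 1."""
    parts = []
    for i, (t_num, attrs) in enumerate(transforms):
        nxt = PAYLOAD_TRANSFORM if i < len(transforms) - 1 else PAYLOAD_NONE
        parts.append(build_transform(t_num, attrs, nxt))
    body = b"".join(parts)
    hdr = struct.pack("!BBHBBBB", next_payload, 0, 8 + len(body),
                      proposal_num, PROTO_ISAKMP, 0, len(transforms))
    return hdr + body


def build_sa_payload(proposals):
    """SA payload: generic header, DOI, Situation, then the chained Proposal payloads."""
    parts = []
    for i, (p_num, transforms) in enumerate(proposals):
        nxt = PAYLOAD_PROPOSAL if i < len(proposals) - 1 else PAYLOAD_NONE
        parts.append(build_proposal(p_num, transforms, nxt))
    body = struct.pack("!II", IPSEC_DOI, SIT_IDENTITY_ONLY) + b"".join(parts)
    return struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(body)) + body


def proposal_numbers(sa_payload):
    """Walk the Proposal payloads inside an SA payload and return their Proposal # fields in order."""
    _, _, sa_len = struct.unpack("!BBH", sa_payload[:4])
    if sa_len < 12 or sa_len > len(sa_payload):
        raise ValueError("bad SA payload length")
    numbers, off = [], 12  # skip generic header (4), DOI (4), Situation (4)
    while off < sa_len:
        if sa_len - off < 8:
            raise ValueError("truncated Proposal payload header")
        nxt, _, p_len, p_num, _, spi_size, _ = struct.unpack("!BBHBBBB", sa_payload[off:off + 8])
        if p_len < 8 + spi_size or off + p_len > sa_len:
            raise ValueError("bad Proposal payload length")
        numbers.append(p_num)
        off += p_len
        if nxt == PAYLOAD_NONE:
            break
        if nxt != PAYLOAD_PROPOSAL:
            raise ValueError("unexpected payload type %d after a proposal" % nxt)
    return numbers


def starts_with_proposal_zero(sa_payload):
    """True when the first Proposal # is 0, the value the AS/400 side reported refusing."""
    nums = proposal_numbers(sa_payload)
    return bool(nums) and nums[0] == 0


# Constructed sample payloads: one numbered from 0 (what the IBM analysis says the initiator sent),
# one numbered from 1 with a second proposal chained behind it.
SA_FROM_ZERO = build_sa_payload([(0, [(0, PHASE1_ATTRS)])])
SA_FROM_ONE = build_sa_payload([(1, [(1, PHASE1_ATTRS)]), (2, [(1, PHASE1_ATTRS)])])

if __name__ == "__main__":
    for name, sa in (("numbered from zero", SA_FROM_ZERO), ("numbered from one", SA_FROM_ONE)):
        print(name, proposal_numbers(sa),
              "refused by a peer that rejects Proposal # 0:", starts_with_proposal_zero(sa))
```

Run against a packet capture, the same walker can be pointed at the SA payload of the first main mode message (the payload that follows the ISAKMP header in the initiator's message 1) to confirm which number the initiator is actually sending, rather than inferring it from the responder's error.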
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:58 CEST