[Users] FreeSWAN problems

From: Geoff Silver (gmsilver_at_uslinux.net)
Date: Tue Oct 29 2002 - 23:57:58 CET


Hi,

I just subscribed to the list today, so I hope it will help :-) I'm
trying to get FreeSWAN working - Debian Linux 3.0 with FreeSWAN version
1.96 (Debian package). The network is set up as follows:

 Left Subnet    Left Gateway      Left Next Hop / Right Next Hop   Right Gateway   Right Subnet
               ---------------   ----------------------------     -------------
10.10.1.0/24--|10.10.1.252   |   |                  10.10.3.1|--|10.10.3.2    |
     |        | 10.10.201.2  |---|10.10.201.1                |   | 10.1.29.1  |--10.1.29.0/24
     |        |              |   |10.10.1.1                  |   |            |
     |        ---------------    ----------------------------     -------------
---------------                  |
| 10.10.1.241 |                  |
|  (Router)   |------------------
---------------

Yes, I know the left and right "next hops" are on the same device - just
assume for a minute they aren't :-) 10.10.201.1 and 10.10.1.1 are
actually the same NIC. 10.10.201.0/24 was simply created to try and ease
the VPN configuration, so I wouldn't try to route the subnet the left
gateway was on.

Originally the Left Subnet was 10.10.201.0/24 and the Left Gateway IPs
were swapped. This worked fine. However, there are a number of hosts on
the 10.10.1.0/24 network, so what I *really* want is to VPN *that*
network. Thus, I swapped the configuration and the DNS KEY entries to the
new host name/IP. However, the VPN won't connect now. The obvious error
I see is when I run 'ipsec look' and get:
        10.1.29.0/24 -> 10.10.1.0/24 => %trap (0)

Which I *know* is wrong (since I've seen the output when this is working).
If I turn up the debugging levels, the only messages which seem useful to
me are:

Oct 29 17:31:51 vpn-test ipsec__plutorun: whack: read() failed (104
        Connection reset by peer)
Oct 29 17:31:51 vpn-test kernel: klips_debug:pfkey_destroy_socket: .
Oct 29 17:31:51 vpn-test ipsec__plutorun: ...could not add conn "remote-gw"
Oct 29 17:31:51 vpn-test kernel: klips_debug:pfkey_remove_socket: .
Oct 29 17:31:51 vpn-test ipsec__plutorun: whack: Pluto is not running (no
        "/var/run/pluto.ctl")
Oct 29 17:31:51 vpn-test kernel: klips_debug:pfkey_remove_socket: succeeded.
Oct 29 17:31:51 vpn-test ipsec__plutorun: whack: Pluto is not running (no
        "/var/run/pluto.ctl")
Oct 29 17:31:51 vpn-test kernel: klips_debug:pfkey_destroy_socket:
        pfkey_remove_socket called.
Oct 29 17:31:51 vpn-test ipsec__plutorun: ...could not route conn "remote-gw"

"remote-gw" is the name of the ipsec.conf connection. My ipsec.conf file
is:

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        #interfaces=%defaultroute
        interfaces="ipsec0=eth1"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        forwardcontrol=yes
        syslog=daemon.debug

# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dns
        rightrsasigkey=%dns

# vpn-test config
conn remote-gw
        keylife=1h
        rekey=no
        type=tunnel
        # Left security gateway, subnet behind it, next hop toward right.
        left=10.10.201.2
        leftsubnet=10.10.1.0/24
        leftnexthop=10.10.201.1
        # Right security gateway, subnet behind it, next hop toward left.
        right=10.10.3.2
        rightsubnet=10.1.29.0/24
        rightnexthop=10.10.3.1
        auto=start

Thanks for *any* help someone might be able to offer. I've been beating
my head against a wall over this for the last two weeks without any luck!

-- 
Geoff Silver					<geoff at uslinux dot net>
"If Bill Gates had a nickel for every time Windows crashed...
	Oh wait, he does"
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
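An added example, not part of the post or of FreeSWAN: a small checker that parses the conn section of an ipsec.conf like the one above and applies the topology checks a reviewer would run by hand on it (is each nexthop on its gateway's own link, is neither gateway address claimed to be behind the other side, do the two protected subnets overlap). It assumes literal IP addresses in left/right (no %defaultroute) and, as the diagram shows /24 links, a /24 link prefix; the embedded config excerpt is constructed from the post's values.

```python
import ipaddress

# Constructed excerpt mirroring the "remote-gw" conn of the post (values copied from it).
IPSEC_CONF = """\
conn remote-gw
        type=tunnel
        left=10.10.201.2
        leftsubnet=10.10.1.0/24
        leftnexthop=10.10.201.1
        right=10.10.3.2
        rightsubnet=10.1.29.0/24
        rightnexthop=10.10.3.1
"""

def parse_ipsec_conf(text):
    """Return {section name: {key: value}} for the conn/config sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments, keep indentation
        if not line.strip():
            continue
        if not line[0].isspace():              # "conn remote-gw" or "config setup"
            _kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections

def check_conn(conn, link_prefix=24):
    """Topology sanity checks for one conn; returns a list of problem strings.
    link_prefix is an assumption: the diagram in the post shows /24 links."""
    problems = []
    gws = {s: ipaddress.ip_address(conn[s]) for s in ("left", "right")}
    nets = {s: ipaddress.ip_network(conn[s + "subnet"], strict=False) for s in gws}
    for side, other in (("left", "right"), ("right", "left")):
        # A nexthop that is not on the gateway's own link can never be reached.
        link = ipaddress.ip_network(f"{gws[side]}/{link_prefix}", strict=False)
        nexthop = conn.get(side + "nexthop")
        if nexthop and ipaddress.ip_address(nexthop) not in link:
            problems.append(f"{side}nexthop {nexthop} is not on {gws[side]}'s /{link_prefix} link")
        # A gateway's own address cannot also be a host behind the other gateway.
        if gws[side] in nets[other]:
            problems.append(f"{side}={gws[side]} lies inside {other}subnet {nets[other]}")
    if nets["left"].overlaps(nets["right"]):
        problems.append(f"leftsubnet {nets['left']} overlaps rightsubnet {nets['right']}")
    return problems
```

For the post's values, check_conn(parse_ipsec_conf(IPSEC_CONF)["remote-gw"]) returns an empty list, so the addressing in the conn itself is consistent with the diagram; the checker finds nothing about why Pluto is not running.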


This archive was generated by hypermail 2.1.5 : Wed Oct 30 2002 - 05:20:34 CET