Hi,

Right, it was a version mismatch and I figured out where to get the matching package version from:
http://leaf.cvs.sourceforge.net/leaf/bin/packages/uclibc-0.9/20/2.4.31/

But now I keep getting this in the log files. I fixed this before but now it's come back with the new package (but using my original config files obviously):

    ignoring Vendor ID payload [FRAGMENTATION]
    ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
    initial Main Mode message received on 1.2.3.4:500 but no connection has been authorized with policy=PSK

Here are my ipsec.conf and ipsec.secrets files:

Thanks,

James.

**ipsec.conf**

# /etc/ipsec.conf - Openswan IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in Openswan's doc/examples file, in the HTML documentation, and online
# at http://www.openswan.org/docs/

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Don't wait for pluto to complete every plutostart before continuing
    plutowait=no
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.27.0/24,%v4:!192.168.17.0/24

# Defaults for all connection descriptions
conn %default
    keyingtries=0
    disablearrivalcheck=no
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand
    authby=secret
    auto=add

# Example VPN connection for the following scenario:
#
#                 leftsubnet
# 172.16.0.0/24---([172.16.0.1]left[10.0.0.10])---([10.0.0.1]router)-------\
#                                                                            |
#                 rightsubnet                                                |
# 192.168.0.0/24--([192.168.0.1]right[10.12.12.10])---([10.12.12.1]router)-/
#
#conn sample
#    # Left security gateway, subnet behind it, next hop toward right.
#    left=10.0.0.10
#    leftnexthop=10.0.0.1
#    leftsubnet=172.16.0.0/24
#    # Right security gateway, subnet behind it, next hop toward left.
#    right=10.12.12.10
#    rightnexthop=10.12.12.1
#    rightsubnet=192.168.0.0/24
#    # To initiate this connection automatically at startup,
#    # uncomment this:
#    #auto=start

# Configuration supporting multiple users with any type of
# IPsec/L2TP client. This includes the updated Windows 2000/XP
# (MS KB Q818043), Vista and Mac OS X 10.3+ but excludes the
# non-updated Windows 2000/XP.
#
# Authenticates through a Pre-Shared Key. Supports clients that
# are not behind NAT. Does not support clients that are behind NAT.
conn L2TP-PSK
    #
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    #
    # ----------------------------------------------------------
    # The VPN server.
    #
    # Allow incoming connections on the external network interface.
    # If you want to use a different interface or if there is no
    # defaultroute, you can use:   left=your.ip.addr.ess
    #
    left=%defaultroute
    #
    leftprotoport=17/1701
    # If you insist on supporting non-updated Windows clients,
    # you can use:    leftprotoport=17/%any
    #
    # ----------------------------------------------------------
    # The remote user(s).
    #
    # Allow incoming connections only from this IP address.
    #right=234.234.234.234
    # If you want to allow multiple connections from any IP address,
    # you can use:    right=%any
    #
    rightprotoport=17/%any
    #
    # ----------------------------------------------------------
    # Change 'ignore' to 'add' to enable this configuration.
    #
    auto=add
    left=1.2.3.4
    rightsubnet=vhost:%no,%priv

**ipsec.secrets**

# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA {
    # -- Create your own RSA key with "ipsec rsasigkey"
    }
# do not change the indenting of that "}"

#
# Sample /etc/ipsec.secrets file
# The Openswan server has an IP address of 123.123.123.123
#
# Preshared Keys for two clients with fixed IP addresses:
#123.123.123.123 234.234.234.234: PSK "keyforoneclient"
#123.123.123.123 111.222.111.222: PSK "keyforanotherclient"

# Preshared Key for clients connecting from any IP address:
193.175.198.98 %any: PSK " MySecretKey "
# (Line above only works on recent versions of Openswan).
# There is a subtle difference with the following
# (see also 'man ipsec.secrets') which affects NATed
# clients that use a PSK:
193.175.198.98 : PSK "MySecretKey"

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:leaf-user-[EMAIL PROTECTED]] On Behalf Of James Neave
> Sent: 30 March 2007 12:55
> To: leaf-user@lists.sourceforge.net
> Subject: [leaf-user] IPSec errors, kernel/userland version mismatch?
>
> Hi,
>
> I've been asked to add VPN capabilities to our router here at work.
> It's currently Bering-uClibc 2.3.1.
>
> I keep getting this error in the /var/secure log when starting up or
> connecting to the VPN:
>
> Connecting:
> ERROR: "L2TP-PSK"[2] 5.6.7.8 #3: pfkey write() of SADB_ADD message 5 for
> Add SA [EMAIL PROTECTED] failed. Errno 22: Invalid argument
>
> Starting the service:
> ipsec_setup: /usr/lib/ipsec/eroute: pfkey write failed, returning -1
> with errno=22.
> ipsec_setup: Invalid argument, check kernel log messages for specifics.
>
> All I can find with Google is that this suggests a kernel
> module/userland tools version mismatch.
>
> gateway# uname -r
> 2.4.31
> gateway# ipsec --version
> Linux Openswan U2.4.5/K1.0.9 (klips)
> See `ipsec --copyright' for copyright information.
>
> Erm, I *guess* that's a version mismatch. If it is, where can I grab
> ipsec.lrp version 2.4.31?
>
> Or is the version of the kernel not the same as the version of its
> modules?
>
> Regards,
>
> James.
>
> ------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> ------------------------------------------------------------------------
> leaf-user mailing list: leaf-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> Support Request -- http://leaf-project.org/
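Added here as an example (not part of James's mail or of Openswan): a small lint for two preconditions behind the "initial Main Mode message received ... but no connection has been authorized with policy=PSK" message, namely a loaded conn with authby=secret that actually carries a right= (normally %any for roaming clients) and an ipsec.secrets entry whose index list can cover this gateway's left= together with %any for the peer. The two config strings are constructed excerpts modelled on the posted files, and the conn/secrets matching is a simplification of pluto's own rules, so treat the output as a list of things to check rather than a diagnosis.

```python
import re
# Constructed excerpts modelled on the posted files (not the full originals).
IPSEC_CONF = """\
config setup
    interfaces=%defaultroute
conn %default
    authby=secret
    auto=add
conn L2TP-PSK
    # right=%any
    left=1.2.3.4
    rightsubnet=vhost:%no,%priv
"""
IPSEC_SECRETS = '193.175.198.98 %any: PSK "MySecretKey"\n'

def parse_conf(text):
    """{conn: {key: value}} with 'conn %default' folded in; comments stripped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('conn '):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith('config '):
            cur = None  # 'config setup' holds no conn parameters
        elif cur is not None and '=' in line:
            key, val = line.split('=', 1)
            cur[key.strip()] = val.strip()
    default = conns.pop('%default', {})
    return {name: {**default, **opts} for name, opts in conns.items()}
def psk_indexes(text):
    """Index tokens of every 'a b: PSK "..."' line, e.g. ['1.2.3.4', '%any']."""
    return [p.split() for p in re.findall(r'^\s*([^:#]*):\s*PSK\s', text, re.M)]
def psk_covers(tokens, left):
    """Can one secrets entry match local id 'left' and a peer of unknown address?"""
    for i, tok in enumerate(tokens):
        if tok in (left, '%any') and '%any' in tokens[:i] + tokens[i + 1:]:
            return True
    return False
def lint(conf_text, secrets_text):
    """Findings for PSK conns that pluto could not match to an unknown initiator."""
    findings, secrets = [], psk_indexes(secrets_text)
    for name, c in parse_conf(conf_text).items():
        if c.get('authby') != 'secret' or c.get('auto', 'ignore') == 'ignore':
            continue  # not a PSK conn, or never loaded into pluto
        if 'right' not in c:
            findings.append(f'{name}: no right= (roaming clients need right=%any)')
        left = c.get('left', '%defaultroute')
        if left != '%defaultroute' and not any(psk_covers(t, left) for t in secrets):
            findings.append(f'{name}: no PSK entry covers left={left} and a %any peer')
    return findings
```

Run against the real /etc/ipsec.conf and /etc/ipsec.secrets contents instead of the constructed strings; an empty list means neither of the two checks fired, not that the peer's proposal will be accepted.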