Hi, Please note that I'm having problems subscribing to the mailing list so would appreciate if you could reply back to me in person as well.
I have everything that's necessary (including the recompiled kernel module ipsec.o) to do protocol-port selector config. However, while just playing around with automatic keying (no certificates yet) on freeswan-1.99, x509 patch version 0.9.34, I get the following errors (along with the configs). Note: this works fine if I comment leftprotoport and rightprotoport out; without these lines I can get both the ISAKMP and IPsec SAs established fine, but of course I need to test the port combinations, which doesn't seem to work?? Any help would be greatly appreciated. Thanks in advance!!

Regards,
Nilesh.

Config + Logs -------------------------->>>>>>>

> > [EMAIL PROTECTED] log]# service ipsec start
> > ipsec_setup: Starting FreeS/WAN IPsec 1.99...
> > [EMAIL PROTECTED] log]# ipsec verify
> > Checking your system to see if IPsec got installed and started correctly
> > Version check and ipsec on-path                              [OK]
> > Checking for KLIPS support in kernel                         [OK]
> > Checking for RSA private key (/etc/ipsec.secrets)            [OK]
> > Checking that pluto is running                               [OK]
> > DNS checks.
> >    Looking for forward key for dcm-3.cisco.com               [FAILED]
> > Does the machine have at least one non-private address       [OK]
> > [EMAIL PROTECTED] log]#
> > [EMAIL PROTECTED] log]#
> > [EMAIL PROTECTED] log]#
> > [EMAIL PROTECTED] log]# ipsec look
> > dcm-3.cisco.com Mon Aug 18 16:07:10 EST 2003
> > ipsec0->eth0 mtu=16260(1500)->1500
> > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > 0.0.0.0         172.18.195.1    0.0.0.0         UG       40 0          0 eth0
> > 172.18.195.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
> > 172.18.195.0    0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
> > [EMAIL PROTECTED] log]# ipsec auto --up sample
> > 104 "sample" #1: STATE_MAIN_I1: initiate
> > 106 "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> > 108 "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> > 004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established
> > 112 "sample" #2: STATE_QUICK_I1: initiate
> > 003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 11 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
> > 032 "sample" #2: STATE_QUICK_I1: internal error
> > 010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> > 003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 20 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
> > 032 "sample" #2: STATE_QUICK_I1: internal error
> > 010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> > 003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 29 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
> > 032 "sample" #2: STATE_QUICK_I1: internal error
> > 031 "sample" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> > 000 "sample" #2: starting keying attempt 2 of an unlimited number, but releasing whack
> > [EMAIL PROTECTED] log]# ipsec auto --status
> > 000 interface ipsec0/eth0 172.18.195.217
> > 000
> > 000 "sample": 172.18.195.217:17/5099---172.18.195.1...172.18.195.1---172.18.195.216:17/5099
> > 000 "sample":   CAs: '%any'...'%any'
> > 000 "sample":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> > 000 "sample":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; unrouted
> > 000 "sample":   newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
> > 000
> > 000 #3: "sample" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 27s
> > 000 #1: "sample" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2653s; newest ISAKMP
> > 000
> >
> > ===========================================================
> >
> > My config looks like (I'm trying to do auto keying first and then verify X.509 if this works):
> >
> > conn sample
> >         # Left security gateway, subnet behind it, next hop toward right.
> >         left=172.18.195.217
> >         #leftcert=/etc/ipsec.d/freeswan-cert.pem
> >         #leftsubnet=255.255.255.0/24
> >         [EMAIL PROTECTED]
> >
> >         leftrsasigkey=0sAQPEYWpENMlD/Petlaq3FDdriWaZKmBC9
> >         leftnexthop=%defaultroute
> >         # Right security gateway, subnet behind it, next hop toward left.
> >         right=172.18.195.216
> >         leftprotoport=udp/5099
> >         rightprotoport=udp/5099
> >         #rightcert=/etc/ipsec.d/client-cert.pem
> >         [EMAIL PROTECTED]
> >
> >         rightrsasigkey=0sAQO4NXeNXkNG...
> >         rightnexthop=%defaultroute
> >         #rightnexthop=172.18.195.216
> >         # To authorize this connection, but not actually start it, at startup,
> >         # uncomment this.
> >         auto=add

_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
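The post above shows two things worth being able to check mechanically when debugging a protocol/port selector: how a `leftprotoport=udp/5099` setting turns into the `:17/5099` endpoint form printed by `ipsec auto --status`, and where in an `ipsec auto --up` transcript the Quick Mode attempt actually fails. The helper below is an added example written for this page; it is not code from the thread, from FreeS/WAN or from the x509 patch, and it does not diagnose the `Errno 22` itself (the thread does not resolve that). The sample conn block and log lines are constructed from the post; the explicit `172.18.195.1` nexthops are an assumption taken from the status output, standing in for the `%defaultroute` resolution, and the choice to treat pluto codes 031 and 032 as failures alongside lines tagged `ERROR:` is this script's own.

```python
"""Helpers for debugging FreeS/WAN protocol/port selectors (added example)."""
import re

# Protocol names accepted in a protoport selector, mapped to IANA numbers.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


def parse_conn(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.
    Blank lines and '#' comments are skipped; keys are lower-cased."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return conns


def parse_protoport(spec):
    """Turn 'udp/5099', 'tcp' or '17/5099' into (protocol_number, port).
    A missing or %any port is returned as 0 (any port)."""
    proto, _, port = spec.strip().lower().partition("/")
    if proto in PROTO_NUMBERS:
        proto_num = PROTO_NUMBERS[proto]
    elif proto.isdigit() and 0 <= int(proto) <= 255:
        proto_num = int(proto)
    else:
        raise ValueError("unknown protocol in selector: %r" % spec)
    port_num = 0 if port in ("", "%any") else int(port)
    if not 0 <= port_num <= 65535:
        raise ValueError("port out of range in selector: %r" % spec)
    return proto_num, port_num


def status_selector(conn):
    """Render the conn's endpoints the way `ipsec auto --status` prints them:
    left[:proto/port]---leftnexthop...rightnexthop---right[:proto/port].
    Unresolved (%...) nexthops are left blank; that rendering is this
    script's choice, not pluto's."""
    def end(prefix):
        text = conn[prefix]
        spec = conn.get(prefix + "protoport")
        if spec is not None:
            text += ":%d/%d" % parse_protoport(spec)
        return text

    def hop(prefix):
        nh = conn.get(prefix + "nexthop", "")
        return "" if not nh or nh.startswith("%") else nh

    return "%s---%s...%s---%s" % (end("left"), hop("left"), hop("right"), end("right"))


# Pluto log line: 3-digit whack code, optional ERROR: tag, conn name, state number, text.
PLUTO_LINE = re.compile(
    r'^(?P<code>\d{3}) (?P<err>ERROR: )?"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
ERRNO = re.compile(r"Errno (\d+)")
FAILURE_CODES = ("031", "032")  # retransmission limit / internal error (assumed classification)


def triage(log_lines):
    """Summarise an `ipsec auto --up` transcript: did phase 1 (ISAKMP SA) and
    phase 2 (IPsec SA) get established, and which lines reported failures."""
    out = {"isakmp": False, "ipsec": False, "errors": []}
    for line in log_lines:
        m = PLUTO_LINE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        out["isakmp"] |= "ISAKMP SA established" in msg
        out["ipsec"] |= "IPsec SA established" in msg
        if m.group("err") or m.group("code") in FAILURE_CODES:
            em = ERRNO.search(msg)
            out["errors"].append({"code": m.group("code"), "conn": m.group("conn"),
                                  "state": int(m.group("state")), "msg": msg,
                                  "errno": int(em.group(1)) if em else None})
    return out


# Constructed from the post; nexthops written out explicitly (assumption).
SAMPLE_CONF = """\
conn sample
        left=172.18.195.217
        leftprotoport=udp/5099
        leftnexthop=172.18.195.1
        right=172.18.195.216
        rightprotoport=udp/5099
        rightnexthop=172.18.195.1
        auto=add
"""

# Constructed from the post's transcript; the flow string was masked by the archive.
SAMPLE_LOG = """\
104 "sample" #1: STATE_MAIN_I1: initiate
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established
112 "sample" #2: STATE_QUICK_I1: initiate
003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 11 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
032 "sample" #2: STATE_QUICK_I1: internal error
010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
031 "sample" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
""".splitlines()
```

Running `triage(SAMPLE_LOG)` on the constructed transcript reports phase 1 established, phase 2 not, and three failure lines, the first of which is the `SADB_X_ADDFLOW` write carrying errno 22; `status_selector(parse_conn(SAMPLE_CONF)["sample"])` reproduces the `:17/5099` endpoint line from the post's status output. Pointing the same functions at a real `ipsec.conf` and at the output of `ipsec auto --up` gives a quick way to confirm that the selector pluto loaded is the one you meant before digging into the kernel side.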
