plutodebug="control klips"
and sending me the log?
Regards
Andreas
Nilesh Trivedi wrote:
Hi,
Please note that I'm having problems subscribing to the mailing list, so I would appreciate it if you could reply back to me in person as well.
I have everything that's necessary (including the recompiled kernel module ipsec.o) to do protocol-port selector config. However, while just playing around with Automatic keying (no certificates yet) on freeswan-1.99 with x509 patch version 0.9.34, I get the following errors (along with the configs).
Note: This works fine if I comment the leftprotoport and rightprotoport out. Without these lines I can get both the ISAKMP and IPsec SAs established fine, but of course I need to test the port combinations, which don't seem to work?
Any help would be greatly appreciated...thanks in advance!!
Regards,
Nilesh.
Config + Logs -------------------------->>>>>>>
[EMAIL PROTECTED] log]# service ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
[EMAIL PROTECTED] log]# ipsec verify
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path                                 [OK]
Checking for KLIPS support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
DNS checks.
Looking for forward key for dcm-3.cisco.com                     [FAILED]
Does the machine have at least one non-private address          [OK]
[EMAIL PROTECTED] log]# ipsec look
dcm-3.cisco.com Mon Aug 18 16:07:10 EST 2003
ipsec0->eth0 mtu=16260(1500)->1500
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.18.195.1    0.0.0.0         UG       40 0          0 eth0
172.18.195.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
172.18.195.0    0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
[EMAIL PROTECTED] log]# ipsec auto --up sample
104 "sample" #1: STATE_MAIN_I1: initiate
106 "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established
112 "sample" #2: STATE_QUICK_I1: initiate
003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 11 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
032 "sample" #2: STATE_QUICK_I1: internal error
010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 20 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
032 "sample" #2: STATE_QUICK_I1: internal error
010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 29 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
032 "sample" #2: STATE_QUICK_I1: internal error
031 "sample" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "sample" #2: starting keying attempt 2 of an unlimited number, but releasing whack
[EMAIL PROTECTED] log]# ipsec auto --status
000 interface ipsec0/eth0 172.18.195.217
000
000 "sample": 172.18.195.217:17/5099---172.18.195.1...172.18.195.1---172.18.195.216:17/5099
000 "sample": CAs: '%any'...'%any'
000 "sample": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sample": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; unrouted
000 "sample": newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
000
000 #3: "sample" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 27s
000 #1: "sample" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2653s; newest ISAKMP
000
===========================================================
My config looks like this (I'm trying to do Auto keying first and then verify X.509 if this works):

conn sample
        # Left security gateway, subnet behind it, next hop toward right.
        left=172.18.195.217
        #leftcert=/etc/ipsec.d/freeswan-cert.pem
        #leftsubnet=255.255.255.0/24
        [EMAIL PROTECTED]
        leftrsasigkey=0sAQPEYWpENMlD/Petlaq3FDdriWaZKmBC9
        leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, next hop toward left.
        right=172.18.195.216
        leftprotoport=udp/5099
        rightprotoport=udp/5099
        #rightcert=/etc/ipsec.d/client-cert.pem
        [EMAIL PROTECTED]
        rightrsasigkey=0sAQO4NXeNXkNG...
        rightnexthop=%defaultroute
        #rightnexthop=172.18.195.216
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=add
_______________________________________________ FreeS/WAN Users mailing list [EMAIL PROTECTED] https://mj2.freeswan.org/cgi-bin/mj_wwwusr
--
=======================================================================
Andreas Steffen                         e-mail: [EMAIL PROTECTED]
strongSec GmbH                          home:   http://www.strongsec.com
Alter Zürichweg 20                      phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)         fax:    +41 1 730 80 65
==========================================[strong internet security]===
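As an added example (not code from this thread, from FreeS/WAN or from strongSec), the Python script below reads the `ipsec auto --up` output, the `ipsec auto --status` route line and the conn block quoted above and answers the two questions a reader of such a report checks first: did pluto load the protoport selectors the config asks for (udp/5099 must appear as 17/5099 in the status line), and at which layer did Quick Mode stop. The sample inputs are copied from the thread, with the archive's scrubbed `[EMAIL PROTECTED]` tokens left in place; the protocol-name table and the verdict labels (`kernel-rejected-flow` and friends) are this script's own assumptions, not pluto terminology.

```python
import re

# Conn block as posted in the thread (leftid/rightid lines omitted because the
# archive scrubbed their values).
CONN_TEXT = """\
conn sample
        # Left security gateway, subnet behind it, next hop toward right.
        left=172.18.195.217
        #leftcert=/etc/ipsec.d/freeswan-cert.pem
        leftrsasigkey=0sAQPEYWpENMlD/Petlaq3FDdriWaZKmBC9
        leftnexthop=%defaultroute
        right=172.18.195.216
        leftprotoport=udp/5099
        rightprotoport=udp/5099
        rightrsasigkey=0sAQO4NXeNXkNG...
        rightnexthop=%defaultroute
        auto=add
"""

# Route line from `ipsec auto --status` as posted in the thread.
STATUS_LINE = ('000 "sample": 172.18.195.217:17/5099---172.18.195.1...'
               '172.18.195.1---172.18.195.216:17/5099')

# `ipsec auto --up sample` output as posted in the thread.
UP_LOG = """\
104 "sample" #1: STATE_MAIN_I1: initiate
106 "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established
112 "sample" #2: STATE_QUICK_I1: initiate
003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 11 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
032 "sample" #2: STATE_QUICK_I1: internal error
010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 20 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
032 "sample" #2: STATE_QUICK_I1: internal error
010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 29 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
032 "sample" #2: STATE_QUICK_I1: internal error
031 "sample" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Minimal offline table (assumption: no /etc/protocols lookup).
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
EINVAL = 22


def protoport_to_selector(value):
    """'udp/5099' -> '17/5099', the proto/port form that --status prints."""
    proto, sep, port = value.partition("/")
    if not sep or not port.isdigit():
        raise ValueError(f"protoport must be proto/port, got {value!r}")
    pnum = int(proto) if proto.isdigit() else PROTO_NUMBERS[proto.lower()]
    return f"{pnum}/{int(port)}"


def parse_conn(text):
    """key=value pairs of one conn block; comments and the header are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, val = line.partition("=")
        params[key.strip()] = val.strip()
    return params


STATUS_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<route>\S+)$')


def status_matches_conn(status_line, params):
    """True when the endpoint:proto/port pair pluto loaded equals the conn's."""
    m = STATUS_RE.match(status_line)
    if not m:
        raise ValueError("not a conn route line")
    left_ep, _nexthops, right_ep = m.group("route").split("---")
    want_left = f"{params['left']}:{protoport_to_selector(params['leftprotoport'])}"
    want_right = f"{params['right']}:{protoport_to_selector(params['rightprotoport'])}"
    return (left_ep, right_ep) == (want_left, want_right)


LOG_RE = re.compile(r'^(?P<code>\d{3}) (?:ERROR: )?"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PFKEY_RE = re.compile(r'pfkey write\(\) of (?P<type>\w+) message (?P<num>\d+) .*?Errno (?P<errno>\d+)')


def triage_up_log(text):
    """Collect the last state reached, Phase 1 success and every pfkey failure."""
    report = {"isakmp_established": False, "last_state": None,
              "pfkey_errors": [], "quick_mode_gave_up": False}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        state = re.match(r"STATE_\w+", msg)
        if state:
            report["last_state"] = state.group(0)
        if "ISAKMP SA established" in msg:
            report["isakmp_established"] = True
        pf = PFKEY_RE.search(msg)
        if pf:
            report["pfkey_errors"].append(
                (pf.group("type"), int(pf.group("num")), int(pf.group("errno"))))
        if "max number of retransmissions" in msg:
            report["quick_mode_gave_up"] = True
    return report


def classify(report):
    """Verdict labels are this script's own; they order the checks by layer."""
    if not report["isakmp_established"]:
        return "phase1-failed"
    if any(err == EINVAL for _t, _n, err in report["pfkey_errors"]):
        # write() on the PF_KEY socket returned EINVAL: the local kernel refused
        # the flow before Quick Mode could complete, so the "peer likes no
        # proposal" hint at the end of the log is a consequence, not the cause.
        return "kernel-rejected-flow"
    if report["quick_mode_gave_up"]:
        return "phase2-no-response"
    return "ok"


if __name__ == "__main__":
    conn = parse_conn(CONN_TEXT)
    print("status selectors match conn:", status_matches_conn(STATUS_LINE, conn))
    rep = triage_up_log(UP_LOG)
    print(rep)
    print("verdict:", classify(rep))
```

Run stand-alone, the script confirms that the status line carries exactly the selectors the conn requests and that all three failures are the same pfkey SADB_X_ADDFLOW write returning errno 22 after the ISAKMP SA was already up, which is why the reply above asks for `plutodebug="control klips"` rather than for the peer's configuration.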
