Could you enable restricted debugging by setting

plutodebug="control klips"

and sending me the log?

Regards

Andreas

Nilesh Trivedi wrote:
Hi,

Please note that I'm having problems subscribing to the mailing list, so I would appreciate it if you could reply to me in person as well.

I have everything that's necessary (including the recompiled kernel module ipsec.o) to do protocol-port selector config. However, while just playing around with automatic keying (no certificates yet) on freeswan-1.99, x509 patch version 0.9.34, I get the following errors (along with the configs).

Note: this works fine if I comment the leftprotoport and rightprotoport out. Without these lines I can get both the ISAKMP as well as IPsec SAs established fine, but of course I need to test the port combinations, which doesn't seem to work.

Any help would be greatly appreciated. Thanks in advance!

Regards,

Nilesh.

Config + Logs -------------------------->>>>>>>

[EMAIL PROTECTED] log]# service ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
[EMAIL PROTECTED] log]# ipsec verify
Checking your system to see if IPsec got installed and started correctly

Version check and ipsec on-path                             [OK]
Checking for KLIPS support in kernel                        [OK]
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
DNS checks.
Looking for forward key for dcm-3.cisco.com                 [FAILED]
Does the machine have at least one non-private address      [OK]
[EMAIL PROTECTED] log]#
[EMAIL PROTECTED] log]#
[EMAIL PROTECTED] log]#
[EMAIL PROTECTED] log]# ipsec look
dcm-3.cisco.com Mon Aug 18 16:07:10 EST 2003
ipsec0->eth0 mtu=16260(1500)->1500
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.18.195.1    0.0.0.0         UG       40 0          0 eth0
172.18.195.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
172.18.195.0    0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
[EMAIL PROTECTED] log]# ipsec auto --up sample
104 "sample" #1: STATE_MAIN_I1: initiate
106 "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established
112 "sample" #2: STATE_QUICK_I1: initiate
003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 11 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
032 "sample" #2: STATE_QUICK_I1: internal error
010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 20 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
032 "sample" #2: STATE_QUICK_I1: internal error
010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 29 for flow [EMAIL PROTECTED] failed. Errno 22: Invalid argument
032 "sample" #2: STATE_QUICK_I1: internal error
031 "sample" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "sample" #2: starting keying attempt 2 of an unlimited number, but releasing whack
[EMAIL PROTECTED] log]# ipsec auto --status
000 interface ipsec0/eth0 172.18.195.217
000
000 "sample": 172.18.195.217:17/5099---172.18.195.1...172.18.195.1---172.18.195.216:17/5099
000 "sample":   CAs: '%any'...'%any'
000 "sample":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sample":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; unrouted
000 "sample":   newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
000
000 #3: "sample" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 27s
000 #1: "sample" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2653s; newest ISAKMP
000

===========================================================

My config looks like this (I'm trying to do auto keying first and then verify X.509 if this works):

conn sample
       # Left security gateway, subnet behind it, next hop toward right.
       left=172.18.195.217
       #leftcert=/etc/ipsec.d/freeswan-cert.pem
       #leftsubnet=255.255.255.0/24
       [EMAIL PROTECTED]
       leftrsasigkey=0sAQPEYWpENMlD/Petlaq3FDdriWaZKmBC9
       leftnexthop=%defaultroute
       # Right security gateway, subnet behind it, next hop toward left.
       right=172.18.195.216
       leftprotoport=udp/5099
       rightprotoport=udp/5099
       #rightcert=/etc/ipsec.d/client-cert.pem
       [EMAIL PROTECTED]
       rightrsasigkey=0sAQO4NXeNXkNG...
       rightnexthop=%defaultroute
       #rightnexthop=172.18.195.216
       # To authorize this connection, but not actually start it, at startup,
       # uncomment this.
       auto=add


_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr


--
=======================================================================
Andreas Steffen                   e-mail: [EMAIL PROTECTED]
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===

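As an added illustration (not code from the thread or from FreeS/WAN), the script below parses the conn block above, renders the left/right protoport selectors in the host:proto/port form that `ipsec auto --status` prints (udp/5099 becomes 17/5099), and triages the quoted pluto messages to report whether Phase 1 completed and which errno the SADB_X_ADDFLOW write failed with. The conn fragment and log lines are constructed from the thread; the flow detail is elided.

```python
import re

# Protocol names accepted in leftprotoport/rightprotoport, mapped to the
# numbers pluto shows in `ipsec auto --status` (udp/5099 prints as 17/5099).
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
# Constructed sample: the conn block from the thread, keys and comments dropped.
SAMPLE_CONF = """conn sample
       left=172.18.195.217
       leftprotoport=udp/5099
       right=172.18.195.216
       rightprotoport=udp/5099
"""
# Constructed sample: the pluto messages quoted in the thread, condensed.
SAMPLE_LOG = [
    '004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established',
    '112 "sample" #2: STATE_QUICK_I1: initiate',
    '003 ERROR: "sample" #2: pfkey write() of SADB_X_ADDFLOW message 11 for '
    'flow ... failed. Errno 22: Invalid argument',
    '032 "sample" #2: STATE_QUICK_I1: internal error',
]

def parse_conns(text):
    """Return {conn name: {key: value}} from an ipsec.conf fragment."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def selectors(conn):
    """Render each end as host:proto/port, the form `ipsec auto --status` uses."""
    out = []
    for side in ("left", "right"):
        proto, port = (conn.get(side + "protoport") or "0/0").split("/", 1)
        num = int(proto) if proto.isdigit() else PROTO_NUMBERS[proto.lower()]
        out.append("%s:%d/%d" % (conn[side], num, int(port)))
    return tuple(out)

def triage(lines):
    """How far pluto got, plus every errno KLIPS returned for the eroute add."""
    s = {"isakmp_sa": False, "ipsec_sa": False, "addflow_errnos": []}
    for line in lines:
        s["isakmp_sa"] |= "ISAKMP SA established" in line
        s["ipsec_sa"] |= "IPsec SA established" in line
        m = re.search(r"SADB_X_ADDFLOW message \d+ .*Errno (\d+)", line)
        if m:
            s["addflow_errnos"].append(int(m.group(1)))
    return s
```

A non-empty `addflow_errnos` with `isakmp_sa` true and `ipsec_sa` false is the signature seen in the thread: IKE Phase 1 succeeds, and the failure is KLIPS rejecting the flow, not the peer rejecting the proposal.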