Hello newsgroups,
the story goes like this:
Two gateways running Debian Stable handle a site-to-site VPN with
FreeS/WAN 1.96 on kernel 2.4.18 with FreeS/WAN patches (everything deb).
Fine.
Now we're testing the updated versions, as Sarge has become stable in the
meantime. This means: FreeS/WAN 2.04 and kernel patches 2.2.0 on kernel
2.4.26 (because from 2.4.27 on the kernel has the backported ipsec stuff
from 2.6). The config file is not fully compliant; the changes applied
can be seen in the comments below, but should not matter (should...) I
think. Secrets and everything stayed the same.
Pluto is not very talkative although I set plutodebug to "all".
Klipsdebug=all does not show anything suspicious so far, but I can
supply a blarf if needed, of course.
So here's what happens:
-+-+-+-+<syslog>-+-+-+-+-
Jul 12 07:50:46 lnx-fw2 ipsec_setup: Starting FreeS/WAN IPsec U2.04/K2.2.0...
Jul 12 07:50:46 lnx-fw2 ipsec_setup: KLIPS debug `none'
Jul 12 07:50:46 lnx-fw2 kernel:
Jul 12 07:50:46 lnx-fw2 ipsec_setup: KLIPS ipsec0 on eth1 212.86.147.194/255.255.255.252 broadcast 212.86.147.195
Jul 12 07:50:47 lnx-fw2 ipsec_setup: ...FreeS/WAN IPsec started
Jul 12 07:50:51 lnx-fw2 ipsec__plutorun: 104 "H1" #1: STATE_MAIN_I1: initiate
Jul 12 07:50:51 lnx-fw2 ipsec__plutorun: ...could not start conn "H1"
Jul 12 08:44:27 lnx-fw2 ipsec_setup: Stopping FreeS/WAN IPsec...
Jul 12 08:44:29 lnx-fw2 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Jul 12 08:44:29 lnx-fw2 kernel:
Jul 12 08:44:29 lnx-fw2 ipsec_setup: ...FreeS/WAN IPsec stopped
Jul 12 08:44:29 lnx-fw2 ipsec_setup: Starting FreeS/WAN IPsec U2.04/K2.2.0...
Jul 12 08:44:29 lnx-fw2 ipsec_setup: KLIPS debug `none'
Jul 12 08:44:29 lnx-fw2 kernel:
Jul 12 08:44:29 lnx-fw2 ipsec_setup: KLIPS ipsec0 on eth1 212.86.147.194/255.255.255.252 broadcast 212.86.147.195
Jul 12 08:44:29 lnx-fw2 ipsec_setup: ...FreeS/WAN IPsec started
Jul 12 08:44:31 lnx-fw2 ipsec__plutorun: 104 "H1" #1: STATE_MAIN_I1: initiate
Jul 12 08:44:31 lnx-fw2 ipsec__plutorun: ...could not start conn "H1"
-+-+-+-+</syslog>-+-+-+-+-
-+-+-+-+<ipsec.conf>-+-+-+-+-
version 2

# basic configuration
config setup
        # default in v2
        #interfaces=%defaultroute
        klipsdebug=none
        plutodebug=all
        # default in v2
        #plutoload=%search
        #plutostart=%search
        # default in v2
        #uniqueids=yes

conn %default
        keyingtries=0
        authby=secret
        # new for version 2 (overwrite new defaults)
        disablearrivalcheck=yes
        leftrsasigkey=%none
        rightrsasigkey=%none

# Tunnel 1
conn H1
        # Left security gateway, subnet behind it, next hop toward right.
        left=212.86.147.58
        leftsubnet=10.10.1.0/24
        leftnexthop=212.86.147.57
        # Right security gateway, subnet behind it, next hop toward left.
        right=212.86.147.194
        rightsubnet=192.168.115.0/24
        rightnexthop=212.86.147.193
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=start

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore
-+-+-+-+</ipsec.conf>-+-+-+-+-
eth0      Link encap:Ethernet  HWaddr 00:02:B3:D3:7A:02
          inet addr:192.168.115.250  Bcast:192.168.115.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:1 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:42 (42.0 b)
          Interrupt:10 Base address:0x8400 Memory:dd000000-dd000038

eth1      Link encap:Ethernet  HWaddr 00:0E:0C:60:28:26
          inet addr:212.86.147.194  Bcast:212.86.147.195  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1569 errors:0 dropped:0 overruns:0 frame:0
          TX packets:871 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:110832 (108.2 KiB)  TX bytes:65112 (63.5 KiB)
          Interrupt:4 Base address:0x8000 Memory:dc000000-dc000038

ipsec0    Link encap:Ethernet  HWaddr 00:0E:0C:60:28:26
          inet addr:212.86.147.194  Mask:255.255.255.252
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
212.86.147.192  0.0.0.0         255.255.255.252 U     0      0        0 eth1
212.86.147.192  0.0.0.0         255.255.255.252 U     0      0        0 ipsec0
10.10.1.0       212.86.147.193  255.255.255.0   UG    0      0        0 ipsec0
192.168.115.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         212.86.147.193  0.0.0.0         UG    0      0        0 eth1
netfilter rules have been set to nothing and all policies to ACCEPT,
without any change of behaviour of course.
Any help or hints are highly appreciated! Thanks in advance.
Best regards
--
- Nat
Metal headquarters @
http://bleeding.4metal.net
Technology of the 4Metal.net :
http://tech.4metal.net
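As an added example (not part of the original post or of FreeS/WAN), a small Python checker that parses a FreeS/WAN 2.x ipsec.conf, folds `conn %default` into each conn the way pluto does, and cross-checks the side whose address is local against the interface addresses from the ifconfig output above, so that a nexthop that is not on-link with the gateway address is reported before pluto is restarted. The sample config and the interface list are constructed from the post; the function names are my own.

```python
import ipaddress
# Constructed sample mirroring the ipsec.conf in the post (comments stripped).
SAMPLE_CONF = """version 2
conn %default
    authby=secret
conn H1
    left=212.86.147.58
    leftsubnet=10.10.1.0/24
    leftnexthop=212.86.147.57
    right=212.86.147.194
    rightsubnet=192.168.115.0/24
    rightnexthop=212.86.147.193
    auto=start
"""
# Local addresses as ifconfig showed them in the post (constructed).
LOCAL_IFACES = {"eth1": ipaddress.ip_interface("212.86.147.194/30"),
                "eth0": ipaddress.ip_interface("192.168.115.250/24")}

def parse_ipsec_conf(text):
    """Map 'conn NAME' / 'config setup' sections to their key=value pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("config", "conn"):
            current = sections.setdefault(" ".join(parts), {})
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            current[key.strip()] = val.strip()
    return sections

def effective_conns(sections):
    """Fold 'conn %default' into every real conn, the way pluto resolves it."""
    default = sections.get("conn %default", {})
    return {name[5:]: {**default, **body} for name, body in sections.items()
            if name.startswith("conn ") and name != "conn %default"}

def check_conn(conn, ifaces=LOCAL_IFACES):
    """Return findings for one conn; an empty list means it looks consistent."""
    findings = []
    for side in ("left", "right"):
        addr = conn.get(side)
        local = next((i for i in ifaces.values() if str(i.ip) == addr), None)
        if local is None:
            continue  # the remote gateway; nothing to cross-check locally
        hop = conn.get(side + "nexthop")
        if hop and ipaddress.ip_address(hop) not in local.network:
            findings.append(f"{side}nexthop={hop} is not on-link with {addr}")
        return findings  # this is our side of the tunnel
    return findings + ["neither left= nor right= is a local interface address"]
```

For the H1 conn from the post the checker returns no findings, which only rules out an address/nexthop mismatch on the local side; it says nothing about what the peer or pluto itself rejects.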