This is a discussion on FreeS/WAN setup problems within the Linux Networking forums, part of the Linux Forums category.
Hello!

I'm setting up a VPN tunnel with FreeS/WAN 2.06 and Linux Kernel 2.4.25. But I'm a little bit in trouble with the connection establishing.

ipsec auto --up S2I:

    104 "S2I" #1: STATE_MAIN_I1: initiate
    106 "S2I" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    108 "S2I" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    004 "S2I" #1: STATE_MAIN_I4: ISAKMP SA established
    112 "S2I" #2: STATE_QUICK_I1: initiate
    003 "S2I" #2: prepare-client command exited with status 127
    003 "S2I" #2: route-client command exited with status 127
    032 "S2I" #2: STATE_QUICK_I1: internal error
    010 "S2I" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
    003 "S2I" #2: prepare-client command exited with status 127
    003 "S2I" #2: route-client command exited with status 127
    032 "S2I" #2: STATE_QUICK_I1: internal error
    010 "S2I" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
    003 "S2I" #2: prepare-client command exited with status 127
    003 "S2I" #2: route-client command exited with status 127
    032 "S2I" #2: STATE_QUICK_I1: internal error
    031 "S2I" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    000 "S2I" #2: starting keying attempt 2 of an unlimited number, but releasing whack

As you could see he could exchange the keys (we're using RSA private keys). The command errors prepare-client/route-client are caused by a missing command (ip route but I've only route - is this the same?).

ipsec auto --status:

    000 interface ipsec0/eth0 192.168.2.2
    000 interface ipsec1/eth1 192.168.1.200
    000 %myid = (none)
    000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore
    000
    000 "S2I": 192.168.1.0/24===192.168.2.2[@invoices.ems-wuensche.com]...192.168.2.1[@services.ems-wuensche.com]===192.168.0.0/24; unrouted; eroute owner: #0
    000 "S2I": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "S2I": policy: RSASIG+ENCRYPT+COMPRESS+PFS+UP; prio: 24,24; interface: eth0;
    000 "S2I": newest ISAKMP SA: #1; newest IPsec SA: #0;
    000
    000 #5: "S2I" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 33s
    000 #1: "S2I" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2654s; newest ISAKMP
    000

He hangs in phase IPSEC SA establishing.

Network setup:

    Left net         VPN gateway 1     VPN gateway 2     Right net
    192.168.0.0 <--> 192.168.2.1  <--> 192.168.2.2  <--> 192.168.1.0

Settings gateway 1:

    Interfaces:
    eth0 - 192.168.2.1
    eth1 - 192.168.0.200

    route says:
    192.168.0.0 eth1
    192.168.2.0 eth0
    default dev eth0

Settings gateway 2:

    Interfaces:
    eth0 - 192.168.2.2
    eth1 - 192.168.1.200

    and route says:
    192.168.1.0 eth1
    192.168.2.0 eth0
    default dev eth0

ipsec.conf:

    config setup
        interfaces="ipsec0=eth0 ipsec1=eth1"
        klipsdebug=all
        plutodebug=all
        pluto=yes
        rp_filter=0

    conn %default
        keyingtries=0
        keylife=8h
        compress=yes

    conn S2I
        # Left security gateway, subnet behind it, next hop toward right.
        left=192.168.2.1
        leftsubnet=192.168.0.0/24
        leftnexthop=
        leftid=@service.ems-wuensche.com
        leftrsasigkey=...
        # Right security gateway, subnet behind it, next hop toward left.
        right=192.168.2.2
        rightsubnet=192.168.1.0/24
        rightnexthop=
        rightid=@invoices.ems-wuensche.com
        rightrsasigkey=...
        auto=add

Any help would be very appreciated.

--
Best Regards
Sebastian Haas
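An added example (not part of the original post and not FreeS/WAN code) that triages `ipsec auto --up` output like the log above: it separates the local `prepare-client`/`route-client` failures, where exit status 127 is the shell's "command not found" code, from the Phase 1 and Quick Mode state. The names `triage` and `verdict` and the report fields are assumptions made for this example.

```python
import re

# Abridged excerpt of the `ipsec auto --up S2I` output quoted in the post.
SAMPLE = """\
104 "S2I" #1: STATE_MAIN_I1: initiate
004 "S2I" #1: STATE_MAIN_I4: ISAKMP SA established
112 "S2I" #2: STATE_QUICK_I1: initiate
003 "S2I" #2: prepare-client command exited with status 127
003 "S2I" #2: route-client command exited with status 127
032 "S2I" #2: STATE_QUICK_I1: internal error
031 "S2I" #2: max number of retransmissions (2) reached STATE_QUICK_I1
"""

# <3-digit code> "<connection>" #<SA number>: <message>
LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
UPDOWN = re.compile(r'^(\S+) command exited with status (\d+)$')
# Shell convention: 127 = command not found, 126 = found but not executable.
EXIT_MEANING = {127: "command not found", 126: "command not executable"}


def triage(output, conn):
    """Summarise how far connection `conn` got and why helper steps failed."""
    report = {"isakmp_sa": False, "quick_mode_gave_up": False, "updown": {}}
    for raw in output.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) != conn:
            continue
        msg = m.group(4)
        if msg.endswith("ISAKMP SA established"):
            report["isakmp_sa"] = True
        elif "max number of retransmissions" in msg and "STATE_QUICK" in msg:
            report["quick_mode_gave_up"] = True
        else:
            u = UPDOWN.match(msg)
            if u:
                status = int(u.group(2))
                report["updown"][u.group(1)] = (
                    status, EXIT_MEANING.get(status, "script-specific failure"))
    return report


def verdict(report):
    """One-line diagnosis that puts local helper failures before peer issues."""
    local = [v for v, (s, _) in report["updown"].items() if s in EXIT_MEANING]
    if local:
        return "local: updown step(s) could not run: " + ", ".join(sorted(local))
    if report["isakmp_sa"] and report["quick_mode_gave_up"]:
        return "phase 2: no usable Quick Mode reply from peer"
    return "no failure seen" if report["isakmp_sa"] else "phase 1 incomplete"
```

Calling `verdict(triage(SAMPLE, "S2I"))` on the excerpt reports the local failure first, so the "perhaps peer likes no proposal" message is not read as a proposal mismatch before the missing command is dealt with.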