Koozali.org: home of the SME Server

IPsec

Lloyd Keen

IPsec
« on: August 12, 2002, 05:25:46 PM »
Hi all,
I'm having a bit of a nightmare with Freeswan since upgrading to 5.5 (as are a few others I think). I dunno what the problem is. It appears that Darrell's RPM is based around ipsec being in /usr/lib/ipsec but under 5.5 it is in /usr/local/lib/ipsec. Is this what's causing the problem? I've tried uninstalling 1.97-07 and switching back to 1.91, and I've tried re-installing 1.97 in /usr/lib/ipsec (wouldn't let me). One thing I notice is that the format of the conf files is different; the connection names have a different format. Could this be a problem?
site 1 conn net.192.168.20.0-net.local
site 2 conn net.local-net.192.168.30.0

This is where I'm up to anyway if anyone has any ideas.

Aug 12 22:20:31 qh ipsec__plutorun: 112 "net.local-net.192.168.30.0" #22: STATE_QUICK_I1: initiate
Aug 12 22:20:31 qh ipsec__plutorun: 010 "net.local-net.192.168.30.0" #22: STATE_QUICK_I1: retransmission; will wait 20s for response
Aug 12 22:20:31 qh ipsec__plutorun: 010 "net.local-net.192.168.30.0" #22: STATE_QUICK_I1: retransmission; will wait 40s for response
Aug 12 22:20:31 qh ipsec__plutorun: 031 "net.local-net.192.168.30.0" #22: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 12 22:20:31 qh ipsec__plutorun: 000 "net.local-net.192.168.30.0" #22: starting keying attempt 2 of an unlimited number, but releasing whack
Aug 12 22:20:31 qh ipsec__plutorun: ...could not start conn "net.local-net.192.168.30.0"

Lloyd Keen

Re: IPsec
« Reply #1 on: August 12, 2002, 05:27:53 PM »
Sorry I pasted the wrong section of the log file:

Aug 12 22:17:01 qh ipsec__plutorun: 104 "gate.local-net.192.168.30.0" #1: STATE_MAIN_I1: initiate
Aug 12 22:17:01 qh ipsec__plutorun: 106 "gate.local-net.192.168.30.0" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 12 22:17:01 qh ipsec__plutorun: 108 "gate.local-net.192.168.30.0" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 12 22:17:01 qh ipsec__plutorun: 004 "gate.local-net.192.168.30.0" #1: STATE_MAIN_I4: ISAKMP SA established
Aug 12 22:17:01 qh ipsec__plutorun: 112 "gate.local-net.192.168.30.0" #2: STATE_QUICK_I1: initiate
Aug 12 22:17:01 qh ipsec__plutorun: 010 "gate.local-net.192.168.30.0" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
Aug 12 22:17:01 qh ipsec__plutorun: 010 "gate.local-net.192.168.30.0" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
Aug 12 22:17:01 qh ipsec__plutorun: 031 "gate.local-net.192.168.30.0" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 12 22:17:01 qh ipsec__plutorun: 000 "gate.local-net.192.168.30.0" #2: starting keying attempt 2 of an unlimited number, but releasing whack
Aug 12 22:17:01 qh ipsec__plutorun: ...could not start conn "gate.local-net.192.168.30.0"
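
The log above shows Main Mode completing ("ISAKMP SA established") and the failure only arriving in Quick Mode, which is the distinction worth reading off automatically. The following Python is an added example, not code from the thread or from SME Server: it parses pluto log lines into per-connection records and reports whether Phase 1 or Phase 2 is the layer that stalled. The sample log is constructed from the lines quoted here, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Aug 12 22:17:01 qh ipsec__plutorun: 104 "gate.local-net.192.168.30.0" #1: STATE_MAIN_I1: initiate
Aug 12 22:17:01 qh ipsec__plutorun: 004 "gate.local-net.192.168.30.0" #1: STATE_MAIN_I4: ISAKMP SA established
Aug 12 22:17:01 qh ipsec__plutorun: 112 "gate.local-net.192.168.30.0" #2: STATE_QUICK_I1: initiate
Aug 12 22:17:01 qh ipsec__plutorun: 010 "gate.local-net.192.168.30.0" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
Aug 12 22:17:01 qh ipsec__plutorun: 031 "gate.local-net.192.168.30.0" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 12 22:17:01 qh ipsec__plutorun: 104 "net.local-net.192.168.20.0" #3: STATE_MAIN_I1: initiate
Aug 12 22:17:01 qh ipsec__plutorun: 010 "net.local-net.192.168.20.0" #3: STATE_MAIN_I1: retransmission; will wait 20s for response
Aug 12 22:17:01 qh ipsec__plutorun: 031 "net.local-net.192.168.20.0" #3: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
"""

# Lines with a 3-digit status code, a quoted conn name and an SA number; the
# "...could not start conn" lines carry no code and are deliberately skipped.
LINE_RE = re.compile(
    r'plutorun: (?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def analyse(log_text):
    """Per connection: did Phase 1 / Phase 2 complete, and in which state did it stall?"""
    conns = defaultdict(lambda: {"phase1": False, "phase2": False,
                                 "stalled_in": None, "retransmissions": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec, msg = conns[m["conn"]], m["msg"]
        if "ISAKMP SA established" in msg:
            rec["phase1"] = True      # Main Mode done: peer reachable, authentication OK
        elif "IPsec SA established" in msg:
            rec["phase2"] = True      # Quick Mode done: the tunnel is actually up
        elif "retransmission;" in msg:
            rec["retransmissions"] += 1
        elif "max number of retransmissions" in msg:
            rec["stalled_in"] = re.search(r"STATE_\w+", msg).group(0)
    return dict(conns)

def diagnose(rec):
    """Map one connection record to the layer to check first."""
    if rec["phase2"]:
        return "up"
    if rec["phase1"]:
        return ("phase2-failed: Main Mode finished, so keys and reachability are fine; "
                "compare left/rightsubnet and ESP proposals on both peers")
    return ("phase1-failed: no ISAKMP SA; check UDP 500 reachability, "
            "peer identity and the RSA keys on both sides")

if __name__ == "__main__":
    for name, rec in analyse(SAMPLE_LOG).items():
        print(f"{name}: stalled in {rec['stalled_in']} -> {diagnose(rec)}")
```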

Rod

Re: IPsec
« Reply #2 on: August 13, 2002, 08:58:39 AM »
Quick 'bandaid' in the short term to get you progressing.
edit /etc/e-smith/templates/etc/ipsec.secrets/10RSAKey
look for
        @args = ("/usr/lib/ipsec/ipsec", "rsasigkey", "2048");
        $result .= /usr/lib/ipsec/ipsec rsasigkey 2048;
and change them to read
        @args = ("/usr/local/lib/ipsec/ipsec", "rsasigkey", "2048");
        $result .= /usr/local/lib/ipsec/ipsec rsasigkey 2048;


then run /sbin/e-smith/signal-events ipsec-install

this will resolve the path issue.

I'm still working on the connection so not 100% sure if this is the only problem.
My isp kills routing from a backup dial in account to local adsl accounts, not impressed.
Rod

Lloyd Keen

Re: IPsec
« Reply #3 on: August 13, 2002, 10:43:49 AM »
Thanks Rod,
I'd worked out how to mod the 10RSAkeysig file but didn't know to do the signal-event ipsec-install. That appeared to copy the key directly into the e-smith configuration file, but still no luck connecting. I seem to recall messages about pluto not running?? Also, when I manually run the _updown script I get the following error message.
[root@sme root]# /usr/local/lib/ipsec/_updown
/usr/local/lib/ipsec/_updown: unknown interface version '