[Openswan Users] Site-2-site vpn "No KLIPS support"
Jakub Sobczak
2012-10-05 13:49:02 UTC
Hi,

I hit the wall with finding a solution to a sudden problem which came up
several minutes ago. The tunnel was working and when I did:

"service ipsec restart"

it suddenly crashed and shows this:

service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.23...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
I really need KLIPS. I tried reinstalling (apt-get install
openswan-modules-*) and... nothing.

Any help will be appreciated! Thanks in advance!

Regards
Jakub
Jakub Sobczak
2012-10-05 14:38:39 UTC
Hi,

I just enabled netkey and everything seems fine, but I now have a different
problem...

The gateway of the other company is behind NAT and Openswan shows:

003 "company" #5: we require peer to have ID 'PUBLIC_IP_ADDRESS', but peer declares 'PRIVATE_IP_ADDRESS'

How do I get past this problem?


Regards
Jakub
Jakub Sobczak
2012-10-05 16:38:20 UTC
Thanks,

I added rightid=PUBLIC_IP_ADDRESS and it seems to be working.
I also did "ipsec auto --rereadsecrets" because I put in new keys, but the
tunnel has still failed to set up.

I am supposed to use DH group 2, so I figured I have to set modp1024; is
that correct?
They told me to set it this way (IKE phase 1):

conn abc
#General
keyingtries=1
auto=start
#IKE Params
authby=secret
keyexchange=ike
ikelifetime=8h
ike=aes256-sha1-modp1024
#IPSec Params
type=tunnel
auth=esp
pfs=yes
compress=no
keylife=60m
esp=aes256-sha1
left=my-gw-ip
leftsubnet=my-subnet
leftnexthop=my-next-hop-ip
rightid=public-ip
right=remote-gw-ip
rightsubnet=some-remote-subnet
rightnexthop=%defaultroute


Regards
Jakub
Post by Jakub Sobczak
003 "company" #5: we require peer to have ID 'PUBLIC_IP_ADDRESS', but
peer declares 'PRIVATE_IP_ADDRESS'
On the unit behind NAT, assuming in that config file they are "left",
add leftid=publicip.
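As an added example (not code from this thread or from the Openswan project), the following Python script ties the two symptoms of the thread to the configuration edits suggested in it. It reads ipsec_setup/pluto output for the KLIPS-to-NETKEY fallback and for the "we require peer to have ID ... but peer declares ..." mismatch, parses the flat key=value ipsec.conf layout shown in the conn above, and reports the matching changes: protostack=netkey in config setup, rightid on this side and leftid on the peer behind NAT. The log lines and the ipsec.conf text are constructed samples using documentation-range addresses; note that the real pluto message is one line, unlike the wrapped copy in the mail.

```python
import re

# Constructed sample ipsec_setup/pluto output, modelled on the messages quoted
# in the thread. The addresses are documentation-range placeholders.
SAMPLE_LOG = """\
ipsec_setup: Starting Openswan IPsec 2.6.23...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
003 "company" #5: we require peer to have ID '203.0.113.10', but peer declares '10.0.0.5'
"""

# Constructed ipsec.conf in the style of the conn posted in the thread, with
# protostack=klips and no rightid so the checker has something to report.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    protostack=klips

conn company
    #IKE Params
    authby=secret
    keyexchange=ike
    ike=aes256-sha1-modp1024
    #IPSec Params
    esp=aes256-sha1
    pfs=yes
    left=198.51.100.1
    leftsubnet=192.168.1.0/24
    right=203.0.113.10
    rightsubnet=192.168.2.0/24
    auto=start
"""

# pluto's ID-mismatch line: status code, quoted conn name, state number, text.
ID_MISMATCH_RE = re.compile(
    r'^\d{3} "(?P<conn>[^"]+)" #\d+: '
    r"we require peer to have ID '(?P<expected>[^']+)', "
    r"but peer declares '(?P<declared>[^']+)'$"
)


def parse_ipsec_conf(text):
    """Parse 'config setup' and 'conn NAME' sections into {section: {key: value}}.

    Comments (#...) and blank lines are ignored. This covers only the flat
    key=value layout seen in the thread, not 'include' or 'also=' directives.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("config setup"):
            current = "setup"
            sections[current] = {}
        elif line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def find_id_mismatches(log_text):
    """Return one dict (conn, expected, declared) per peer-ID mismatch line."""
    return [m.groupdict() for m in map(ID_MISMATCH_RE.match, log_text.splitlines()) if m]


def klips_fell_back(log_text):
    """True if ipsec_setup reported falling back from KLIPS to NETKEY."""
    return any("No KLIPS support found" in line for line in log_text.splitlines())


def suggest_fixes(conf_text, log_text):
    """Cross-check the log against ipsec.conf and return the concrete edits to make."""
    conf = parse_ipsec_conf(conf_text)
    fixes = []
    if klips_fell_back(log_text) and conf.get("setup", {}).get("protostack") != "netkey":
        fixes.append("config setup: set protostack=netkey (the running kernel has no KLIPS)")
    for m in find_id_mismatches(log_text):
        msg = (f"conn {m['conn']}: peer declares '{m['declared']}' but we require "
               f"'{m['expected']}'; on the peer behind NAT set leftid={m['expected']}")
        # Pin the expected ID explicitly here as well if it is only implied by right=.
        if "rightid" not in conf.get(m["conn"], {}):
            msg += f", and here set rightid={m['expected']}"
        fixes.append(msg)
    return fixes


if __name__ == "__main__":
    for fix in suggest_fixes(SAMPLE_CONF, SAMPLE_LOG):
        print(fix)
```

Run it against real output by replacing SAMPLE_LOG with the text of /var/log/auth.log (or wherever pluto logs on the box) and SAMPLE_CONF with /etc/ipsec.conf; the parser deliberately stops at the flat layout used in the thread, so a configuration split across include files needs to be concatenated first.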