Hi everyone,
now it's almost working (after changing the connection to be added only and starting it manually). Everything seems O.K., no more errors, a route to the private LAN on the other side gets set up via the external interface, but when I ping an address in that LAN, it's routed over the internet and naturally some router tells me "destination host unreachable".
As I've read, there is no interface ipsec0 in 2.6 any more - is there a way to find out if a connection is up or not?
Besides that - are there any good alternatives to freeswan? In my opinion the configuration and the log entries of freeswan are infeasible (like: "...could not start conn "VPN_Server" " without giving any reasons even in the highest debug level).
Greetings,
Ralf
Ralf Ronneburger wrote:
Hi Engelbert,
engelbert.gruber@ssg.co.at wrote:
add leftnexthop and rightnexthop even if they are the default gateway.
thanks, this helped, although I don't understand why it's needed (as both IPs are public and I never had to use left/rightnexthop before on any connection). But I still get an error, that the connection can't be started (line 4):
Oct 7 15:45:43 vpn_clnt pluto[23040]: loading secrets from "/etc/ipsec.secrets"
Oct 7 15:45:43 vpn_clnt pluto[23040]: "VPN_Server" #1: initiating Main Mode
Oct 7 15:45:43 vpn_clnt ipsec__plutorun: 104 "VPN_Server" #1: STATE_MAIN_I1: initiate
Oct 7 15:45:43 vpn_clnt ipsec__plutorun: ...could not start conn "VPN_Server"
Oct 7 15:45:44 vpn_clnt pluto[23040]: "VPN_Server" #1: Peer ID is ID_IPV4_ADDR: '217.0.1.1'
Oct 7 15:45:44 vpn_clnt pluto[23040]: "VPN_Server" #1: ISAKMP SA established
Oct 7 15:45:44 vpn_clnt pluto[23040]: "VPN_Server" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Oct 7 15:45:44 vpn_clnt pluto[23040]: "VPN_Server" #2: sent QI2, IPsec SA established {ESP=>0x8c4050ec <0x7f0b7342}
Oct 7 15:45:50 vpn_clnt pluto[23040]: "VPN_Server" #3: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Oct 7 15:45:50 vpn_clnt pluto[23040]: "VPN_Server" #3: sending encrypted notification NO_PROPOSAL_CHOSEN to 217.0.1.1:500
Any ideas about that?
Greetings,
Ralf