<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Paul,<br>
<br>
Some further info. I have another conn with similar symptoms, but there must be a different cause, as in this case right=%any so there is no FQDN involved.<br>
<br>
This is the working conn:<br>
<br>
<pre>conn PaulIn
type=tunnel
authby=secret
dpdtimeout=120
dpddelay=30
auto=add
#left=%defaultroute
#leftnexthop=%defaultroute
#left=howitts.poweredbyclear.com
left=82.19.147.85
leftsourceip=172.17.2.1
leftsubnet=172.17.2.0/24
leftid=@Nick
right=%any
rightsubnet=192.168.30.0/24
salifetime=24h
dpdaction=clear
ikelifetime=24h
ike=aes256-sha1;modp2048
phase2alg=aes256-sha1
rekey=no</pre>
<br>
and this one does not:<br>
<br>
<pre>conn PaulIn
type=tunnel
authby=secret
dpdtimeout=120
dpddelay=30
auto=add
left=%defaultroute
leftsourceip=172.17.2.1
leftsubnet=172.17.2.0/24
leftid=@Nick
right=%any
rightsubnet=192.168.30.0/24
salifetime=24h
dpdaction=clear
ikelifetime=24h
ike=aes256-sha1;modp2048
phase2alg=aes256-sha1
rekey=no
leftnexthop=%defaultroute</pre>
giving the error message:<br>
<br>
<pre>Sep 21 18:08:45 server pluto[26816]: packet from 88.104.27.88:500: initial Main Mode message received on 82.19.147.85:500 but no connection has been authorized with policy=PSK</pre>
In this case "ipsec auto --status" gives:<br>
<br>
<pre>[root@server ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 82.19.147.85
000 interface eth0/eth0 82.19.147.85
000 interface eth1/eth1 172.17.2.1
000 interface eth1/eth1 172.17.2.1
000 interface tun0/tun0 10.8.0.1
000 interface tun0/tun0 10.8.0.1
000 interface tun1/tun1 10.8.10.1
000 interface tun1/tun1 10.8.10.1
000
000 FIPS=disabled
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto
000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec, libexecdir=/usr/libexec/ipsec
000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=&lt;any&gt;
000 secctx_attr_value=0
000 %myid = (none)
000 debug none
000
000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 1 subnet: 172.17.2.0/24
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "MumIn": 172.17.2.0/24===82.19.147.85[@Nick]---82.19.147.1...82.30.103.217&lt;82.30.103.217&gt;===192.168.10.0/24; erouted; eroute owner: #4
000 "MumIn": oriented; my_ip=172.17.2.1; their_ip=unset;
000 "MumIn": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
000 "MumIn": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
000 "MumIn": labeled_ipsec:no, loopback:no;
000 "MumIn": policy_label:unset;
000 "MumIn": ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "MumIn": sha2_truncbug:no; initial_contact:no; cisco_unity:no;
000 "MumIn": policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
000 "MumIn": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
000 "MumIn": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:no; nat_keepalive:yes;
000 "MumIn": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "MumIn": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14)
000 "MumIn": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
000 "MumIn": IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
000 "MumIn": ESP algorithms wanted: AES(12)_256-MD5(1)_000, AES(12)_256-SHA1(2)_000
000 "MumIn": ESP algorithms loaded: AES(12)_256-MD5(1)_128, AES(12)_256-SHA1(2)_160
000 "MumIn": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=&lt;Phase1&gt;
000 "PaulIn": 172.17.2.0/24===82.19.147.85&lt;82.19.147.85&gt;[@Nick]...%any===192.168.30.0/24; unrouted; eroute owner: #0
000 "PaulIn": oriented; my_ip=172.17.2.1; their_ip=unset;
000 "PaulIn": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
000 "PaulIn": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
000 "PaulIn": labeled_ipsec:no, loopback:no;
000 "PaulIn": policy_label:unset;
000 "PaulIn": ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "PaulIn": sha2_truncbug:no; initial_contact:no; cisco_unity:no;
000 "PaulIn": policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
000 "PaulIn": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
000 "PaulIn": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:no; nat_keepalive:yes;
000 "PaulIn": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "PaulIn": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14)
000 "PaulIn": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
000 "PaulIn": ESP algorithms wanted: AES(12)_256-SHA1(2)_000
000 "PaulIn": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "PaulIn"[1]: 172.17.2.0/24===82.19.147.85&lt;82.19.147.85&gt;[@Nick]...88.104.27.88===192.168.30.0/24; erouted; eroute owner: #2
000 "PaulIn"[1]: oriented; my_ip=172.17.2.1; their_ip=unset;
000 "PaulIn"[1]: xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
000 "PaulIn"[1]: modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
000 "PaulIn"[1]: labeled_ipsec:no, loopback:no;
000 "PaulIn"[1]: policy_label:unset;
000 "PaulIn"[1]: ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "PaulIn"[1]: sha2_truncbug:no; initial_contact:no; cisco_unity:no;
000 "PaulIn"[1]: policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
000 "PaulIn"[1]: prio: 24,24; interface: eth0; metric: 0, mtu: unset;
000 "PaulIn"[1]: dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:no; nat_keepalive:yes;
000 "PaulIn"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "PaulIn"[1]: IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14)
000 "PaulIn"[1]: IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
000 "PaulIn"[1]: IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
000 "PaulIn"[1]: ESP algorithms wanted: AES(12)_256-SHA1(2)_000
000 "PaulIn"[1]: ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "PaulIn"[1]: ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=&lt;Phase1&gt;
000
000 Total IPsec connections: loaded 3, active 2
000
000 State list:
000
000 #4: "MumIn":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3375s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "MumIn" esp.33658550@82.30.103.217 esp.1754e4e5@82.19.147.85 tun.0@82.30.103.217 tun.0@82.19.147.85 ref=0 refhim=4294901761 Traffic: ESPin=470B ESPout=32B! ESPmax=4194303B
000 #3: "MumIn":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28575s; newest ISAKMP; lastdpd=0s(seq in:5591 out:0); idle; import:not set
000 #2: "PaulIn"[1] 88.104.27.88:500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3374s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "PaulIn"[1] 88.104.27.88 esp.d719bc1e@88.104.27.88 esp.284d6cf6@82.19.147.85 tun.0@88.104.27.88 tun.0@82.19.147.85 ref=0 refhim=4294901761 Traffic: ESPin=235B ESPout=32B! ESPmax=4194303B
000 #1: "PaulIn"[1] 88.104.27.88:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28573s; newest ISAKMP; lastdpd=0s(seq in:0 out:0); idle; import:not set
000
000 Shunt list:
000</pre>
<br>
and FWIW, "service ipsec status" always gives:<br>
<br>
<pre>[root@server ~]# service ipsec status
ipsec: pluto is stopped</pre>
I thought we'd seen this one before and fixed it.<br>
<br>
Regards,<br>
<br>
Nick<br>
<br>
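As an added example (not code from this thread or from libreswan), here is a small Python triage helper for the log line above: it reads the topology and policy lines of the "Connection list" section of <tt>ipsec auto --status</tt> and reports, for the packet's source and receiving address, which loaded conns could have accepted it (same local address, policy containing PSK, remote either %any or the source IP) and why the others could not. The embedded status lines are a constructed, trimmed copy of the output quoted above; the three matching rules are a simplification for triage, not pluto's actual lookup.<br>

```python
import re

# Constructed sample: the 'Connection list' lines this check needs, copied from
# the status output in this thread and trimmed to two lines per conn.
STATUS = """\
000 "MumIn": 172.17.2.0/24===82.19.147.85[@Nick]---82.19.147.1...82.30.103.217<82.30.103.217>===192.168.10.0/24; erouted; eroute owner: #4
000 "MumIn": policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
000 "PaulIn": 172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...%any===192.168.30.0/24; unrouted; eroute owner: #0
000 "PaulIn": policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
000 "PaulIn"[1]: 172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...88.104.27.88===192.168.30.0/24; erouted; eroute owner: #2
000 "PaulIn"[1]: policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
"""

# The pluto log line quoted in the thread.
LOG = ("Sep 21 18:08:45 server pluto[26816]: packet from 88.104.27.88:500: "
       "initial Main Mode message received on 82.19.147.85:500 but no "
       "connection has been authorized with policy=PSK")

NAME_RE = re.compile(r'^000 "([^"]+)"(\[\d+\])?: (.*)$')  # 000 "conn"[n]: rest
HOST_RE = re.compile(r'[^<\[\-]+')  # address before <addr>, [id] or ---nexthop
LOG_RE = re.compile(r'packet from (\S+):\d+: .* received on (\S+):\d+ .* policy=(\w+)')

def parse_conns(status):
    """Return {name: {'local', 'remote', 'routing', 'policy'}} from the connection list."""
    conns = {}
    for line in status.splitlines():
        m = NAME_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1) + (m.group(2) or ""), m.group(3)
        entry = conns.setdefault(name, {})
        if "===" in rest:  # topology: leftsubnet===local...remote===rightsubnet; routing; ...
            _, hosts, tail = rest.split("===", 2)
            local, remote = hosts.split("...", 1)
            entry["local"] = HOST_RE.match(local).group(0)
            entry["remote"] = HOST_RE.match(remote).group(0)
            entry["routing"] = tail.split(";")[1].strip()
        elif rest.startswith("policy: "):
            entry["policy"] = set(rest[len("policy: "):].rstrip(";").split("+"))
    return conns

def candidates(status, log_line):
    """Map each conn to None if it could have accepted the packet, else the reason it could not."""
    src, dst, auth = LOG_RE.search(log_line).groups()
    verdict = {}
    for name, c in parse_conns(status).items():
        if c["local"] != dst:
            verdict[name] = f"local end {c['local']} is not the receiving address {dst}"
        elif auth not in c["policy"]:
            verdict[name] = f"policy lacks {auth}"
        elif c["remote"] not in ("%any", src):
            verdict[name] = f"remote end is {c['remote']}, packet came from {src}"
        else:
            verdict[name] = None
    return verdict
```

On the status quoted above it rejects MumIn on its remote end (82.30.103.217) and clears both PaulIn and PaulIn[1], which is exactly the contradiction this message reports to Paul.<br>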
<div class="moz-cite-prefix">On 21/09/2013 16:20, Nick Howitt wrote:<br>
</div>
<blockquote cite="mid:523DB954.1070104@gmail.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
Hi Paul,<br>
<br>
<div class="moz-cite-prefix">On 21/09/2013 14:59, Paul Wouters
wrote:<br>
</div>
<blockquote
cite="mid:alpine.LFD.2.10.1309210957180.3895@bofh.nohats.ca"
type="cite"> <br>
On Sat, 21 Sep 2013, Nick Howitt wrote: <br>
<br>
<blockquote type="cite">I have compiled 3.6rc1 without
FIPSCHECK, whatever that is, and I am struggling with a conn. <br>
<br>
Because of bug 86 I use a conn like: <br>
<pre>conn MumIn
type=tunnel
authby=secret
dpdtimeout=120
dpddelay=30
auto=add
#left=%defaultroute
#leftnexthop=%defaultroute
#left=howitts.poweredbyclear.com
left=82.19.147.85
leftsourceip=172.17.2.1
leftsubnet=172.17.2.0/24
leftid=@Nick
right=damim.dtdns.net
rightsubnet=192.168.10.0/24
salifetime=24h
dpdaction=clear
ikelifetime=24h
ike=aes256-sha1;modp2048
phase2alg=aes256
rekey=no</pre>
</blockquote>
<br>
Could you put an IP for right= instead of damim.dtdns.net and
see if it matters? Also change ipsec.secrets so the PSK is found? <br>
</blockquote>
With right=IP it works. ipsec.secrets does not matter as I use
%any.<br>
<blockquote
cite="mid:alpine.LFD.2.10.1309210957180.3895@bofh.nohats.ca"
type="cite"> <br>
Can you show me ipsec auto --status when the conn is loaded and
giving: <br>
<br>
<blockquote type="cite"><pre>Sep 21 12:14:49 server pluto[20435]: packet from 82.30.103.217:500: initial Main Mode message received on 82.19.147.85:500 but no connection has been authorized with policy=PSK</pre>
</blockquote>
</blockquote>
Do you still want "ipsec auto --status"? Or do you want it with
right=FQDN?
<blockquote
cite="mid:alpine.LFD.2.10.1309210957180.3895@bofh.nohats.ca"
type="cite"> <br>
<blockquote type="cite">I've also thrown up another bug. In
ipsec.conf I have the usual "include
/etc/ipsec.d/ipsec.*.conf", but this loads
ipsec.unmanaged.MumIn.conf and ipsec.unmanaged.MumIn.conf1 (I
usually append 1 or something to a file name to temporarily
remove it from the equation). It correctly does not load
ipsec.unmanaged.MumIn.con1. <br>
</blockquote>
<br>
Odd. I'll try and reproduce. <br>
</blockquote>
Thinking about it, scrub this one. I think I know why I'm seeing
it. It may be a bug in our webconfig code.<br>
<blockquote
cite="mid:alpine.LFD.2.10.1309210957180.3895@bofh.nohats.ca"
type="cite"> <br>
Paul <br>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>