The UNIX and Linux Forums  
Old 07-02-2006
Registered User
 

Join Date: Aug 2005
Posts: 3
VPN problem using IPsec in MontaVista Linux

Hi Friends,
My router is a small device with a Linux OS (MontaVista Linux),
so we can't install any new software on that.
I checked that the openssl and ipsec modules are installed.

Then I tried to create a VPN connection for my router.

I got this error when starting the ipsec service (that is, vpn start):

Jul 1 21:25:05 (none) pluto[5358]: listening for IKE messages
Jul 1 21:25:05 (none) pluto[5358]: adding interface ipsec0/ppp1000 222.228.172.225:500
Jul 1 21:25:05 (none) pluto[5358]: loading secrets from "/etc/ipsec.secrets"
Jul 1 21:25:05 (none) pluto[5358]: loaded private key file '/etc/ipsec.d/private/hostkey.pem' (887 bytes)
Jul 1 21:25:05 (none) pluto[5358]: "roadwarrior": cannot route template policy of RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
Jul 1 21:25:05 (none) pluto[5358]: "roadwarrior-net": cannot route template policy of RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
Jul 1 21:25:06 (none) pluto[5358]: "roadwarrior": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Jul 1 21:25:06 (none) pluto[5358]: "roadwarrior-net": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)

What could the error be? I can't find where the error has arisen.

How do I fix this error:
"roadwarrior-net": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)

Help me please...


This is my configuration, ipsec.conf:
==========================
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior
conn roadwarrior
        left=%defaultroute
        leftcert=hostcert.pem
        right=%any
        rightcert=CLIENTcert.pem
        auto=start
        pfs=yes
conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore

Regards
govind.
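The CK_TEMPLATE messages in the log above follow from right=%any combined with auto=start: a conn whose peer address is unknown is a template that pluto can only instantiate when a client connects, so the gateway side of a roadwarrior conn wants auto=add. As an added example (not from the thread or from Openswan), this Python check parses an ipsec.conf as pasted, resolves also= and %default inheritance, and reports conns that pluto would refuse to initiate; the embedded config is a constructed excerpt of the one posted.

```python
# Added example for this thread, not Openswan code: lint ipsec.conf for conns pluto
# cannot initiate.  right=%any makes a conn a template (kind=CK_TEMPLATE) that is only
# instantiated when a peer connects, so auto=start on it fails exactly as logged above.
# Constructed excerpt of the posted config, with the indentation ipsec.conf requires.
IPSEC_CONF = """\
conn %default
        authby=rsasig
conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior
conn roadwarrior
        left=%defaultroute
        right=%any
        auto=start
"""

def parse_conf(text):
    """Map conn name -> {key: value}; indentation is ignored so flattened pastes parse."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("conn ", "config ")):
            kind, name = line.split(None, 1)
            current = sections.setdefault(name, {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "also":                     # may repeat; keep every include
                value = (current.get("also", "") + " " + value).strip()
            current[key] = value
    return sections

def resolve(name, sections, seen=()):  # own keys, then also= targets in order, then %default
    if name in seen:
        raise ValueError("also= loop through " + name)
    params = dict(sections.get(name, {}))
    for target in params.get("also", "").split():
        for key, value in resolve(target, sections, seen + (name,)).items():
            params.setdefault(key, value)
    for key, value in sections.get("%default", {}).items():
        params.setdefault(key, value)
    params.pop("also", None)
    return params

def lint(text):  # conns pluto would refuse to initiate: template peer with auto=start
    sections = parse_conf(text)
    effective = {n: resolve(n, sections) for n in sections if n != "%default"}
    return [n for n, p in effective.items()
            if p.get("right") == "%any" and p.get("auto") == "start"]
```

Run against the posted config, lint reports both "roadwarrior-net" and "roadwarrior", matching the two pluto log lines; changing auto=start to auto=add clears both.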
Old 07-03-2006
tayyabq8's Avatar
UNIX Hobbyist
 

Join Date: Nov 2004
Location: /World/Asia/MiddleEast/Kuwait/Salmiya
Posts: 532
Can you please post your network diagram, which describes your default route, the router's IP address, your network addresses and subnet masks, as well as the router's configuration. Also, how are users trying to connect to you?

Regards,
Tayyab
Old 07-04-2006
Registered User
 

Join Date: Aug 2005
Posts: 3
The network is like this:
(my LAN network) -> router --> Internet --> my laptop


router IP address: 222.228.172.225 (ppp1000)
LAN local IP for router: 192.168.1.1 (eth1)

Until now, nobody has connected to the router through VPN.

I tried to start the VPN connection on my router (ipsec auto --up roadwarrior), then I got the above error.

Please help me, I am so frustrated with this VPN concept.

If you need any more details, please reply to me.

Regards
Govind.


This is my ifconfig result:
-----------------------
eth0      Link encap:Ethernet  HWaddr 00:30:13:46:11:56
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:948451 errors:0 dropped:0 overruns:0 frame:0
          TX packets:952953 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:89821438 (85.6 MiB)  TX bytes:91916910 (87.6 MiB)
          Interrupt:72 Base address:0x1400
eth1      Link encap:Ethernet  HWaddr 00:30:13:46:11:57
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:10680 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8952 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2616344 (2.4 MiB)  TX bytes:1329642 (1.2 MiB)
          Interrupt:73 Base address:0x1700
ipsec0    Link encap:Point-Point Protocol
          inet addr:222.228.172.225  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ipsec1    Link encap:UNSPEC  HWaddr D4-2A-24-DC-46-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ipsec2    Link encap:UNSPEC  HWaddr D4-2A-24-DC-46-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ipsec3    Link encap:UNSPEC  HWaddr D4-2A-24-DC-46-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:100 (100.0 B)  TX bytes:100 (100.0 B)
ppp1000   Link encap:Point-Point Protocol
          inet addr:222.228.172.225  P-t-P:163.139.127.55  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1454  Metric:1
          RX packets:948285 errors:0 dropped:0 overruns:0 frame:0
          TX packets:952789 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:68948528 (65.7 MiB)  TX bytes:67133829 (64.0 MiB)


The ipsec verify output is:
--------------------
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.3.1 (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
hostname: guardian24: Unknown host
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Old 07-04-2006
tayyabq8's Avatar
UNIX Hobbyist
 

Join Date: Nov 2004
Location: /World/Asia/MiddleEast/Kuwait/Salmiya
Posts: 532
Could you please post your /etc/ipsec.secrets file here. Also, why do you want an IPsec VPN connection, i.e. which services on your LAN do you want to access through your roadwarrior connection, as well as your FQDN (Fully Qualified Domain Name), so that I can send you all the steps needed to generate shared keys and the configuration of your ipsec.conf file.

Let me tell you that you'll have to work hard to get your IPsec VPN connection, since it's not a very easy thing to configure without the basic concepts, but if you are able to provide me all the above details I might help you to accomplish what you need.

Regards,
Tayyab
Old 07-04-2006
Registered User
 

Join Date: Aug 2005
Posts: 3
Hi Tayyab,

Thanks for your nice replies...,

I want to use VPN to access the internal (LAN) servers behind the router from a remote place (internet).

Our DNS server is apollon.artemis-it.com
router's FQDN - guardian24.artemis-it.com

These are the contents of the ipsec.secrets file:
--------------------------------------
: RSA hostkey.pem
# do not change the indenting of that "}"


I created my own CA certificate with the following settings in openssl.conf:

# req_extensions = v3_req
[ root_ca_distinguished_name ]
commonName = MDA-VPN
countryName = JP
stateOrProvinceName = Ikebukuro
localityName = Tokyo
0.organizationName = Artemis
emailAddress = govindaraj@security24.jp


Commands used to create the certificates:
--------------------------------
CA:
openssl req -x509 -nodes -days 365 -newkey rsa -keyout /etc/sslca/private/cakey.pem -out /etc/sslca/ca/cacert.pem -config /etc/openssl.conf

host:
openssl req -nodes -newkey rsa -keyout /etc/sslca/private/hostkey.pem -out /etc/sslca/certs/hostreq.pem -config /etc/openssl.conf
openssl ca -days 365 -batch -notext -in /etc/sslca/certs/hostreq.pem -out /etc/sslca/certs/hostcert.pem -config /etc/openssl.conf



bye
govind.