xelerance / Openswan


How to resolve: cannot initiate connection with ID wildcards (kind=CK_TEMPLATE) #435

Open adamgajzlerowicz opened 4 years ago

adamgajzlerowicz commented 4 years ago

I spent several days now trying to connect to a VPN server. I am running openswan 2.6.51.5-1 on Arch Linux. I followed the Arch Linux documentation and tried various resources on the internet.

I don't understand what this error means.

Apr 18 12:56:16 archtop pluto[85545]: "foo": cannot initiate connection with ID wildcards (kind=CK_TEMPLATE)

My ipsec.conf is:

version 2.0

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
    protostack=netkey

conn foo
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.0.17
    leftprotoport=17/%any
    right=foo.com
    rightprotoport=17/1701

ipsec.secrets

192.168.0.17 foo.com : PSK "xxxxxxxxx"

xl2tpd.conf

[lac vpn-connection]
lns = foo.com
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

options.l2tpd.client

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name user.name
password myPassFoo

I then run this command to initiate the connection

systemctl restart openswan; systemctl restart xl2tpd; ipsec auto --add foo; sleep 2; ipsec auto --up foo

Which returns

002 "foo": deleting connection
002 adding connection: "foo"
031 "foo": cannot initiate connection with ID wildcards (kind=CK_TEMPLATE)

Any help will be appreciated. Thank you.

Bidski commented 3 years ago

I am also getting this error. What does it mean?

adamgajzlerowicz commented 3 years ago

After days of struggle I ended up installing GNOME, which contains NetworkManager and nmcli. I used GNOME to configure the connection. I also needed to tweak the connection file in /etc/NetworkManager/system-connections/xxx to store the password.

After that I was able to use the terminal to start and stop the VPN connection with nmcli c up xxx

mcr commented 3 years ago

I don't know what Adam did, but it appears that he set up an XL2TP server rather than a client at the beginning.

Bidski commented 3 years ago

This is still an issue for me. I keep getting this error and I don't know what it means or how to debug it. Should I open another issue or post to the mailing list?

031 "foo": cannot initiate connection with ID wildcards (kind=CK_TEMPLATE)

WakkeWang commented 3 years ago

Any updates?

dosssman commented 1 year ago

Hello there.

Sorry for the necrobump. I have stumbled upon a similar problem and here is what made it work for me. Hopefully it can be of some use to someone else. I am using Arch Linux, with openswan 3.0.0. This is based on this article.

For the VPN, I am given:

Regarding the wildcard ID, here is what I think makes it work: in /etc/ipsec.conf, one needs to specify the rightid such that rightid = <vpn server private ip address on the local network>. Also, this might not be necessary, but unlike the original poster, I used ipsec auto --up L2TP-PSK.

Here are the config files for reference and the overall procedure I followed for further reference:

- /etc/ipsec.conf

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute # Replace with your local IP address (private, behind NAT IP is okay as well)
    leftprotoport=17/1701
    right= # Put the VPN Server's IP here
    rightid= # Put the VPN Server's Private IP on the lo


- /etc/ipsec.secrets

0.0.0.0 : PSK "psk preshared key"


- /etc/xl2tpd/xl2tpd.conf

[lac my-vpn]
; set this to the ip address of your vpn server
lns =
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes


- /etc/ppp/options.xl2tpd.client

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
logfile /var/log/xl2tpd.log
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name
password


- start or restart the required services (restart is important in case any change happened to the config files above)

systemctl start openswan && systemctl start xl2tpd
ipsec auto --up L2TP-PSK # This ipsec usage depends on which version: Openswan 3.0.0 in this case.


- Connect to the vpn using

echo "c my-vpn" > /var/run/xl2tpd/l2tpd-control

Note: use the name defined in the xl2tpd.conf file earlier

- At this point, calling `ip a` or `ifconfig` should show a new interface `ppp0` for the VPN tunnel. Also note the IP address of this interface, which we denote XXX.XXX.XXX.XXX, which will be used later for routing.

- We can further make sure of the tunnel working by pinging the `rightid` address that was passed in the /etc/ipsec.conf file. There should be no response in case one tries to ping any other address on the local network the VPN leads to.

- Add routing of queries to the subnet on the other side of the VPN to pass through the tunnel:

Assume XXX.XXX.XXX.XXX is the address range of the subnet / local network, and DD the corresponding subnet mask

Let YYY.YYY.YYY.YYY be the IP of the ppp0 interface.

ip route add XXX.XXX.XXX.XXX via YYY.YYY.YYY.YYY


- Disconnecting the VPN and shutting down the related services

echo "d my-vpn" > /var/run/xl2tpd/l2tpd-control
systemctl stop xl2tpd; systemctl stop openswan



Best regards.
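As an added illustration, not code from this thread or from the Openswan project: a small Python lint that parses an ipsec.conf in the shape posted above and reports the settings that make a conn a template, which pluto then refuses to initiate with the CK_TEMPLATE error. The three rules it applies (a %any or unset right, a %any port in a protoport, a wildcard in an id) are this example's reading of that behaviour, and the sample conn is reconstructed from the original report.

```python
# Added lint for "cannot initiate connection with ID wildcards (kind=CK_TEMPLATE)".
# A conn containing a wildcard is a template that only the peer can instantiate,
# so "ipsec auto --up" on it fails. Rules below are this example's assumption.

def parse_ipsec_conf(text):
    """Return {section: {key: value}}. Section headers ("config setup", "conn X")
    start in column 0; settings are indented key=value lines; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def template_reasons(conn):
    """List the settings that would make this conn a CK_TEMPLATE ([] if none)."""
    reasons = []
    if conn.get("right", "") in ("", "%any"):
        reasons.append("right is unset or %any: peer address is a wildcard")
    for side in ("left", "right"):
        protoport = conn.get(side + "protoport", "")
        if protoport.endswith("/%any"):
            reasons.append(f"{side}protoport={protoport} uses a wildcard port")
        ident = conn.get(side + "id", "")
        if "*" in ident or ident == "%any":
            reasons.append(f"{side}id={ident} contains an ID wildcard")
    return reasons

def lint(text):
    """Map every conn (except %default) to its template reasons."""
    return {name: template_reasons(body)
            for name, body in parse_ipsec_conf(text).items()
            if name.startswith("conn ") and name != "conn %default"}

# Constructed sample: the conn from the original report, trimmed to the relevant keys.
SAMPLE = """\
conn foo
    type=transport
    left=192.168.0.17
    leftprotoport=17/%any
    right=foo.com
    rightprotoport=17/1701
"""
```

Running `lint(SAMPLE)` flags only the %any port on the left side; a conn with fixed ports, a concrete right and a plain rightid returns an empty list.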