[Swan] dev lo route error

Nick Howitt n1ck.h0w1tt at gmail.com
Sun Jan 6 18:58:13 EET 2013


I'm in a bit of a mess here and I cannot get the conn to load at all to 
test. Using the command below I get:

[root at server src]# /usr/libexec/ipsec/addconn --verbose MumIn
opening file: /etc/ipsec.conf
debugging mode enabled
including file '/etc/ipsec.d/ipsec.*.conf'(/etc/ipsec.d/ipsec.*.conf) 
from line /etc/ipsec.conf:36
Loading default conn
starter: case KH_NOTSET: empty
starter: case KH_NOTSET: empty
Loading conn David
starter: check what we need to do for 'howitts.poweredbyclear.com'
starter: ttoaddr_num failed, not numeric 'howitts.poweredbyclear.com'
starter: Resolved to howitts.poweredbyclear.com !
starter: check what we need to do for  '88.98.137.158'
loading named conns: MumIn(notfound)[root at server src]#

The ttoaddr error is coming from another conn (David) which I'm not 
trying to load. In that conn David if I change left to %defaultroute the 
3 "howitts.poweredbyclear.com" errors go away but I don't see why MumIn 
is not found. My ipsec.conf is:

version 2.0

# Default policy
#---------------

config setup
     interfaces=%defaultroute
     plutodebug=none
     klipsdebug=none
     oe=no
     protostack=netkey
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24


conn %default
     type=tunnel
     authby=secret

# Tunnels defined in separate files
#----------------------------------

include /etc/ipsec.d/ipsec.*.conf

And /etc/ipsec.d/ipsec.unmanaged.MumIn.conf is:

conn MumIn
  type=tunnel
  authby=secret
  dpdtimeout=120
  dpddelay=30
  auto=add
  left=%defaultroute
  leftsourceip=192.168.2.1
  leftsubnet=192.168.2.0/24
  leftid=@FromNick
  right=%any
  rightsubnet=192.168.10.0/24
  salifetime=1h
  dpdaction=restart_by_peer
  ikelifetime=8h
  ike=aes256
  phase2alg=aes256

Until I can get these errors to clear, I can't try to reproduce the dev 
lo route error.

As a separate question, the command "ipsec secrets" appears to load 
secrets as before, but I notice we now get new files in the 
installation. Are we forced to use nss now, or is ipsec.*.secrets still OK 
to use?

This is using your RHEL rpm. Having to roll back to the rival for the moment.

Regards,

Nick

On 04/01/2013 17:26, Paul Wouters wrote:
>
> On 01/04/2013 12:13 PM, Nick Howitt wrote:
>> In Oguz Yilmaz's case he appears to have a right specified
>> (right=RIGHT_EXT_IP) and a leftnexthop (leftnexthop=LEFT_EXT_GW) rather
>> than right=%any and no leftnexthop. :(
>
> you can use /usr/libexec/ipsec/addconn --verbose connname to get a 
> verbose output that includes the routes we got back for making the 
> decision.
>
>> We have hit some minor odd issues - ipsec auto --status does not give
>> any info on phase2alg unless it is specified. It may also fail if it is
>> specified with the hash function e.g. aes256-sha1 but I need to test
>> further and my time for testing is very limited. But this should all be
>> for another thread......
>
> I've filed that as https://bugs.libreswan.org/show_bug.cgi?id=53 but I 
> also have not had the time yet to look into this.
>
> Paul
>
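The message above is about a conn that addconn reports as "notfound" even though it sits in a file matched by the include glob. The following script is an added example, not part of the thread and not libreswan's own parser: it walks an ipsec.conf-style configuration, follows `include` globs, records where every `conn`/`config` section starts, and flags lines that would commonly break section parsing. The files it reads are constructed in memory (`FILES`) to stand in for the poster's real files, and the rule it enforces, that a parameter line must be indented and an unindented line ends the current section, is an assumption stated here for illustration; check it against the parser of the version you actually run.

```python
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

# Constructed in-memory stand-in for files on disk (not the poster's real files).
# Note the deliberately unindented virtual_private= line in the setup section.
FILES: Dict[str, str] = {
    "/etc/ipsec.conf": """version 2.0

config setup
     interfaces=%defaultroute
     protostack=netkey
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn %default
     type=tunnel
     authby=secret

include /etc/ipsec.d/ipsec.*.conf
""",
    "/etc/ipsec.d/ipsec.unmanaged.MumIn.conf": """conn MumIn
  type=tunnel
  auto=add
  left=%defaultroute
  right=%any
""",
    "/etc/ipsec.d/ipsec.David.conf": """conn David
  left=example-host.invalid   # placeholder hostname, not a real peer
  right=%any
""",
    # Does not match the ipsec.*.conf glob, so it must stay invisible.
    "/etc/ipsec.d/other.conf": "conn NotIncluded\n  auto=ignore\n",
}

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)$")
INCLUDE_RE = re.compile(r"^include\s+(\S+)$")


def audit(path: str, files: Dict[str, str] = FILES,
          seen: Optional[set] = None) -> Tuple[Dict[str, str], List[str]]:
    """Return (sections, warnings).

    sections maps 'conn NAME' / 'config NAME' to the 'file:line' where it
    starts; warnings lists parse problems found on the way (assumed rules).
    """
    seen = set() if seen is None else seen
    sections: Dict[str, str] = {}
    warnings: List[str] = []
    if path in seen:
        warnings.append(f"{path}: include loop skipped")
        return sections, warnings
    seen.add(path)

    current: Optional[str] = None
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indented = line[0] in " \t"
        stripped = line.strip()

        m = INCLUDE_RE.match(stripped)
        if m and not indented:
            pattern = m.group(1)
            matches = sorted(p for p in files if fnmatch.fnmatch(p, pattern))
            if not matches:
                warnings.append(f"{path}:{lineno}: include '{pattern}' matched no files")
            for sub in matches:
                sub_sections, sub_warnings = audit(sub, files, seen)
                for name in sub_sections:
                    if name in sections:
                        warnings.append(f"{sub}: duplicate section '{name}'")
                sections.update(sub_sections)
                warnings.extend(sub_warnings)
            current = None
            continue

        m = SECTION_RE.match(stripped)
        if m and not indented:
            current = f"{m.group(1)} {m.group(2)}"
            if current in sections:
                warnings.append(f"{path}:{lineno}: duplicate section '{current}'")
            sections[current] = f"{path}:{lineno}"
            continue

        if stripped.startswith("version ") and not indented:
            current = None
            continue

        if "=" in stripped:
            key = stripped.split("=", 1)[0]
            if not indented:
                # Assumed rule: an unindented key=value line ends the section,
                # so everything after it is no longer part of 'current'.
                warnings.append(f"{path}:{lineno}: unindented '{key}=' ends section '{current}'")
                current = None
            elif current is None:
                warnings.append(f"{path}:{lineno}: '{key}=' is outside any section")
            continue

        warnings.append(f"{path}:{lineno}: unrecognised line '{stripped}'")
    return sections, warnings


def find_conn(name: str, path: str = "/etc/ipsec.conf",
              files: Dict[str, str] = FILES) -> Tuple[Optional[str], List[str]]:
    """Locate 'conn NAME' the way an include-following loader would see it."""
    sections, warnings = audit(path, files)
    return sections.get(f"conn {name}"), warnings


if __name__ == "__main__":
    location, warns = find_conn("MumIn")
    print("conn MumIn:", location or "notfound")
    for w in warns:
        print("warning:", w)
```

Running it prints where `conn MumIn` was found and one warning for the unindented `virtual_private=` line; a conn in a file the glob does not match (here `other.conf`) is reported as not found, which is the first thing to rule out when addconn says `(notfound)`.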