[Swan] dev lo route error
Philippe Vouters
philippe.vouters at laposte.net
Sun Jan 6 21:24:03 EET 2013
Nick,
I do not know if this is intentional, but I am used to typing in:
/usr/local/sbin/ipsec addconn --verbose connname
You typed in:
/usr/libexec/ipsec/addconn --verbose MumIn
I do not know if this will make an actual difference, but in my case, I
have not yet incurred any problem.
Here is my attempt to best match your auto=ignore case:
[philippe at victor ~]$ sudo /usr/local/sbin/ipsec addconn --verbose Philippe_PSK
opening file: /etc/ipsec.conf
debugging mode enabled
including file '/etc/ipsec.d/*.conf'(/etc/ipsec.d/*.conf) from line /etc/ipsec.conf:26
Loading conn Philippe_RSA_Fixed_IP
while loading conn 'Philippe_RSA_Fixed_IP' also including 'FIXED_RIGHT_IP'
starter: case KH_DEFAULTROUTE: empty
Loading conn Vladimir_RSA_Fixed_IP
while loading conn 'Vladimir_RSA_Fixed_IP' also including 'FIXED_RIGHT_IP'
starter: case KH_DEFAULTROUTE: empty
Loading conn Philippe_PSK
while loading conn 'Philippe_PSK' also including 'FIXED_RIGHT_IP'
starter: case KH_DEFAULTROUTE: empty
Loading conn DHCP_RIGHT_IP
starter: case KH_DEFAULTROUTE: empty
Loading conn FIXED_RIGHT_IP
starter: case KH_DEFAULTROUTE: empty
loading named conns: Philippe_PSK
parse_src = 0, parse_gateway = 1, has_dst = 0
dst via 192.168.1.1 dev eth0 src
set nexthop: 192.168.1.1
dst 169.254.0.0 via dev eth0 src
dst 192.168.1.0 via dev eth0 src 192.168.1.2
dst 127.0.0.0 via dev lo src 127.0.0.1
dst 127.0.0.0 via dev lo src 127.0.0.1
dst 127.0.0.1 via dev lo src 127.0.0.1
dst 127.255.255.255 via dev lo src 127.0.0.1
dst 192.168.1.0 via dev eth0 src 192.168.1.2
dst 192.168.1.2 via dev eth0 src 192.168.1.2
dst 192.168.1.255 via dev eth0 src 192.168.1.2
parse_src = 1, parse_gateway = 0, has_dst = 1
dst 192.168.1.1 via dev eth0 src 192.168.1.2
set addr: 192.168.1.2
002 "Philippe_PSK": deleting connection
002 added connection description "Philippe_PSK"
Here is my current complete /etc/ipsec.d/vouters.conf
[philippe at victor ~]$ sudo cat /etc/ipsec.d/vouters.conf
# Mutual RSA + XAuth + DHCP
#conn Vladimir_RSA_XAuth_DHCP
#    rightcert="Vladimir - Vouters Illimited"
#    also=Philippe_XAUTH_RSA_DHCP
# Mutual RSA + XAuth + DHCP
#conn Philippe_RSA_XAuth_DHCP
#    rightcert="Philippe - Vouters Illimited"
#    also=Philippe_XAUTH_RSA_DHCP
# Mutual RSA + XAuth
#conn Vladimir_RSA_XAuth
#    rightcert="Vladimir - Vouters Illimited"
#    also=Philippe_XAUTH_RSA
# Mutual RSA + XAuth
#conn Philippe_RSA_XAuth
#    rightcert="Philippe - Vouters Illimited"
#    also=Philippe_XAUTH_RSA
# Mutual RSA + Fixed IP
conn Philippe_RSA_Fixed_IP
    rightcert="Philippe - Vouters Illimited"
    leftcert="victor.vouters.dyndns.org - Vouters Illimited"
    also=FIXED_RIGHT_IP
# Mutual RSA + Fixed IP
conn Vladimir_RSA_Fixed_IP
    rightcert="Vladimir - Vouters Illimited"
    leftcert="victor.vouters.dyndns.org - Vouters Illimited"
    also=FIXED_RIGHT_IP
# Mutual PSK
conn Philippe_PSK
    authby=secret
    # leftsourceip=192.168.1.2
    also=FIXED_RIGHT_IP
# Mutual PSK + DHCP
#conn Philippe_PSK_DHCP
#    authby=secret
#    also=DHCP_RIGHT_IP
# Mutual PSK + XAuth + Fixed IP
#conn Philippe_XAUTH_PSK
#    authby=secret
#    aggrmode=yes
#    leftxauthserver=yes
#    rightxauthclient=yes
#    rightid=@[GroupVPN]
#    xauthby=pam
#    also=FIXED_RIGHT_IP
# Mutual RSA + XAuth + Fixed IP
#conn Philippe_XAUTH_RSA
#    authby=rsasig
#    aggrmode=yes
#    leftxauthserver=yes
#    rightxauthclient=yes
#    leftcert="victor.vouters.dyndns.org - Vouters Illimited"
#    xauthby=pam
#    also=FIXED_RIGHT_IP
# Mutual PSK + XAuth + DHCP
#conn Philippe_XAUTH_PSK_DHCP
#    authby=secret
#    aggrmode=yes
#    leftxauthserver=yes
#    rightxauthclient=yes
#    rightid=@[GroupVPN]
#    xauthby=pam
#    also=DHCP_RIGHT_IP
# Mutual RSA + XAuth + DHCP
#conn Philippe_XAUTH_RSA_DHCP
#    authby=rsasig
#    aggrmode=yes
#    leftxauthserver=yes
#    rightxauthclient=yes
#    leftcert="victor.vouters.dyndns.org - Vouters Illimited"
#    xauthby=pam
#    also=DHCP_RIGHT_IP
conn DHCP_RIGHT_IP
    type=tunnel
    pfs=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    left=%defaultroute
    leftnexthop=%defaultroute
    leftprotoport=udp/bootps
    leftupdown="ipsec _updown --route yes"
    right=%any
    rightsubnetwithin=192.168.1.0/24
    rightprotoport=udp/bootps
    rekey=no
    auto=ignore
    # auto=add
conn FIXED_RIGHT_IP
    type=tunnel
    pfs=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    left=%defaultroute
    leftnexthop=%defaultroute
    leftsubnet=0.0.0.0/0
    leftupdown="ipsec _updown --route yes"
    right=%any
    rightsubnet=vhost:%no,%priv
    rekey=no
    auto=add
[philippe at victor ~]$
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
On 06/01/2013 17:58, Nick Howitt wrote:
> I'm in a bit of a mess here and I cannot get the conn to load at all
> to test. Using the command below I get:
>
> [root at server src]# /usr/libexec/ipsec/addconn --verbose MumIn
> opening file: /etc/ipsec.conf
> debugging mode enabled
> including file '/etc/ipsec.d/ipsec.*.conf'(/etc/ipsec.d/ipsec.*.conf) from line /etc/ipsec.conf:36
> Loading default conn
> starter: case KH_NOTSET: empty
> starter: case KH_NOTSET: empty
> Loading conn David
> starter: check what we need to do for 'howitts.poweredbyclear.com'
> starter: ttoaddr_num failed, not numeric 'howitts.poweredbyclear.com'
> starter: Resolved to howitts.poweredbyclear.com !
> starter: check what we need to do for '88.98.137.158'
> loading named conns: MumIn(notfound)
> [root at server src]#
>
> The ttoaddr error is coming from another conn (David) which I'm not
> trying to load. In that conn David if I change left to %defaultroute
> the 3 "howitts.poweredbyclear.com" errors go away but I don't see why
> MumIn is not found. My ipsec.conf is:
>
> version 2.0
>
> # Default policy
> #---------------
>
> config setup
>     interfaces=%defaultroute
>     plutodebug=none
>     klipsdebug=none
>     oe=no
>     protostack=netkey
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
>
>
>
> conn %default
>     type=tunnel
>     authby=secret
>
> # Tunnels defined in separate files
> #----------------------------------
>
> include /etc/ipsec.d/ipsec.*.conf
>
> And /etc/ipsec.d/ipsec.unmanaged.MumIn.conf is:
>
> conn MumIn
>     type=tunnel
>     authby=secret
>     dpdtimeout=120
>     dpddelay=30
>     auto=add
>     left=%defaultroute
>     leftsourceip=192.168.2.1
>     leftsubnet=192.168.2.0/24
>     leftid=@FromNick
>     right=%any
>     rightsubnet=192.168.10.0/24
>     salifetime=1h
>     dpdaction=restart_by_peer
>     ikelifetime=8h
>     ike=aes256
>     phase2alg=aes256
>
> Until I can get these errors to clear, I can't try to reproduce the
> dev lo route error.
>
> As a separate question, the command "ipsec secrets" appears to load
> secrets as before, but I notice we now get new files in the
> installation. Are we forced to use nss now, or is ipsec.*.secrets still OK
> to use?
>
> This is using your RHEL rpm. Having to roll back to the rival for the
> moment.
>
> Regards,
>
> Nick
>
> On 04/01/2013 17:26, Paul Wouters wrote:
>>
>> On 01/04/2013 12:13 PM, Nick Howitt wrote:
>>> In Oguz' Yilmaz's case he appears to have a right specified
>>> (right=RIGHT_EXT_IP) and a leftnexthop (leftnexthop=LEFT_EXT_GW) rather
>>> than right=%any and no leftnexthop. :(
>>
>> you can use /usr/libexec/ipsec/addconn --verbose connname to get a
>> verbose output that includes the routes we got back for making the
>> decision.
>>
>>> We have hit some minor odd issues - ipsec auto --status does not give
>>> any info on phase2alg unless it is specified. It may also fail if it is
>>> specified with the hash function e.g. aes256-sha1 but I need to test
>>> further and my time for testing is very limited. But this should all be
>>> for another thread......
>>
>> I've filed that as https://bugs.libreswan.org/show_bug.cgi?id=53 but
>> I also have not had the time yet to look into this.
>>
>> Paul
>>
>
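Added example, not from this thread and not libreswan's own code: a small Python parser for the `dst ... via ... dev ... src ...` route lines that `addconn --verbose` prints, replaying the two passes visible in Philippe's output (parse_gateway first picks the gateway of the route with no dst, then parse_src picks the source address of the host route to that gateway) and flagging the case the thread subject refers to, where %defaultroute resolves to `dev lo` or to nothing. The pass logic is my reading of the log, not the starter's actual code, and both route dumps are constructed samples.

```python
"""Replay the %defaultroute lookup shown by `ipsec addconn --verbose`.
Assumed reconstruction of the two passes seen in the log, not libreswan code."""

KEYS = ("dst", "via", "dev", "src")

# Constructed sample in the page's `dst X via Y dev Z src W` format;
# an empty field is simply absent, exactly as in the real output.
ROUTE_DUMP = """\
dst via 192.168.1.1 dev eth0 src
dst 169.254.0.0 via dev eth0 src
dst 127.0.0.0 via dev lo src 127.0.0.1
dst 127.0.0.1 via dev lo src 127.0.0.1
dst 192.168.1.0 via dev eth0 src 192.168.1.2
dst 192.168.1.1 via dev eth0 src 192.168.1.2
"""

# Constructed failure case: the only gateway route sits on loopback.
LOOPBACK_DUMP = """\
dst via 127.0.0.1 dev lo src
dst 127.0.0.1 via dev lo src 127.0.0.1
"""


def parse_route(line):
    """Split one dump line into its keyword fields; missing values stay ''."""
    fields = dict.fromkeys(KEYS, "")
    key = None
    for tok in line.split():
        if tok in KEYS:
            key = tok          # keyword: the next token (if any) is its value
        elif key is not None:
            fields[key] = tok
    return fields


def resolve_defaultroute(dump):
    """Pass 1 (parse_gateway=1, has_dst=0): the route with no dst but a gateway
    gives the nexthop.  Pass 2 (parse_src=1, has_dst=1): the route whose dst is
    that gateway gives the local source address.  Missing pieces become None."""
    routes = [parse_route(l) for l in dump.splitlines() if l.startswith("dst")]
    gw = next((r for r in routes if not r["dst"] and r["via"]), None)
    nexthop = gw["via"] if gw else None
    host = next((r for r in routes if nexthop and r["dst"] == nexthop and r["src"]), None)
    src = host["src"] if host else None
    devs = sorted({r["dev"] for r in (gw, host) if r})
    # The check a defender wants: a left side resolved via loopback (or not at
    # all) will never carry the tunnel, so the conn should be treated as broken.
    usable = bool(nexthop and src and len(devs) == 1 and devs[0] != "lo")
    return {"nexthop": nexthop, "src": src,
            "dev": devs[0] if len(devs) == 1 else None, "usable": usable}
```

Feed it the route block of a real `addconn --verbose` run and compare the `nexthop`/`src` it returns with the `set nexthop:` and `set addr:` lines the starter prints.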