[Swan] Several problems with your configuration
Philippe Vouters
philippe.vouters at laposte.net
Tue Jan 8 17:49:48 EET 2013
For problem 1/, this configuration:
[philippe at victor openswan-2.6.38]$ sudo cat /etc/ipsec.conf
# The config file changed quite a bit from 1.x.
# See http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html
version 2.0
# Default policy
#---------------
config setup
interfaces=%defaultroute
#plutodebug=none
plutodebug="all crypt"
klipsdebug=none
oe=no
protostack=netkey # 2.6.x only
#plutostderrlog=/var/log/openswan
#plutostderrlogtime=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
# Tunnels defined in separate files
#----------------------------------
include /etc/ipsec.d/ipsec.unmanaged.david.conf
$ sudo cat /etc/ipsec.d/ipsec.unmanaged.david.conf
conn david
type=tunnel
authby=secret
dpdtimeout=120
dpddelay=30
auto=add
# left=howitts.poweredbyclear.com
left=victor.vouters.dyndns.org
leftsubnet=192.168.1.0/24
right=88.98.137.158
rightsubnet=10.1.0.0/16
ike=3des-sha1;modp1024
phase2alg=3des-sha1;modp1024
dpdaction=hold
Causes the following:
[philippe at victor openswan-2.6.38]$ sudo /usr/local/sbin/ipsec addconn --verbose --autoall
opening file: /etc/ipsec.conf
debugging mode enabled
including file '/etc/ipsec.d/ipsec.unmanaged.david.conf'(/etc/ipsec.d/ipsec.unmanaged.david.conf) from line /etc/ipsec.conf:25
end of file /etc/ipsec.d/ipsec.unmanaged.david.conf
resuming /etc/ipsec.conf line 25
end of file /etc/ipsec.conf
Loading default conn
starter: case KH_NOTSET: empty
starter: case KH_NOTSET: empty
Loading conn david
loading all conns according to their auto= settings
Pass #1: Loading auto=add and auto=route connections
002 "david": deleting connection
002 added connection description "david"
david Pass #2: Loading auto=start connections
[philippe at victor openswan-2.6.38]$
[philippe at victor openswan-2.6.38]$ tail -f /var/log/secure
...
Jan 8 16:40:54 victor pluto[13755]: added connection description "david"
Jan 8 16:40:54 victor pluto[13755]: | 192.168.1.0/24===fe80::219:66ff:fe3b:52c8<victor.vouters.dyndns.org>...88.98.137.158<88.98.137.158>===10.1.0.0/16
Jan 8 16:40:54 victor pluto[13755]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK
Jan 8 16:40:54 victor pluto[13755]: | * processed 0 messages from cryptographic
So left=victor.vouters.dyndns.org looks to be quite understood and
accepted in this configuration case.
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
On 08/01/2013 16:19, Paul Wouters wrote:
> On Tue, 8 Jan 2013, Philippe Vouters wrote:
>
>> Several bugs:
>> 1/ Libreswan does NOT respect its man:
>> left=victor.vouters.dyndns.org
>> is perfectly legal.
>
> I am sorry I don't understand this one? You mean your /etc/hosts issues
> or this is something else?
>
>> 2/ Libreswan only processes the first gobbed file
>> include /etc/ipsec.d/ipsec.*.conf
>>
>> 3/ Libreswan only processes the first include:
>> # Tunnels defined in separate files
>> #----------------------------------
>>
>> #include /etc/ipsec.d/ipsec.*.conf
>> include /etc/ipsec.d/ipsec.unmanaged.david.conf
>> include /etc/ipsec.d/ipsec.unmanaged.mumin.conf
>> include /etc/ipsec.d/ipsec.unmanaged.paulin.conf
>>
>> 2/ and 3/ are possibly related.
>
> I'll ensure we have that as test cases in readwrite conf....
>
> Paul
>
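Added example, not libreswan's own parser: a small Python include resolver that implements the semantics Philippe's points 2/ and 3/ expect, namely every file matched by a glob and every include line in a file is processed. It is run against a constructed copy of the file layout from the thread; the function names (resolve_includes, load_conns, build_sample_tree) and the temporary paths are assumptions.

```python
import glob
import os
import tempfile

def resolve_includes(path, seen=None):
    """Yield the non-include lines of an ipsec.conf-style file, following
    every 'include' line (not just the first) and every file a glob matches."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:                    # guard against include loops
        return
    seen.add(real)
    base = os.path.dirname(real)
    with open(real) as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("include "):
                pattern = line.split(None, 1)[1].strip()
                if not os.path.isabs(pattern):  # relative to the including file
                    pattern = os.path.join(base, pattern)
                for match in sorted(glob.glob(pattern)):
                    yield from resolve_includes(match, seen)
            else:
                yield line

def load_conns(path):
    """Return the names of all 'conn' sections reachable from path, in order."""
    return [line.split(None, 1)[1] for line in resolve_includes(path)
            if line.startswith("conn ")]

def build_sample_tree():
    """Constructed sample mirroring the thread: three per-tunnel files in
    ipsec.d plus two top-level configs, one with the glob include (problem 2/)
    and one with three explicit includes (problem 3/)."""
    root = tempfile.mkdtemp()
    d = os.path.join(root, "ipsec.d")
    os.mkdir(d)
    names = ("david", "mumin", "paulin")
    for name in names:
        with open(os.path.join(d, f"ipsec.unmanaged.{name}.conf"), "w") as fh:
            fh.write(f"conn {name}\n\ttype=tunnel\n\tauthby=secret\n")
    header = "version 2.0\nconfig setup\n\tprotostack=netkey\n"
    glob_conf = os.path.join(root, "ipsec.glob.conf")
    with open(glob_conf, "w") as fh:
        fh.write(header + f"include {d}/ipsec.*.conf\n")
    explicit_conf = os.path.join(root, "ipsec.explicit.conf")
    with open(explicit_conf, "w") as fh:
        fh.write(header + "".join(f"include {d}/ipsec.unmanaged.{n}.conf\n" for n in names))
    return glob_conf, explicit_conf
```

Both top-level configs resolve to the same three conns (david, mumin, paulin); a loader that stops after the first glob match or the first include line would report only david.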