[Swan] Several problems with your configuration

Philippe Vouters philippe.vouters at laposte.net
Tue Jan 8 17:49:48 EET 2013


For problem 1/, this configuration:
[philippe at victor openswan-2.6.38]$ sudo cat /etc/ipsec.conf
# The config file changed quite a bit from 1.x.
# See http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html

version 2.0

# Default policy
#---------------

config setup
         interfaces=%defaultroute
         #plutodebug=none
         plutodebug="all crypt"
         klipsdebug=none
         oe=no
         protostack=netkey       # 2.6.x only
         #plutostderrlog=/var/log/openswan
         #plutostderrlogtime=yes
         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24

# Tunnels defined in separate files
#----------------------------------

include /etc/ipsec.d/ipsec.unmanaged.david.conf

$ sudo cat /etc/ipsec.d/ipsec.unmanaged.david.conf
conn david
  type=tunnel
  authby=secret
  dpdtimeout=120
  dpddelay=30
  auto=add
# left=howitts.poweredbyclear.com
  left=victor.vouters.dyndns.org
  leftsubnet=192.168.1.0/24
  right=88.98.137.158
  rightsubnet=10.1.0.0/16
  ike=3des-sha1;modp1024
  phase2alg=3des-sha1;modp1024
  dpdaction=hold

Causes the following:
[philippe at victor openswan-2.6.38]$ sudo /usr/local/sbin/ipsec addconn --verbose --autoall
opening file: /etc/ipsec.conf
debugging mode enabled
including file '/etc/ipsec.d/ipsec.unmanaged.david.conf'(/etc/ipsec.d/ipsec.unmanaged.david.conf) from line /etc/ipsec.conf:25
end of file /etc/ipsec.d/ipsec.unmanaged.david.conf
resuming /etc/ipsec.conf line 25
end of file /etc/ipsec.conf
Loading default conn
starter: case KH_NOTSET: empty
starter: case KH_NOTSET: empty
Loading conn david
loading all conns according to their auto= settings
   Pass #1: Loading auto=add and auto=route connections
002 "david": deleting connection
002 added connection description "david"
  david  Pass #2: Loading auto=start connections

[philippe at victor openswan-2.6.38]$

[philippe at victor openswan-2.6.38]$ tail -f /var/log/secure
...
Jan  8 16:40:54 victor pluto[13755]: added connection description "david"
Jan  8 16:40:54 victor pluto[13755]: | 192.168.1.0/24===fe80::219:66ff:fe3b:52c8<victor.vouters.dyndns.org>...88.98.137.158<88.98.137.158>===10.1.0.0/16
Jan  8 16:40:54 victor pluto[13755]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK
Jan  8 16:40:54 victor pluto[13755]: | * processed 0 messages from cryptographic

So left=victor.vouters.dyndns.org looks to be quite understood and 
accepted in this configuration case.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 08/01/2013 16:19, Paul Wouters wrote:
> On Tue, 8 Jan 2013, Philippe Vouters wrote:
>
>> Several bugs:
>> 1/ Libreswan does NOT respect its man:
>> left=victor.vouters.dyndns.org
>> is perfectly legal.
>
> I am sorry I don't understand this one? You mean your /etc/hosts issues
> or this is something else?
>
>> 2/ Libreswan only processes the first gobbed file
>> include /etc/ipsec.d/ipsec.*.conf
>>
>> 3/ Libreswan only processes the first include:
>> # Tunnels defined in separate files
>> #----------------------------------
>>
>> #include /etc/ipsec.d/ipsec.*.conf
>> include /etc/ipsec.d/ipsec.unmanaged.david.conf
>> include /etc/ipsec.d/ipsec.unmanaged.mumin.conf
>> include /etc/ipsec.d/ipsec.unmanaged.paulin.conf
>>
>> 2/ and 3/ are possibly related.
>
> I'll ensure we have that as test cases in readwrite conf....
>
> Paul
>

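To check the behaviour the thread disputes (whether every include directive, and every file matched by a glob, actually gets loaded), here is an added example that is not code from the thread or from Libreswan/Openswan: it resolves include directives with shell-style glob expansion as the ipsec.conf manual describes and lists the conn names found, so the result can be compared with the "added connection description" lines that addconn prints. It assumes relative include paths resolve against the including file's directory; the sample tree it builds is constructed to mirror the layout quoted above.

```python
import glob
import os
import re
import tempfile

# Added example (not code from the thread): resolve ipsec.conf "include"
# directives, expanding shell-style globs as the manual allows, and list
# every "conn" section found so it can be checked against addconn output.
# Assumption: relative include paths resolve against the including file.
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)\s*$')
CONN_RE = re.compile(r'^conn\s+(\S+)')


def collect_conns(path, missing=None):
    """Return (conn names in load order, include patterns matching no file)."""
    missing = [] if missing is None else missing
    conns = []
    with open(path) as fh:
        for line in fh:
            line = line.split('#', 1)[0].rstrip()  # drop comments
            m = INCLUDE_RE.match(line)
            if m:
                pattern = m.group(1)
                if not os.path.isabs(pattern):
                    pattern = os.path.join(os.path.dirname(path), pattern)
                matches = sorted(glob.glob(pattern))
                if not matches:
                    missing.append(pattern)  # tunnels would vanish silently
                for inc in matches:  # every match, not only the first
                    conns.extend(collect_conns(inc, missing)[0])
                continue
            m = CONN_RE.match(line)
            if m and m.group(1) != '%default':
                conns.append(m.group(1))
    return conns, missing


def demo():
    """Constructed sample tree mirroring the layout quoted in the thread."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, 'ipsec.d'))
    for name in ('david', 'mumin', 'paulin'):
        conf = os.path.join(root, 'ipsec.d', 'ipsec.unmanaged.%s.conf' % name)
        with open(conf, 'w') as fh:
            fh.write('conn %s\n  type=tunnel\n  auto=add\n' % name)
    with open(os.path.join(root, 'ipsec.conf'), 'w') as fh:
        fh.write('config setup\n  protostack=netkey\n'
                 'include ipsec.d/ipsec.*.conf\n'
                 'include ipsec.d/ipsec.unmanaged.nosuch.conf\n')
    return collect_conns(os.path.join(root, 'ipsec.conf'))
```

Run against a real /etc/ipsec.conf, a conn name that appears here but not in the addconn output points at an include that was skipped; a pattern in the missing list points at a tunnel file that no longer matches anything.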

