[Swan] Several problems with your configuration
Philippe Vouters
philippe.vouters at laposte.net
Tue Jan 8 18:21:53 EET 2013
Paul, Nick,
This configuration is not accepted by libreswan when NO leftsubnet is
specified.
conn FIXED_RIGHT_IP
type=tunnel
pfs=yes
dpddelay=30
dpdtimeout=120
dpdaction=restart
*left=victor.vouters.dyndns.org*
# left=%defaultroute
leftnexthop=%defaultroute
leftsubnet=0.0.0.0/0
leftupdown="ipsec _updown --route yes"
right=%any
rightsubnet=vhost:%no,%priv
# keyingtries=10
# rekey=yes
rekey=no
auto=add
$ tail -f /var/log/messages
Jan 8 17:14:51 victor sudo: philippe : TTY=pts/2 ;
PWD=/home/philippe/openswan-2.6.38 ; USER=root ;
COMMAND=/usr/local/sbin/ipsec addconn --verbose --autoall
Jan 8 17:14:51 victor pluto[15674]: |
Jan 8 17:14:51 victor pluto[15674]: | *received whack message
Jan 8 17:14:51 victor pluto[15674]: *connection FIXED_RIGHT_IP must
specify host IP address for our side*
Jan 8 17:14:51 victor pluto[15674]: attempt to load incomplete connection
Jan 8 17:14:51 victor pluto[15674]: | * processed 0 messages from
cryptographic helpers
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
On 08/01/2013 16:49, Philippe Vouters wrote:
> For problem 1/, this configuration:
> [philippe at victor openswan-2.6.38]$ sudo cat
> /etc/ipsec.conf # The config file changed quite a
> bit from 1.x.
> # See
> http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html
>
> version 2.0
>
> # Default policy
> #---------------
>
> config setup
> interfaces=%defaultroute
> #plutodebug=none
> plutodebug="all crypt"
> klipsdebug=none
> oe=no
> protostack=netkey # 2.6.x only
> #plutostderrlog=/var/log/openswan
> #plutostderrlogtime=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
>
>
> # Tunnels defined in separate files
> #----------------------------------
>
> include /etc/ipsec.d/ipsec.unmanaged.david.conf
>
> $ sudo cat /etc/ipsec.d/ipsec.unmanaged.david.conf
> conn david
> type=tunnel
> authby=secret
> dpdtimeout=120
> dpddelay=30
> auto=add
> # left=howitts.poweredbyclear.com
> left=victor.vouters.dyndns.org
> leftsubnet=192.168.1.0/24
> right=88.98.137.158
> rightsubnet=10.1.0.0/16
> ike=3des-sha1;modp1024
> phase2alg=3des-sha1;modp1024
> dpdaction=hold
>
> Causes the following:
> [philippe at victor openswan-2.6.38]$ sudo /usr/local/sbin/ipsec addconn
> --verbose --autoall
> opening file: /etc/ipsec.conf
> debugging mode enabled
> including file
> '/etc/ipsec.d/ipsec.unmanaged.david.conf'(/etc/ipsec.d/ipsec.unmanaged.david.conf)
> from line /etc/ipsec.conf:25
> end of file /etc/ipsec.d/ipsec.unmanaged.david.conf
> resuming /etc/ipsec.conf line 25
> end of file /etc/ipsec.conf
> Loading default conn
> starter: case KH_NOTSET: empty
> starter: case KH_NOTSET: empty
> Loading conn david
> loading all conns according to their auto= settings
> Pass #1: Loading auto=add and auto=route connections
> 002 "david": deleting connection
> 002 added connection description "david"
> david Pass #2: Loading auto=start connections
>
> [philippe at victor openswan-2.6.38]$
>
> [philippe at victor openswan-2.6.38]$ tail -f /var/log/secure
> ...
> Jan 8 16:40:54 victor pluto[13755]: added connection description "david"
> Jan 8 16:40:54 victor pluto[13755]: |
> 192.168.1.0/24===fe80::219:66ff:fe3b:52c8<victor.vouters.dyndns.org>...88.98.137.158<88.98.137.158>===10.1.0.0/16
> Jan 8 16:40:54 victor pluto[13755]: | ike_life: 3600s; ipsec_life:
> 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy:
> PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK
> Jan 8 16:40:54 victor pluto[13755]: | * processed 0 messages from
> cryptographic
>
> So left=victor.vouters.dyndns.org looks to be quite understood and
> accepted in this configuration case.
>
> Philippe Vouters (Fontainebleau/France)
> URL: http://vouters.dyndns.org/
> SIP: sip:Vouters at sip.linphone.org
>
> On 08/01/2013 16:19, Paul Wouters wrote:
>> On Tue, 8 Jan 2013, Philippe Vouters wrote:
>>
>>> Several bugs:
>>> 1/ Libreswan does NOT respect its man:
>>> left=victor.vouters.dyndns.org
>>> is perfectly legal.
>>
>> I am sorry I don't understand this one? You mean your /etc/hosts issues
>> or this is something else?
>>
>>> 2/ Libreswan only processes the first globbed file
>>> include /etc/ipsec.d/ipsec.*.conf
>>>
>>> 3/ Libreswan only processes the first include:
>>> # Tunnels defined in separate files
>>> #----------------------------------
>>>
>>> #include /etc/ipsec.d/ipsec.*.conf
>>> include /etc/ipsec.d/ipsec.unmanaged.david.conf
>>> include /etc/ipsec.d/ipsec.unmanaged.mumin.conf
>>> include /etc/ipsec.d/ipsec.unmanaged.paulin.conf
>>>
>>> 2/ and 3/ are possibly related.
>>
>> I'll ensure we have that as test cases in readwrite conf....
>>
>> Paul
>>
>
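As an added example, not part of the thread and not libreswan's own code: the two bug reports in the quoted message (only the first globbed file, and only the first `include`, being processed) describe include semantics that are easy to state precisely and to check offline. The script below models those expected semantics, every file matching a glob is read and every `include` line is followed, then lists the `conn` sections found and flags any whose `left=` is a DNS name rather than an IP literal or a `%`-keyword, which is the kind of connection whose loading depends on name resolution (the `/etc/hosts` question Paul raised). It assumes relative include patterns are resolved against the including file's directory; the `ipsec.d/` file tree it reads is constructed in a temporary directory with placeholder addresses, and the `david`/`mumin`/`paulin` names are taken from the thread.

```python
"""Constructed ipsec.conf include expander and conn linter (added example)."""
import glob
import ipaddress
import os
import tempfile


def expand_includes(path, seen=None):
    """Return the logical lines of `path` with every `include` followed.

    `include` arguments are shell globs (assumption: relative patterns are
    resolved against the including file's directory). Each file is read at
    most once, so a file included twice does not define its conns twice.
    """
    if seen is None:
        seen = set()
    real = os.path.realpath(path)
    if real in seen:
        return []
    seen.add(real)
    lines = []
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].rstrip()  # drop comments
            if not line.strip():
                continue
            if line.strip().startswith("include "):
                pattern = line.strip()[len("include "):].strip()
                if not os.path.isabs(pattern):
                    pattern = os.path.join(os.path.dirname(path), pattern)
                # Every match is followed, not only the first one.
                for match in sorted(glob.glob(pattern)):
                    lines.extend(expand_includes(match, seen))
                continue
            lines.append(line)
    return lines


def parse_conns(lines):
    """Group `conn NAME` sections into {name: {key: value}}.

    Parameter lines are normally indented under their section header; the
    list archive loses that indentation, so unindented key=value lines after
    a `conn` header are accepted too.
    """
    conns = {}
    current = None
    for line in lines:
        stripped = line.strip()
        if stripped.startswith("conn "):
            current = stripped.split(None, 1)[1]
            conns[current] = {}
        elif stripped.startswith(("config ", "version ")):
            current = None
        elif current is not None and "=" in stripped:
            key, value = stripped.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def lint(conns):
    """Report conns whose left= is a hostname (resolved at load time) or unset."""
    findings = []
    for name, params in conns.items():
        left = params.get("left")
        if left is None:
            findings.append((name, "no left= set"))
        elif left.startswith("%"):
            continue  # %defaultroute, %any and friends need no resolution
        else:
            try:
                ipaddress.ip_address(left)
            except ValueError:
                findings.append((name, "left=%s is a hostname, resolved at load time" % left))
    return findings


def build_demo_tree():
    """Write a constructed ipsec.conf tree mirroring the thread's layout."""
    root = tempfile.mkdtemp()
    d = os.path.join(root, "ipsec.d")
    os.mkdir(d)
    with open(os.path.join(root, "ipsec.conf"), "w") as fh:
        fh.write("version 2.0\n\nconfig setup\n\tprotostack=netkey\n\n"
                 "# Tunnels defined in separate files\n"
                 "include ipsec.d/ipsec.*.conf\n")
    # Placeholder peers: one DNS name, one documentation IP, one %-keyword.
    for name, left in (("david", "victor.vouters.dyndns.org"),
                       ("mumin", "192.0.2.10"),
                       ("paulin", "%defaultroute")):
        with open(os.path.join(d, "ipsec.unmanaged.%s.conf" % name), "w") as fh:
            fh.write("conn %s\n\tleft=%s\n\tleftsubnet=192.168.1.0/24\n"
                     "\tright=%%any\n\tauto=add\n" % (name, left))
    return root


def demo():
    """Expand the demo tree and return its conn sections."""
    root = build_demo_tree()
    return parse_conns(expand_includes(os.path.join(root, "ipsec.conf")))


if __name__ == "__main__":
    conns = demo()
    print("conns loaded:", ", ".join(sorted(conns)))
    for name, msg in lint(conns):
        print("%s: %s" % (name, msg))
```

Run against a real tree by calling `parse_conns(expand_includes("/etc/ipsec.conf"))`; if a conn defined in the second or third globbed file is missing from `ipsec addconn --verbose --autoall` output but present here, the loss is in the daemon's include handling rather than in the files.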