[Swan] Several problems with your configuration

Philippe Vouters philippe.vouters at laposte.net
Tue Jan 8 18:21:53 EET 2013


Paul, Nick,

This configuration is not accepted by libreswan when NO leftsubnet is specified.

conn FIXED_RIGHT_IP
      type=tunnel
      pfs=yes
      dpddelay=30
      dpdtimeout=120
      dpdaction=restart
      left=victor.vouters.dyndns.org
#     left=%defaultroute
      leftnexthop=%defaultroute
      leftsubnet=0.0.0.0/0
      leftupdown="ipsec _updown --route yes"
      right=%any
      rightsubnet=vhost:%no,%priv
#     keyingtries=10
#     rekey=yes
      rekey=no
      auto=add


$ tail -f /var/log/messages
Jan  8 17:14:51 victor sudo: philippe : TTY=pts/2 ; 
PWD=/home/philippe/openswan-2.6.38 ; USER=root ; 
COMMAND=/usr/local/sbin/ipsec addconn --verbose --autoall
Jan  8 17:14:51 victor pluto[15674]: |
Jan  8 17:14:51 victor pluto[15674]: | *received whack message
Jan  8 17:14:51 victor pluto[15674]: *connection FIXED_RIGHT_IP must 
specify host IP address for our side*
Jan  8 17:14:51 victor pluto[15674]: attempt to load incomplete connection
Jan  8 17:14:51 victor pluto[15674]: | * processed 0 messages from 
cryptographic helpers

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 08/01/2013 16:49, Philippe Vouters wrote:
> For problem 1/, this configuration:
> [philippe at victor openswan-2.6.38]$ sudo cat /etc/ipsec.conf
> # The config file changed quite a bit from 1.x.
> # See http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html
>
> version 2.0
>
> # Default policy
> #---------------
>
> config setup
>         interfaces=%defaultroute
>         #plutodebug=none
>         plutodebug="all crypt"
>         klipsdebug=none
>         oe=no
>         protostack=netkey       # 2.6.x only
>         #plutostderrlog=/var/log/openswan
>         #plutostderrlogtime=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24 
>
>
> # Tunnels defined in separate files
> #----------------------------------
>
> include /etc/ipsec.d/ipsec.unmanaged.david.conf
>
> $ sudo cat /etc/ipsec.d/ipsec.unmanaged.david.conf
> conn david
>  type=tunnel
>  authby=secret
>  dpdtimeout=120
>  dpddelay=30
>  auto=add
> # left=howitts.poweredbyclear.com
>  left=victor.vouters.dyndns.org
>  leftsubnet=192.168.1.0/24
>  right=88.98.137.158
>  rightsubnet=10.1.0.0/16
>  ike=3des-sha1;modp1024
>  phase2alg=3des-sha1;modp1024
>  dpdaction=hold
>
> Causes the following:
> [philippe at victor openswan-2.6.38]$ sudo /usr/local/sbin/ipsec addconn --verbose --autoall
> opening file: /etc/ipsec.conf
> debugging mode enabled
> including file 
> '/etc/ipsec.d/ipsec.unmanaged.david.conf'(/etc/ipsec.d/ipsec.unmanaged.david.conf) 
> from line /etc/ipsec.conf:25
> end of file /etc/ipsec.d/ipsec.unmanaged.david.conf
> resuming /etc/ipsec.conf line 25
> end of file /etc/ipsec.conf
> Loading default conn
> starter: case KH_NOTSET: empty
> starter: case KH_NOTSET: empty
> Loading conn david
> loading all conns according to their auto= settings
>   Pass #1: Loading auto=add and auto=route connections
> 002 "david": deleting connection
> 002 added connection description "david"
>  david  Pass #2: Loading auto=start connections
>
> [philippe at victor openswan-2.6.38]$
>
> [philippe at victor openswan-2.6.38]$ tail -f /var/log/secure
> ...
> Jan  8 16:40:54 victor pluto[13755]: added connection description "david"
> Jan  8 16:40:54 victor pluto[13755]: | 
> 192.168.1.0/24===fe80::219:66ff:fe3b:52c8<victor.vouters.dyndns.org>...88.98.137.158<88.98.137.158>===10.1.0.0/16
> Jan  8 16:40:54 victor pluto[13755]: | ike_life: 3600s; ipsec_life: 
> 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: 
> PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK
> Jan  8 16:40:54 victor pluto[13755]: | * processed 0 messages from 
> cryptographic
>
> So left=victor.vouters.dyndns.org looks to be quite understood and 
> accepted in this configuration case.
>
> Philippe Vouters (Fontainebleau/France)
> URL: http://vouters.dyndns.org/
> SIP: sip:Vouters at sip.linphone.org
>
> On 08/01/2013 16:19, Paul Wouters wrote:
>> On Tue, 8 Jan 2013, Philippe Vouters wrote:
>>
>>> Several bugs:
>>> 1/ Libreswan does NOT respect its man:
>>> left=victor.vouters.dyndns.org
>>> is perfectly legal.
>>
>> I am sorry I don't understand this one? You mean your /etc/hosts issues
>> or this is something else?
>>
>>> 2/ Libreswan only processes the first gobbed file
>>> include /etc/ipsec.d/ipsec.*.conf
>>>
>>> 3/ Libreswan only processes the first include:
>>> # Tunnels defined in separate files
>>> #----------------------------------
>>>
>>> #include /etc/ipsec.d/ipsec.*.conf
>>> include /etc/ipsec.d/ipsec.unmanaged.david.conf
>>> include /etc/ipsec.d/ipsec.unmanaged.mumin.conf
>>> include /etc/ipsec.d/ipsec.unmanaged.paulin.conf
>>>
>>> 2/ and 3/ are possibly related.
>>
>> I'll ensure we have that as test cases in readwrite conf....
>>
>> Paul
>>
>
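
The thread turns on two parsing questions: whether every `include` line (globbed or not) gets processed, and how a conn whose `left=` is a DNS name and whose `leftsubnet=` is absent should be read. The following is an added example, not libreswan's parser and not code from anyone in the thread: a small Python reader for this ipsec.conf shape that expands all includes and classifies each conn's `left=`/`right=` values so that a hostname on our side and a missing `leftsubnet=` are visible before loading. The file tree is constructed in memory; it borrows the hostnames and per-tunnel file names from the thread and uses 192.0.2.x documentation addresses where the thread gives none.

```python
"""Small ipsec.conf reader for the configuration shape shown in this thread.
Added example, not libreswan's own parser: it follows every `include` line
(expanding glob patterns to all matching files) and then classifies each
conn's left=/right= values. Files live in a dict so the example runs offline."""
import fnmatch
import ipaddress

# Constructed sample tree: hostnames and file names follow the thread; the
# 192.0.2.x values are documentation addresses chosen for this example.
SAMPLE_FILES = {
    "/etc/ipsec.conf": """\
version 2.0

config setup
        interfaces=%defaultroute
        protostack=netkey       # 2.6.x only

# Tunnels defined in separate files
include /etc/ipsec.d/ipsec.*.conf
include /etc/ipsec.d/extra.conf
""",
    "/etc/ipsec.d/ipsec.unmanaged.david.conf": """\
conn david
 type=tunnel
 left=victor.vouters.dyndns.org
 leftsubnet=192.168.1.0/24
 right=192.0.2.20
 rightsubnet=10.1.0.0/16
""",
    "/etc/ipsec.d/ipsec.unmanaged.mumin.conf": """\
conn mumin
 left=192.0.2.10
 right=%any
""",
    "/etc/ipsec.d/extra.conf": """\
conn FIXED_RIGHT_IP
 type=tunnel
 left=victor.vouters.dyndns.org
 leftnexthop=%defaultroute
 right=%any
 rightsubnet=vhost:%no,%priv
""",
}


def expand_includes(path, files, seen=None):
    """Yield (source_path, line) for `path`, following every include line.
    A glob pattern expands to all matching paths in `files` in sorted order;
    a file already expanded is skipped once, which also stops include loops."""
    seen = set() if seen is None else seen
    if path in seen:
        return
    seen.add(path)
    for raw in files[path].splitlines():
        stripped = raw.strip()
        if stripped.startswith("include "):
            pattern = stripped.split(None, 1)[1].strip()
            for inc in sorted(p for p in files if fnmatch.fnmatchcase(p, pattern)):
                yield from expand_includes(inc, files, seen)
            continue
        yield path, raw


def parse_sections(lines):
    """Group 'conn NAME' / 'config setup' sections into {name: {key: value}}.
    '#' starts a comment (quoted values containing '#' are not handled here);
    indented key=value lines belong to the most recent header. The file a
    section came from is recorded under the pseudo-key '_source'."""
    sections, current = {}, None
    for source, raw in lines:
        text = raw.split("#", 1)[0].rstrip()
        if not text.strip():
            continue
        if not text[0].isspace():              # header or top-level keyword
            parts = text.split(None, 1)
            if parts[0] in ("conn", "config") and len(parts) == 2:
                current = parts[1].strip()
                sections[current] = {"_source": source}
            continue                           # e.g. 'version 2.0' is ignored
        if current is None or "=" not in text:
            continue
        key, value = text.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def classify_host(value):
    """Say what kind of host designation a left=/right= value is."""
    if value is None:
        return "missing"
    if value.startswith("%"):
        return "keyword"        # %any, %defaultroute, ...
    try:
        ipaddress.ip_address(value)
        return "address"
    except ValueError:
        return "hostname"       # must resolve via DNS when the conn is loaded


def check_conns(sections):
    """Return {conn: (left_kind, right_kind, [warnings])} for every conn."""
    report = {}
    for name, opts in sections.items():
        if name == "setup":
            continue
        left_kind, right_kind = classify_host(opts.get("left")), classify_host(opts.get("right"))
        warnings = []
        if left_kind == "missing":
            warnings.append("left= not set")
        elif left_kind == "hostname":
            warnings.append("left=%s is a DNS name; it must resolve when the conn is loaded" % opts["left"])
        if "leftsubnet" not in opts:
            warnings.append("leftsubnet= not set; our side defaults to the host itself")
        report[name] = (left_kind, right_kind, warnings)
    return report


def load(root="/etc/ipsec.conf", files=SAMPLE_FILES):
    """Expand includes, parse sections and check every conn in one call."""
    sections = parse_sections(expand_includes(root, files))
    return sections, check_conns(sections)


if __name__ == "__main__":
    sections, report = load()
    for name, (left_kind, right_kind, warnings) in report.items():
        print(f"conn {name} (from {sections[name]['_source']}): left={left_kind} right={right_kind}")
        for w in warnings:
            print("   ", w)
```

Running it lists three conns: both files matched by the glob and the file named by the second explicit include are loaded, which is the behaviour the thread expects for items 2/ and 3/, and `FIXED_RIGHT_IP` is the only conn flagged for both a DNS-name `left=` and a missing `leftsubnet=`.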
