[Swan] Several problems with your configuration
Paul Wouters
paul at nohats.ca
Tue Jan 8 22:22:26 EET 2013
On Tue, 8 Jan 2013, Philippe Vouters wrote:
> This configuration is not accepted by libreswan when NO leftsubnet is specified.
>
> conn FIXED_RIGHT_IP
> type=tunnel
> pfs=yes
> dpddelay=30
> dpdtimeout=120
> dpdaction=restart
> left=victor.vouters.dyndns.org
> # left=%defaultroute
> leftnexthop=%defaultroute
> leftsubnet=0.0.0.0/0
> leftupdown="ipsec _updown --route yes"
> right=%any
> rightsubnet=vhost:%no,%priv
> # keyingtries=10
> # rekey=yes
> rekey=no
> auto=add
Two issues:

If you comment without indenting, then the parser thinks it is the end
of the section. So unfortunately when you do:

conn foo
    a=b
    #c=d
    e=d

That is different from

conn foo
    a=b
# c=d
    e=d

In the latter case, the conn foo ends and "e=d" is not part of the conn
foo.
(no I did not write the parser code)
The second issue is what I mailed Philippe about regarding commit
bfa4b9d76f19e7dd8 that introduced the bad resolving by my
misunderstanding of the ttoaddr_num() return code of NULL being success.
I have not reverted it yet without more testing that I asked Philippe
to do for me earlier (but my email was stuck for a few hours, so this
email might be older than the request I sent Philippe).
Paul
>
> $ tail -f /var/log/messages
> Jan 8 17:14:51 victor sudo: philippe : TTY=pts/2 ; PWD=/home/philippe/openswan-2.6.38 ; USER=root ;
> COMMAND=/usr/local/sbin/ipsec addconn --verbose --autoall
> Jan 8 17:14:51 victor pluto[15674]: |
> Jan 8 17:14:51 victor pluto[15674]: | *received whack message
> Jan 8 17:14:51 victor pluto[15674]: connection FIXED_RIGHT_IP must specify host IP address for our side
> Jan 8 17:14:51 victor pluto[15674]: attempt to load incomplete connection
> Jan 8 17:14:51 victor pluto[15674]: | * processed 0 messages from cryptographic helpers
>
> Philippe Vouters (Fontainebleau/France)
> URL: http://vouters.dyndns.org/
> SIP: sip:Vouters at sip.linphone.org
> On 08/01/2013 16:49, Philippe Vouters wrote:
> For problem 1/, this configuration:
> [philippe at victor openswan-2.6.38]$ sudo cat /etc/ipsec.conf
> # The config file changed quite a bit from 1.x.
> # See http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html
>
> version 2.0
>
> # Default policy
> #---------------
>
> config setup
> interfaces=%defaultroute
> #plutodebug=none
> plutodebug="all crypt"
> klipsdebug=none
> oe=no
> protostack=netkey # 2.6.x only
> #plutostderrlog=/var/log/openswan
> #plutostderrlogtime=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
>
> # Tunnels defined in separate files
> #----------------------------------
>
> include /etc/ipsec.d/ipsec.unmanaged.david.conf
>
> $ sudo cat /etc/ipsec.d/ipsec.unmanaged.david.conf
> conn david
> type=tunnel
> authby=secret
> dpdtimeout=120
> dpddelay=30
> auto=add
> # left=howitts.poweredbyclear.com
> left=victor.vouters.dyndns.org
> leftsubnet=192.168.1.0/24
> right=88.98.137.158
> rightsubnet=10.1.0.0/16
> ike=3des-sha1;modp1024
> phase2alg=3des-sha1;modp1024
> dpdaction=hold
>
> Causes the following:
> [philippe at victor openswan-2.6.38]$ sudo /usr/local/sbin/ipsec addconn --verbose --autoall
> opening file: /etc/ipsec.conf
> debugging mode enabled
> including file '/etc/ipsec.d/ipsec.unmanaged.david.conf'(/etc/ipsec.d/ipsec.unmanaged.david.conf) from line /etc/ipsec.conf:25
> end of file /etc/ipsec.d/ipsec.unmanaged.david.conf
> resuming /etc/ipsec.conf line 25
> end of file /etc/ipsec.conf
> Loading default conn
> starter: case KH_NOTSET: empty
> starter: case KH_NOTSET: empty
> Loading conn david
> loading all conns according to their auto= settings
> Pass #1: Loading auto=add and auto=route connections
> 002 "david": deleting connection
> 002 added connection description "david"
> david Pass #2: Loading auto=start connections
>
> [philippe at victor openswan-2.6.38]$
>
> [philippe at victor openswan-2.6.38]$ tail -f /var/log/secure
> ...
> Jan 8 16:40:54 victor pluto[13755]: added connection description "david"
> Jan 8 16:40:54 victor pluto[13755]: | 192.168.1.0/24===fe80::219:66ff:fe3b:52c8<victor.vouters.dyndns.org>...88.98.137.158<88.98.137.158>===10.1.0.0/16
> Jan 8 16:40:54 victor pluto[13755]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK
> Jan 8 16:40:54 victor pluto[13755]: | * processed 0 messages from cryptographic
>
> So left=victor.vouters.dyndns.org looks to be quite understood and accepted in this configuration case.
>
> Philippe Vouters (Fontainebleau/France)
> URL: http://vouters.dyndns.org/
> SIP: sip:Vouters at sip.linphone.org
>
> On 08/01/2013 16:19, Paul Wouters wrote:
> On Tue, 8 Jan 2013, Philippe Vouters wrote:
>
> Several bugs:
> 1/ Libreswan does NOT respect its man:
> left=victor.vouters.dyndns.org
> is perfectly legal.
>
>
> I am sorry I don't understand this one? You mean your /etc/hosts issues
> or this is something else?
>
> 2/ Libreswan only processes the first globbed file
> include /etc/ipsec.d/ipsec.*.conf
>
> 3/ Libreswan only processes the first include:
> # Tunnels defined in separate files
> #----------------------------------
>
> #include /etc/ipsec.d/ipsec.*.conf
> include /etc/ipsec.d/ipsec.unmanaged.david.conf
> include /etc/ipsec.d/ipsec.unmanaged.mumin.conf
> include /etc/ipsec.d/ipsec.unmanaged.paulin.conf
>
> 2/ and 3/ are possibly related.
>
>
> I'll ensure we have that as test cases in readwrite conf....
>
> Paul
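The section rule Paul describes (a comment at column 0 silently closes the conn, so every keyword after it is loaded as if it were outside any section) is easy to model and easy to lint for. The following is an added example and not libreswan code: a small Python parser that applies that rule as an assumption taken from this thread rather than from the libreswan source, plus a lint that flags keywords orphaned this way, so a file like the one quoted above fails loudly instead of producing a connection with half its options missing. Both sample configs are constructed to mirror Paul's two snippets.

```python
import re

# "conn foo" / "config setup" section headers start at column 0.
SECTION_RE = re.compile(r'^(conn|config)\s+(\S+)\s*$')


def parse_sections(text):
    """Parse ipsec.conf-style text under the rule from the mail above:
    any line that starts at column 0 (including '# ...' comments) closes
    the open section. Indented comments are ignored and stay inside the
    section. Blank lines are skipped (an assumption of this model).

    Returns (sections, orphans):
      sections: list of (kind, name, {key: value}) in file order
      orphans:  list of (lineno, key) for key=value lines found after the
                section they were meant for had already been closed
    """
    sections = []
    orphans = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip():
            continue
        stripped = line.strip()
        if line[0] not in ' \t':
            # Column-0 line: the section ends here, comment or not.
            current = None
            m = SECTION_RE.match(stripped)
            if m:
                current = {}
                sections.append((m.group(1), m.group(2), current))
            continue
        if stripped.startswith('#') or '=' not in stripped:
            continue  # indented comment, or not a parameter line
        key, _, value = stripped.partition('=')
        key, value = key.strip(), value.strip()
        if current is None:
            orphans.append((lineno, key))
        else:
            current[key] = value
    return sections, orphans


def lint(text):
    """Return one warning string per orphaned keyword (empty list if clean)."""
    _, orphans = parse_sections(text)
    return [f"line {lineno}: '{key}=' is not inside any section; "
            f"an unindented line above it ended the conn"
            for lineno, key in orphans]


# Constructed samples mirroring the two snippets in the mail.
GOOD = "conn foo\n    a=b\n    #c=d\n    e=d\n"
BAD = "conn foo\n    a=b\n# c=d\n    e=d\n"

if __name__ == "__main__":
    for label, cfg in (("indented comment", GOOD), ("column-0 comment", BAD)):
        sections, _ = parse_sections(cfg)
        print(label, "->", sections)
        for warning in lint(cfg):
            print("  WARNING:", warning)
```

Run against the second sample the parser returns conn foo with only a=b, and the lint reports that e= on line 4 sits outside any section; that is exactly the silent truncation Paul points out, made visible before the file is handed to pluto.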