[Swan] Several problems with your configuration
Nick Howitt
n1ck.h0w1tt at gmail.com
Tue Jan 8 23:03:54 EET 2013
For issue 1 it almost suggests the conf files should be run through sed
first to remove any line beginning # or whitespace + # (as I dabble with
scripts rather than code). The conditions then become the same.
Nick
On 08/01/2013 20:22, Paul Wouters wrote:
>
> On Tue, 8 Jan 2013, Philippe Vouters wrote:
>
>> This configuration is not accepted by libreswan when NO leftsubnet
>> specified.
>>
>> conn FIXED_RIGHT_IP
>> type=tunnel
>> pfs=yes
>> dpddelay=30
>> dpdtimeout=120
>> dpdaction=restart
>> left=victor.vouters.dyndns.org
>> # left=%defaultroute
>> leftnexthop=%defaultroute
>> leftsubnet=0.0.0.0/0
>> leftupdown="ipsec _updown --route yes"
>> right=%any
>> rightsubnet=vhost:%no,%priv
>> # keyingtries=10
>> # rekey=yes
>> rekey=no
>> auto=add
>
> Two issues
>
> If you comment without indenting, then the parser thinks it is the end
> of the section. So unfortunately when you do:
>
> conn foo
> a=b
> #c=d
> e=d
>
> That is different from
>
> conn foo
> a=b
> # c=d
> e=d
>
> In the latter case, the conn foo ends and "e=d" is not part of the conn
> foo.
>
> (no I did not write the parser code)
>
> The second issue is what I mailed philippe about regarding commit
> bfa4b9d76f19e7dd8 that introduced the bad resolving by my
> misunderstanding of the ttoaddr_num() return code of NULL being success.
> I have not reverted it yet without more testing that I asked Philippe
> to do for me earlier (but my email was stuck for a few hours, so this
> email might be older than the request I sent Philippe)
>
> Paul
>>
>> $ tail -f /var/log/messages
>> Jan 8 17:14:51 victor sudo: philippe : TTY=pts/2 ;
>> PWD=/home/philippe/openswan-2.6.38 ; USER=root ;
>> COMMAND=/usr/local/sbin/ipsec addconn --verbose --autoall
>> Jan 8 17:14:51 victor pluto[15674]: |
>> Jan 8 17:14:51 victor pluto[15674]: | *received whack message
>> Jan 8 17:14:51 victor pluto[15674]: connection FIXED_RIGHT_IP must
>> specify host IP address for our side
>> Jan 8 17:14:51 victor pluto[15674]: attempt to load incomplete
>> connection
>> Jan 8 17:14:51 victor pluto[15674]: | * processed 0 messages from
>> cryptographic helpers
>>
>> Philippe Vouters (Fontainebleau/France)
>> URL: http://vouters.dyndns.org/
>> SIP: sip:Vouters at sip.linphone.org
>> On 08/01/2013 16:49, Philippe Vouters wrote:
>> For problem 1/, this configuration:
>> [philippe at victor openswan-2.6.38]$ sudo cat /etc/ipsec.conf
>> # The config file changed quite a bit from 1.x.
>> # See
>> http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html
>>
>> version 2.0
>>
>> # Default policy
>> #---------------
>>
>> config setup
>> interfaces=%defaultroute
>> #plutodebug=none
>> plutodebug="all crypt"
>> klipsdebug=none
>> oe=no
>> protostack=netkey # 2.6.x only
>> #plutostderrlog=/var/log/openswan
>> #plutostderrlogtime=yes
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
>>
>> # Tunnels defined in separate files
>> #----------------------------------
>>
>> include /etc/ipsec.d/ipsec.unmanaged.david.conf
>>
>> $ sudo cat /etc/ipsec.d/ipsec.unmanaged.david.conf
>> conn david
>> type=tunnel
>> authby=secret
>> dpdtimeout=120
>> dpddelay=30
>> auto=add
>> # left=howitts.poweredbyclear.com
>> left=victor.vouters.dyndns.org
>> leftsubnet=192.168.1.0/24
>> right=88.98.137.158
>> rightsubnet=10.1.0.0/16
>> ike=3des-sha1;modp1024
>> phase2alg=3des-sha1;modp1024
>> dpdaction=hold
>>
>> Causes the following:
>> [philippe at victor openswan-2.6.38]$ sudo /usr/local/sbin/ipsec
>> addconn --verbose --autoall
>> opening file: /etc/ipsec.conf
>> debugging mode enabled
>> including file
>> '/etc/ipsec.d/ipsec.unmanaged.david.conf'(/etc/ipsec.d/ipsec.unmanaged.david.conf)
>> from line
>> /etc/ipsec.conf:25
>> end of file /etc/ipsec.d/ipsec.unmanaged.david.conf
>> resuming /etc/ipsec.conf line 25
>> end of file /etc/ipsec.conf
>> Loading default conn
>> starter: case KH_NOTSET: empty
>> starter: case KH_NOTSET: empty
>> Loading conn david
>> loading all conns according to their auto= settings
>> Pass #1: Loading auto=add and auto=route connections
>> 002 "david": deleting connection
>> 002 added connection description "david"
>> david Pass #2: Loading auto=start connections
>>
>> [philippe at victor openswan-2.6.38]$
>>
>> [philippe at victor openswan-2.6.38]$ tail -f /var/log/secure
>> ...
>> Jan 8 16:40:54 victor pluto[13755]: added connection
>> description "david"
>> Jan 8 16:40:54 victor pluto[13755]: |
>> 192.168.1.0/24===fe80::219:66ff:fe3b:52c8<victor.vouters.dyndns.org>...88.98.137.158<88.98.137.158>===10.1.0.0/16
>> Jan 8 16:40:54 victor pluto[13755]: | ike_life: 3600s;
>> ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%;
>> keyingtries: 0; policy:
>> PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK
>> Jan 8 16:40:54 victor pluto[13755]: | * processed 0 messages
>> from cryptographic
>>
>> So left=victor.vouters.dyndns.org looks to be quite understood
>> and accepted in this configuration case.
>>
>> Philippe Vouters (Fontainebleau/France)
>> URL: http://vouters.dyndns.org/
>> SIP: sip:Vouters at sip.linphone.org
>>
>> On 08/01/2013 16:19, Paul Wouters wrote:
>> On Tue, 8 Jan 2013, Philippe Vouters wrote:
>>
>> Several bugs:
>> 1/ Libreswan does NOT respect its man:
>> left=victor.vouters.dyndns.org
>> is perfectly legal.
>>
>>
>> I am sorry I don't understand this one? You mean your
>> /etc/hosts issues
>> or this is something else?
>>
>> 2/ Libreswan only processes the first gobbed file
>> include /etc/ipsec.d/ipsec.*.conf
>>
>> 3/ Libreswan only processes the first include:
>> # Tunnels defined in separate files
>> #----------------------------------
>>
>> #include /etc/ipsec.d/ipsec.*.conf
>> include /etc/ipsec.d/ipsec.unmanaged.david.conf
>> include /etc/ipsec.d/ipsec.unmanaged.mumin.conf
>> include /etc/ipsec.d/ipsec.unmanaged.paulin.conf
>>
>> 2/ and 3/ are possibly related.
>>
>>
>> I'll ensure we have that as test cases in readwrite conf....
>>
>> Paul
>>
>>
>>
>>
>>
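As an added illustration, not code from this thread or from libreswan, the following Python script models the section rule Paul describes (a column-0 line either opens a section or, if it is an unindented comment, ends the current one; indented key=value lines belong to the open section) and the comment-stripping pre-pass Nick suggests. The parsing model is written from Paul's description only, not from the real parser, and the two sample configs are constructed for the demo. The useful defender-side check is `orphan_warnings`, which reports key=value lines that silently fell outside every section, since a dropped line such as `pfs=yes` weakens a tunnel without any error at load time.

```python
import re

# Constructed sample configs (not from the thread): identical content except
# that the comment on line 3 is unindented in the first and indented in the second.
UNINDENTED_COMMENT = "conn foo\n    a=b\n# c=d\n    e=d\n"
INDENTED_COMMENT = "conn foo\n    a=b\n    # c=d\n    e=d\n"


def parse_sections(text):
    """Model of the rule described in the thread (assumption: only this rule).

    Returns (sections, orphans): sections maps a header such as 'conn foo' to its
    key/value dict; orphans lists (lineno, key, value) for lines that were not
    inside any open section.
    """
    sections = {}
    orphans = []
    current = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue
        if line[0] not in " \t":
            # Column-0 line: a new section header ("conn foo", "config setup")
            # or an unindented comment, which closes the current section.
            if stripped.startswith("#"):
                current = None
            else:
                current = stripped
                sections.setdefault(current, {})
            continue
        if stripped.startswith("#"):
            continue  # indented comment: ignored, the section stays open
        key, _, value = stripped.partition("=")
        if current is None:
            orphans.append((lineno, key.strip(), value.strip()))
        else:
            sections[current][key.strip()] = value.strip()
    return sections, orphans


def strip_comment_lines(text):
    """Nick's pre-pass: drop every line whose first non-blank character is '#'
    (the sed equivalent would be  sed -e '/^[[:space:]]*#/d')."""
    kept = [l for l in text.splitlines() if not re.match(r"^\s*#", l)]
    return "\n".join(kept) + "\n"


def orphan_warnings(text):
    """Lint check: one message per key=value line that belongs to no section."""
    _, orphans = parse_sections(text)
    return [f"line {n}: '{k}={v}' is outside every section" for n, k, v in orphans]


if __name__ == "__main__":
    for name, cfg in (("unindented", UNINDENTED_COMMENT), ("indented", INDENTED_COMMENT)):
        sections, orphans = parse_sections(cfg)
        print(name, "->", sections, "orphans:", orphans)
        for w in orphan_warnings(cfg):
            print("  WARNING", w)
    same = parse_sections(strip_comment_lines(UNINDENTED_COMMENT)) == \
        parse_sections(strip_comment_lines(INDENTED_COMMENT))
    print("equal after stripping comment lines:", same)
```

Running the script shows `e=d` being attributed to `conn foo` only in the indented variant, and both variants parsing identically once comment lines are removed first, which is the equivalence Nick points out.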