[Swan] Several problems with your configuration

Nick Howitt n1ck.h0w1tt at gmail.com
Tue Jan 8 23:03:54 EET 2013


For issue 1 it almost suggests the conf files should be run through sed 
first to remove any line beginning with # or whitespace + # (as I dabble with 
scripts rather than code). The conditions then become the same.

Nick

On 08/01/2013 20:22, Paul Wouters wrote:
>
> On Tue, 8 Jan 2013, Philippe Vouters wrote:
>
>> This configuration is not accepted by libreswan when NO leftsubnet 
>> is specified.
>>
>> conn FIXED_RIGHT_IP
>>      type=tunnel
>>      pfs=yes
>>      dpddelay=30
>>      dpdtimeout=120
>>      dpdaction=restart
>>      left=victor.vouters.dyndns.org
>> #     left=%defaultroute
>>      leftnexthop=%defaultroute
>>      leftsubnet=0.0.0.0/0
>>      leftupdown="ipsec _updown --route yes"
>>      right=%any
>>      rightsubnet=vhost:%no,%priv
>> #     keyingtries=10
>> #     rekey=yes
>>      rekey=no
>>      auto=add
>
> Two issues
>
> If you comment without indenting, then the parser thinks it is the end
> of the section. So unfortunately when you do:
>
> conn foo
>     a=b
>     #c=d
>     e=d
>
> That is different from
>
> conn foo
>     a=b
> #    c=d
>     e=d
>
> In the latter case, the conn foo ends and "e=d" is not part of the conn
> foo.
>
> (no I did not write the parser code)
>
> The second issue is what I mailed philippe about regarding commit
> bfa4b9d76f19e7dd8 that introduced the bad resolving by my
> misunderstanding of the ttoaddr_num() return code of NULL being success.
> I have not reverted it yet without more testing that I asked Philippe
> to do for me earlier (but my email was stuck for a few hours, so this
> email might be older than the request I sent Philippe)
>
> Paul
>>
>> $ tail -f /var/log/messages
>> Jan  8 17:14:51 victor sudo: philippe : TTY=pts/2 ; PWD=/home/philippe/openswan-2.6.38 ; USER=root ; COMMAND=/usr/local/sbin/ipsec addconn --verbose --autoall
>> Jan  8 17:14:51 victor pluto[15674]: |
>> Jan  8 17:14:51 victor pluto[15674]: | *received whack message
>> Jan  8 17:14:51 victor pluto[15674]: connection FIXED_RIGHT_IP must specify host IP address for our side
>> Jan  8 17:14:51 victor pluto[15674]: attempt to load incomplete connection
>> Jan  8 17:14:51 victor pluto[15674]: | * processed 0 messages from cryptographic helpers
>>
>> Philippe Vouters (Fontainebleau/France)
>> URL: http://vouters.dyndns.org/
>> SIP: sip:Vouters at sip.linphone.org
>> Le 08/01/2013 16:49, Philippe Vouters a écrit :
>>       For problem 1/, this configuration:
>>       [philippe at victor openswan-2.6.38]$ sudo cat /etc/ipsec.conf
>>       # The config file changed quite a bit from 1.x.
>>       # See http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html
>>
>>       version 2.0
>>
>>       # Default policy
>>       #---------------
>>
>>       config setup
>>               interfaces=%defaultroute
>>               #plutodebug=none
>>               plutodebug="all crypt"
>>               klipsdebug=none
>>               oe=no
>>               protostack=netkey       # 2.6.x only
>>               #plutostderrlog=/var/log/openswan
>>               #plutostderrlogtime=yes
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
>>
>>       # Tunnels defined in separate files
>>       #----------------------------------
>>
>>       include /etc/ipsec.d/ipsec.unmanaged.david.conf
>>
>>       $ sudo cat /etc/ipsec.d/ipsec.unmanaged.david.conf
>>       conn david
>>        type=tunnel
>>        authby=secret
>>        dpdtimeout=120
>>        dpddelay=30
>>        auto=add
>>       # left=howitts.poweredbyclear.com
>>        left=victor.vouters.dyndns.org
>>        leftsubnet=192.168.1.0/24
>>        right=88.98.137.158
>>        rightsubnet=10.1.0.0/16
>>        ike=3des-sha1;modp1024
>>        phase2alg=3des-sha1;modp1024
>>        dpdaction=hold
>>
>>       Causes the following:
>>       [philippe at victor openswan-2.6.38]$ sudo /usr/local/sbin/ipsec addconn --verbose --autoall
>>       opening file: /etc/ipsec.conf
>>       debugging mode enabled
>>       including file '/etc/ipsec.d/ipsec.unmanaged.david.conf'(/etc/ipsec.d/ipsec.unmanaged.david.conf) from line /etc/ipsec.conf:25
>>       end of file /etc/ipsec.d/ipsec.unmanaged.david.conf
>>       resuming /etc/ipsec.conf line 25
>>       end of file /etc/ipsec.conf
>>       Loading default conn
>>       starter: case KH_NOTSET: empty
>>       starter: case KH_NOTSET: empty
>>       Loading conn david
>>       loading all conns according to their auto= settings
>>         Pass #1: Loading auto=add and auto=route connections
>>       002 "david": deleting connection
>>       002 added connection description "david"
>>        david  Pass #2: Loading auto=start connections
>>
>>       [philippe at victor openswan-2.6.38]$
>>
>>       [philippe at victor openswan-2.6.38]$ tail -f /var/log/secure
>>       ...
>>       Jan  8 16:40:54 victor pluto[13755]: added connection description "david"
>>       Jan  8 16:40:54 victor pluto[13755]: | 192.168.1.0/24===fe80::219:66ff:fe3b:52c8<victor.vouters.dyndns.org>...88.98.137.158<88.98.137.158>===10.1.0.0/16
>>       Jan  8 16:40:54 victor pluto[13755]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK
>>       Jan  8 16:40:54 victor pluto[13755]: | * processed 0 messages from cryptographic
>>
>>       So left=victor.vouters.dyndns.org looks to be quite understood 
>> and accepted in this configuration case.
>>
>>       Philippe Vouters (Fontainebleau/France)
>>       URL: http://vouters.dyndns.org/
>>       SIP: sip:Vouters at sip.linphone.org
>>
>>       Le 08/01/2013 16:19, Paul Wouters a écrit :
>>             On Tue, 8 Jan 2013, Philippe Vouters wrote:
>>
>>                   Several bugs:
>>                   1/ Libreswan does NOT respect its man:
>>                   left=victor.vouters.dyndns.org
>>                   is perfectly legal.
>>
>>
>>             I am sorry I don't understand this one? You mean your 
>> /etc/hosts issues
>>             or this is something else?
>>
>>                   2/ Libreswan only processes the first globbed file
>>                   include /etc/ipsec.d/ipsec.*.conf
>>
>>                   3/ Libreswan only processes the first include:
>>                   # Tunnels defined in separate files
>>                   #----------------------------------
>>
>>                   #include /etc/ipsec.d/ipsec.*.conf
>>                   include /etc/ipsec.d/ipsec.unmanaged.david.conf
>>                   include /etc/ipsec.d/ipsec.unmanaged.mumin.conf
>>                   include /etc/ipsec.d/ipsec.unmanaged.paulin.conf
>>
>>                   2/ and 3/ are possibly related.
>>
>>
>>             I'll ensure we have that as test cases in readwrite conf....
>>
>>             Paul
>>
>>
>>
>>
>>
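As an added example (not code from this thread or from libreswan), the sed pre-pass Nick describes next to a small check that flags the unindented comment lines Paul says end a section; the config fragment is constructed from Paul's `conn foo` illustration, and the awk section logic is an assumption that mimics the described behaviour, not the real parser.

```shell
#!/bin/sh
# Added example, not from the thread: strip comment lines as Nick suggests,
# and flag the pitfall Paul describes, where a '#' at column 0 inside a
# conn/config section ends that section and the keywords after it silently
# fall outside the conn.

# Constructed ipsec.conf fragment (Paul's second example, not a real file).
SAMPLE='conn foo
    a=b
#    c=d
    e=d
'

# Remove every line that is only a comment, indented or not, so an
# unindented "#" can no longer terminate a section.
strip_comments() {
    sed -e '/^[[:space:]]*#/d'
}

# Print "line N: ..." for each unindented comment between a section header
# and the next blank line; prints nothing when the file is clean.
find_section_breaking_comments() {
    awk '
        /^(conn|config)[[:space:]]/ { insection = 1; next }
        /^[[:space:]]*$/            { insection = 0; next }
        insection && /^#/           { printf "line %d: %s\n", NR, $0 }
    '
}

# Count keyword lines that really belong to the conn. Assumed parser model:
# any line not starting with whitespace ends the section (Paul's description).
count_keywords_in_conn() {
    awk '
        /^conn[[:space:]]/ { insection = 1; next }
        insection && /^[[:space:]]+[^[:space:]#]/ { n++; next }
        insection && !/^[[:space:]]/ { insection = 0 }
        END { print n + 0 }
    '
}

echo "keywords kept as written:      $(printf '%s' "$SAMPLE" | count_keywords_in_conn)"
echo "keywords kept after sed pass:  $(printf '%s' "$SAMPLE" | strip_comments | count_keywords_in_conn)"
printf '%s' "$SAMPLE" | find_section_breaking_comments
```

Running it on the sample shows one keyword surviving as written (e=d is lost) and two after the sed pass, with the offending `#    c=d` line reported.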
