[Swan] Need debugging pointer between libreswan and ASA5550

T.J. Yang tjyang2001 at gmail.com
Fri Mar 8 04:01:31 EET 2013


Hi
I am testing whether an existing openswan connection between CentOS 6.3 and a Cisco
ASA5550 can be switched to libreswan.
The ASA5550 has its logging sent to a CentOS 6 rsyslog server. The same left machine (x.x.x.5)
using openswan can make the connection OK,
and it logged the successful IPsec connection in the rsyslog file.

But once I switched over to libreswan using the same config file, I got very
few error messages in /var/log/ipsec.log about the connection
centos-asa.o
And on the ASA side there is no connection attempt shown.



/etc/ipsec.conf
version 2.0
config setup
        plutodebug="control parsing"
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10

        oe=off
        protostack=netkey
        plutostderrlog=/var/log/ipsec.log

conn connection-asa
        keyingtries=3
        authby=secret
        left=x.x.x.5
        leftsubnet=192.168.50.0/24
        leftsourceip=192.168.50.254
        # the ASA5550
        right=x.x.x.4
        rightsubnet=192.168.40.0/24
        rightsourceip=192.168.40.254
        auto=start
        keyexchange=ike
        type=tunnel
        pfs=no
        phase2=esp
        phase2alg=3des-sha1


[root at mlab-centos6-01 ~]# ipsec setup stop; >/var/log/ipsec.log; ipsec setup start; sleep 5; tail -n 30 /var/log/ipsec.log
Redirecting to: service ipsec stop
Shutting down pluto IKE daemon
002 shutting down

Redirecting to: service ipsec start
Starting pluto IKE daemon for IPsec:                       [  OK  ]
NSS crypto [enabled]
XAUTH PAM support [enabled]
HAVE_STATSD notification support [disabled]
Setting NAT-Traversal port-4500 floating to on
   port floating activation criteria nat_t=1/port_float=1
   NAT-Traversal support  [enabled]
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
no helpers will be started, all cryptographic operations will be done inline
Using Linux XFRM/NETKEY IPsec interface code on 2.6.32-279.22.1.el6.x86_64
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
listening for IKE messages
adding interface em1/em1 x.x.x.5:500
adding interface em1/em1 x.x.x.5:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
[root at mlab-centos6-01 ~]# ipsec version
Linux Libreswan 3.0 (netkey) on 2.6.32-279.22.1.el6.x86_64
[root at mlab-centos6-01 ~]#


Can someone provide me with some debugging pointers?
I feel like the "conn centos-asa" part was not loaded from /etc/ipsec.conf at
all.

-- 
T.J. Yang
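Editor's note, with an added example that is not part of the original post or of libreswan itself. Two things on this page are worth checking mechanically before reaching for plutodebug: the posted config defines `conn connection-asa`, while the text looks for `centos-asa`, and the posted pluto log contains no line announcing that any conn was added (libreswan logs `added connection description "<name>"` when a conn is loaded; that wording is taken from pluto's own output and is an assumption for this example). The wrapped `#virtual_private=` line is most likely a mail-client wrap, but if the file really contains a bare continuation line, the parser will not attach it to any section. The script below runs offline against constructed copies of the config and log excerpts from this post; the helper names (`conn_defined`, `stray_lines`, `conn_loaded`, `check_conn`) are this example's own:

```shell
#!/bin/sh
# Added example (editor's own, not from the post or from libreswan).
# Offline sanity checks for "was my conn loaded at all?":
#   1. is NAME defined as a 'conn' section in the config?
#   2. are there bare, unindented lines the parser cannot attach to a section?
#   3. did pluto log 'added connection description "NAME"'?  (assumed log wording)

# Constructed excerpt of the posted ipsec.conf, keeping the wrapped
# virtual_private continuation so check 2 has something to find.
SAMPLE_CONF='version 2.0
config setup
        plutodebug="control parsing"
        nat_traversal=yes
        #virtual_private=%v4:
10.0.0.0/8,%v4:192.168.0.0/16
        oe=off
        protostack=netkey

conn connection-asa
        authby=secret
        left=x.x.x.5
        right=x.x.x.4
        auto=start
'

# Constructed excerpt of the posted pluto log: no "added connection" line.
SAMPLE_LOG='listening for IKE messages
adding interface em1/em1 x.x.x.5:500
loading secrets from "/etc/ipsec.secrets"
'

# Print every conn name defined in the config read from stdin.
conn_names() {
    awk '$1 == "conn" { print $2 }'
}

# Succeed only if NAME is one of the conns defined in the config on stdin.
conn_defined() {
    conn_names | grep -qx -- "$1"
}

# Print lines that start in column 1 yet are not section headers or comments;
# a wrapped value (as on this page) shows up here as "<lineno>: <text>".
stray_lines() {
    awk '/^[^ \t#]/ && $1 != "conn" && $1 != "config" && $1 != "version" && $1 != "include" {
             print NR ": " $0 }'
}

# Succeed only if the pluto log on stdin records NAME being added (assumed wording).
conn_loaded() {
    grep -qF "added connection description \"$1\""
}

# Run all three checks; print what is wrong and return non-zero if anything is.
check_conn() {
    conf="$1"; log="$2"; name="$3"; status=0
    if ! printf '%s' "$conf" | conn_defined "$name"; then
        echo "conn \"$name\" is not defined; defined conns: $(printf '%s' "$conf" | conn_names | tr '\n' ' ')"
        status=1
    fi
    strays=$(printf '%s' "$conf" | stray_lines)
    if [ -n "$strays" ]; then
        echo "unindented lines that will not parse as keyword=value settings:"
        echo "$strays"
        status=1
    fi
    if ! printf '%s' "$log" | conn_loaded "$name"; then
        echo "pluto log has no 'added connection description \"$name\"' line"
        status=1
    fi
    return $status
}

# Stand-alone demo: the name the post looks for, against the posted config and log.
check_conn "$SAMPLE_CONF" "$SAMPLE_LOG" centos-asa || echo "=> conn not loaded as expected"
```

On the live host the same questions are answered by `ipsec auto --status` (lists the conns pluto currently knows) and `ipsec auto --add connection-asa`, which prints the parser's complaint on stderr if the section cannot be loaded; with `auto=start` the config is loaded at `ipsec setup start` by a separate program, so a parse error may land on the console rather than in the file named by `plutestderrlog`.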

