[Swan] Need debugging pointer between libreswan and ASA5550

T.J. Yang tjyang2001 at gmail.com
Fri Mar 8 18:24:43 EET 2013


1.  New /etc/ipsec.conf, indented with tabs (rendered as spaces below), no leading pound signs, public IPs masked. (The doubled dot in `x.x.x..5` / `x.x.x..4` is presumably a masking artifact; if the real file contained it, left=/right= would not parse and the conn would not load at all.)
# /etc/ipsec.conf as posted (IPs masked). Review comments are kept on their
# own lines and indented like the values, per the note at the end of this
# thread about where a leading '#' may appear inside a section.
version 2.0
config setup
        # Debug categories; 'ipsec status' below reports them as
        # "debug parsing+control". Debug output is verbose -- drop it once
        # the tunnel is up.
        plutodebug="control parsing"
        # pluto's log file (tailed in section 3 below).
        plutostderrlog=/var/log/ipsec.log
        # Kernel IPsec stack; 'ipsec status' confirms "using kernel interface: netkey".
        protostack=netkey
        nat_traversal=yes
        # Left empty: this is what produces the two WARNING blocks in the
        # 'ipsec status' output. virtual_private= only matters for conns using
        # vhost:%priv; this net-to-net conn uses explicit subnets, so the
        # warnings can most likely be ignored here.
        virtual_private=
        # Opportunistic encryption disabled.
        oe=no
conn centos6-asa-net-net
        # Stop after 3 keying attempts instead of retrying indefinitely.
        keyingtries=3
        # Pre-shared key authentication; the key is selected from
        # /etc/ipsec.d/psk.secrets by the left/right address pair.
        # NOTE(review): keep that file readable by root only (mode 0600).
        authby=secret
        # NOTE(review): the doubled dot is presumably a masking artifact.
        # If the real file has it, the address will not parse and the conn
        # will silently fail to load -- confirm against the actual file.
        left=x.x.x..5
        leftsubnet=192.168.50.0/24
        # Address this gateway uses as source for its own traffic into the tunnel.
        leftsourceip=192.168.50.254
        right=x.x.x..4
        rightsubnet=192.168.40.0/24
        # NOTE(review): sourceip is applied by the local end only; on the remote
        # ASA side this line is presumably a no-op -- harmless, but confirm.
        rightsourceip=192.168.40.254
        # Load and initiate the conn at startup.
        auto=start
        keyexchange=ike
        type=tunnel
        # No ike= line: phase 1 proposals are libreswan's defaults. If the ASA's
        # IKE policy does not overlap them, phase 1 never completes -- compare
        # with the ASA isakmp/ikev1 policy when debugging.
        # NOTE(review): pfs=no disables phase 2 perfect forward secrecy. It must
        # match the ASA crypto map; enabling PFS on both ends is preferable if
        # the ASA permits it.
        pfs=no
        phase2=esp
        # 3DES/SHA1 is a legacy proposal (64-bit block cipher). The status
        # output shows ESP_AES is available; this must match the ASA transform
        # set, so prefer aes-sha1 or stronger on both sides where possible.
        phase2alg=3des-sha1

2.  /etc/ipsec.d/psk.secrets, with IPs and password masked. (Note: the first entry indexes the PSK by `x.x.x.3 x.x.x.5`, which does not match the left=/right= pair of the conn above; if that is not a masking artifact, only the second entry can apply to this conn. The file should be readable by root only.)

[root at mlab-centos6-01 ipsec.d]# cat /etc/ipsec.d/psk.secrets
x.x.x.3  x.x.x.5: PSK "MyPassword"
x.x.x..5 x.x.x.4: PSK "MyPassword"
[root at mlab-centos6-01 ipsec.d]#

3. Here is ipsec.log after running the libreswan 3.0 ipsec commands below. Note that it shows the interfaces and secrets being loaded, but no line reporting that conn centos6-asa-net-net was added.


[root at mlab-centos6-01 ipsec.d]# ipsec setup stop;sleep 2;>/var/log/ipsec.log;ipsec setup start;sleep 2;tail /var/log/ipsec.log
Redirecting to: service ipsec stop
Shutting down pluto IKE daemon
002 shutting down

Redirecting to: service ipsec start
Starting pluto IKE daemon for IPsec: [  OK  ]
listening for IKE messages
adding interface em1/em1 192.168.50.254:500
adding interface em1/em1 192.168.50.254:4500
adding interface em1/em1 x.x.x.5:500
adding interface em1/em1 x.x.x.5:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
loading secrets from "/etc/ipsec.d/psk.secrets"
[root at mlab-centos6-01 ipsec.d]#

4. No traffic shows up in the Cisco ASDM real-time syslog message window.

5. output from ipsec status command

[root at mlab-centos6-01 ~]# ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface em1/em1 x.x.x.5
000 interface em1/em1 x.x.x.5
000 interface em1/em1 192.168.50.254
000 interface em1/em1 192.168.50.254
000 %myid = (none)
000 debug parsing+control
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not
work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12,
keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16,
keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME,
keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000
000
/usr/sbin/ipsec: unknown IPsec command `status' (`ipsec --help' for list)
[root at mlab-centos6-01 ~]#



On Fri, Mar 8, 2013 at 9:39 AM, Paul Wouters <pwouters at redhat.com> wrote:

> On Fri, 8 Mar 2013, T.J. Yang wrote:
>
>  Thanks to Paul and Philippe's pointers. I tried the "oe" and spacing
>> suggestion without success. when I do
>> a "ipsec auto --add centos6-asa" to add connection manually.
>> /var/log/ipsec.log only showing  one line but
>> no other message.
>> I will keep digging
>>
>
> I am confused. Do not do this:
>
> conn foo
>     some=value
>     other=value
>
>     third=value
>
> And don't do this:
>
> conn foo
>     some=value
>     other=value
> #    third=value
>     fourth=value
>
> But do this:
>
> conn foo
>     some=value
>     other=value
>     #third=value
>     fourth=value
>
> Paul
>



-- 
T.J. Yang