[Swan] Need debugging pointer between libreswan and ASA5550

T.J. Yang tjyang2001 at gmail.com
Fri Mar 8 20:07:35 EET 2013


On Fri, Mar 8, 2013 at 11:46 AM, Paul Wouters <pwouters at redhat.com> wrote:

> On 03/08/2013 11:24 AM, T.J. Yang wrote:
>
>> 1.  new /etc/ipsec.conf with tabs, no pound signs, public ip masked.
>> version 2.0
>> config setup
>>          plutodebug="control parsing"
>>          plutostderrlog=/var/log/ipsec.log
>>          protostack=netkey
>>          nat_traversal=yes
>>          virtual_private=
>>          oe=no
>> conn centos6-asa-net-net
>>          keyingtries=3
>>          authby=secret
>>          left=x.x.x..5
>>          leftsubnet=192.168.50.0/24
>>          leftsourceip=192.168.50.254
>>          right=x.x.x..4
>>          rightsubnet=192.168.40.0/24
>>          rightsourceip=192.168.40.254
>>          auto=start
>>          keyexchange=ike
>>          type=tunnel
>>          pfs=no
>>          phase2=esp
>>          phase2alg=3des-sha1
>>
>
> So what's the output of:
>
> ipsec start
> ipsec auto --add centos6-asa-net-net
> ipsec auto --up centos6-asa-net-net
>
>
For version 3.0, after adding the connection, I still need to bring up the
connection. This was the step I missed.

"ipsec stop" is not valid for 3.0 libreswan. Hopefully, in the 3.1 release,
"ipsec start" will start up the connection labelled as "auto=start".

I am really thankful for Paul and Philippe's help.


[root at il93mlab-centos6-01 ~]# ipsec stop
/usr/sbin/ipsec: unknown IPsec command `stop' (`ipsec --help' for list)
[root at il93mlab-centos6-01 ~]# ispec version
-bash: ispec: command not found
[root at il93mlab-centos6-01 ~]# ipsec version
Linux Libreswan 3.0 (netkey) on 2.6.32-279.22.1.el6.x86_64
[root at il93mlab-centos6-01 ~]# ipsec stop
/usr/sbin/ipsec: unknown IPsec command `stop' (`ipsec --help' for list)
[root at il93mlab-centos6-01 ~]# ipsec setup stop
Redirecting to: service ipsec stop
Shutting down pluto IKE daemon
002 shutting down

[root at il93mlab-centos6-01 ~]# ipsec setup start
Redirecting to: service ipsec start
Starting pluto IKE daemon for IPsec:                       [  OK  ]
[root at il93mlab-centos6-01 ~]# ipsec auto --add centos6-asa-net-net
multiple ip addresses, using  10.20.52.5 on em1
[root at il93mlab-centos6-01 ~]# ipsec auto --up centos6-asa-net-net
104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate
003 "centos6-asa-net-net" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set
to=draft-ietf-ipsec-nat-t-ike-02/03
003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco IKE
Fragmentation]
106 "centos6-asa-net-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "centos6-asa-net-net" #1: received Vendor ID payload [Cisco-Unity]
003 "centos6-asa-net-net" #1: received Vendor ID payload [XAUTH]
003 "centos6-asa-net-net" #1: ignoring unknown Vendor ID payload
[54da3d7d997900e48394f45bcb1bec70]
003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco VPN 3000
Series]
003 "centos6-asa-net-net" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "centos6-asa-net-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "centos6-asa-net-net" #1: received Vendor ID payload [Dead Peer
Detection]
004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate
004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0x4d9ac07c <0x5e3db534 xfrm=3DES_0-HMAC_SHA1
NATOA=none NATD=none DPD=none}

> Paul
>
>


-- 
T.J. Yang
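A small check that turns the `ipsec auto --up` output quoted above into something a script can assert on, so a tunnel bring-up can be verified against what `ipsec.conf` asked for rather than read by eye. This is an added example written for this thread, not libreswan code or anything from the original post: it re-joins the mail-wrapped pluto messages, pulls the connection name, the Phase 1 parameters (`cipher`, `prf`, `group`) and the Phase 2 parameters (ESP SPIs, `xfrm`, `DPD`), then compares the negotiated `xfrm` with the configured `phase2alg=3des-sha1` and flags legacy choices (3DES, `modp1024`, `DPD=none`). The sample output is constructed from the lines shown in the post; SPIs and algorithm names are the ones the thread prints.

```python
import re

# Constructed sample: the "ipsec auto --up" output quoted in the thread, kept
# with the line wrapping the mail client applied (pluto itself emits one
# message per line). Values are the ones shown in the post.
SAMPLE_OUTPUT = """\
104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate
003 "centos6-asa-net-net" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set
to=draft-ietf-ipsec-nat-t-ike-02/03
106 "centos6-asa-net-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "centos6-asa-net-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate
004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0x4d9ac07c <0x5e3db534 xfrm=3DES_0-HMAC_SHA1
NATOA=none NATD=none DPD=none}
"""

MSG_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<rest>.*)$')
STATE_RE = re.compile(r'\b(STATE_\w+)\b')
ISAKMP_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')
IPSEC_RE = re.compile(
    r'IPsec SA established (?P<mode>\w+) mode '
    r'\{ESP=>(?P<spi_out>0x[0-9a-fA-F]+) <(?P<spi_in>0x[0-9a-fA-F]+) (?P<params>[^}]*)\}')


def _unwrap(text):
    """Re-join messages a mail client wrapped; each pluto message starts with a 3-digit code."""
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if re.match(r'^\d{3} ', line) or not msgs:
            msgs.append(line.rstrip())
        else:
            msgs[-1] += ' ' + line.strip()
    return msgs


def _kv(params):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    out = {}
    for tok in params.split():
        if '=' in tok:
            k, v = tok.split('=', 1)
            out[k] = v
    return out


def parse_pluto_output(text):
    """Extract connection name, visited states and the negotiated SA parameters."""
    result = {"conn": None, "states": [], "isakmp": None, "ipsec": None}
    for msg in _unwrap(text):
        m = MSG_RE.match(msg)
        if not m:
            continue
        result["conn"] = m.group("conn")
        rest = m.group("rest")
        result["states"].extend(STATE_RE.findall(rest))
        im = ISAKMP_RE.search(rest)
        if im:
            result["isakmp"] = _kv(im.group("params"))
        pm = IPSEC_RE.search(rest)
        if pm:
            sa = _kv(pm.group("params"))
            sa.update(mode=pm.group("mode"),
                      spi_out=pm.group("spi_out"), spi_in=pm.group("spi_in"))
            result["ipsec"] = sa
    return result


def audit_negotiation(parsed, phase2alg="3des-sha1"):
    """Findings: tunnel state, mismatch against the configured phase2alg,
    and legacy algorithms that are still being negotiated."""
    findings = []
    ike = parsed["isakmp"] or {}
    if not ike:
        findings.append("no ISAKMP SA established")
    if parsed["ipsec"] is None:
        findings.append("no IPsec SA established: tunnel is down")
        return findings
    xfrm = parsed["ipsec"].get("xfrm", "").lower()
    enc, integ = phase2alg.lower().split("-", 1)   # e.g. "3des-sha1" -> ("3des", "sha1")
    if enc not in xfrm or integ not in xfrm:
        findings.append(f"negotiated xfrm {xfrm} does not match phase2alg={phase2alg}")
    if "3des" in ike.get("cipher", "").lower() or "3des" in xfrm:
        findings.append("3DES negotiated: 64-bit block cipher, prefer AES")
    if ike.get("group") == "modp1024":
        findings.append("modp1024 negotiated: 1024-bit DH group, prefer modp2048 or larger")
    if parsed["ipsec"].get("DPD") == "none":
        findings.append("DPD=none: dead peer detection not active on this SA")
    return findings


if __name__ == "__main__":
    parsed = parse_pluto_output(SAMPLE_OUTPUT)
    print(parsed)
    for finding in audit_negotiation(parsed):
        print("finding:", finding)
```

Feed it the real output of `ipsec auto --up <conn>` (for example `ipsec auto --up centos6-asa-net-net | python3 check_tunnel.py`, with a `sys.stdin.read()` in place of the sample) and an empty findings list means the SA came up with the algorithms the configuration asked for; with this thread's values it will report the tunnel as up but list 3DES, modp1024 and DPD=none.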