[Swan] Need debugging pointer between libreswan and ASA5550
Paul Wouters
pwouters at redhat.com
Fri Mar 8 20:18:22 EET 2013
On 03/08/2013 01:07 PM, T.J. Yang wrote:
Sorry, yes, the aliases "ipsec start" and "ipsec stop" do map to "ipsec
setup start/stop".
So your connection comes up fine. Are you saying it did not come up
despite auto=start?
I know there was an SELinux policy issue with include files that Tuomo ran
into. You might want to run a test with SELinux in permissive mode for that.
Paul
> On Fri, Mar 8, 2013 at 11:46 AM, Paul Wouters <pwouters at redhat.com> wrote:
>
> On 03/08/2013 11:24 AM, T.J. Yang wrote:
>
> 1. new /etc/ipsec.conf with tabs, no pound signs, public ip masked.
> version 2.0
> config setup
> plutodebug="control parsing"
> plutostderrlog=/var/log/ipsec.__log
> protostack=netkey
> nat_traversal=yes
> virtual_private=
> oe=no
> conn centos6-asa-net-net
> keyingtries=3
> authby=secret
> left=x.x.x..5
> leftsubnet=192.168.50.0/24
> leftsourceip=192.168.50.254
> right=x.x.x..4
> rightsubnet=192.168.40.0/24
>
> rightsourceip=192.168.40.254
> auto=start
> keyexchange=ike
> type=tunnel
> pfs=no
> phase2=esp
> phase2alg=3des-sha1
>
>
> So what's the output of:
>
> ipsec start
> ipsec auto --add centos6-asa-net-net
> ipsec auto --up centos6-asa-net-net
>
>
> For version 3.0, after adding the connection, I still need to bring up the
> connection. This was the step I missed.
> "ipsec stop" is not valid for 3.0 libreswan. Hopefully, in the 3.1 release,
> "ipsec start" will start up the connections labelled as "auto=start".
>
> I am really thankful for Paul and Philippe's help.
>
>
> [root at il93mlab-centos6-01 ~]# ipsec stop
> /usr/sbin/ipsec: unknown IPsec command `stop' (`ipsec --help' for list)
> [root at il93mlab-centos6-01 ~]# ispec version
> -bash: ispec: command not found
> [root at il93mlab-centos6-01 ~]# ipsec version
> Linux Libreswan 3.0 (netkey) on 2.6.32-279.22.1.el6.x86_64
> [root at il93mlab-centos6-01 ~]# ipsec stop
> /usr/sbin/ipsec: unknown IPsec command `stop' (`ipsec --help' for list)
> [root at il93mlab-centos6-01 ~]# ipsec setup stop
> Redirecting to: service ipsec stop
> Shutting down pluto IKE daemon
> 002 shutting down
>
> [root at il93mlab-centos6-01 ~]# ipsec setup start
> Redirecting to: service ipsec start
> Starting pluto IKE daemon for IPsec: [ OK ]
> [root at il93mlab-centos6-01 ~]# ipsec auto --add centos6-asa-net-net
> multiple ip addresses, using 10.20.52.5 on em1
> [root at il93mlab-centos6-01 ~]# ipsec auto --up centos6-asa-net-net
> 104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate
> 003 "centos6-asa-net-net" #1: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] method set
> to=draft-ietf-ipsec-nat-t-ike-02/03
> 003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco IKE
> Fragmentation]
> 106 "centos6-asa-net-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "centos6-asa-net-net" #1: received Vendor ID payload [Cisco-Unity]
> 003 "centos6-asa-net-net" #1: received Vendor ID payload [XAUTH]
> 003 "centos6-asa-net-net" #1: ignoring unknown Vendor ID payload
> [54da3d7d997900e48394f45bcb1bec70]
> 003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco VPN 3000
> Series]
> 003 "centos6-asa-net-net" #1: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> 108 "centos6-asa-net-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "centos6-asa-net-net" #1: received Vendor ID payload [Dead Peer
> Detection]
> 004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1024}
> 117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate
> 004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA
> established tunnel mode {ESP=>0x4d9ac07c <0x5e3db534
> xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
> Paul
>
> --
> T.J. Yang
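The thread shows two things a practitioner checks after `ipsec auto --up`: that both the ISAKMP (phase 1) and IPsec (phase 2) SAs actually came up, and what was negotiated. The script below is an added example, not libreswan's code or anything posted by the participants. It parses pluto's status lines and the conn section of ipsec.conf, reports the SA parameters, and flags the legacy settings visible in this exchange (3DES, MODP-1024, `pfs=no`, DPD off) plus the case the thread hit, where a conn has `auto=start` but no IPsec SA was established. The sample config and status lines are constructed to mirror the ones above, with 192.0.2.x standing in for the masked public addresses; the "worth revisiting" thresholds are this example's own choices.

```python
"""Added example: parse pluto's "ipsec auto --up" status lines and an ipsec.conf
conn, then list the negotiated SA parameters and legacy settings worth revisiting.
Samples are constructed to mirror the thread; 192.0.2.x stands in for masked IPs."""
import re

SAMPLE_CONF = """\
config setup
\tprotostack=netkey
\tnat_traversal=yes
conn centos6-asa-net-net
\tauthby=secret
\tleft=192.0.2.5
\tleftsubnet=192.168.50.0/24
\tright=192.0.2.4
\trightsubnet=192.168.40.0/24
\tauto=start
\tpfs=no
\tphase2alg=3des-sha1
"""

SAMPLE_UP_OUTPUT = """\
104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate
004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate
004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4d9ac07c <0x5e3db534 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

SA_LINE = re.compile(r'(?P<kind>ISAKMP|IPsec) SA established(?: (?P<mode>tunnel|transport) mode)? \{(?P<attrs>[^}]*)\}')

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; an unindented line opens a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                      # blank or comment line
        if not raw[0].isspace():
            current = raw.strip()
            sections.setdefault(current, {})
        elif current is not None and '=' in raw:
            key, value = raw.strip().split('=', 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def parse_sa_attrs(text):
    """'k=v k=v' -> dict; the 'ESP=>0xA <0xB' pair becomes proto/spi_out/spi_in."""
    attrs = {}
    for token in text.split():
        if token.startswith('<0x'):
            attrs['spi_in'] = token[1:]
        elif '=' in token:
            key, value = token.split('=', 1)
            if value.startswith('>'):
                attrs['proto'], attrs['spi_out'] = key, value[1:]
            else:
                attrs[key] = value
    return attrs

def parse_up_output(text):
    """Collect the established phase 1 (ISAKMP) and phase 2 (IPsec) SA parameters."""
    result = {'isakmp': None, 'ipsec': None}
    for line in text.splitlines():
        m = SA_LINE.search(line)
        if m is None:
            continue
        attrs = parse_sa_attrs(m.group('attrs'))
        if m.group('kind') == 'ISAKMP':
            result['isakmp'] = attrs
        else:
            attrs['mode'] = m.group('mode')
            result['ipsec'] = attrs
    return result

def tunnel_established(up):
    return up['isakmp'] is not None and up['ipsec'] is not None

def audit(sections, up):
    """(code, detail) pairs; the thresholds are this example's, not libreswan's."""
    findings = []
    isakmp, ipsec = up['isakmp'] or {}, up['ipsec'] or {}
    if '3des' in isakmp.get('cipher', '').lower():
        findings.append(('ike-3des', 'phase 1 cipher is 3DES, a 64-bit block cipher'))
    if isakmp.get('group') == 'modp1024':
        findings.append(('ike-modp1024', 'phase 1 DH group is 1024-bit MODP (group 2)'))
    if '3des' in ipsec.get('xfrm', '').lower():
        findings.append(('esp-3des', 'ESP transform uses 3DES'))
    if ipsec and ipsec.get('DPD') == 'none':
        findings.append(('dpd-off', 'Dead Peer Detection not negotiated'))
    for name, conn in sections.items():
        if not name.startswith('conn '):
            continue
        if conn.get('pfs', 'yes') == 'no':
            findings.append(('pfs-off', f'{name}: pfs=no, no fresh DH exchange in quick mode'))
        if conn.get('auto') == 'start' and not tunnel_established(up):
            findings.append(('auto-start-not-up', f'{name}: auto=start but no IPsec SA; run "ipsec auto --up"'))
    return findings

if __name__ == '__main__':
    for code, detail in audit(parse_ipsec_conf(SAMPLE_CONF), parse_up_output(SAMPLE_UP_OUTPUT)):
        print(code, '-', detail)
```

On a real host, feed `parse_up_output` the captured output of `ipsec auto --up <conn>` and `parse_ipsec_conf` the contents of /etc/ipsec.conf; the parser only understands the flat `section` / indented `key=value` layout, not `include` directives.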