[Swan] Need debugging pointer between libreswan and ASA5550

T.J. Yang tjyang2001 at gmail.com
Fri Mar 8 20:43:48 EET 2013


On Fri, Mar 8, 2013 at 12:18 PM, Paul Wouters <pwouters at redhat.com> wrote:

> On 03/08/2013 01:07 PM, T.J. Yang wrote:
>
> Sorry, yes the alias "ipsec start" and "ipsec stop" do map to "ipsec setup
> start/stop"
>
> So your connection comes up fine. Are you saying it did not come up
> despite auto=start?


yes.


> I know there was an SElinux policy with include files that Tuomo ran into.
> You might want to run a test with SElinux in permissive mode for that.
>
>
My SELinux indeed was in enforcing mode (hmm, but this works with Openswan). I
have it set as disabled now and "auto=start" still didn't bring up the
connection automatically.
A manual startup is still needed.

[root at mlab-centos6-01 ~]# grep ^SELINUX= /etc/selinux/config
SELINUX=disabled
[root at mlab-centos6-01 ~]# ipsec version
Linux Libreswan 3.0 (netkey) on 2.6.32-279.22.1.el6.x86_64
[root at mlab-centos6-01 ~]# ipsec setup start
Redirecting to: service ipsec start
Starting pluto IKE daemon for IPsec:                       [  OK  ]
[root at mlab-centos6-01 ~]# ipsec auto --add centos6-asa-net-net
multiple ip addresses, using  10.22.52.5 on em1
[root at mlab-centos6-01 ~]# ipsec auto --up  centos6-asa-net-net
104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate
003 "centos6-asa-net-net" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set
to=draft-ietf-ipsec-nat-t-ike-02/03
003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco IKE
Fragmentation]
106 "centos6-asa-net-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "centos6-asa-net-net" #1: received Vendor ID payload [Cisco-Unity]
003 "centos6-asa-net-net" #1: received Vendor ID payload [XAUTH]
003 "centos6-asa-net-net" #1: ignoring unknown Vendor ID payload
[9b157c17d3429c04a6b315d5e624bdb4]
003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco VPN 3000
Series]
003 "centos6-asa-net-net" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "centos6-asa-net-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "centos6-asa-net-net" #1: received Vendor ID payload [Dead Peer
Detection]
004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate
004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0xb8143c93 <0x2d1ebea5 xfrm=3DES_0-HMAC_SHA1
NATOA=none NATD=none DPD=none}
[root at mlab-centos6-01 ~]#



> Paul
>
>
>  On Fri, Mar 8, 2013 at 11:46 AM, Paul Wouters <pwouters at redhat.com
>> <mailto:pwouters at redhat.com>> wrote:
>>
>>     On 03/08/2013 11:24 AM, T.J. Yang wrote:
>>
>>         1.  new /etc/ipsec.conf with tabs, no pound signs, public ip
>> masked.
>>         version 2.0
>>         config setup
>>                   plutodebug="control parsing"
>>                   plutostderrlog=/var/log/ipsec.log
>>
>>                   protostack=netkey
>>                   nat_traversal=yes
>>                   virtual_private=
>>                   oe=no
>>         conn centos6-asa-net-net
>>                   keyingtries=3
>>                   authby=secret
>>                   left=x.x.x..5
>>                   leftsubnet=192.168.50.0/24
>>                   leftsourceip=192.168.50.254
>>                   right=x.x.x..4
>>                   rightsubnet=192.168.40.0/24
>>
>>                   rightsourceip=192.168.40.254
>>                   auto=start
>>                   keyexchange=ike
>>                   type=tunnel
>>                   pfs=no
>>                   phase2=esp
>>                   phase2alg=3des-sha1
>>
>>
>>     So what's the output of:
>>
>>     ipsec start
>>     ipsec auto --add centos6-asa-net-net
>>     ipsec auto --up centos6-asa-net-net
>>
>>
>> For version 3.0, after adding the connection, I still need to bring up the
>> connection. This was the step I missed.
>> "ipsec stop" is not valid for 3.0 libreswan. Hopefully, in the 3.1 release,
>> "ipsec start" will start up the connections labelled "auto=start".
>>
>> I am really thankful for Paul and Philippe's  help.
>>
>>
>> [root at il93mlab-centos6-01 ~]# ipsec stop
>> /usr/sbin/ipsec: unknown IPsec command `stop' (`ipsec --help' for list)
>> [root at il93mlab-centos6-01 ~]# ispec version
>> -bash: ispec: command not found
>> [root at il93mlab-centos6-01 ~]# ipsec version
>> Linux Libreswan 3.0 (netkey) on 2.6.32-279.22.1.el6.x86_64
>> [root at il93mlab-centos6-01 ~]# ipsec stop
>> /usr/sbin/ipsec: unknown IPsec command `stop' (`ipsec --help' for list)
>> [root at il93mlab-centos6-01 ~]# ipsec setup stop
>> Redirecting to: service ipsec stop
>> Shutting down pluto IKE daemon
>> 002 shutting down
>>
>> [root at il93mlab-centos6-01 ~]# ipsec setup start
>> Redirecting to: service ipsec start
>> Starting pluto IKE daemon for IPsec:                       [  OK  ]
>> [root at il93mlab-centos6-01 ~]# ipsec auto --add centos6-asa-net-net
>> multiple ip addresses, using  10.20.52.5 on em1
>> [root at il93mlab-centos6-01 ~]# ipsec auto --up centos6-asa-net-net
>> 104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate
>> 003 "centos6-asa-net-net" #1: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02_n] method set
>> to=draft-ietf-ipsec-nat-t-ike-02/03
>> 003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco IKE
>> Fragmentation]
>> 106 "centos6-asa-net-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>> 003 "centos6-asa-net-net" #1: received Vendor ID payload [Cisco-Unity]
>> 003 "centos6-asa-net-net" #1: received Vendor ID payload [XAUTH]
>> 003 "centos6-asa-net-net" #1: ignoring unknown Vendor ID payload
>> [54da3d7d997900e48394f45bcb1bec70]
>> 003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco VPN 3000
>> Series]
>> 003 "centos6-asa-net-net" #1: NAT-Traversal: Result using
>> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
>> 108 "centos6-asa-net-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> 003 "centos6-asa-net-net" #1: received Vendor ID payload [Dead Peer
>> Detection]
>> 004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established
>> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
>> group=modp1024}
>> 117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate
>> 004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA
>> established tunnel mode {ESP=>0x4d9ac07c <0x5e3db534
>> xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>>
>>     Paul
>>
>>
>>
>>
>> --
>> T.J. Yang
>>
>
>


-- 
T.J. Yang
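The transcripts in this thread end with the two lines that actually matter, "ISAKMP SA established" (phase 1) and "IPsec SA established" (phase 2), and they also record what was negotiated: 3DES, SHA-1 and modp1024 for IKE, 3DES-HMAC-SHA1 for ESP, with pfs=no in the config. The following is an added example, not code from the thread or from the libreswan project: a small POSIX shell script that checks an `ipsec auto --up` transcript for a completed phase 1 and phase 2, extracts the negotiated IKE and ESP parameters from the pluto status lines, and flags legacy ones that are worth migrating away from. The transcripts it runs on are constructed here to mirror the lines in the thread (the SPIs and the retransmission line are invented); on a live system you would pipe `ipsec auto --up centos6-asa-net-net 2>&1` into it instead.

```shell
#!/bin/sh
# Added example (not from the thread or from libreswan): check a libreswan 3.x
# "ipsec auto --up <conn>" transcript for a fully established tunnel and report
# the negotiated IKE/ESP parameters. Both transcripts below are constructed to
# mirror the thread's output; SPIs and the retransmission line are invented.

SAMPLE_UP='104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate
003 "centos6-asa-net-net" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate
004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb8143c93 <0x2d1ebea5 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}'

# Constructed failure case: phase 1 stalls at MI3 (no MR3 from the peer).
SAMPLE_FAIL='104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate
106 "centos6-asa-net-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "centos6-asa-net-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "centos6-asa-net-net" #1: STATE_MAIN_I3: retransmission; will wait 20s for response'

# tunnel_state TRANSCRIPT -> prints "up", "phase1-only" or "down".
# A phase 1 without a phase 2 usually means a proposal or subnet mismatch.
tunnel_state() {
    if printf '%s\n' "$1" | grep -q 'IPsec SA established'; then
        echo up
    elif printf '%s\n' "$1" | grep -q 'ISAKMP SA established'; then
        echo phase1-only
    else
        echo down
    fi
}

# ike_param TRANSCRIPT KEY -> value of KEY=... inside the "ISAKMP SA established" braces
ike_param() {
    printf '%s\n' "$1" | grep 'ISAKMP SA established' \
        | sed -n "s/.*[{ ]$2=\([^ }]*\).*/\1/p"
}

# esp_xfrm TRANSCRIPT -> value of xfrm=... from the "IPsec SA established" line
esp_xfrm() {
    printf '%s\n' "$1" | grep 'IPsec SA established' \
        | sed -n 's/.*xfrm=\([^ }]*\).*/\1/p'
}

# weak_params TRANSCRIPT -> space-separated list of legacy parameters found
# (3DES for IKE or ESP, 1024-bit MODP group); empty when none were negotiated.
weak_params() {
    out=""
    case "$(ike_param "$1" cipher)" in *3des*) out="$out ike-3des" ;; esac
    case "$(ike_param "$1" group)"  in modp1024) out="$out ike-modp1024" ;; esac
    case "$(esp_xfrm "$1")"         in 3DES*) out="$out esp-3des" ;; esac
    printf '%s' "${out# }"
}

# Drive the checks with the constructed transcripts. On a live host, replace
# "$SAMPLE_UP" with "$(ipsec auto --up centos6-asa-net-net 2>&1)".
echo "state:          $(tunnel_state "$SAMPLE_UP")"
echo "ike:            cipher=$(ike_param "$SAMPLE_UP" cipher) prf=$(ike_param "$SAMPLE_UP" prf) group=$(ike_param "$SAMPLE_UP" group)"
echo "esp:            $(esp_xfrm "$SAMPLE_UP")"
echo "legacy params:  $(weak_params "$SAMPLE_UP")"
echo "state (failed): $(tunnel_state "$SAMPLE_FAIL")"
```

Two caveats on what this does and does not tell you. A clean "up" from a manual `--up` transcript says nothing about whether the connection comes up on daemon start, which is the separate problem discussed in the thread; it only confirms the peers agree on a proposal. And the legacy flags are the point of running the check at all: the tunnel in the thread was negotiated with 3DES and a 1024-bit MODP group, with PFS disabled, all of which are acceptable for interoperability testing against an old ASA but are below current guidance (AES, SHA-2 and a 2048-bit or larger group, with PFS on) for a production site-to-site link.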