[Swan] Need debugging pointer between libreswan and ASA5550

Philippe Vouters philippe.vouters at laposte.net
Fri Mar 8 20:53:21 EET 2013


Dear T.J Yang,

At first glance, my Web site is up and accessible. The time is now 19:52 
French time, and the last access to my http://vouters.dyndns.org/tima/ 
Web directory was at 19:36:09, as per what Apache tells me.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 08/03/2013 18:18, T.J. Yang wrote:
> Thanks Philippe,
>
> Looking forward to seeing that URL. Are you sure your 
> http://vouters.dyndns.org/ is up?
>
>
> tj
>
>
> On Fri, Mar 8, 2013 at 10:50 AM, Philippe Vouters 
> <philippe.vouters at laposte.net> 
> wrote:
>
>     Hi,
>
>     Have a look at
>     http://vouters.dyndns.org/tima/Linux-Shrew-VPN-Client-Setting_an_Intranet_VPN_with_Windows_Seven.html
>     and its '#ipsec auto --status' command. Do consider how
>     Philippe_PSK and FIXED_RIGHT_IP conns are retrieved.
>
>     On your side, even if not connected to the Cisco remote peer,
>     '#ipsec auto --status' should show centos6-asa-net-net.
>     Yours truly,
>
>     Philippe Vouters (Fontainebleau/France)
>     URL:http://vouters.dyndns.org/
>     SIP: sip:Vouters at sip.linphone.org
>
>     On 08/03/2013 17:24, T.J. Yang wrote:
>>     1. New /etc/ipsec.conf with tabs, no pound signs, public IP masked.
>>     version 2.0
>>     config setup
>>             plutodebug="control parsing"
>>             plutostderrlog=/var/log/ipsec.log
>>             protostack=netkey
>>             nat_traversal=yes
>>             virtual_private=
>>             oe=no
>>     conn centos6-asa-net-net
>>             keyingtries=3
>>             authby=secret
>>             left=x.x.x..5
>>             leftsubnet=192.168.50.0/24
>>             leftsourceip=192.168.50.254
>>             right=x.x.x..4
>>             rightsubnet=192.168.40.0/24
>>             rightsourceip=192.168.40.254
>>             auto=start
>>             keyexchange=ike
>>             type=tunnel
>>             pfs=no
>>             phase2=esp
>>             phase2alg=3des-sha1
>>
>>     2.  /etc/ipsec.d/psk.secrets, with ip,password masked.
>>
>>     [root at mlab-centos6-01 ipsec.d]# cat /etc/ipsec.d/psk.secrets
>>     x.x.x.3  x.x.x.5: PSK "MyPassword"
>>     x.x.x..5 x.x.x.4: PSK "MyPassword"
>>     [root at mlab-centos6-01 ipsec.d]#
>>
>>     3. Here is ipsec.log after running the libreswan 3.0 ipsec command.
>>
>>
>>     [root at mlab-centos6-01 ipsec.d]# ipsec setup stop;sleep 2;>/var/log/ipsec.log;ipsec setup start;sleep 2;tail /var/log/ipsec.log
>>     Redirecting to: service ipsec stop
>>     Shutting down pluto IKE daemon
>>     002 shutting down
>>
>>     Redirecting to: service ipsec start
>>     Starting pluto IKE daemon for IPsec: [  OK  ]
>>     listening for IKE messages
>>     adding interface em1/em1 192.168.50.254:500
>>     adding interface em1/em1 192.168.50.254:4500
>>     adding interface em1/em1 x.x.x.5:500
>>     adding interface em1/em1 x.x.x.5:4500
>>     adding interface lo/lo 127.0.0.1:500
>>     adding interface lo/lo 127.0.0.1:4500
>>     adding interface lo/lo ::1:500
>>     loading secrets from "/etc/ipsec.secrets"
>>     loading secrets from "/etc/ipsec.d/psk.secrets"
>>     [root at mlab-centos6-01 ipsec.d]#
>>
>>     4. No traffic in the Cisco ASDM latest syslog message window.
>>
>>     5. Output from the ipsec status command
>>
>>     [root at mlab-centos6-01 ~]# ipsec status
>>     000 using kernel interface: netkey
>>     000 interface lo/lo ::1
>>     000 interface lo/lo 127.0.0.1
>>     000 interface lo/lo 127.0.0.1
>>     000 interface em1/em1 x.x.x.5
>>     000 interface em1/em1 x.x.x.5
>>     000 interface em1/em1 192.168.50.254
>>     000 interface em1/em1 192.168.50.254
>>     000 %myid = (none)
>>     000 debug parsing+control
>>     000
>>     000 virtual_private (%priv):
>>     000 - allowed 0 subnets:
>>     000 - disallowed 0 subnets:
>>     000 WARNING: Either virtual_private= is not specified, or there is a syntax
>>     000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
>>     000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
>>     000          private address space in internal use, it should be excluded!
>>     000
>>     000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
>>     000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
>>     000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
>>     000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
>>     000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
>>     000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
>>     000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
>>     000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
>>     000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
>>     000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
>>     000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
>>     000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
>>     000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
>>     000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
>>     000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
>>     000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
>>     000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
>>     000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
>>     000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
>>     000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
>>     000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
>>     000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
>>     000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
>>     000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
>>     000
>>     000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
>>     000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
>>     000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
>>     000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>>     000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>>     000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
>>     000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
>>     000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
>>     000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>>     000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>>     000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>>     000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>>     000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>>     000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>>     000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>>     000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
>>     000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
>>     000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
>>     000
>>     000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
>>     000
>>     000
>>     000
>>     /usr/sbin/ipsec: unknown IPsec command `status' (`ipsec --help' for list)
>>     [root at mlab-centos6-01 ~]#
>>
>>
>>
>>     On Fri, Mar 8, 2013 at 9:39 AM, Paul Wouters <pwouters at redhat.com> wrote:
>>
>>         On Fri, 8 Mar 2013, T.J. Yang wrote:
>>
>>             Thanks to Paul and Philippe for the pointers. I tried the "oe"
>>             and spacing suggestions without success. When I do
>>             an "ipsec auto --add centos6-asa" to add the connection
>>             manually, /var/log/ipsec.log only shows one line and
>>             no other message.
>>             I will keep digging.
>>
>>
>>         I am confused. Do not do this:
>>
>>         conn foo
>>             some=value
>>             other=value
>>
>>             third=value
>>
>>         And don't do this:
>>
>>         conn foo
>>             some=value
>>             other=value
>>         #    third=value
>>             fourth=value
>>
>>         But do this:
>>
>>         conn foo
>>             some=value
>>             other=value
>>             #third=value
>>             fourth=value
>>
>>         Paul
>>
>>
>>
>>
>>     -- 
>>     T.J. Yang
>>
>>
>>     _______________________________________________
>>     Swan mailing list
>>     Swan at lists.libreswan.org
>>     https://lists.libreswan.org/mailman/listinfo/swan
>
>
>
>
> -- 
> T.J. Yang
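The two ipsec.conf layout rules Paul states in the quoted message (no blank line inside a conn section, no '#' comment starting in column 0 inside one) can be checked mechanically before restarting pluto. The following checker is an added example written for this page, not code from libreswan or from anyone in the thread; the sample snippets are constructed from Paul's three "conn foo" examples.

```python
"""Checker for the ipsec.conf layout pitfalls described in the thread.

In ipsec.conf only indented lines belong to the section header above them.
Paul's advice in the quoted message: do not leave a blank line inside a conn
section and do not put a '#' comment in column 0 inside one. This checker
treats either as ending the section and reports every indented parameter
that follows it, since that parameter is no longer read as part of the conn.
Added example for this page; it is not libreswan code.
"""
import re

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def check_ipsec_conf(text):
    """Return [(line_no, message), ...] for parameters stranded outside their section."""
    findings = []
    section = None  # "conn foo" / "config setup" currently open, if any
    cut = None      # (line_no, reason) once something ended the section early
    for no, raw in enumerate(text.splitlines(), 1):
        m = SECTION_RE.match(raw)
        if m:                                    # new section header at column 0
            section, cut = f"{m.group(1)} {m.group(2)}", None
        elif section is None:
            continue                             # e.g. "version 2.0" before any section
        elif raw.strip() == "":
            cut = cut or (no, "blank line")
        elif raw.startswith("#"):
            cut = cut or (no, "column-0 comment")
        elif raw[0] in " \t" and cut is not None:
            findings.append((no, f"{raw.strip()!r} is no longer part of {section}: "
                                 f"the section was ended at line {cut[0]} by a {cut[1]}"))
    return findings


# Constructed samples mirroring Paul's three "conn foo" snippets (tabs as indentation).
BLANK_LINE = "conn foo\n\tsome=value\n\tother=value\n\n\tthird=value\n"
COL0_COMMENT = "conn foo\n\tsome=value\n\tother=value\n#\tthird=value\n\tfourth=value\n"
CORRECT = "conn foo\n\tsome=value\n\tother=value\n\t#third=value\n\tfourth=value\n"

if __name__ == "__main__":
    for label, sample in [("blank line", BLANK_LINE), ("column-0 comment", COL0_COMMENT),
                          ("correct", CORRECT)]:
        print(label, "->", check_ipsec_conf(sample) or "ok")
```

Point `check_ipsec_conf` at the contents of a real /etc/ipsec.conf to list the parameters that a blank line or column-0 comment has separated from their conn.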
