[Swan] Need debugging pointer between libreswan and ASA5550

T.J. Yang tjyang2001 at gmail.com
Fri Mar 8 21:20:17 EET 2013


Maybe my workplace is blocking your site; I will try later from home.

tj


On Fri, Mar 8, 2013 at 12:53 PM, Philippe Vouters <
philippe.vouters at laposte.net> wrote:

> Dear T.J. Yang,
>
> At first glance, my Web site is up and accessible. Time is now 19:52
> French time and the last access to my http://vouters.dyndns.org/tima/ Web
> directory is at 19:36:09, as per what Apache tells me.
>
> Philippe Vouters (Fontainebleau/France)
> URL: http://vouters.dyndns.org/
> SIP: sip:Vouters at sip.linphone.org
>
> On 08/03/2013 18:18, T.J. Yang wrote:
>
> Thanks Philippe,
>
> Looking forward to seeing that URL. Are you sure your
> http://vouters.dyndns.org/ is up?
>
>
> tj
>
>
> On Fri, Mar 8, 2013 at 10:50 AM, Philippe Vouters <
> philippe.vouters at laposte.net> wrote:
>
>> Hi,
>>
>> Have a look at
>> http://vouters.dyndns.org/tima/Linux-Shrew-VPN-Client-Setting_an_Intranet_VPN_with_Windows_Seven.html
>> and its '#ipsec auto --status' command. Do consider how Philippe_PSK and
>> FIXED_RIGHT_IP conns are retrieved.
>>
>> On your side and even if not connected to the Cisco remote peer, the
>> '#ipsec auto --status' should show up centos6-asa-net-net.
>> Yours truly,
>>
>> Philippe Vouters (Fontainebleau/France)
>> URL: http://vouters.dyndns.org/
>> SIP: sip:Vouters at sip.linphone.org
>>
>> On 08/03/2013 17:24, T.J. Yang wrote:
>>
>> 1. New /etc/ipsec.conf with tabs, no pound signs, public IP masked.
>> version 2.0
>> config setup
>>         plutodebug="control parsing"
>>         plutostderrlog=/var/log/ipsec.log
>>         protostack=netkey
>>         nat_traversal=yes
>>         virtual_private=
>>         oe=no
>> conn centos6-asa-net-net
>>         keyingtries=3
>>         authby=secret
>>         left=x.x.x.5
>>         leftsubnet=192.168.50.0/24
>>         leftsourceip=192.168.50.254
>>         right=x.x.x.4
>>         rightsubnet=192.168.40.0/24
>>         rightsourceip=192.168.40.254
>>         auto=start
>>         keyexchange=ike
>>         type=tunnel
>>         pfs=no
>>         phase2=esp
>>         phase2alg=3des-sha1
>>
>> 2. /etc/ipsec.d/psk.secrets, with IP and password masked.
>>
>> [root at mlab-centos6-01 ipsec.d]# cat /etc/ipsec.d/psk.secrets
>> x.x.x.3  x.x.x.5: PSK "MyPassword"
>> x.x.x.5 x.x.x.4: PSK "MyPassword"
>> [root at mlab-centos6-01 ipsec.d]#
>>
>> 3. Here is ipsec.log after running the libreswan 3.0 ipsec command.
>>
>>
>> [root at mlab-centos6-01 ipsec.d]# ipsec setup stop; sleep 2; >/var/log/ipsec.log; ipsec setup start; sleep 2; tail /var/log/ipsec.log
>> Redirecting to: service ipsec stop
>> Shutting down pluto IKE daemon
>> 002 shutting down
>>
>> Redirecting to: service ipsec start
>> Starting pluto IKE daemon for IPsec: [  OK  ]
>> listening for IKE messages
>> adding interface em1/em1 192.168.50.254:500
>> adding interface em1/em1 192.168.50.254:4500
>> adding interface em1/em1 x.x.x.5:500
>> adding interface em1/em1 x.x.x.5:4500
>> adding interface lo/lo 127.0.0.1:500
>> adding interface lo/lo 127.0.0.1:4500
>> adding interface lo/lo ::1:500
>> loading secrets from "/etc/ipsec.secrets"
>> loading secrets from "/etc/ipsec.d/psk.secrets"
>> [root at mlab-centos6-01 ipsec.d]#
>>
>> 4. No traffic in the Cisco ASDM latest syslog message window.
>>
>> 5. Output from the ipsec status command
>>
>> [root at mlab-centos6-01 ~]# ipsec status
>> 000 using kernel interface: netkey
>> 000 interface lo/lo ::1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface em1/em1 x.x.x.5
>> 000 interface em1/em1 x.x.x.5
>> 000 interface em1/em1 192.168.50.254
>> 000 interface em1/em1 192.168.50.254
>> 000 %myid = (none)
>> 000 debug parsing+control
>> 000
>> 000 virtual_private (%priv):
>> 000 - allowed 0 subnets:
>> 000 - disallowed 0 subnets:
>> 000 WARNING: Either virtual_private= is not specified, or there is a syntax
>> 000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
>> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
>> 000          private address space in internal use, it should be excluded!
>> 000
>> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
>> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
>> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
>> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
>> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
>> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
>> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
>> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
>> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
>> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
>> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
>> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
>> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
>> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
>> 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
>> 000
>> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
>> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
>> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
>> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
>> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
>> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
>> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
>> 000
>> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
>> 000
>> 000
>> 000
>> /usr/sbin/ipsec: unknown IPsec command `status' (`ipsec --help' for list)
>> [root at mlab-centos6-01 ~]#
>>
>>
>>
>> On Fri, Mar 8, 2013 at 9:39 AM, Paul Wouters <pwouters at redhat.com> wrote:
>>
>>> On Fri, 8 Mar 2013, T.J. Yang wrote:
>>>
>>>> Thanks to Paul and Philippe's pointers. I tried the "oe" and spacing
>>>> suggestion without success. When I do
>>>> "ipsec auto --add centos6-asa" to add the connection manually,
>>>> /var/log/ipsec.log only shows one line but
>>>> no other message.
>>>> I will keep digging
>>>>
>>>
>>> I am confused. Do not do this:
>>>
>>> conn foo
>>>     some=value
>>>     other=value
>>>
>>>     third=value
>>>
>>> And don't do this:
>>>
>>> conn foo
>>>     some=value
>>>     other=value
>>> #    third=value
>>>     fourth=value
>>>
>>> But do this:
>>>
>>> conn foo
>>>     some=value
>>>     other=value
>>>     #third=value
>>>     fourth=value
>>>
>>> Paul
>>>
>>
>>
>>
>>  --
>> T.J. Yang
>>
>>
>>
>>
>>
>
>
>  --
> T.J. Yang
>
>
>


-- 
T.J. Yang
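Paul's advice in the quoted thread, that a blank line or a column-0 `#` comment must not appear inside a conn section, can be turned into a quick check of /etc/ipsec.conf before running `ipsec auto --add`. The script below is an added example written for this thread; it is not code from libreswan or from any of the posters. It assumes a simplified section model derived from Paul's message (a `config setup` or `conn NAME` section stays open only while its lines are indented, so a blank line or an unindented comment closes it and orphans the indented settings that follow); libreswan's real parser is not consulted. The sample configurations are constructed from Paul's `conn foo` snippets plus a short file laid out like the one posted in the thread.

```python
"""Lint an ipsec.conf text for the two layout pitfalls named in the thread.

Assumed (simplified) section model, derived from Paul's advice rather than
from libreswan's parser: a section is open until a line that does not start
with whitespace. A blank line or a '#' at column 0 therefore closes it, and
any indented key=value lines after that never reach the conn.
"""
import re

SECTION_RE = re.compile(r"^(config\s+setup|conn\s+\S+)\s*$")


def lint_ipsec_conf(text):
    """Return (sections, warnings).

    sections: dict of section name -> dict of key -> value as the model sees it
    warnings: list of (line_no, message) for settings that would be lost
    """
    sections = {}
    warnings = []
    current = None      # name of the open section, or None
    closed_by = None    # (line_no, reason) when a pitfall closed the last section
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():                       # blank line
            if current is not None:
                closed_by = (no, "blank line")
                current = None
            continue
        if line[0] not in " \t":                   # unindented line
            if line.startswith("#"):               # comment at column 0
                if current is not None:
                    closed_by = (no, "comment at column 0")
                    current = None
                continue
            if line.startswith("version"):         # 'version 2.0' header
                continue
            m = SECTION_RE.match(line)
            if m:
                current = " ".join(m.group(1).split())
                sections.setdefault(current, {})
                closed_by = None
                continue
            warnings.append((no, "unrecognised unindented line: %r" % line))
            current = None
            continue
        body = line.strip()                        # indented line
        if body.startswith("#"):                   # indented comment: harmless
            continue
        if current is None:
            if closed_by:
                reason = "%s on line %d" % (closed_by[1], closed_by[0])
            else:
                reason = "no open section"
            warnings.append((no, "orphaned setting %r after %s" % (body, reason)))
            continue
        key, sep, value = body.partition("=")
        if not sep:
            warnings.append((no, "not key=value: %r" % body))
            continue
        sections[current][key.strip()] = value.strip()
    return sections, warnings


# Constructed samples: Paul's two "don't" layouts, his "do" layout, and a
# file laid out like the one posted in the thread (values shortened).
BAD_BLANK_LINE = "conn foo\n    some=value\n    other=value\n\n    third=value\n"
BAD_COLUMN0_COMMENT = (
    "conn foo\n    some=value\n    other=value\n#    third=value\n    fourth=value\n"
)
GOOD = "conn foo\n    some=value\n    other=value\n    #third=value\n    fourth=value\n"
THREAD_STYLE = (
    "version 2.0\n"
    "config setup\n"
    "\tplutodebug=\"control parsing\"\n"
    "\tprotostack=netkey\n"
    "\toe=no\n"
    "conn centos6-asa-net-net\n"
    "\tauthby=secret\n"
    "\tleftsubnet=192.168.50.0/24\n"
    "\trightsubnet=192.168.40.0/24\n"
    "\tauto=start\n"
)


def report(label, text):
    """Print what the model would load and which settings it would drop."""
    sections, warnings = lint_ipsec_conf(text)
    print("== %s ==" % label)
    for name, keys in sections.items():
        print("  %s: %s" % (name, ", ".join(sorted(keys))))
    for no, msg in warnings:
        print("  line %d: %s" % (no, msg))


if __name__ == "__main__":
    report("blank line inside conn", BAD_BLANK_LINE)
    report("column-0 comment inside conn", BAD_COLUMN0_COMMENT)
    report("indented comment (ok)", GOOD)
    report("thread-style file", THREAD_STYLE)
```

Running it on the first two samples reports `third=value` and `fourth=value` as orphaned settings, while the third sample and the thread-style file load cleanly with every key attached to its section. Run it against your own /etc/ipsec.conf (`lint_ipsec_conf(open("/etc/ipsec.conf").read())`) before looking for the conn in `ipsec auto --status`.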