[Swan] CentOS 5 Migrate to Libreswan 3.0-1 from Openswan - include statement not working
Tom Robinson
tom.robinson at motec.com.au
Tue Oct 27 00:54:43 UTC 2015
Hi,
I'm migrating an older CentOS 5 installation from Openswan-2.6.32-9 to Libreswan-3.0-1.
I have a couple of issues:
1) I downloaded the libreswan rpm from https://download.libreswan.org/binaries/rhel/5/i386/ but it
appears to have a bad signature:
# rpm -qp libreswan-3.0-1.i386.rpm
error: libreswan-3.0-1.i386.rpm: Header V4 RSA/SHA256 signature: BAD, key ID b30fc6f9
I've installed the https://download.libreswan.org/binaries/RPM-GPG-KEY-libreswan but it still
reports a bad key. Now I've installed it with the --nosignature option.
2) With my openswan configurations I used an include statement in the main /etc/ipsec.conf file to
include configurations in the /etc/ipsec.d directory.
# grep include /etc/ipsec.conf
include /etc/ipsec.d/*.conf
But this appears to be broken on my setup with libreswan. Libreswan would load only one of three
configurations. The others wouldn't load. Libreswan kept reporting such things as:
# ipsec auto --add seattle
conn 'seattle': not found (tried aliases)
# ipsec auto --up seattle
000 initiating all conns with alias='seattle'
021 no connection named "seattle"
OK, so here's another oddity. I put the connections directly into /etc/ipsec.conf and discarded the
include statement. Now my connections are found and come up perfectly!
# ipsec auto --up seattle
104 "seattle" #1: STATE_MAIN_I1: initiate
003 "seattle" #1: ignoring unknown Vendor ID payload [4f4568794c64414365636661]
003 "seattle" #1: received Vendor ID payload [Dead Peer Detection]
003 "seattle" #1: received Vendor ID payload [RFC 3947] method set to=RFC 3947 (NAT-Traversal)
106 "seattle" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "seattle" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "seattle" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "seattle" #1: received Vendor ID payload [CAN-IKEv2]
004 "seattle" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128
prf=oakley_sha group=modp2048}
117 "seattle" #2: STATE_QUICK_I1: initiate
004 "seattle" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xfa928e70
<0xcd41c653 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Why won't the include statement work?
Kind regards,
Tom
--
Tom Robinson
IT Manager/System Administrator
MoTeC Pty Ltd
121 Merrindale Drive
Croydon South
3136 Victoria
Australia
T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au
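To trace which conn definitions an ipsec.conf actually reaches through its include globs, here is a small POSIX shell diagnostic. It is an added example, not part of the original post or of libreswan; the file names and directory layout are constructed in a temp directory, and it follows includes one level deep only.

```shell
#!/bin/sh
# Hypothetical diagnostic (not libreswan code): expand "include" directives in an
# ipsec.conf one level deep, honouring shell globs, and list every "conn" name the
# resolved files define, so a conn that "is not found" can be traced to the file
# that should have supplied it.

# Print the config file itself plus every existing file matched by its include globs.
ipsec_conf_files() {
    conf="$1"
    echo "$conf"
    # Lines of the form "include <pattern>"; the pattern is expanded by the shell.
    grep -E '^[[:space:]]*include[[:space:]]+' "$conf" | while read -r _kw pattern; do
        for f in $pattern; do
            [ -f "$f" ] && echo "$f"
        done
    done
}

# Print "conn-name<TAB>file" for every "conn NAME" section in the resolved files.
ipsec_conn_names() {
    ipsec_conf_files "$1" | while read -r f; do
        awk -v file="$f" '/^[ \t]*conn[ \t]+/ { print $2 "\t" file }' "$f"
    done
}

# Constructed sample layout in a temp dir (not real system files).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/ipsec.d"
cat > "$demo_dir/ipsec.conf" <<EOF
config setup
    protostack=netkey
include $demo_dir/ipsec.d/*.conf
EOF
printf 'conn seattle\n    auto=add\n' > "$demo_dir/ipsec.d/seattle.conf"
printf 'conn portland\n    auto=add\n' > "$demo_dir/ipsec.d/portland.conf"
# This file does not match the *.conf glob, so its conn must NOT appear in the output.
printf 'conn denver\n    auto=add\n' > "$demo_dir/ipsec.d/denver.conf.disabled"

ipsec_conn_names "$demo_dir/ipsec.conf"
```

Run it against the real /etc/ipsec.conf to compare the list with what `ipsec auto --add` reports; a conn missing from this list is never reached by the include pattern as written.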