[Swan] CentOS 5 Migrate to Libreswan 3.0-1 from Openswan - include statement not working

Tom Robinson tom.robinson at motec.com.au
Tue Oct 27 00:54:43 UTC 2015


Hi,

I'm migrating an older CentOS 5 installation from Openswan-2.6.32-9 to Libreswan-3.0-1.

I have a couple of issues:

1) I downloaded the libreswan rpm from https://download.libreswan.org/binaries/rhel/5/i386/ but it
appears to have a bad signature:
 # rpm -qp libreswan-3.0-1.i386.rpm
 error: libreswan-3.0-1.i386.rpm: Header V4 RSA/SHA256 signature: BAD, key ID b30fc6f9

I've installed the https://download.libreswan.org/binaries/RPM-GPG-KEY-libreswan but it still
reports a bad key. Now I've installed it with the --nosignature option.

2) With my openswan configurations I used an include statement in the main /etc/ipsec.conf file to
include configurations in the /etc/ipsec.d directory.

# grep include /etc/ipsec.conf
include /etc/ipsec.d/*.conf

But this appears to be broken on my setup with libreswan. Libreswan would load only one of three
configurations. The others wouldn't load. Libreswan kept reporting such things as:

# ipsec auto --add seattle
conn 'seattle': not found (tried aliases)

# ipsec auto --up seattle
000 initiating all conns with alias='seattle'
021 no connection named "seattle"

OK, so here's another oddity. I put the connections directly into /etc/ipsec.conf and discarded the
include statement. Now my connections are found and come up perfectly!

# ipsec auto --up seattle
104 "seattle" #1: STATE_MAIN_I1: initiate
003 "seattle" #1: ignoring unknown Vendor ID payload [4f4568794c64414365636661]
003 "seattle" #1: received Vendor ID payload [Dead Peer Detection]
003 "seattle" #1: received Vendor ID payload [RFC 3947] method set to=RFC 3947 (NAT-Traversal)
106 "seattle" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "seattle" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "seattle" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "seattle" #1: received Vendor ID payload [CAN-IKEv2]
004 "seattle" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128
prf=oakley_sha group=modp2048}
117 "seattle" #2: STATE_QUICK_I1: initiate
004 "seattle" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xfa928e70
<0xcd41c653 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Why won't the include statement work?

Kind regards,
Tom

-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au
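An added diagnostic, not from the post and not Libreswan's own parser: a Python script that expands an ipsec.conf include line the way the post expects (a glob, resolved relative to the including file) and reports which conn sections each file contributes, plus any name defined more than once, so what is on disk can be compared with what `ipsec auto --add` reports. The sample tree is constructed in a temporary directory; the hypothetical denver.conf redefines "seattle" on purpose so the duplicate check has a finding.

```python
import glob, os, re, tempfile

# Constructed sample tree mirroring the post's layout (denver.conf redefines "seattle" on purpose).
SAMPLE_FILES = {
    "ipsec.conf": "config setup\n\tprotostack=netkey\n\ninclude ipsec.d/*.conf\n",
    "ipsec.d/seattle.conf": "conn seattle\n\tleft=192.0.2.1\n\tright=198.51.100.1\n",
    "ipsec.d/portland.conf": "conn portland\n\tleft=192.0.2.1\n\tright=198.51.100.2\n",
    "ipsec.d/denver.conf": "conn denver\n\tauto=add\n\nconn seattle\n\tauto=add\n",
}

def write_sample_tree(root):
    """Write SAMPLE_FILES under root; return the main config's path."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(root, "ipsec.conf")

def list_conns(conf_path, seen=None):
    """Map each include-reached file to its conn names. Relative patterns
    resolve against the including file's dir; each file is read only once."""
    seen = set() if seen is None else seen
    conf_path = os.path.abspath(conf_path)
    if conf_path in seen:
        return {}
    seen.add(conf_path)
    result = {conf_path: []}
    with open(conf_path) as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()  # strip comments/whitespace
            inc = re.match(r"^include\s+(\S+)$", line)
            if inc:
                pattern = os.path.join(os.path.dirname(conf_path), inc.group(1))
                for path in sorted(glob.glob(pattern)):
                    result.update(list_conns(path, seen))
            elif re.match(r"^conn\s+\S+$", line):
                result[conf_path].append(line.split()[1])
    return result

def duplicate_conns(by_file):
    """Conn names defined in more than one place, sorted."""
    names = [n for conns in by_file.values() for n in conns]
    return sorted({n for n in names if names.count(n) > 1})

def check_sample():
    """Build the sample tree in a temp dir; return (all conn names, duplicates)."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = list_conns(write_sample_tree(tmp))
    return sorted(n for c in tree.values() for n in c), duplicate_conns(tree)
```

On a real host, `list_conns("/etc/ipsec.conf")` shows which files the include actually reaches; a conn missing from that output, or listed twice, narrows the search before looking at the daemon.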
