[Swan] Help!!

Antonios Katsouros akatsourossony at gmail.com
Fri Jan 11 22:24:25 UTC 2019


Hi Nick, what do you mean?

Can you please explain?

Is this finally so difficult to do?? Crazy!!

What do I need to do just to have the route UP after connection?

Many thanks

On Fri, Jan 11, 2019 at 3:00 PM <swan-request at lists.libreswan.org> wrote:

> Today's Topics:
>
>    1. Re: Help!! (Paul Wouters)
>    2. Re: Help!! (Antonios Katsouros)
>    3. Re: Help!! (Nick Howitt)
>    4. Re: Libreswan 3.27 segfault (csszep)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 10 Jan 2019 10:09:54 -0500 (EST)
> From: Paul Wouters <paul at nohats.ca>
> To: Antonios Katsouros <akatsourossony at gmail.com>
> Cc: swan at lists.libreswan.org
> Subject: Re: [Swan] Help!!
> Message-ID: <alpine.LRH.2.21.1901101008580.22400 at bofh.nohats.ca>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On Thu, 10 Jan 2019, Antonios Katsouros wrote:
>
> Another solution people use is to add:
>
>         leftupdown="ipsec _updown.netkey --route yes"
>
> (if left is your server side)
>
> That forces updown to automatically add the route.
>
> Paul
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 10 Jan 2019 19:31:42 +0300
> From: Antonios Katsouros <akatsourossony at gmail.com>
> To: swan at lists.libreswan.org
> Subject: Re: [Swan] Help!!
> Message-ID: <CAPOZpErV9aNp1DFuPWntiAFESR3FNqwz6EFyDQg8+baW1EOErw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> yes its there!!!
>
> this is
>
> root at srv1:~# cat /etc/ipsec.conf
> version 2.0
>
> config setup
>   virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.50.0.0/24,%v4:!10.50.1.0/24
>   protostack=netkey
>   interfaces=%defaultroute
>   uniqueids=no
>
> conn shared
>   left=%defaultroute
>   leftid=195.95.65.10
>   right=%any
>   encapsulation=yes
>   authby=secret
>   pfs=no
>   rekey=no
>   keyingtries=5
>   dpddelay=30
>   dpdtimeout=120
>   dpdaction=clear
>   ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
>   phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
>   sha2-truncbug=yes
>
> conn l2tp-psk
>   auto=add
>   leftprotoport=17/1701
>   rightprotoport=17/%any
>   type=transport
>   phase2=esp
>   also=shared
>
> conn xauth-psk
>   auto=add
>   leftsubnet=0.0.0.0/0
>   *rightaddresspool=10.50.1.2-10.50.1.3   (by the way is there a way to
> give a static in the other side??? i dont want pool)..*
>   modecfgdns="8.8.8.8 8.8.4.4"
>   leftxauthserver=yes
>   rightxauthclient=yes
>   leftmodecfgserver=yes
>   rightmodecfgclient=yes
>   modecfgpull=yes
>   xauthby=file
>   ike-frag=yes
>   ikev2=never
>   cisco-unity=yes
>   also=shared
> root at srv1:~#
>
>
> Many thanks!!!
>
>
>
> On Thu, Jan 10, 2019 at 7:23 PM Paul Wouters <paul at nohats.ca> wrote:
>
> > On Thu, 10 Jan 2019, Antonios Katsouros wrote:
> >
> > > root at srv1:/etc/ipsec.d# ls
> > > cert9.db  key4.db  passwd  pkcs11.txt  policies
> >
> > check /etc/ipsec.conf
> >
> > Paul
> >
>
> ------------------------------
>
> Message: 3
> Date: Thu, 10 Jan 2019 16:34:36 +0000
> From: Nick Howitt <nick at howitts.co.uk>
> To: swan at lists.libreswan.org
> Subject: Re: [Swan] Help!!
> Message-ID: <c7b20dbc-a6aa-9adf-43cc-46b137e2f70b at howitts.co.uk>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Are you trying to do a LAN-LAN connection? If so you don't want anything
> to do with l2tp or xauth. Have a look at the examples I linked you to
> earlier on the libreswan web site. What you have here is for roadwarriors.
>
> Nick
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 11 Jan 2019 10:56:45 +0100
> From: csszep <csszep at gmail.com>
> To: Paul Wouters <paul at nohats.ca>
> Cc: swan at lists.libreswan.org
> Subject: Re: [Swan] Libreswan 3.27 segfault
> Message-ID: <CADobNNJQNUAsV16Ny3Txqa6Egq7_=Mz07mF+tXbpPQJQm8O6NA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi!
>
> Still crashing with Libreswan master from 10 Jan.
>
> I am updating the GitHub issue #169 with a new gdb backtrace.
>
> The RHEL bugzilla entry is not accessible with a regular RH account.
>
> Thx Csszep
>
> csszep <csszep at gmail.com> wrote (date: Dec 4, 2018, Tue, 9:23):
>
> > Hi Paul!
> >
> > Thx for the Answer. I will try and report. Unfortunately the crash now
> > happens only once or twice a week....
> >
> > Paul Wouters <paul at nohats.ca> wrote (date: Dec 3, 2018, Mon, 15:40):
> >
> >> On Thu, 29 Nov 2018, csszep wrote:
> >>
> >> > I have a longstanding problem w libreswan. See github issue #169
> >> >
> >> > Can anyone help identify the problem?
> >> >
> >> > The crash happened daily (SA delete? rekey?), and after 4-5 crashes it works again.
> >> >
> >> > The last few messages, before every crash:
> >> >
> >> > 2018-11-28T10:43:15+01:00 firewall1 pluto[16834]: "customer2" #701: received Delete SA(0xb6ca75dc) payload: deleting IPSEC State #702
> >> > 2018-11-28T10:43:15+01:00 firewall1 pluto[16834]: "customer2" #702: deleting other state #702 (STATE_QUICK_R2) and sending notification
> >> > 2018-11-28T10:43:15+01:00 firewall1 pluto[16834]: "customer2" #702: ESP traffic information: in=1MB out=248KB
> >> > 2018-11-28T10:43:15+01:00 firewall1 pluto[16834]: "customer2 #701: deleting state (STATE_MAIN_R3) and sending notification
> >> > 2018-11-28T10:40:23+01:00 firewall1 kernel: traps: pluto[16834] general protection ip:7f71e05e212b sp:7ffcd12c9180 error:0 in pluto[7f71e0587000+154000]
> >> >
> >> > The connection "customer2" is not the same in every crash, but maybe? all connections that cause the crash come from F5/BIG-IP peer....
> >>
> >> Can you try git master? I think this issue is fixed there. This is when
> >> there is a Delete plus an additional notify payload.
> >>
> >> A different backport of the same bug is applied for RHEL via
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1630355
> >>
> >> Paul
> >>
> >
>
>
> ------------------------------
>
> End of Swan Digest, Vol 73, Issue 7
> ***********************************
>