[Swan] Help!!
Nick Howitt
nick at howitts.co.uk
Fri Jan 11 22:32:45 UTC 2019
Use a config like this:
https://libreswan.org/wiki/Subnet_to_subnet_VPN_with_PSK and always use
the left/rightsourceip for the local end. You can specify it for the
remote end but it is meaningless. (Translated: if you are left there is
no point setting a rightsourceip, and if you are right there is no point
setting a leftsourceip.) Also leave out the ipv6 bits if you don't need them.
On 11/01/2019 22:24, Antonios Katsouros wrote:
> Hi Nick, what do you mean?
>
> Can you please explain..
>
> Is this finally so difficult to be done?? Crazy!!
>
> What do I need to do just to have the route UP after connection?
>
> many thanks
>
> On Fri, Jan 11, 2019 at 3:00 PM <swan-request at lists.libreswan.org> wrote:
>
>
> Today's Topics:
>
> 1. Re: Help!! (Paul Wouters)
> 2. Re: Help!! (Antonios Katsouros)
> 3. Re: Help!! (Nick Howitt)
> 4. Re: Libreswan 3.27 segfault (csszep)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 10 Jan 2019 10:09:54 -0500 (EST)
> From: Paul Wouters <paul at nohats.ca>
> To: Antonios Katsouros <akatsourossony at gmail.com>
> Cc: swan at lists.libreswan.org
> Subject: Re: [Swan] Help!!
> Message-ID: <alpine.LRH.2.21.1901101008580.22400 at bofh.nohats.ca>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On Thu, 10 Jan 2019, Antonios Katsouros wrote:
>
> Another solution people use is to add:
>
> leftupdown="ipsec _updown.netkey --route yes"
>
> (if left is your server side)
>
> That forces updown to automatically add the route.
>
> Paul
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 10 Jan 2019 19:31:42 +0300
> From: Antonios Katsouros <akatsourossony at gmail.com>
> To: swan at lists.libreswan.org
> Subject: Re: [Swan] Help!!
> Message-ID: <CAPOZpErV9aNp1DFuPWntiAFESR3FNqwz6EFyDQg8+baW1EOErw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> yes it's there!!!
>
> this is
>
> root at srv1:~# cat /etc/ipsec.conf
> version 2.0
>
> config setup
>     virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.50.0.0/24,%v4:!10.50.1.0/24
>     protostack=netkey
>     interfaces=%defaultroute
>     uniqueids=no
>
> conn shared
>     left=%defaultroute
>     leftid=195.95.65.10
>     right=%any
>     encapsulation=yes
>     authby=secret
>     pfs=no
>     rekey=no
>     keyingtries=5
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
>     phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
>     sha2-truncbug=yes
>
> conn l2tp-psk
>     auto=add
>     leftprotoport=17/1701
>     rightprotoport=17/%any
>     type=transport
>     phase2=esp
>     also=shared
>
> conn xauth-psk
>     auto=add
>     leftsubnet=0.0.0.0/0
>     rightaddresspool=10.50.1.2-10.50.1.3
>     (by the way, is there a way to give a static on the other side??? I don't want a pool)..
>     modecfgdns="8.8.8.8 8.8.4.4"
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=file
>     ike-frag=yes
>     ikev2=never
>     cisco-unity=yes
>     also=shared
> root at srv1:~#
>
>
> Many thanks!!!
>
>
>
> On Thu, Jan 10, 2019 at 7:23 PM Paul Wouters <paul at nohats.ca> wrote:
>
> > On Thu, 10 Jan 2019, Antonios Katsouros wrote:
> >
> > > root at srv1:/etc/ipsec.d# ls
> > > cert9.db key4.db passwd pkcs11.txt policies
> >
> > check /etc/ipsec.conf
> >
> > Paul
> >
>
> ------------------------------
>
> Message: 3
> Date: Thu, 10 Jan 2019 16:34:36 +0000
> From: Nick Howitt <nick at howitts.co.uk>
> To: swan at lists.libreswan.org
> Subject: Re: [Swan] Help!!
> Message-ID: <c7b20dbc-a6aa-9adf-43cc-46b137e2f70b at howitts.co.uk>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Are you trying to do a LAN-LAN connection? If so you don't want anything
> to do with l2tp or xauth. Have a look at the examples I linked you to
> earlier on the libreswan web site. What you have here is for roadwarriors.
>
> Nick
>
> ------------------------------
>
> Message: 4
> Date: Fri, 11 Jan 2019 10:56:45 +0100
> From: csszep <csszep at gmail.com>
> To: Paul Wouters <paul at nohats.ca>
> Cc: swan at lists.libreswan.org
> Subject: Re: [Swan] Libreswan 3.27 segfault
> Message-ID: <CADobNNJQNUAsV16Ny3Txqa6Egq7_=Mz07mF+tXbpPQJQm8O6NA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi!
>
> Still crashing with Libreswan master from 10 Jan.
>
> I am updating the github issue #169 with a new gdb backtrace.
>
> The RHEL bugzilla entry is not accessible with a regular RH account.
>
> Thx Csszep
>
> On Tue, 4 Dec 2018 at 9:23, csszep <csszep at gmail.com> wrote:
>
> > Hi Paul!
> >
> > Thx for the answer. I will try and report. Unfortunately the crash now
> > happens only once or twice a week....
> >
> > On Mon, 3 Dec 2018 at 15:40, Paul Wouters <paul at nohats.ca> wrote:
> >
> >> On Thu, 29 Nov 2018, csszep wrote:
> >>
> >> > I have a longstanding problem with libreswan. See github issue #169
> >> >
> >> > Can anyone help identify the problem?
> >> >
> >> > The crash happened daily (SA delete? rekey?), and after 4-5 crashes it
> >> > works again.
> >> >
> >> > The last few messages, before every crash:
> >> >
> >> > 2018-11-28T10:43:15+01:00 firewall1 pluto[16834]: "customer2" #701: received Delete SA(0xb6ca75dc) payload: deleting IPSEC State #702
> >> > 2018-11-28T10:43:15+01:00 firewall1 pluto[16834]: "customer2" #702: deleting other state #702 (STATE_QUICK_R2) and sending notification
> >> > 2018-11-28T10:43:15+01:00 firewall1 pluto[16834]: "customer2" #702: ESP traffic information: in=1MB out=248KB
> >> > 2018-11-28T10:43:15+01:00 firewall1 pluto[16834]: "customer2 #701: deleting state (STATE_MAIN_R3) and sending notification
> >> > 2018-11-28T10:40:23+01:00 firewall1 kernel: traps: pluto[16834] general protection ip:7f71e05e212b sp:7ffcd12c9180 error:0 in pluto[7f71e0587000+154000]
> >> >
> >> > The connection "customer2" is not the same in every crash, but maybe
> >> > all connections that cause the crash come from F5/BIG-IP peer....
> >>
> >> Can you try git master? I think this issue is fixed there. This is when
> >> there is a Delete plus an additional notify payload.
> >>
> >> A different backport of the same bug is applied for RHEL via
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1630355
> >>
> >> Paul
> >>
> >
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org <mailto:Swan at lists.libreswan.org>
> https://lists.libreswan.org/mailman/listinfo/swan
>
>
> ------------------------------
>
> End of Swan Digest, Vol 73, Issue 7
> ***********************************
>
>
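A worked check for the configuration advice in this thread: Nick's point that a sourceip only matters for the local end, his point that l2tp/xauth conns are road-warrior setups rather than LAN-LAN tunnels, and Paul's hint about forcing the route from updown. This is an added example, not code from the thread or from libreswan. It assumes that a conn's own options take precedence over the ones pulled in by also=, and the sample config (a trimmed copy of the quoted conns plus a made-up conn named lan2lan) is constructed for the example.

```python
"""Lint a libreswan ipsec.conf for the pitfalls raised in this thread (added
example, not libreswan's own tooling; the also= merge order is assumed)."""
import re

# Options that only belong in a road-warrior (XAUTH/ModeCfg) conn.
ROADWARRIOR_KEYS = (
    "leftxauthserver", "rightxauthclient", "leftmodecfgserver",
    "rightmodecfgclient", "leftaddresspool", "rightaddresspool",
    "modecfgdns", "modecfgpull", "xauthby", "cisco-unity",
)

# Constructed sample: trimmed conns from the thread plus a made-up LAN-LAN
# conn ("lan2lan") that sets rightsourceip on a host that is the left end.
SAMPLE_CONF = """\
conn shared
    left=%defaultroute
    leftid=195.95.65.10
    right=%any
    authby=secret

conn l2tp-psk
    auto=add
    leftprotoport=17/1701
    type=transport
    also=shared

conn xauth-psk
    auto=add
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.50.1.2-10.50.1.3
    leftxauthserver=yes
    also=shared

conn lan2lan
    auto=start
    leftsubnet=10.50.0.0/24
    leftsourceip=10.50.0.1
    rightsubnet=192.168.7.0/24
    rightsourceip=192.168.7.1
    also=shared
"""


def parse_ipsec_conf(text):
    """Map 'conn NAME' / 'config setup' headers to their key=value options;
    indented or (as in mail quotes) unindented lines attach to the last header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("version "):
            continue
        header = re.match(r"^(conn|config)\s+(\S+)$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def resolve_conn(sections, name, _seen=None):
    """Return conn NAME with its also= chain merged in; own keys win (assumed)."""
    _seen = _seen or set()
    if name in _seen:
        raise ValueError(f"also= loop involving conn {name}")
    _seen.add(name)
    own = dict(sections[f"conn {name}"])
    base = own.pop("also", None)
    merged = resolve_conn(sections, base, _seen) if base else {}
    merged.update(own)
    return merged


def classify_conn(conn):
    if any(k in conn for k in ROADWARRIOR_KEYS):
        return "road-warrior"
    if conn.get("type") == "transport" or conn.get("leftprotoport") == "17/1701":
        return "l2tp"
    if "leftsubnet" in conn and "rightsubnet" in conn:
        return "subnet-to-subnet"
    return "unclassified"


def lint_conn(conn, local_end):
    """Findings for one resolved conn on a host that is LOCAL_END ('left'/'right')."""
    remote_end = "right" if local_end == "left" else "left"
    findings = []
    if f"{remote_end}sourceip" in conn:   # sourceip only means something locally
        findings.append(f"{remote_end}sourceip is set but this host is {local_end}; "
                        f"only {local_end}sourceip has any effect here")
    kind = classify_conn(conn)
    if kind != "subnet-to-subnet":
        findings.append(f"classified as {kind}: not a subnet-to-subnet (LAN-LAN) conn")
    elif "--route yes" not in conn.get(f"{local_end}updown", ""):
        findings.append(f"{local_end}updown does not force the route; the thread "
                        f'suggests {local_end}updown="ipsec _updown.netkey --route yes"')
    return findings


def lint_config(text, local_end):
    """Lint every conn that would be loaded, skipping templates (auto=ignore)."""
    sections = parse_ipsec_conf(text)
    conns = {s[5:]: resolve_conn(sections, s[5:]) for s in sections if s.startswith("conn ")}
    return {n: lint_conn(c, local_end) for n, c in conns.items()
            if c.get("auto", "ignore") != "ignore"}
```

Run lint_config(SAMPLE_CONF, "left") on the host that is the left end: the two road-warrior conns are reported as not being LAN-LAN tunnels, and lan2lan gets two findings, the pointless rightsourceip and the missing --route yes. Linting the same file as the right end flips the sourceip finding, which is exactly the asymmetry Nick describes.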
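For the pluto segfault in the last digest message, a small triage script over syslog lines like the ones csszep quoted. It ties each kernel trap to the pluto messages logged just before it for that pid, notes whether a Delete SA payload preceded the crash (the pattern Paul points at), and turns the trap's ip and mapping base into an offset into the pluto image, which is comparable across restarts even with address randomisation. This is an added example, not libreswan tooling; the log lines are constructed after the quoted ones (a second, made-up crash for a conn called customer5 is included) and the 5-minute window is an arbitrary choice.

```python
"""Correlate pluto crash traps with the IKE activity logged just before them
(added example, not libreswan tooling; sample log lines are constructed)."""
import re
from datetime import datetime, timedelta

# syslog-style pluto line; the closing quote of the conn name is optional
# because one of the quoted lines ("customer2 #701:) lacks it.
PLUTO_RE = re.compile(
    r'^(?P<ts>\S+) \S+ pluto\[(?P<pid>\d+)\]: "(?P<conn>[^"]+?)"? #(?P<sa>\d+): (?P<msg>.*)$')
# kernel trap line for a pluto general protection fault
TRAP_RE = re.compile(
    r'^(?P<ts>\S+) \S+ kernel: traps: pluto\[(?P<pid>\d+)\] general protection '
    r'ip:(?P<ip>[0-9a-f]+) sp:\S+ error:\d+ in pluto\[(?P<base>[0-9a-f]+)\+[0-9a-f]+\]$')

# Constructed after the lines quoted in the thread; the second crash (pid
# 20112, conn "customer5") is made up to show a repeat at the same offset.
SAMPLE_LOG = """\
2018-11-28T10:30:00+01:00 firewall1 pluto[16834]: "office" #650: STATE_QUICK_I2: sent QI2, IPsec SA established
2018-11-28T10:43:15+01:00 firewall1 pluto[16834]: "customer2" #701: received Delete SA(0xb6ca75dc) payload: deleting IPSEC State #702
2018-11-28T10:43:15+01:00 firewall1 pluto[16834]: "customer2" #702: deleting other state #702 (STATE_QUICK_R2) and sending notification
2018-11-28T10:43:15+01:00 firewall1 pluto[16834]: "customer2" #702: ESP traffic information: in=1MB out=248KB
2018-11-28T10:43:15+01:00 firewall1 pluto[16834]: "customer2 #701: deleting state (STATE_MAIN_R3) and sending notification
2018-11-28T10:43:16+01:00 firewall1 kernel: traps: pluto[16834] general protection ip:7f71e05e212b sp:7ffcd12c9180 error:0 in pluto[7f71e0587000+154000]
2018-11-29T09:12:40+01:00 firewall1 pluto[20112]: "customer5" #41: received Delete SA(0x1a2b3c4d) payload: deleting IPSEC State #42
2018-11-29T09:12:41+01:00 firewall1 kernel: traps: pluto[20112] general protection ip:55d0c3e9b12b sp:7ffd00aa1180 error:0 in pluto[55d0c3e40000+154000]
"""


def triage(log, window=timedelta(minutes=5)):
    """For each pluto trap, gather that pid's pluto messages within WINDOW before
    it, the conns involved, whether a Delete SA arrived, and the crash address
    as an offset into the mapped pluto image (stable across ASLR'd restarts)."""
    events, crashes = [], []
    for line in log.splitlines():
        m = PLUTO_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["pid"], m["conn"], m["msg"]))
            continue
        m = TRAP_RE.match(line)
        if not m:
            continue
        ts, pid = datetime.fromisoformat(m["ts"]), m["pid"]
        recent = [e for e in events if e[1] == pid and ts - window <= e[0] <= ts]
        crashes.append({
            "ts": m["ts"],
            "pid": pid,
            "offset": int(m["ip"], 16) - int(m["base"], 16),
            "conns": sorted({e[2] for e in recent}),
            "delete_seen": any("received Delete SA" in e[3] for e in recent),
        })
    return crashes


def crash_summary(crashes):
    """Per-conn crash counts, how many crashes followed a Delete SA, and whether
    every trap hit the same code offset (one bug rather than several)."""
    per_conn = {}
    for c in crashes:
        for conn in c["conns"]:
            per_conn[conn] = per_conn.get(conn, 0) + 1
    return {
        "per_conn": per_conn,
        "deletes_before_crash": sum(c["delete_seen"] for c in crashes),
        "same_offset": len({c["offset"] for c in crashes}) == 1,
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for c in found:
        print(f'{c["ts"]} pid {c["pid"]} offset {c["offset"]:#x} '
              f'conns {c["conns"]} delete_seen {c["delete_seen"]}')
    print(crash_summary(found))
```

On the sample both traps resolve to the same offset (0x5b12b, taken from the quoted trap line's ip minus its mapping base) and both follow a received Delete SA for a different conn each time, which is the kind of evidence worth attaching to a bug report alongside the gdb backtrace.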