[Swan] Migrating OpenSWAN from Fedora 13 to CentOS 7.5 using LIBRESWAN

Paul Wouters paul at nohats.ca
Tue Apr 2 09:22:48 UTC 2019


On Tue, 2 Apr 2019, guilsson at gmail.com wrote:

> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual:     ipsec.conf.5
> #
> # Please place your own config files in /etc/ipsec.d/ ending in .conf
> 
> version 2.0     # conforms to second version of ipsec.conf specification

You can remove the entire version line

> # basic configuration
> #config setup
> #       # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> #       # klipsdebug=none
> #       # plutodebug="control parsing"
> #       # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> #       protostack=netkey
> #       nat_traversal=yes
> #       virtual_private=
> #       oe=off
> #       # Enable this if you see "failed to find any available worker"
> #       nhelpers=0

You can comment out all the options here.

> #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
> #include /etc/ipsec.d/*.conf
> 
> conn block
>         auto=ignore
> conn private
>         auto=ignore
> conn private-or-clear
>         auto=ignore
> conn clear-or-private
>         auto=ignore
> conn clear
>         auto=ignore
> conn packetdefault
>         auto=ignore

Delete all of those conns. They are not needed.

> config setup
>         #klipsdebug=all
>         #plutodebug="control parsing"
>         nat_traversal=yes
>         protostack=netkey
>         virtual_private=
>         oe=off
>         nhelpers=0
>         #forceencaps=yes
>         interfaces=%defaultroute
>         force_keepalive=yes
>         keep_alive=2

Comment out all those options.

> conn vpnbank
>         type=tunnel
>         left=192.168.1.16
>         leftsubnet=192.168.1.0/26
>         leftnexthop=192.168.1.100
>         right=222.222.222.222
>         rightsubnet=111.111.111.111/32
>         rightnexthop=192.168.1.100
>         keyexchange=ike
>         auto=start
>         authby=secret
>         pfs=no
>         compress=no
>         auth=esp
>         keylife=1440m
>         ikelifetime=3600s

Remove the auth=esp line and the nexthop lines.

> /var/log/messages:
> ------------------
> Apr  2 00:04:18 vm-ipsec-new systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
> Apr  2 00:04:18 vm-ipsec-new addconn: ERROR: /etc/ipsec.d/ipsec.conf: 66: keyword auth, invalid value: esp

That is due to the auth=esp line which you should remove.

> I tried to comment #auth=esp ...
> 
> # service ipsec start
> Job for ipsec.service failed because the control process exited with error code. See "systemctl status ipsec.service" and "journalctl -xe" for details.
> 
> /var/log/messages:
> ------------------
> Apr  2 00:10:00 vm-ipsec-new systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
> Apr  2 00:10:00 vm-ipsec-new addconn: cannot load config '/etc/ipsec.conf': /etc/ipsec.d/ipsec.conf:8: syntax error, unexpected VERSION, expecting $end [version]

Remove the version line.

> Could anyone point me some directions how to fix/adapt my configuration (or LibreSwan cfg) to make compatible with LIBRESWAN at CentOS 7.5 ?

Otherwise, it should be compatible. There might be some ike= / esp=
settings you need if you defaulted to low ones and the higher ones
are not allowed by the remote. But you have to try to find out.

Paul
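The migration steps Paul lists, collected into one script. This is an added example for this page, not code from the thread or from the libreswan project. It reads an Openswan-era ipsec.conf on stdin and writes a libreswan-compatible one: the version line is dropped, the config setup options are commented out, the opportunistic-encryption stub conns are deleted, and the leftnexthop/rightnexthop and auth=esp lines are removed. The conn names and the keyword list are the ones that appear in the thread; the sample input is constructed to mirror the poster's file (trimmed, not a verbatim copy).

```shell
#!/bin/sh
# Added example: rewrite an Openswan ipsec.conf so libreswan's addconn accepts it.
# Assumptions: one file on stdin; keywords compared case-insensitively;
# the OE stub conn names and setup keywords are those shown in the thread.

# migrate_openswan_conf: Openswan ipsec.conf on stdin -> libreswan-style on stdout
migrate_openswan_conf() {
    awk '
    BEGIN {
        # Openswan opportunistic-encryption stubs that libreswan does not need
        n = split("block private private-or-clear clear-or-private clear packetdefault", a, " ")
        for (i = 1; i <= n; i++) oe_conn[a[i]] = 1
        # "config setup" keywords to comment out (per the thread)
        n = split("klipsdebug plutodebug nat_traversal protostack virtual_private oe nhelpers forceencaps interfaces force_keepalive keep_alive", b, " ")
        for (i = 1; i <= n; i++) setup_kw[b[i]] = 1
        in_setup = 0; skip_conn = 0
    }
    # Comment and blank lines pass through, except inside a dropped conn
    /^[ \t]*#/ || /^[ \t]*$/ { if (!skip_conn) print; next }
    # A non-indented line starts a new section (conn, config setup, include)
    /^[^ \t]/ {
        in_setup = 0; skip_conn = 0
        if (tolower($1) == "version") next                     # "unexpected VERSION"
        if (tolower($1) == "conn" && ($2 in oe_conn)) { skip_conn = 1; next }
        if (tolower($1) == "config" && tolower($2) == "setup") in_setup = 1
        print; next
    }
    # Indented keyword=value line inside the current section
    {
        if (skip_conn) next
        line = $0
        eq = index(line, "=")
        if (eq == 0) { print; next }
        kw = substr(line, 1, eq - 1); gsub(/[ \t]/, "", kw); kw = tolower(kw)
        val = substr(line, eq + 1);   gsub(/[ \t]/, "", val); val = tolower(val)
        if (kw == "leftnexthop" || kw == "rightnexthop") next   # obsolete in libreswan
        if (kw == "auth" && val == "esp") next                  # "keyword auth, invalid value: esp"
        if (in_setup && (kw in setup_kw)) { sub(/^[ \t]*/, "&#", line); print line; next }
        print
    }'
}

# sample_openswan_conf: constructed input modelled on the poster's file
sample_openswan_conf() {
    cat <<'EOF'
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0

config setup
        nat_traversal=yes
        protostack=netkey
        oe=off
        nhelpers=0
        interfaces=%defaultroute

conn block
        auto=ignore
conn packetdefault
        auto=ignore

conn vpnbank
        type=tunnel
        left=192.168.1.16
        leftsubnet=192.168.1.0/26
        leftnexthop=192.168.1.100
        right=222.222.222.222
        rightsubnet=111.111.111.111/32
        rightnexthop=192.168.1.100
        keyexchange=ike
        auto=start
        authby=secret
        pfs=no
        compress=no
        auth=esp
        keylife=1440m
        ikelifetime=3600s
EOF
}

# Demo: convert the constructed sample and print the result
sample_openswan_conf | migrate_openswan_conf
```

Write the output to /etc/ipsec.d/ and check it with libreswan's `ipsec addconn --checkconfig` before restarting the service; it reports the same parse errors seen in /var/log/messages without starting the daemon. The script does not add the `ike=` / `esp=` lines Paul mentions: if the remote end rejects libreswan's stronger defaults, add them to the conn in libreswan syntax (for example `ike=aes256-sha2;modp2048` and `esp=aes256-sha2`, chosen to match what the remote actually accepts).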

