[Swan] Migrating OpenSWAN from Fedora 13 to CentOS 7.5 using LIBRESWAN
guilsson at gmail.com
Tue Apr 2 18:26:14 UTC 2019
Huge progress, Paul.
I made all the changes you suggested.
Now the daemon starts without errors, although it doesn't connect yet.
Maybe due to the observation you made about ike=/esp=.
In the log below, there are several lines talking about IKE...
I don't know what I need to put in the cfg file.
Thanks
--Guilsson
SNIFFING AT FIREWALL:
=====================
time (s)    source           sport  destination      dport  proto   info
96.628879   222.222.222.222  500    192.168.1.16     500    ISAKMP  Informational
96.629606   192.168.1.16     500    222.222.222.222  500    ISAKMP  Informational
116.626414  222.222.222.222  500    192.168.1.16     500    ISAKMP  Informational
116.627080  192.168.1.16     500    222.222.222.222  500    ISAKMP  Informational
123.606003  192.168.1.16     500    222.222.222.222  500    ISAKMP  Informational
123.620161  222.222.222.222  500    192.168.1.16     500    ISAKMP  Informational
123.651333  192.168.1.16     500    222.222.222.222  500    ISAKMP  Informational
125.253336  192.168.1.16     500    222.222.222.222  500    ISAKMP  Identity Protection (Main Mode)
125.267048  222.222.222.222  500    192.168.1.16     500    ISAKMP  Identity Protection (Main Mode)
125.269660  192.168.1.16     500    222.222.222.222  500    ISAKMP  Identity Protection (Main Mode)
125.282521  222.222.222.222  500    192.168.1.16     500    ISAKMP  Identity Protection (Main Mode)
125.285585  192.168.1.16     500    222.222.222.222  500    ISAKMP  Identity Protection (Main Mode)
125.296799  222.222.222.222  500    192.168.1.16     500    ISAKMP  Identity Protection (Main Mode)
125.298416  192.168.1.16     500    222.222.222.222  500    ISAKMP  Quick Mode
125.312624  222.222.222.222  500    192.168.1.16     500    ISAKMP  Quick Mode
125.454623  192.168.1.16     500    222.222.222.222  500    ISAKMP  Quick Mode
136.624847  222.222.222.222  500    192.168.1.16     500    ISAKMP  Informational
136.625812  192.168.1.16     500    222.222.222.222  500    ISAKMP  Informational
156.622182  222.222.222.222  500    192.168.1.16     500    ISAKMP  Informational
156.622948  192.168.1.16     500    222.222.222.222  500    ISAKMP  Informational
176.621066  222.222.222.222  500    192.168.1.16     500    ISAKMP  Informational
[... THIS SEQUENCE IS REPEATED INDEFINITELY ...]
Here is the output of /var/log/messages:
========================================
Apr 2 15:07:39 vm-ipsec-new systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Apr 2 15:07:39 vm-ipsec-new kernel: AVX2 instructions are not detected.
Apr 2 15:07:39 vm-ipsec-new kernel: AVX2 or AES-NI instructions are not detected.
Apr 2 15:07:40 vm-ipsec-new ipsec: nflog ipsec capture disabled
Apr 2 15:07:40 vm-ipsec-new systemd: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Here is the output of /var/log/secure:
======================================
Apr 2 15:07:39 vm-ipsec-new polkitd[975]: Registered Authentication Agent for unix-process:6712:4822023 (system bus name :1.295 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: FIPS Product: NO
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: FIPS Kernel: NO
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: FIPS Mode: NO
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: NSS DB directory: sql:/etc/ipsec.d
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: Initializing NSS
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: Opening NSS database "sql:/etc/ipsec.d" read-only
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: NSS initialized
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: NSS crypto library initialized
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: FIPS HMAC integrity support [enabled]
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: FIPS mode disabled for pluto daemon
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: FIPS HMAC integrity verification self-test passed
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: libcap-ng support [enabled]
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: Linux audit support [enabled]
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: Linux audit activated
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: Starting Pluto (Libreswan Version 3.25 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO GCC_EXCEPTIONS NSS (AVA copy) (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:7008
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: core dump dir: /run/pluto
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: secrets file: /etc/ipsec.secrets
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: leak-detective enabled
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: NSS crypto [enabled]
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: XAUTH PAM support [enabled]
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: NAT-Traversal support [enabled]
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: Encryption algorithms:
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] (3des)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (camellia)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (serpent)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (twofish)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: CAST_CBC IKEv1: ESP IKEv2: ESP {*128} (cast)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP {256,192,*128} (aes_gmac)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: NULL IKEv1: ESP IKEv2: ESP []
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: Hash algorithms:
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: MD5 IKEv1: IKE IKEv2:
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: SHA1 IKEv1: IKE IKEv2: FIPS (sha)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: SHA2_256 IKEv1: IKE IKEv2: FIPS (sha2 sha256)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: SHA2_384 IKEv1: IKE IKEv2: FIPS (sha384)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: SHA2_512 IKEv1: IKE IKEv2: FIPS (sha512)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: PRF algorithms:
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: HMAC_MD5 IKEv1: IKE IKEv2: IKE (md5)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS (sha sha1)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS (sha2 sha256 sha2_256)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS (sha384 sha2_384)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS (sha512 sha2_512)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: AES_XCBC IKEv1: IKEv2: IKE FIPS (aes128_xcbc)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: Integrity algorithms:
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (md5 hmac_md5)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_cmac)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: NONE IKEv1: ESP IKEv2: ESP FIPS (null)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: DH algorithms:
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: NONE IKEv1: IKEv2: IKE ESP AH (null dh0)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh2)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh5)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh14)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh15)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh16)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh17)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh18)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_256)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_384)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_521)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: DH22 IKEv1: IKE ESP AH IKEv2: IKE ESP AH
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: DH23 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: DH24 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: starting up 31 crypto helpers
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 0
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 1
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 2
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 3
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 4
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 5
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 6
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 7
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 8
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 9
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 10
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 11
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 12
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 13
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 14
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 15
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 16
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 17
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 18
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 19
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 20
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 21
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 22
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 23
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 24
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 25
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 26
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 27
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 28
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 29
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: started thread for crypto helper 30
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-862.14.4.el7.x86_64
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: | selinux support is NOT enabled.
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: watchdog: sending probes every 100 secs
Apr 2 15:07:40 vm-ipsec-new polkitd[975]: Unregistered Authentication Agent for unix-process:6712:4822023 (system bus name :1.295, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: added connection description "vpnbank"
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: listening for IKE messages
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: adding interface eth0/eth0
192.168.1.16:500
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: adding interface eth0/eth0
192.168.1.16:4500
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: adding interface lo/lo 127.0.0.1:500
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: adding interface lo/lo 127.0.0.1:4500
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: adding interface lo/lo ::1:500
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: | setup callback for interface lo:500 fd 19
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: | setup callback for interface lo:4500 fd 18
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: | setup callback for interface lo:500 fd 17
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: | setup callback for interface eth0:4500 fd 16
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: | setup callback for interface eth0:500 fd 15
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: loading secrets from "/etc/ipsec.secrets"
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: "vpnbank" #1: initiating Main Mode
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: "vpnbank" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: "vpnbank" #1: ignoring unknown Vendor ID payload [fc647b93c064cf4d78b88b17fd232058]
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: "vpnbank" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: "vpnbank" #1: Peer ID is ID_IPV4_ADDR: '200.196.145.40'
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: "vpnbank" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: "vpnbank" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:ac2a0e99 proposal=defaults pfsgroup=no-pfs}
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: "vpnbank" #2: ignoring informational payload IPSEC_RESPONDER_LIFETIME, msgid=ac2a0e99, length=32
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: | ISAKMP Notification Payload
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: |   00 00 00 20 00 00 00 01 03 04 60 00
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: "vpnbank" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0f471dc4 <0x7dc96388 xfrm=3DES_CBC_0-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
On Tue, Apr 2, 2019 at 6:22 AM Paul Wouters <paul at nohats.ca> wrote:
>
> On Tue, 2 Apr 2019, guilsson at gmail.com wrote:
>
> > # /etc/ipsec.conf - Openswan IPsec configuration file
> > #
> > # Manual: ipsec.conf.5
> > #
> > # Please place your own config files in /etc/ipsec.d/ ending in .conf
> >
> > version 2.0 # conforms to second version of ipsec.conf specification
>
> You can remove the entire version line
>
> > # basic configuration
> > #config setup
> > # # Debug-logging controls: "none" for (almost) none, "all" for lots.
> > # # klipsdebug=none
> > # # plutodebug="control parsing"
> > # # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> > # protostack=netkey
> > # nat_traversal=yes
> > # virtual_private=
> > # oe=off
> > # # Enable this if you see "failed to find any available worker"
> > # nhelpers=0
>
> You can comment out all the options here.
>
> > #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
> > #include /etc/ipsec.d/*.conf
> >
> > conn block
> > auto=ignore
> > conn private
> > auto=ignore
> > conn private-or-clear
> > auto=ignore
> > conn clear-or-private
> > auto=ignore
> > conn clear
> > auto=ignore
> > conn packetdefault
> > auto=ignore
>
> Delete all of those conns. They are not needed.
>
> > config setup
> > #klipsdebug=all
> > #plutodebug="control parsing"
> > nat_traversal=yes
> > protostack=netkey
> > virtual_private=
> > oe=off
> > nhelpers=0
> > #forceencaps=yes
> > interfaces=%defaultroute
> > force_keepalive=yes
> > keep_alive=2
>
> Comment out all those options.
>
> > conn vpnbank
> > type=tunnel
> > left=192.168.1.16
> > leftsubnet=192.168.1.0/26
> > leftnexthop=192.168.1.100
> > right=222.222.222.222
> > rightsubnet=111.111.111.111/32
> > rightnexthop=192.168.1.100
> > keyexchange=ike
> > auto=start
> > authby=secret
> > pfs=no
> > compress=no
> > auth=esp
> > keylife=1440m
> > ikelifetime=3600s
>
> Remove the auth=esp line and nexthop lines.
>
> > /VAR/LOG/MESSAGES:------------------
> > Apr 2 00:04:18 vm-ipsec-new systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
> > Apr 2 00:04:18 vm-ipsec-new addconn: ERROR: /etc/ipsec.d/ipsec.conf: 66: keyword auth, invalid value: esp
>
> That is due to the auth=esp line which you should remove.
>
> > I tried to comment #auth=esp ...
> >
> > # service ipsec start
> > Job for ipsec.service failed because the control process exited with error code. See "systemctl status ipsec.service" and "journalctl -xe" for details.
> >
> > /VAR/LOG/MESSAGES:
> > ------------------
> > Apr 2 00:10:00 vm-ipsec-new systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
> > Apr 2 00:10:00 vm-ipsec-new addconn: cannot load config '/etc/ipsec.conf': /etc/ipsec.d/ipsec.conf:8: syntax error, unexpected VERSION, expecting $end [version]
>
> Remove the version line.
>
> > Could anyone point me some directions how to fix/adapt my configuration (or LibreSwan cfg) to make compatible with LIBRESWAN at CentOS 7.5 ?
>
> Otherwise, it should be compatible. There might be some ike= / esp=
> settings you need if you defaulted to low ones and the higher ones
> are not allowed by the remote, but you have to try to find out.
>
> Paul
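Editor's added example (not part of the original message and not Libreswan's own tooling). The /var/log/secure excerpt above ends with "ISAKMP SA established" and then "IPsec SA established tunnel mode", so pluto considers both phase 1 and phase 2 up; the next things to look at are the kernel state (`ip xfrm state`, `ipsec trafficstatus`) and routing for the leftsubnet/rightsubnet pair, not the IKE proposal. The script below reads pluto log lines, reports whether both SAs came up, turns the negotiated parameters into the equivalent explicit ike=/esp= lines Paul refers to (so they can be pinned in the conn instead of relying on proposal=defaults), and flags the legacy algorithms that were actually negotiated. The three log lines embedded in it are constructed copies of the ones quoted above; the name mapping (CIPHER, INTEG) is an assumption that covers only the algorithm spellings seen in this thread, and the "ike=3des-sha1;modp1536" / "esp=3des-sha1" keyword form follows ipsec.conf(5) for Libreswan 3.x.

```python
import re

# Constructed sample: three lines in the shape (and with the values) of the pluto
# output quoted in this thread. On a real host use open("/var/log/secure").read().
SAMPLE_LOG = """\
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: "vpnbank" #1: initiating Main Mode
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: "vpnbank" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
Apr 2 15:07:40 vm-ipsec-new pluto[7008]: "vpnbank" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0f471dc4 <0x7dc96388 xfrm=3DES_CBC_0-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
"""

PHASE1_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: .*ISAKMP SA established \{(?P<attrs>[^}]*)\}')
PHASE2_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: .*IPsec SA established (?P<mode>\w+) mode \{(?P<attrs>[^}]*)\}')

# pluto's log spelling -> ipsec.conf keyword. Assumption: only names that occur in this
# thread are mapped; anything else is passed through lower-cased and must be checked by hand.
CIPHER = {"3des_cbc": "3des", "aes_cbc": "aes"}
INTEG = {"sha": "sha1", "sha1": "sha1", "md5": "md5", "sha2_256": "sha2_256",
         "hmac_sha1_96": "sha1", "hmac_md5_96": "md5", "hmac_sha2_256_128": "sha2_256"}
# Keywords a reviewer should not accept on a new tunnel without a documented reason.
WEAK = {"3des": "64-bit block cipher (Sweet32)", "md5": "broken hash",
        "sha1": "legacy HMAC-SHA1, prefer sha2",
        "modp1024": "1024-bit DH group", "modp1536": "1536-bit DH group, below the 2048-bit floor"}

_SIZED = re.compile(r"([a-z0-9]+_[a-z]+)_(\d+)")   # 3des_cbc_192 -> (3des_cbc, 192)


def _attrs(text):
    """'cipher=3des_cbc_192 integ=sha' -> dict; tokens without '=' (the inbound SPI) are skipped."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def _enc_keyword(pluto_name):
    """3des_cbc_192 -> 3des, aes_cbc_256 -> aes256, 3DES_CBC_0 -> 3des (pluto prints 0 for fixed-size keys)."""
    m = _SIZED.fullmatch(pluto_name.lower())
    base, bits = (m.group(1), m.group(2)) if m else (pluto_name.lower(), "0")
    kw = CIPHER.get(base, base)
    return kw if (kw == "3des" or bits == "0") else kw + bits


def analyze(log_text):
    """Summarise the negotiated SAs for the first connection that reaches STATE_MAIN_I4."""
    out = {"conn": None, "phase1": None, "phase2": None, "ike": None, "esp": None}
    for line in log_text.splitlines():
        m = PHASE1_RE.search(line)
        if m:
            a = _attrs(m.group("attrs"))
            out["conn"], out["phase1"] = m.group("conn"), a
            integ = INTEG.get(a["integ"], a["integ"])
            out["ike"] = "ike=%s-%s;%s" % (_enc_keyword(a["cipher"]), integ, a["group"].lower())
            continue
        m = PHASE2_RE.search(line)
        if m and m.group("conn") == out["conn"]:
            a = _attrs(m.group("attrs"))
            out["phase2"] = a
            enc, integ = a["xfrm"].lower().split("-", 1)
            # With pfs=no (as in the thread's conn) there is no ";group" suffix on esp=.
            out["esp"] = "esp=%s-%s" % (_enc_keyword(enc), INTEG.get(integ, integ))
    out["tunnel_up"] = out["phase1"] is not None and out["phase2"] is not None
    used = set()
    for kw_line in (out["ike"], out["esp"]):
        if kw_line:
            used.update(re.split(r"[-;]", kw_line.split("=", 1)[1]))
    out["weak"] = sorted(k for k in used if k in WEAK)
    return out


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("connection:", r["conn"], "| both SAs established:", r["tunnel_up"])
    print("equivalent explicit proposal lines for the conn in ipsec.conf:")
    print("   ", r["ike"])
    print("   ", r["esp"])
    for k in r["weak"]:
        print("warning:", k, "-", WEAK[k])
```

Run it as `python3 check_sa.py` after pasting real lines into SAMPLE_LOG (or reading the file); with the values from this thread it prints ike=3des-sha1;modp1536 and esp=3des-sha1 and warns on 3des, modp1536 and sha1. Pinning those two lines reproduces exactly what the remote accepted today; moving to aes256-sha2;modp2048 needs the peer's agreement, which is the "you have to try to find out" part of Paul's reply.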