[Swan] IPSec secure messages.

Paul Wouters paul at nohats.ca
Thu May 16 03:42:00 UTC 2019


On Wed, 15 May 2019, Madhan Raj wrote:

>       Which version?

> <MADHAN> Sorry, I was using this openswan-2.6.32-37.el6.x86_64 version.
>             This is my ipsec.conf file.

Your ipsec.conf does not contain any connection so it would not do
anything? Do you have other *.conf files in /etc/ipsec.d/ perhaps?

>         2.  I have configured an IPsec policy on one of my servers pointing to the other server, but I didn't configure the policies

How have you configured this if you have no "conn" sections in your
ipsec.conf or include files?

>   <MADHAN> I have auto=start in my policy.conf file.

Oh, you do have a conn...

>    conn 772007410_x509
>         left=10.63.101.19
>         leftcert=ipsec-db
>         leftrsasigkey=%cert
>         leftprotoport=tcp/0
>         leftid="C=RS, O=home, OU=cup, CN=esc-imppub-12.burren.pst, ST=serbia, L=belgrade"
>         right=10.63.101.18
>         rightcert=esc-cucm-12.burren.pst
>         rightrsasigkey=%cert
>         rightprotoport=tcp/0
>         rightid=""
>         type=transport
>         auth=esp
>         authby=rsasig
>         keyexchange=ike
>         keyingtries=%forever
>         rekey=yes
>         ike=3des-sha1-modp1024
>         esp=aes128-sha1
>         ikelifetime=3600s
>         salifetime=3600s
>         pfs=no
>         auto=start
> I can see the ping to the normal server is still working fine? So this means that openswan is not blocking any traffic to the other
> server if the ipsec policy is not up??

you can run: ipsec auto --add 772007410_x509
to see if the connection loaded fine. If it does, you can run: ipsec auto --up 772007410_x509
to see if it brings the connection up or what error you see.

> <MADHAN>  I have shared my policy and ipsec.conf file above. I am sure we are not adding any failureshunt=passthrough anywhere, but I
> can see the network connectivity is intact though the policies are still in PENDING state. Am I missing something here?

I suspect the connection isn't getting loaded at all?

For RHEL6 or CentOS6, you should be using 6.8 or 6.9, which use
libreswan instead of openswan. centos6.9 should come with at least
libreswan version 3.15. Or you can grab binaries that are even newer
from download.libreswan.org/binaries/rhel/6/

Paul
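The symptom in this thread (peer still reachable in the clear while the policy shows as pending) is what you get when the daemon never loads the conn at all: no conn, no kernel policy, no blocking. Before running the `ipsec auto --add` / `ipsec auto --up` steps above, it helps to enumerate exactly which conn sections the daemon can see, including those pulled in through `include` lines, and what auto= each one resolves to (auto= defaults to ignore when unset, and a `conn %default` section can change that). The script below is an added example, not code from the thread or from openswan/libreswan; the config tree it builds is constructed for the self-test, and resolving a relative include pattern against the including file's directory is an assumption.

```python
"""Added example: list every conn an openswan/libreswan ipsec.conf tree defines
and report whether it would be loaded at startup.  Not project code; the
sample configs in demo() are constructed for illustration."""
import glob
import os
import re
import tempfile
from typing import Dict, List, Optional, Set

# Section headers and include lines start at column 0; parameters are indented.
SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
INCLUDE_RE = re.compile(r"^include\s+(\S+)\s*$")


def parse_ipsec_conf(path: str, seen: Optional[Set[str]] = None) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every conn in path and its includes."""
    if seen is None:
        seen = set()
    real = os.path.realpath(path)
    if real in seen:  # guard against include loops
        return {}
    seen.add(real)
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].rstrip()  # drop comments
            if not line.strip():
                continue
            m = INCLUDE_RE.match(line)
            if m:
                pattern = m.group(1)
                if not os.path.isabs(pattern):  # assumption: relative to this file
                    pattern = os.path.join(os.path.dirname(path), pattern)
                for inc in sorted(glob.glob(pattern)):
                    conns.update(parse_ipsec_conf(inc, seen))
                current = None
                continue
            m = SECTION_RE.match(line)
            if m:
                kind, name = m.groups()
                # only conn sections matter here; "config setup" is skipped
                current = conns.setdefault(name, {}) if kind == "conn" else None
                continue
            m = KV_RE.match(line)
            if m and current is not None:
                current[m.group(1)] = m.group(2)
    return conns


def effective_auto(conns: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each real conn to its auto= value, honouring conn %default.
    auto= is documented to default to ignore, i.e. never loaded."""
    default = conns.get("%default", {}).get("auto", "ignore")
    return {name: kv.get("auto", default)
            for name, kv in conns.items() if name != "%default"}


def report(path: str) -> List[str]:
    """Human-readable verdict per conn; the empty case is the thread's symptom."""
    eff = effective_auto(parse_ipsec_conf(path))
    if not eff:
        return ["no conn sections found: nothing will be loaded"]
    return [f"conn {name}: auto={auto} -> "
            f"{'NOT loaded at startup' if auto == 'ignore' else 'loaded at startup'}"
            for name, auto in sorted(eff.items())]


SAMPLE_POLICY = """\
conn %default
\tkeyexchange=ike
conn peer_x509
\tleft=10.0.0.1
\tright=10.0.0.2
\ttype=transport
\tauthby=rsasig
\tauto=start
conn staged_only
\tleft=10.0.0.1
\tright=10.0.0.3
"""


def demo() -> Dict[str, List[str]]:
    """Build two constructed config trees in a temp dir and report on both."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as root:
        head = "version 2.0\nconfig setup\n\tprotostack=netkey\n"
        empty = os.path.join(root, "ipsec-empty.conf")
        with open(empty, "w") as fh:  # ipsec.conf with no conn and no include
            fh.write(head)
        results["empty"] = report(empty)

        incdir = os.path.join(root, "ipsec.d")
        os.mkdir(incdir)
        with open(os.path.join(incdir, "policy.conf"), "w") as fh:
            fh.write(SAMPLE_POLICY)
        full = os.path.join(root, "ipsec.conf")
        with open(full, "w") as fh:  # ipsec.conf that includes ipsec.d/*.conf
            fh.write(head + f"include {incdir}/*.conf\n")
        results["with_includes"] = report(full)
    return results


if __name__ == "__main__":
    for label, lines in demo().items():
        print(f"[{label}]")
        for line in lines:
            print("  " + line)
```

Run it against the real `/etc/ipsec.conf` with `report("/etc/ipsec.conf")`. If the conn you expect is missing or resolves to auto=ignore, that explains plaintext traffic: the daemon never installed a policy. Once it does show up, `ipsec auto --add` and `ipsec auto --up` as described above tell you whether it loads and negotiates, and `ip xfrm policy` on the host confirms whether a kernel policy for the peer actually exists.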
