[Swan] IPSec secure messages.

Madhan Raj madhanrajrm at gmail.com
Sun May 19 12:34:19 UTC 2019


Hi Paul,

> Your ipsec.conf does not contain any connection so it would not do
> anything? Do you have other *.conf files in /etc/ipsec.d/ perhaps?


I missed pasting this. At the end of my ipsec.conf file, I have
this line:
# Place all our user configurations (.conf) files below
include /etc/ipsec.d/conf/*.conf


Perhaps for the other queries let me give a short currently all my servers
are down. Will update you shortly.

Thanks,
Madhan

On Thu, May 16, 2019 at 9:12 AM Paul Wouters <paul at nohats.ca> wrote:

> On Wed, 15 May 2019, Madhan Raj wrote:
>
> >       Which version?
>
> > <MADHAN> Sorry, I was using this openswan-2.6.32-37.el6.x86_64 version
> >             This is my ipsec.conf file.
>
> Your ipsec.conf does not contain any connection so it would not do
> anything? Do you have other *.conf files in /etc/ipsec.d/ perhaps?
>
> >         2.  I have configured an IPsec policy on one of my servers pointing to the other server, but I didn't configure the policies
>
> How have you configured this if you have no "conn" sections in your
> ipsec.conf or include files?
>
> >   <MADHAN> I have auto=start in my policy.conf file.
>
> Oh, you do have a conn...
>
> >    conn 772007410_x509
> >         left=10.63.101.19
> >         leftcert=ipsec-db
> >         leftrsasigkey=%cert
> >         leftprotoport=tcp/0
> >         leftid="C=RS, O=home, OU=cup, CN=esc-imppub-12.burren.pst, ST=serbia, L=belgrade"
> >         right=10.63.101.18
> >         rightcert=esc-cucm-12.burren.pst
> >         rightrsasigkey=%cert
> >         rightprotoport=tcp/0
> >         rightid=""
> >         type=transport
> >         auth=esp
> >         authby=rsasig
> >         keyexchange=ike
> >         keyingtries=%forever
> >         rekey=yes
> >         ike=3des-sha1-modp1024
> >         esp=aes128-sha1
> >         ikelifetime=3600s
> >         salifetime=3600s
> >         pfs=no
> >         auto=start
> > I can still see the ping to the normal server is working fine? So this means that openswan is not blocking any traffic to the other
> > server if the ipsec policy is not up??
>
> you can run: ipsec auto --add 772007410_x509
> to see if the connection loaded fine. If it does, you can run: ipsec auto
> --up 772007410_x509
> to see if it brings the connection up or what error you see.
>
> > <MADHAN>  I have shared my policy and ipsec.conf file above. I am sure we are not adding any failureshunt=passthrough anywhere, but I
> > can see the network connectivity is intact though the policies are still in PENDING state. Am I missing something here?
>
> I suspect the connection isn't getting loaded at all?
>
> For RHEL6 or CentOS6, you should be using 6.8 or 6.9, which use
> libreswan instead of openswan. centos6.9 should come with at least
> libreswan version 3.15. Or you can grab binaries that are even newer
> from download.libreswan.org/binaries/rhel/6/
>
> Paul
>
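
The question running through this thread is whether any `conn` section is actually defined once the `include` line is followed. The Python sketch below is an added example, not part of the original messages and not Openswan or libreswan code: it follows `include` globs from a main file and lists each `conn` it finds with its `auto=` value. The parsing is a simplified assumption about the file syntax (section headers and `include` at column 0, indented `key=value` lines), `find_conns` and `demo` are hypothetical names, and the sample files are constructed.

```python
import glob
import os
import tempfile

def find_conns(path, seen=None):
    """Return {conn_name: {"file": ..., "auto": ...}} for path and its includes."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:                      # guard against include loops
        return {}
    seen.add(real)
    conns, current = {}, None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].rstrip()   # simplified comment handling
            if not line.strip():
                continue
            words = line.split()
            if not line[0].isspace():     # column 0: section header or include
                current = None
                if words[0] == "include" and len(words) > 1:
                    pattern = words[1]
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(os.path.dirname(path), pattern)
                    for inc in sorted(glob.glob(pattern)):
                        conns.update(find_conns(inc, seen))
                elif words[0] == "conn" and len(words) > 1:
                    current = words[1]
                    conns[current] = {"file": path, "auto": None}
            elif current and "=" in line:  # indented option inside a conn
                key, value = line.strip().split("=", 1)
                if key.strip() == "auto":
                    conns[current]["auto"] = value.strip()
    return conns

def demo():
    """Build a constructed layout like the one in the thread and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "ipsec.d", "conf"))
    main = os.path.join(root, "ipsec.conf")
    with open(main, "w") as fh:
        fh.write("config setup\n# Place all our user configurations (.conf) files below\n"
                 f"include {root}/ipsec.d/conf/*.conf\n")
    with open(os.path.join(root, "ipsec.d", "conf", "policy.conf"), "w") as fh:
        fh.write("conn 772007410_x509\n    type=transport\n    auto=start\n")
    return find_conns(main)

if __name__ == "__main__":
    print(demo())
```

An empty result means the daemon has no connection to load, which is a separate case from a connection that loads but stays pending.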