[Swan] IPSec secure messages.
Madhan Raj
madhanrajrm at gmail.com
Sun May 19 12:34:19 UTC 2019
Hi Paul,
Your ipsec.conf does not contain any connection so it would not do
anything? Do you have other *.conf files in /etc/ipsec.d/ perhaps?
I missed pasting this. At the end of my ipsec.conf file, I have
this line:
# Place all our user configurations (.conf) files below
include /etc/ipsec.d/conf/*.conf
Perhaps for the other queries let me give a short, currently all my servers
are down. Will update you shortly.
Thanks,
Madhan
On Thu, May 16, 2019 at 9:12 AM Paul Wouters <paul at nohats.ca> wrote:
> On Wed, 15 May 2019, Madhan Raj wrote:
>
> > Which version?
>
> > <MADHAN> Sorry, I was using this openswan-2.6.32-37.el6.x86_64 version.
> > This is my ipsec.conf file.
>
> Your ipsec.conf does not contain any connection so it would not do
> anything? Do you have other *.conf files in /etc/ipsec.d/ perhaps?
>
> > 2. I have configured an IPsec policy on one of my servers
> > pointing to the other server, but I didn't configure the policies
>
> How have you configured this if you have no "conn" sections in your
> ipsec.conf or include files?
>
> > <MADHAN> I have auto=start in my policy.conf file.
>
> Oh, you do have a conn...
>
> > conn 772007410_x509
> >     left=10.63.101.19
> >     leftcert=ipsec-db
> >     leftrsasigkey=%cert
> >     leftprotoport=tcp/0
> >     leftid="C=RS, O=home, OU=cup, CN=esc-imppub-12.burren.pst, ST=serbia, L=belgrade"
> >     right=10.63.101.18
> >     rightcert=esc-cucm-12.burren.pst
> >     rightrsasigkey=%cert
> >     rightprotoport=tcp/0
> >     rightid=""
> >     type=transport
> >     auth=esp
> >     authby=rsasig
> >     keyexchange=ike
> >     keyingtries=%forever
> >     rekey=yes
> >     ike=3des-sha1-modp1024
> >     esp=aes128-sha1
> >     ikelifetime=3600s
> >     salifetime=3600s
> >     pfs=no
> >     auto=start
> > I can see the ping to the normal server is still working fine? So this
> > means that openswan is not blocking any traffic to the other
> > server if the ipsec policy is not up??
>
> you can run: ipsec auto --add 772007410_x509
> to see if the connection loaded fine. If it does, you can run:
> ipsec auto --up 772007410_x509
> to see if it brings the connection up or what error you see.
>
> > <MADHAN> I have shared my policy and ipsec.conf file above. I am sure
> > we are not adding any failureshunt=passthrough anywhere, but I
> > can see the network connectivity is intact though the policies are still
> > in PENDING state. Am I missing something here?
>
> I suspect the connection isn't getting loaded at all?
>
> For RHEL6 or CentOS6, you should be using 6.8 or 6.9, which use
> libreswan instead of openswan. centos6.9 should come with at least
> libreswan version 3.15. Or you can grab binaries that are even newer
> from download.libreswan.org/binaries/rhel/6/
>
> Paul
>
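As an added example (not part of this thread, and not openswan or libreswan code), here is a shell check that complements the `ipsec auto --add` / `ipsec auto --up` steps Paul gives above. `ipsec auto --status` only tells you whether the conn loaded in pluto; what actually decides whether plaintext can reach the peer is the kernel's xfrm policy table, which is why the ping keeps working when nothing was ever installed: no policy means no protection, not a blocked packet. The script parses `ip xfrm policy` output for a local/peer pair and reports whether a policy whose template requires ESP or AH exists in both directions. A policy without a template (what failureshunt=passthrough installs) is deliberately not counted. The function names and the three sample policy dumps are constructed for illustration; only the two addresses come from the conn section quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: decide from `ip xfrm policy` output
# whether the kernel is actually enforcing IPsec between two hosts.
# Only a policy whose template requires esp/ah counts as enforcement; a
# policy with no template (failureshunt=passthrough) or no policy at all
# means traffic to the peer goes in the clear.

# xfrm_check_pair DUMP LOCAL PEER
#   DUMP is text in `ip xfrm policy` format. Prints ENFORCED (esp/ah policy
#   in both directions), PARTIAL (one direction only) or PLAINTEXT (none),
#   returning 0, 1 or 2 respectively so it can drive a script.
xfrm_check_pair() {
    dump=$1; local_ip=$2; peer=$3
    counts=$(printf '%s\n' "$dump" | awk -v l="$local_ip" -v p="$peer" '
        # A policy starts with "src A/len dst B/len ..." and is followed by
        # indented "dir ...", "tmpl ..." and "proto esp|ah ... mode ..." lines.
        $1 == "src" { split($2, a, "/"); src = a[1]; split($4, b, "/"); dst = b[1]; dir = "" }
        $1 == "dir" { dir = $2 }
        $1 == "proto" && ($2 == "esp" || $2 == "ah") {
            if (dir == "out" && src == l && dst == p) outbound++
            if (dir == "in"  && src == p && dst == l) inbound++
        }
        END { printf "%d %d\n", outbound + 0, inbound + 0 }')
    out_n=${counts% *}
    in_n=${counts#* }
    if [ "$out_n" -gt 0 ] && [ "$in_n" -gt 0 ]; then
        echo ENFORCED; return 0
    elif [ "$out_n" -gt 0 ] || [ "$in_n" -gt 0 ]; then
        echo PARTIAL; return 1
    fi
    echo PLAINTEXT; return 2
}

# xfrm_check_live LOCAL PEER: the same check against the running kernel.
xfrm_check_live() {
    if ! command -v ip >/dev/null 2>&1; then
        echo "ip(8) not found" >&2; return 3
    fi
    xfrm_check_pair "$(ip xfrm policy 2>/dev/null)" "$1" "$2"
}

# Constructed sample dumps (not captured from the thread's hosts), laid out
# the way `ip xfrm policy` prints them, from the point of view of 10.63.101.19.
# 1. what a loaded transport-mode conn with auth=esp installs:
SAMPLE_ENFORCED='src 10.63.101.19/32 dst 10.63.101.18/32 proto tcp
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 10.63.101.18/32 dst 10.63.101.19/32 proto tcp
    dir in priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport'
# 2. only the outbound half present (inbound plaintext would still be accepted):
SAMPLE_PARTIAL='src 10.63.101.19/32 dst 10.63.101.18/32 proto tcp
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport'
# 3. a template-less (passthrough) entry for the peer plus an unrelated
#    tunnel-mode policy for another network; the peer gets plaintext:
SAMPLE_PLAINTEXT='src 10.63.101.19/32 dst 10.63.101.18/32 proto tcp
    dir out priority 1 ptype main
src 10.63.101.19/32 dst 192.0.2.0/24
    dir out priority 2080 ptype main
    tmpl src 10.63.101.19 dst 192.0.2.1
        proto esp reqid 16386 mode tunnel'

if [ "${1:-}" = demo ]; then
    for s in "$SAMPLE_ENFORCED" "$SAMPLE_PARTIAL" "$SAMPLE_PLAINTEXT"; do
        xfrm_check_pair "$s" 10.63.101.19 10.63.101.18 || :
    done
fi
```

Run it as `sh check.sh demo` to see the three verdicts on the samples, or call `xfrm_check_live 10.63.101.19 10.63.101.18` on the box itself; a non-zero return is the condition to alarm on, because a PENDING conn and an absent policy look identical from ping.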