[Swan] Swan Digest, Vol 101, Issue 4

Jorge Sevillanos rsevillanos at gmail.com
Sat May 15 06:11:19 UTC 2021


Thank you all, it worked,

I ran "grep -nr python2 /usr/libexec/ipsec" and got 3 files in the output:

   - _unbound-hook:1:#!python2
   - show:1:#!python2
   - verify:1:#!python2

Made the change to each file to "#!/usr/bin/env python2".

All worked nice!!!

Regards,

Rodolfo

On Fri, May 14, 2021 at 1:46 AM <swan-request at lists.libreswan.org> wrote:

>
> Today's Topics:
>
>    1. Re: problem command "ipsec verify" (Paul Wouters)
>    2. Re: problem command "ipsec verify" (Tuomo Soini)
>    3. SA lifetime too short, less than configured (Ivan Kuznetsov)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 13 May 2021 09:52:12 -0400 (EDT)
> From: Paul Wouters <paul at nohats.ca>
> To: swan at lists.libreswan.org
> Cc: swan at lists.libreswan.org
> Subject: Re: [Swan] problem command "ipsec verify"
> Message-ID: <8f808ceb-f49-3d3d-f391-6439bd4abf3a at nohats.ca>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On Wed, 12 May 2021, Jorge Sevillanos wrote:
>
> > Hi Bruno, something weird is happening.
> > Amazon Linux 2 by default comes with python2 & python3 installed and
> > their executables are inside /usr/bin
>
> Whoever builds libreswan for that Linux distro should set the proper
> value for PYTHON_BINARY=
>
> eg see:
>
> paul at bofh:~$ grep PYTHON_BINARY libreswan/packaging/rhel/*/*spec
> libreswan/packaging/rhel/7/libreswan.spec:    PYTHON_BINARY=python2 \\\
> libreswan/packaging/rhel/8/libreswan.spec:    PYTHON_BINARY=%{__python3} \\\
>
> Paul
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 13 May 2021 17:06:00 +0300
> From: Tuomo Soini <tis at foobar.fi>
> To: swan at lists.libreswan.org
> Subject: Re: [Swan] problem command "ipsec verify"
> Message-ID: <20210513170600.39cdfc75 at tuomo.foobar.fi>
> Content-Type: text/plain; charset=US-ASCII
>
> On Wed, 12 May 2021 18:29:13 -0600
> Jorge Sevillanos <rsevillanos at gmail.com> wrote:
>
> > Hi Libreswan, just installed Amazon Linux 2 (fresh) from default ami,
> > nftables  nftables v0.9.0 (Fearless Fosdick) and libreswan
> > 4.4-1.el7_9
> >
> > I downloaded rpm package from:
> >
> > https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-4.4-1.el7_9.x86_64.rpm
> >
> > And installed package: yum install
> >
> > https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-4.4-1.el7_9.x86_64.rpm
> >
> > I run the command "ipsec verify" and shows me the following:
> >
> > [root at ip-10-10-2-15 sysctl.d]# ipsec verify
> > /sbin/ipsec: /usr/libexec/ipsec/verify: python2: bad interpreter: No
> > such file or directory
> > /sbin/ipsec: line 565: /usr/libexec/ipsec/verify: Success
> >
> > Please help.
>
> This was a bug in our spec file for rhel7. I fixed that a few minutes ago
> but this is not a severe enough problem to rebuild the package because verify
> is completely optional, like all python scripts in Libreswan. If you want
> to use verify, do:
>
> sed -i -e 's|python2|/usr/bin/python2|' /usr/libexec/ipsec/verify
>
> Bug was introduced as part of 4.2 release.
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 14 May 2021 10:37:19 +0300
> From: Ivan Kuznetsov <kia at solvo.ru>
> To: swan at lists.libreswan.org
> Subject: [Swan] SA lifetime too short, less than configured
> Message-ID: <dc162bef-fa7a-7f7d-5860-d1875d173636 at solvo.ru>
> Content-Type: text/plain; charset="koi8-r"; Format="flowed"
>
> Hello
>
> We use libreswan 3.32 under Linux and have an IPsec peer that recently
> upgraded their Cisco ASA. Tunnel was migrated to IKEv2. All works fine
> except the libreswan side restarts ISAKMP too often, mostly after 1h.
> ESP is restarted too. Settings for lifetime are 24h for phase 1 and 8h
> for phase 2 on both sides. rekeymargin has default value (300s)
>
> Why does libreswan drop the ISAKMP SA regardless of explicit settings?
>
> Libreswan configuration:
>
> conn bkp
>          type=tunnel
>          auto=start
>          authby=secret
>          left=11.22.33.44
>          leftsubnet=172.16.80.0/20
>          right=55.66.77.88
>          rightsubnets=10.1.208.0/28,10.1.102.0/24,10.1.100.22/32,10.1.104.0/29
>
>          ikev2=yes
>          ikelifetime=24h
>          initial-contact=yes
>
>          phase2=esp
>          salifetime=8h
> #        BKP's Cisco ASA has strangeness regarding DH groups on phase2
>          pfs=no
>
>          rekey=yes
>          rekeymargin=5m
>          keyingtries=3
>
>          fragmentation=yes
> #        BKP's Cisco ASA has nonstandard DPD
> #        dpddelay=30
> #        dpdtimeout=120
> #        dpdaction=restart
>
>
> Libreswan log is attached
>
> --
> Regards, Ivan Kuznetsov
> SOLVO ltd
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: bkp.log
> Type: text/x-log
> Size: 19504 bytes
> Desc: not available
> URL: <https://lists.libreswan.org/pipermail/swan/attachments/20210514/9e00f8d3/attachment.bin>
>
>
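
Added example, not part of the original thread or of libreswan: a first-line-only, repeatable version of the shebang audit and fix discussed above for the scripts in /usr/libexec/ipsec. The function names and the sample directory are constructed for illustration, and `sed -i` assumes GNU sed, as in the quoted command.

```shell
#!/bin/sh
# The kernel does not search PATH for a "#!" interpreter. A bare name such
# as "#!python2" is resolved against the current directory, so it normally
# fails with "bad interpreter: No such file or directory".

# Print the interpreter named on line 1 of FILE, or nothing if no shebang.
shebang_interp() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# List "file:interpreter" for regular files directly under DIR whose
# shebang interpreter is not an absolute path.
find_bare_shebangs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        interp=$(shebang_interp "$f")
        case "$interp" in
            ''|/*) ;;   # no shebang, or already absolute
            *) printf '%s:%s\n' "$f" "$interp" ;;
        esac
    done
}

# Rewrite only line 1 of FILE to "#!/usr/bin/env NAME". Files whose
# interpreter is already absolute are left alone, so running it twice
# is harmless and later lines mentioning the name are never touched.
fix_bare_shebang() {
    interp=$(shebang_interp "$1")
    case "$interp" in
        ''|/*) return 0 ;;
    esac
    sed -i -e '1s|^#![[:space:]]*|#!/usr/bin/env |' "$1"
}

# Constructed sample tree standing in for /usr/libexec/ipsec.
demo_dir=$(mktemp -d)
printf '#!python2\nimport sys  # needs python2\n' > "$demo_dir/verify"
printf '#!/bin/sh\necho ok\n' > "$demo_dir/other"
find_bare_shebangs "$demo_dir"
for f in "$demo_dir"/*; do fix_bare_shebang "$f"; done
head -n 1 "$demo_dir/verify"
rm -rf "$demo_dir"
```
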