[Swan] Create multi encryption domain via ipsec whack command

Paul Wouters paul at nohats.ca
Tue Oct 11 06:22:42 EEST 2022


On Mon, 3 Oct 2022, Uday Raj wrote:

> Subject: [Swan] Create multi encryption domain via ipsec whack command

> I am creating a multi encryption domain in ipsec via the below command. But the below command is throwing an error?
> Could you please let me know how to create a MED in ipsec via whack commands.
> 
> Command:
> 
> /usr/ipsec whack --name Tunnel1 --encrypt --tunnel --pfs --delete  --psk  \
>     --host 10.0.15.251 --client 10.0.15.251/32 --id 10.0.15.251 \
>     --updown "ipsec _updown" \
>     --to \
>     --host 10.10.0.1 --client {10.10.0.1/32,10.196.90.128/31} --id 10.10.0.1 \
>     --updown "ipsec _updown" \
>     --ike "aes192,3des" --esp "aes192,3des" \
>     --ikelifetime 3600 \
>     --ipseclifetime 28800 --rekeywindow 540 --keyingtries 10 --ikev1-allow/sbin


The way this currently works is that connections are instantiated by the
parser. So in a config file with conn "test" containing leftsubnets={10.10.0.1/32,10.196.90.128/31},
we actually expand that to two conns named "test/1x0" and "test/2x0".

Ideally, you do not use whack but create a file in /etc/ipsec.d/test.conf and have an
include for /etc/ipsec.d/*.conf in /etc/ipsec.conf. Is there any reason
why you are using "ipsec whack" directly instead?

If you really need to use whack, you need to emulate the expansion the
parser does for you:


  /usr/ipsec whack --name Tunnel1a --encrypt --tunnel --pfs --delete  --psk  \
      --host 10.0.15.251 --client 10.0.15.251/32 --id 10.0.15.251 \
      --updown "ipsec _updown" \
      --to \
      --host 10.10.0.1 --client 10.10.0.1/32 --id 10.10.0.1 \
      --updown "ipsec _updown" \
      --ike "aes192,3des" --esp "aes192,3des" \
      --ikelifetime 3600 \
      --ipseclifetime 28800 --rekeywindow 540 --keyingtries 10 --ikev1-allow/sbin

  /usr/ipsec whack --name Tunnel1b --encrypt --tunnel --pfs --delete  --psk  \
      --host 10.0.15.251 --client 10.0.15.251/32 --id 10.0.15.251 \
      --updown "ipsec _updown" \
      --to \
      --host 10.10.0.1 --client 10.196.90.128/31 --id 10.10.0.1 \
      --updown "ipsec _updown" \
      --ike "aes192,3des" --esp "aes192,3des" \
      --ikelifetime 3600 \
      --ipseclifetime 28800 --rekeywindow 540 --keyingtries 10 --ikev1-allow/sbin


Paul
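The expansion Paul describes above (one conn per subnet in a brace list, each with its own name) can be scripted so the per-subnet whack commands do not have to be written by hand. The following POSIX shell function is an added example, not code from the thread or from the libreswan project: it takes the brace-delimited subnet list, rejects an empty list or a non-CIDR entry, and prints one whack command per right subnet, suffixing the connection name with `_1`, `_2`, ... (that suffix, the `IPSEC_BIN` variable and the pass-through of trailing options are assumptions of this example; the parser's own naming is the `test/1x0` form described above).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emulate the libreswan
# parser's expansion of leftsubnets={a,b,...} into one whack command per subnet.

# Assumption: "ipsec" is on PATH; the thread invoked /usr/ipsec instead.
IPSEC_BIN="${IPSEC_BIN:-ipsec}"

# expand_conn NAME LEFT_HOST LEFT_CLIENT RIGHT_HOST "{subnet1,subnet2,...}" [extra whack options...]
# Prints (does not run) one whack command line per right subnet.
# Connection names are suffixed "_1", "_2", ... (an assumption of this example).
expand_conn() {
    name=$1; lhost=$2; lsub=$3; rhost=$4; rsubs=$5
    shift 5                                   # remaining args are passed through verbatim
    # Strip the braces and any spaces, then split on commas, one subnet per line.
    list=$(printf '%s' "$rsubs" | tr -d '{} ' | tr ',' '\n')
    if [ -z "$list" ]; then
        echo "expand_conn: empty subnet list" >&2
        return 1
    fi
    i=0
    for sub in $list; do
        case $sub in
            */*) ;;                           # looks like prefix/length, accept
            *) echo "expand_conn: '$sub' is not in CIDR notation" >&2; return 1 ;;
        esac
        i=$((i + 1))
        # Same left side in every command; only --name and the right --client vary.
        printf '%s whack --name %s_%d --encrypt --tunnel --pfs --psk --host %s --client %s --id %s --updown "ipsec _updown" --to --host %s --client %s --id %s --updown "ipsec _updown" %s\n' \
            "$IPSEC_BIN" "$name" "$i" "$lhost" "$lsub" "$lhost" "$rhost" "$sub" "$rhost" "$*"
    done
}

# Usage (prints two commands for the subnets from the thread; pipe to "sh" to run them):
# expand_conn Tunnel1 10.0.15.251 10.0.15.251/32 10.10.0.1 \
#     '{10.10.0.1/32,10.196.90.128/31}' \
#     --ike "aes192,3des" --esp "aes192,3des" --ikelifetime 3600 \
#     --ipseclifetime 28800 --rekeywindow 540 --keyingtries 10 --ikev1-allow
```

Review the printed commands before piping them to `sh`; the function deliberately prints rather than executes so a typo in the subnet list is caught before any connection is loaded.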

