[Swan] Create multi encryption domain via ipsec whack command
Paul Wouters
paul at nohats.ca
Tue Oct 11 06:22:42 EEST 2022
On Mon, 3 Oct 2022, Uday Raj wrote:
> Subject: [Swan] Create multi encryption domain via ipsec whack command
> I am creating a multi encryption domain in ipsec via the below command. But the below command is throwing an error.
> Could you please let me know how to create a MED in ipsec via whack commands?
>
> Command:
>
> /usr/ipsec whack --name Tunnel1 --encrypt --tunnel --pfs --delete --psk \
> --host 10.0.15.251 --client 10.0.15.251/32 --id 10.0.15.251 \
> --updown "ipsec _updown" \
> --to \
> --host 10.10.0.1 --client {10.10.0.1/32,10.196.90.128/31} --id 10.10.0.1 \
> --updown "ipsec _updown" \
> --ike "aes192,3des" --esp "aes192,3des" \
> --ikelifetime 3600 \
> --ipseclifetime 28800 --rekeywindow 540 --keyingtries 10 --ikev1-allow/sbin
The way this currently works is that connections are instantiated by the
parser. So in a config file with conn "test" containing leftsubnets={10.10.0.1/32,10.196.90.128/31},
we actually expand that to two conns named "test/1x0" and "test/2x0".
Ideally, you do not use whack but create a file in /etc/ipsec.d/test.conf and have an
include for /etc/ipsec.d/*.conf in /etc/ipsec.conf. Is there any reason
why you are using "ipsec whack" directly instead?
If you really need to use whack, you need to emulate the expansion the
parser does for you:
/usr/ipsec whack --name Tunnel1a --encrypt --tunnel --pfs --delete --psk \
--host 10.0.15.251 --client 10.0.15.251/32 --id 10.0.15.251 \
--updown "ipsec _updown" \
--to \
--host 10.10.0.1 --client 10.10.0.1/32 --id 10.10.0.1 \
--updown "ipsec _updown" \
--ike "aes192,3des" --esp "aes192,3des" \
--ikelifetime 3600 \
--ipseclifetime 28800 --rekeywindow 540 --keyingtries 10 --ikev1-allow/sbin
/usr/ipsec whack --name Tunnel1b --encrypt --tunnel --pfs --delete --psk \
--host 10.0.15.251 --client 10.0.15.251/32 --id 10.0.15.251 \
--updown "ipsec _updown" \
--to \
--host 10.10.0.1 --client 10.196.90.128/31 --id 10.10.0.1 \
--updown "ipsec _updown" \
--ike "aes192,3des" --esp "aes192,3des" \
--ikelifetime 3600 \
--ipseclifetime 28800 --rekeywindow 540 --keyingtries 10 --ikev1-allow/sbin
Paul
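As an added example (not from this thread or from the libreswan project), here is a small Python helper that performs the leftsubnets=/rightsubnets= expansion Paul describes and emits one whack invocation per expanded conn. It assumes the naming rule shown above (a side written as a {set} gets 1-based indices, a plain single subnet gets index 0, joined as "<conn>/<left>x<right>") also holds when both sides carry a set; the flags it carries over are the ones from the thread, minus --delete.

```python
"""Emulate the leftsubnets=/rightsubnets= expansion the libreswan config
parser does, so the same connections can be loaded with 'ipsec whack'."""
import itertools
import shlex


def parse_subnets(value):
    """'{a/32,b/31}' -> ['a/32', 'b/31']; a bare 'a/32' -> ['a/32']."""
    v = value.strip()
    if v.startswith("{") and v.endswith("}"):
        v = v[1:-1]
    return [s.strip() for s in v.split(",") if s.strip()]


def expand_conn(name, left_subnets, right_subnets):
    """Return [(conn_name, left_subnet, right_subnet), ...].

    A side given as a {set} gets 1-based indices; a side given as a single
    subnet gets index 0, so leftsubnets={a,b} yields "name/1x0", "name/2x0"
    (naming as stated in the thread; the two-sided case is an assumption).
    """
    def side(value):
        subs = parse_subnets(value)
        if value.strip().startswith("{"):
            return list(enumerate(subs, start=1))
        return [(0, subs[0])]

    return [(f"{name}/{li}x{ri}", ls, rs)
            for (li, ls), (ri, rs) in itertools.product(side(left_subnets),
                                                        side(right_subnets))]


def whack_commands(name, left_host, left_subnets, right_host, right_subnets,
                   extra_flags=()):
    """Build one shell-quoted 'ipsec whack' command line per expanded conn."""
    cmds = []
    for conn, ls, rs in expand_conn(name, left_subnets, right_subnets):
        argv = ["ipsec", "whack", "--name", conn, "--encrypt", "--tunnel",
                "--pfs", "--psk",
                "--host", left_host, "--client", ls, "--id", left_host,
                "--updown", "ipsec _updown", "--to",
                "--host", right_host, "--client", rs, "--id", right_host,
                "--updown", "ipsec _updown", *extra_flags]
        cmds.append(shlex.join(argv))
    return cmds


if __name__ == "__main__":
    # Constructed input mirroring the question: the --to side carries the set.
    for line in whack_commands("Tunnel1", "10.0.15.251", "10.0.15.251/32",
                               "10.10.0.1", "{10.10.0.1/32,10.196.90.128/31}",
                               ["--ike", "aes192,3des", "--esp", "aes192,3des"]):
        print(line)
```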