<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Nick,<br>
<br>
I do not know if this is intentional, but I am used to typing in:<br>
<b>/usr/local/sbin/ipsec</b><b> addconn</b> --verbose connname<br>
You typed in: <br>
<b>/usr/libexec/ipsec/addconn</b> --verbose MumIn<br>
<br>
I do not know if this will make an actual difference, but in my
case, I have not yet encountered any problem.<br>
<br>
Here is my attempt to best match your auto=ignore case:<br>
<br>
[philippe@victor ~]$ sudo /usr/local/sbin/ipsec addconn --verbose Philippe_PSK<br>
opening file: /etc/ipsec.conf<br>
debugging mode enabled<br>
including file '/etc/ipsec.d/*.conf'(/etc/ipsec.d/*.conf) from
line /etc/ipsec.conf:26<br>
Loading conn Philippe_RSA_Fixed_IP<br>
while loading conn 'Philippe_RSA_Fixed_IP' also including
'FIXED_RIGHT_IP'<br>
starter: case KH_DEFAULTROUTE: empty<br>
Loading conn Vladimir_RSA_Fixed_IP<br>
while loading conn 'Vladimir_RSA_Fixed_IP' also including
'FIXED_RIGHT_IP'<br>
starter: case KH_DEFAULTROUTE: empty<br>
Loading conn Philippe_PSK<br>
while loading conn 'Philippe_PSK' also including
'FIXED_RIGHT_IP'<br>
starter: case KH_DEFAULTROUTE: empty<br>
Loading conn DHCP_RIGHT_IP<br>
starter: case KH_DEFAULTROUTE: empty<br>
Loading conn FIXED_RIGHT_IP<br>
starter: case KH_DEFAULTROUTE: empty<br>
loading named conns: Philippe_PSK<br>
parse_src = 0, parse_gateway = 1, has_dst = 0<br>
dst via 192.168.1.1 dev eth0 src <br>
set nexthop: 192.168.1.1<br>
dst 169.254.0.0 via dev eth0 src <br>
dst 192.168.1.0 via dev eth0 src 192.168.1.2<br>
dst 127.0.0.0 via dev lo src 127.0.0.1<br>
dst 127.0.0.0 via dev lo src 127.0.0.1<br>
dst 127.0.0.1 via dev lo src 127.0.0.1<br>
dst 127.255.255.255 via dev lo src 127.0.0.1<br>
dst 192.168.1.0 via dev eth0 src 192.168.1.2<br>
dst 192.168.1.2 via dev eth0 src 192.168.1.2<br>
dst 192.168.1.255 via dev eth0 src 192.168.1.2<br>
<br>
parse_src = 1, parse_gateway = 0, has_dst = 1<br>
dst 192.168.1.1 via dev eth0 src 192.168.1.2<br>
set addr: 192.168.1.2<br>
002 "Philippe_PSK": deleting connection<br>
002 added connection description "Philippe_PSK"<br>
<br>
Here is my current complete /etc/ipsec.d/vouters.conf<br>
<br>
[philippe@victor ~]$ sudo cat /etc/ipsec.d/vouters.conf<br>
# Mutual RSA + XAuth + DHCP<br>
#conn Vladimir_RSA_XAuth_DHCP<br>
# rightcert="Vladimir - Vouters Illimited"<br>
# also=Philippe_XAUTH_RSA_DHCP<br>
<br>
# Mutual RSA + XAuth + DHCP<br>
#conn Philippe_RSA_XAuth_DHCP<br>
# rightcert="Philippe - Vouters Illimited"<br>
# also=Philippe_XAUTH_RSA_DHCP<br>
<br>
# Mutual RSA + XAuth<br>
#conn Vladimir_RSA_XAuth<br>
# rightcert="Vladimir - Vouters Illimited"<br>
# also=Philippe_XAUTH_RSA<br>
<br>
# Mutual RSA + XAuth<br>
#conn Philippe_RSA_XAuth<br>
# rightcert="Philippe - Vouters Illimited"<br>
# also=Philippe_XAUTH_RSA<br>
<br>
# Mutual RSA + Fixed IP<br>
conn Philippe_RSA_Fixed_IP<br>
rightcert="Philippe - Vouters Illimited"<br>
leftcert="victor.vouters.dyndns.org - Vouters Illimited"<br>
also=FIXED_RIGHT_IP<br>
<br>
# Mutual RSA + Fixed IP<br>
conn Vladimir_RSA_Fixed_IP<br>
rightcert="Vladimir - Vouters Illimited"<br>
leftcert="victor.vouters.dyndns.org - Vouters Illimited"<br>
also=FIXED_RIGHT_IP<br>
<br>
# Mutual PSK<br>
conn Philippe_PSK<br>
authby=secret <br>
# leftsourceip=192.168.1.2<br>
also=FIXED_RIGHT_IP <br>
<br>
# Mutual PSK + DHCP <br>
#conn Philippe_PSK_DHCP<br>
# authby=secret <br>
# also=DHCP_RIGHT_IP<br>
<br>
<br>
# Mutual PSK + XAuth + Fixed IP<br>
#conn Philippe_XAUTH_PSK<br>
# authby=secret<br>
# aggrmode=yes<br>
# leftxauthserver=yes<br>
# rightxauthclient=yes<br>
# rightid=@[GroupVPN]<br>
# xauthby=pam<br>
# also=FIXED_RIGHT_IP<br>
<br>
# Mutual RSA + XAuth + Fixed IP<br>
#conn Philippe_XAUTH_RSA<br>
# authby=rsasig<br>
# aggrmode=yes<br>
# leftxauthserver=yes<br>
# rightxauthclient=yes<br>
# leftcert="victor.vouters.dyndns.org - Vouters Illimited"<br>
# xauthby=pam<br>
# also=FIXED_RIGHT_IP<br>
<br>
# Mutual PSK + XAuth + DHCP<br>
#conn Philippe_XAUTH_PSK_DHCP<br>
# authby=secret<br>
# aggrmode=yes<br>
# leftxauthserver=yes<br>
# rightxauthclient=yes<br>
# rightid=@[GroupVPN]<br>
# xauthby=pam<br>
# also=DHCP_RIGHT_IP<br>
<br>
# Mutual RSA + XAuth + DHCP<br>
#conn Philippe_XAUTH_RSA_DHCP<br>
# authby=rsasig<br>
# aggrmode=yes<br>
# leftxauthserver=yes<br>
# rightxauthclient=yes<br>
# leftcert="victor.vouters.dyndns.org - Vouters Illimited"<br>
# xauthby=pam<br>
# also=DHCP_RIGHT_IP<br>
<br>
conn DHCP_RIGHT_IP<br>
type=tunnel<br>
pfs=yes<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=restart<br>
left=%defaultroute<br>
leftnexthop=%defaultroute<br>
leftprotoport=udp/bootps<br>
leftupdown="ipsec _updown --route yes"<br>
right=%any<br>
rightsubnetwithin=192.168.1.0/24<br>
rightprotoport=udp/bootps<br>
rekey=no<br>
auto=ignore<br>
# auto=add<br>
<br>
conn FIXED_RIGHT_IP <br>
type=tunnel<br>
pfs=yes<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=restart<br>
left=%defaultroute<br>
leftnexthop=%defaultroute<br>
leftsubnet=0.0.0.0/0<br>
leftupdown="ipsec _updown --route yes"<br>
right=%any<br>
rightsubnet=vhost:%no,%priv<br>
rekey=no<br>
auto=add<br>
[philippe@victor ~]$ <br>
<br>
<pre class="moz-signature" cols="72">
Philippe Vouters (Fontainebleau/France)
URL: <a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
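The two passes shown in the addconn output above (parse_gateway first, then parse_src) can be reproduced on a plain routing table. What follows is an added example, not libreswan's own code: a simplified, stand-alone Python re-implementation of how left=%defaultroute and leftnexthop=%defaultroute get resolved, with the routes quoted in the mail rebuilt as a constructed in-memory table. The Route type, the function names and the rule that routes on lo are skipped are this example's own assumptions; libreswan itself queries the kernel over netlink rather than walking a list.<br>

```python
"""Added example, not libreswan code: a simplified re-implementation of the
two passes that `ipsec addconn --verbose` prints as
'parse_src = 0, parse_gateway = 1' and 'parse_src = 1, parse_gateway = 0'
when it resolves left=%defaultroute / leftnexthop=%defaultroute.
The Route type, the function names and the loopback rule are this
example's own assumptions; libreswan asks the kernel over netlink instead."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    dst: Optional[str]   # prefix such as "192.168.1.0/24"; None = default route
    via: Optional[str]   # gateway address, None when directly connected
    dev: str             # outgoing interface
    src: Optional[str]   # preferred source address, None if the kernel gave none


# Constructed sample table, rebuilt from the 'dst ... via ... dev ... src ...'
# lines quoted in the mail (not a live dump).
SAMPLE_ROUTES: List[Route] = [
    Route(None, "192.168.1.1", "eth0", None),              # default via 192.168.1.1
    Route("169.254.0.0/16", None, "eth0", None),           # link-local, no src
    Route("192.168.1.0/24", None, "eth0", "192.168.1.2"),
    Route("127.0.0.0/8", None, "lo", "127.0.0.1"),
    Route("127.0.0.1/32", None, "lo", "127.0.0.1"),
    Route("192.168.1.2/32", None, "eth0", "192.168.1.2"),
]


def find_gateway(routes: List[Route]) -> Optional[str]:
    """Pass 1 (parse_gateway): the nexthop is the gateway of the default route."""
    for r in routes:
        if r.dst is None and r.via:
            return r.via
    return None


def find_source_for(routes: List[Route], target: str) -> Optional[str]:
    """Pass 2 (parse_src): the most specific non-loopback route that reaches
    `target` and carries a source address gives the local endpoint.
    Routes on lo are skipped because 127.0.0.1 is never a usable IKE
    endpoint (assumption of this example)."""
    target_ip = ipaddress.ip_address(target)
    best, best_len = None, -1
    for r in routes:
        if r.dst is None or r.dev == "lo" or r.src is None:
            continue
        net = ipaddress.ip_network(r.dst, strict=False)
        if target_ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best.src if best else None


def resolve_defaultroute(routes: List[Route]) -> Tuple[str, str]:
    """Return (nexthop, addr) for leftnexthop=%defaultroute / left=%defaultroute.
    Raises ValueError instead of guessing when the table cannot answer."""
    nexthop = find_gateway(routes)
    if nexthop is None:
        raise ValueError("no default route: cannot resolve %defaultroute")
    addr = find_source_for(routes, nexthop)
    if addr is None:
        raise ValueError("no non-loopback route with a source address towards " + nexthop)
    return nexthop, addr


def can_resolve(routes: List[Route]) -> bool:
    """True if resolve_defaultroute() would succeed on this table."""
    try:
        resolve_defaultroute(routes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("nexthop=%s addr=%s" % resolve_defaultroute(SAMPLE_ROUTES))
```

On the constructed table this yields nexthop 192.168.1.1 and addr 192.168.1.2, the same values the 'set nexthop' and 'set addr' lines report above. A table in which only lo routes reach the gateway, or one with no default route at all, makes resolve_defaultroute() raise rather than silently picking 127.0.0.1 as the left endpoint.<br>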
On 06/01/2013 17:58, Nick Howitt wrote:<br>
</div>
<blockquote cite="mid:50E9AD25.2060502@gmail.com" type="cite">I'm in
a bit of a mess here and I cannot get the conn to load at all to
test. Using the command below I get:
<br>
<br>
[root@server src]# /usr/libexec/ipsec/addconn --verbose MumIn
<br>
opening file: /etc/ipsec.conf
<br>
debugging mode enabled
<br>
including file
'/etc/ipsec.d/ipsec.*.conf'(/etc/ipsec.d/ipsec.*.conf) from line
/etc/ipsec.conf:36
<br>
Loading default conn
<br>
starter: case KH_NOTSET: empty
<br>
starter: case KH_NOTSET: empty
<br>
Loading conn David
<br>
starter: check what we need to do for 'howitts.poweredbyclear.com'
<br>
starter: ttoaddr_num failed, not numeric
'howitts.poweredbyclear.com'
<br>
starter: Resolved to howitts.poweredbyclear.com !
<br>
starter: check what we need to do for '88.98.137.158'
<br>
loading named conns: MumIn(notfound)
<br>
[root@server src]#
<br>
<br>
The ttoaddr error is coming from another conn (David) which I'm
not trying to load. In that conn David, if I change left to
%defaultroute, the 3 "howitts.poweredbyclear.com" errors go away,
but I don't see why MumIn is not found. My ipsec.conf is:
<br>
<br>
version 2.0
<br>
<br>
# Default policy
<br>
#---------------
<br>
<br>
config setup
<br>
interfaces=%defaultroute
<br>
plutodebug=none
<br>
klipsdebug=none
<br>
oe=no
<br>
protostack=netkey
<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
<br>
<br>
<br>
conn %default
<br>
type=tunnel
<br>
authby=secret
<br>
<br>
# Tunnels defined in separate files
<br>
#----------------------------------
<br>
<br>
include /etc/ipsec.d/ipsec.*.conf
<br>
<br>
And /etc/ipsec.d/ipsec.unmanaged.MumIn.conf is:
<br>
<br>
conn MumIn
<br>
type=tunnel
<br>
authby=secret
<br>
dpdtimeout=120
<br>
dpddelay=30
<br>
auto=add
<br>
left=%defaultroute
<br>
leftsourceip=192.168.2.1
<br>
leftsubnet=192.168.2.0/24
<br>
leftid=@FromNick
<br>
right=%any
<br>
rightsubnet=192.168.10.0/24
<br>
salifetime=1h
<br>
dpdaction=restart_by_peer
<br>
ikelifetime=8h
<br>
ike=aes256
<br>
phase2alg=aes256
<br>
<br>
Until I can get these errors to clear, I can't try to reproduce
the dev lo route error.
<br>
<br>
As a separate question, the command "ipsec secrets" appears to
load secrets as before, but I notice we now get new files in the
installation. Are we forced to use NSS now, or is ipsec.*.secrets
still OK to use?
<br>
<br>
This is using your RHEL rpm. Having to roll back to the rival for
the moment.
<br>
<br>
Regards,
<br>
<br>
Nick
<br>
<br>
On 04/01/2013 17:26, Paul Wouters wrote:
<br>
<blockquote type="cite">
<br>
On 01/04/2013 12:13 PM, Nick Howitt wrote:
<br>
<blockquote type="cite">In Oguz' Yilmaz's case he appears to
have a right specified
<br>
(right=RIGHT_EXT_IP) and a leftnexthop
(leftnexthop=LEFT_EXT_GW) rather
<br>
than right=%any and no leftnexthop. :(
<br>
</blockquote>
<br>
you can use /usr/libexec/ipsec/addconn --verbose connname to get
a verbose output that includes the routes we got back for making
the decision.
<br>
<br>
<blockquote type="cite">We have hit some minor odd issues -
ipsec auto --status does not give
<br>
any info on phase2alg unless it is specified. It may also fail
if it is
<br>
specified with the hash function e.g. aes256-sha1 but I need
to test
<br>
further and my time for testing is very limited. But this
should all be
<br>
for another thread......
<br>
</blockquote>
<br>
I've filed that as <a class="moz-txt-link-freetext" href="https://bugs.libreswan.org/show_bug.cgi?id=53">https://bugs.libreswan.org/show_bug.cgi?id=53</a>
but I also have not had the time yet to look into this.
<br>
<br>
Paul
<br>
<br>
</blockquote>
<br>
_______________________________________________
<br>
Swan mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
<br>
<br>
</blockquote>
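Nick's "MumIn(notfound)" is addconn reporting that no conn of that name was present once /etc/ipsec.conf and everything its include lines pulled in had been parsed. The following is an added example, not libreswan's code: a small Python loader that walks include globs, collects conn sections, and flattens also= chains and conn %default the way the configs quoted in this thread rely on, so that one can check which conn names are actually visible before running addconn. The in-memory files are constructed from the configs above (vouters.conf is deliberately left outside the include glob to show how a conn in an unmatched file ends up "notfound"); the precedence rule (a conn's own settings win over values pulled in via also=, and %default sits underneath everything) and the simplified comment handling are this example's assumptions.<br>

```python
"""Added example, not libreswan code: a minimal ipsec.conf section loader
that follows 'include' globs, collects 'conn' sections and flattens
'also=' chains plus 'conn %default'. Precedence (own settings over
also= values, %default underneath) and the '#'-strips-everything comment
rule are this example's assumptions, not a statement of addconn's parser."""
import fnmatch
from typing import Dict, FrozenSet, Iterator, List

# Constructed in-memory files modelled on the configs quoted in the thread.
CONSTRUCTED_FILES: Dict[str, str] = {
    "/etc/ipsec.conf": """\
version 2.0
config setup
    protostack=netkey
conn %default
    type=tunnel
    authby=secret
include /etc/ipsec.d/ipsec.*.conf
""",
    "/etc/ipsec.d/ipsec.unmanaged.MumIn.conf": """\
conn MumIn
    auto=add
    left=%defaultroute
    leftsubnet=192.168.2.0/24   # trailing comment is stripped
    right=%any
    also=FIXED_RIGHT_IP
conn FIXED_RIGHT_IP
    pfs=yes
    rightsubnet=vhost:%no,%priv
    auto=ignore
""",
    # Not matched by the include glob above, so nothing in it is visible.
    "/etc/ipsec.d/vouters.conf": "conn Philippe_PSK\n    authby=secret\n",
}


def _expand_includes(files: Dict[str, str], path: str, seen: FrozenSet[str]) -> Iterator[str]:
    """Yield the non-blank, comment-stripped lines of `path`, replacing each
    'include <glob>' line with the lines of every matching file (sorted)."""
    if path in seen:
        raise ValueError("include loop at " + path)
    seen = seen | {path}
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].rstrip()   # simplification: no '#' inside values
        if not line:
            continue
        if line.startswith("include "):
            pattern = line.split(None, 1)[1]
            for match in sorted(fnmatch.filter(files, pattern)):
                yield from _expand_includes(files, match, seen)
        else:
            yield line


def parse_sections(files: Dict[str, str], root: str = "/etc/ipsec.conf") -> Dict[str, Dict[str, str]]:
    """Map section name -> raw parameters. Lines in column 0 start a section
    ('conn NAME', 'config setup'); indented 'key=value' lines belong to it.
    also= lines are collected under the private key '__also__'."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in _expand_includes(files, root, frozenset()):
        if line[0] not in " \t":
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind in ("conn", "config") else None
        elif current is not None:
            key, _, value = line.strip().partition("=")
            if key == "also":
                current.setdefault("__also__", []).append(value)   # type: ignore[arg-type]
            else:
                current[key] = value
    return sections


def load_conn(sections: Dict[str, Dict[str, str]], name: str, _stack: tuple = ()) -> Dict[str, str]:
    """Flatten also= recursively. Raises KeyError('NAME(notfound)') for a
    missing section, mirroring addconn's message, and ValueError on loops."""
    if name not in sections:
        raise KeyError(name + "(notfound)")
    if name in _stack:
        raise ValueError("also= loop: " + " -> ".join(_stack + (name,)))
    own = dict(sections[name])
    alsos: List[str] = own.pop("__also__", [])   # type: ignore[assignment]
    merged: Dict[str, str] = {}
    for other in alsos:
        for key, value in load_conn(sections, other, _stack + (name,)).items():
            merged.setdefault(key, value)        # first also'd value wins among alsos
    merged.update(own)                           # assumption: own settings beat also= values
    return merged


def load_named_conn(sections: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """Apply 'conn %default' underneath the flattened conn."""
    params = {k: v for k, v in sections.get("%default", {}).items() if k != "__also__"}
    params.update(load_conn(sections, name))
    return params


def conn_is_loadable(sections: Dict[str, Dict[str, str]], name: str) -> bool:
    try:
        load_named_conn(sections, name)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    secs = parse_sections(CONSTRUCTED_FILES)
    print("visible conns:", sorted(n for n in secs if n != "setup"))
    for wanted in ("MumIn", "Philippe_PSK"):
        print(wanted, "->", load_named_conn(secs, wanted) if conn_is_loadable(secs, wanted) else "notfound")
```

Pointing CONSTRUCTED_FILES at real files read from disk turns this into a quick pre-check: if the conn name you pass to addconn is not among the visible sections, the include glob, the file name or the section header is the thing to look at, not the conn body.<br>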
<br>
</body>
</html>