<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Nick,<br>
<br>
I do not know whether this will make a difference with MumIn conn
but, as far as I know, the correct syntax ought to be:<br>
<b>leftid=@[FromNick]</b><br>
instead of<br>
leftid=@FromNick<br>
(see rightid specification inside conn Philippe_XAUTH_PSK_DHCP at
<a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/tima/Linux-Libreswan-Shrew-VPN-Testing_PAM_XAUTH_DHCP_with_Shrew.html">http://vouters.dyndns.org/tima/Linux-Libreswan-Shrew-VPN-Testing_PAM_XAUTH_DHCP_with_Shrew.html</a>)<br>
<br>
As far as I am doing tests, David conn should only be an issue if
addcon uses the unbound library. This does NOT seem to be your
case.<br>
<br>
Provided you rebuild from sources, make sure you read in
Makefile.inc:<br>
USE_DNSSEC?=false<br>
instead of the default:<br>
USE_DNSSEC?=true<br>
<br>
For this ipsec configuration:<br>
<br>
# Mutual PSK<br>
conn Philippe_PSK<br>
authby=secret <br>
also=FIXED_RIGHT_IP <br>
<br>
conn FIXED_RIGHT_IP <br>
type=tunnel<br>
pfs=yes<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=restart<br>
<b>left=victor.vouters.dyndns.org</b><br>
leftnexthop=%defaultroute<br>
leftsubnet=0.0.0.0/0<br>
leftupdown="ipsec _updown --route yes"<br>
right=%any<br>
rightsubnet=vhost:%no,%priv<br>
rekey=no<br>
auto=add<br>
<br>
WITHOUT the unbound library, I read:<br>
[philippe@victor libreswan-3.0]$ <b>sudo /usr/local/sbin/ipsec
addconn --verbose --autoall</b><br>
opening file: /etc/ipsec.conf<br>
debugging mode enabled<br>
including file '/etc/ipsec.d/*.conf'(/etc/ipsec.d/*.conf) from
line /etc/ipsec.conf:26<br>
Loading conn Philippe_PSK<br>
while loading conn 'Philippe_PSK' also including
'FIXED_RIGHT_IP'<br>
starter: check what we need to do for 'victor.vouters.dyndns.org'
<br>
starter: ttoaddr_num failed, not numeric
'victor.vouters.dyndns.org' <br>
starter: Resolved to victor.vouters.dyndns.org !<br>
Loading conn FIXED_RIGHT_IP<br>
starter: check what we need to do for 'victor.vouters.dyndns.org'
<br>
starter: ttoaddr_num failed, not numeric
'victor.vouters.dyndns.org' <br>
<b>starter: Resolved to victor.vouters.dyndns.org !</b><br>
loading all conns according to their auto= settings<br>
Pass #1: Loading auto=add and auto=route connections<br>
<b>Philippe_PSK</b><br>
parse_src = 0, parse_gateway = 1, has_dst = 0<br>
dst via 192.168.1.1 dev eth0 src <br>
set nexthop: 192.168.1.1<br>
dst 169.254.0.0 via dev eth0 src <br>
dst 192.168.1.0 via dev eth0 src 192.168.1.2<br>
dst 127.0.0.0 via dev lo src 127.0.0.1<br>
dst 127.0.0.0 via dev lo src 127.0.0.1<br>
dst 127.0.0.1 via dev lo src 127.0.0.1<br>
dst 127.255.255.255 via dev lo src 127.0.0.1<br>
dst 192.168.1.0 via dev eth0 src 192.168.1.2<br>
dst 192.168.1.2 via dev eth0 src 192.168.1.2<br>
dst 192.168.1.255 via dev eth0 src 192.168.1.2<br>
022 connection Philippe_PSK must specify host IP address for our
side<br>
037 attempt to load incomplete connection<br>
FIXED_RIGHT_IP<br>
parse_src = 0, parse_gateway = 1, has_dst = 0<br>
dst via 192.168.1.1 dev eth0 src <br>
set nexthop: 192.168.1.1<br>
dst 169.254.0.0 via dev eth0 src <br>
dst 192.168.1.0 via dev eth0 src 192.168.1.2<br>
dst 127.0.0.0 via dev lo src 127.0.0.1<br>
dst 127.0.0.0 via dev lo src 127.0.0.1<br>
dst 127.0.0.1 via dev lo src 127.0.0.1<br>
dst 127.255.255.255 via dev lo src 127.0.0.1<br>
dst 192.168.1.0 via dev eth0 src 192.168.1.2<br>
dst 192.168.1.2 via dev eth0 src 192.168.1.2<br>
dst 192.168.1.255 via dev eth0 src 192.168.1.2<br>
022 connection FIXED_RIGHT_IP must specify host IP address for our
side<br>
037 attempt to load incomplete connection<br>
Pass #2: Loading auto=start connections<br>
<br>
What I do wonder is why I read from above:<br>
022 connection Philippe_PSK must specify host IP address for our
side<br>
037 attempt to load incomplete connection<br>
<br>
At first glance, they appear meaningless messages as I correctly
read src 192.168.1.2 which victor.vouters.dyndns.org translates
to.<br>
<br>
I have to do more tests regarding this problem to ensure these
messages are actually harmless.<br>
<pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
Le 06/01/2013 20:45, Nick Howitt a écrit :<br>
</div>
<blockquote cite="mid:50E9D476.1000307@gmail.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
Philippe,<br>
<br>
ClearOS (maybe RHEL as well) does not normally put anything under
/usr/local. I have lots of directories under it and olly share has
anything in it. Paul Wouters in a parallel reply gave me the other
command. I've just checked the RHEL rpm and Paul's syntax is
correct.<br>
<br>
What is curious about the command is why is it even looking at the
auto=ignore case. It is in a conn called David. As I am trying to
load a conn called MumIn directly from the command, why is it
looking at conn David at all?<br>
<br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 06/01/2013 19:24, Philippe Vouters
wrote:<br>
</div>
<blockquote cite="mid:50E9CF53.8000904@laposte.net" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Le 06/01/2013 17:58, Nick Howitt a
écrit :<br>
</div>
<blockquote cite="mid:50E9AD25.2060502@gmail.com" type="cite">I'm
in a bit of a mess here and I cannot get the conn to load at
all to test. Using the command below I get: <br>
<br>
[root@server src]# /usr/libexec/ipsec/addconn --verbose MumIn
<br>
opening file: /etc/ipsec.conf <br>
debugging mode enabled <br>
including file
'/etc/ipsec.d/ipsec.*.conf'(/etc/ipsec.d/ipsec.*.conf) from
line /etc/ipsec.conf:36 <br>
Loading default conn <br>
starter: case KH_NOTSET: empty <br>
starter: case KH_NOTSET: empty <br>
Loading conn David <br>
starter: check what we need to do for
'howitts.poweredbyclear.com' <br>
starter: ttoaddr_num failed, not numeric
'howitts.poweredbyclear.com' <br>
starter: Resolved to howitts.poweredbyclear.com ! <br>
starter: check what we need to do for '88.98.137.158' <br>
loading named conns: MumIn(notfound)[root@server src]# <br>
<br>
The ttoaddr error is coming from another conn (David) which
I'm not trying to load. In that conn David if I change left to
%defaultroute the 3 "howitts.poweredbyclear.com" errors go
away but I don't see why MumIn is not found. My ipsec.conf is:
<br>
<br>
version 2.0 <br>
<br>
# Default policy <br>
#--------------- <br>
<br>
config setup <br>
interfaces=%defaultroute <br>
plutodebug=none <br>
klipsdebug=none <br>
oe=no <br>
protostack=netkey <br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
<br>
<br>
<br>
conn %default <br>
type=tunnel <br>
authby=secret <br>
<br>
# Tunnels defined in separate files <br>
#---------------------------------- <br>
<br>
include /etc/ipsec.d/ipsec.*.conf <br>
<br>
And /etc/ipsec.d/ipsec.unmanaged.MumIn.conf is: <br>
<br>
conn MumIn <br>
type=tunnel <br>
authby=secret <br>
dpdtimeout=120 <br>
dpddelay=30 <br>
auto=add <br>
left=%defaultroute <br>
leftsourceip=192.168.2.1 <br>
leftsubnet=192.168.2.0/24 <br>
leftid=@FromNick <br>
right=%any <br>
rightsubnet=192.168.10.0/24 <br>
salifetime=1h <br>
dpdaction=restart_by_peer <br>
ikelifetime=8h <br>
ike=aes256 <br>
phase2alg=aes256 <br>
<br>
Until I can get these errors to clear, I can't try to
reproduce the dev lo route error. <br>
<br>
As a separate question, the command "ipsec secrets" appears to
load secrets as before, but I notice we now get new files in
the installation. Are we forced to use nss now or
ipsec.*.secrets still OK to use. <br>
<br>
This is using your RHEL rpm. Having to roll back to the rival
for the moment <br>
<br>
Regards, <br>
<br>
Nick <br>
<br>
On 04/01/2013 17:26, Paul Wouters wrote: <br>
<blockquote type="cite"> <br>
On 01/04/2013 12:13 PM, Nick Howitt wrote: <br>
<blockquote type="cite">In Oguz' Yilmaz's case he appears to
have a right specified <br>
(right=RIGHT_EXT_IP) and a leftnexthop
(leftnexthop=LEFT_EXT_GW) rathr <br>
than right=%any and no leftnexthop. :( <br>
</blockquote>
<br>
you can use /usr/libexec/ipsec/addconn --verbose connname to
get a verbose output that includes the routes we got back
for making the decision. <br>
<br>
<blockquote type="cite">We have hit some minor odd issues -
ipsec auto --status does not give <br>
any info on phase2alg unless it is specified. It may also
fail if it is <br>
specified with the hash function e.g. aes256-sha1 but I
need to test <br>
further and my time for testing is very limited. But this
should all be <br>
for another thread...... <br>
</blockquote>
<br>
I've filed that as <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://bugs.libreswan.org/show_bug.cgi?id=53">https://bugs.libreswan.org/show_bug.cgi?id=53</a>
but I also have not had the time yet to look into this. <br>
<br>
Paul <br>
<br>
</blockquote>
<br>
_______________________________________________ <br>
Swan mailing list <br>
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>