<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Paul, Nick,<br>
<br>
This configuration is not accepted by libreswan when NO leftsubnet
is specified.<br>
<br>
conn FIXED_RIGHT_IP <br>
type=tunnel<br>
pfs=yes<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=restart<br>
<b>left=victor.vouters.dyndns.org</b><br>
# left=%defaultroute<br>
leftnexthop=%defaultroute<br>
leftsubnet=0.0.0.0/0<br>
leftupdown="ipsec _updown --route yes"<br>
right=%any<br>
rightsubnet=vhost:%no,%priv<br>
# keyingtries=10<br>
# rekey=yes<br>
rekey=no<br>
auto=add<br>
<br>
<br>
$ tail -f /var/log/messages<br>
Jan 8 17:14:51 victor sudo: philippe : TTY=pts/2 ;
PWD=/home/philippe/openswan-2.6.38 ; USER=root ;
COMMAND=/usr/local/sbin/ipsec addconn --verbose --autoall<br>
Jan 8 17:14:51 victor pluto[15674]: |<br>
Jan 8 17:14:51 victor pluto[15674]: | *received whack message<br>
Jan 8 17:14:51 victor pluto[15674]: <b>connection FIXED_RIGHT_IP
must specify host IP address for our side</b><br>
Jan 8 17:14:51 victor pluto[15674]: attempt to load incomplete
connection<br>
Jan 8 17:14:51 victor pluto[15674]: | * processed 0 messages from
cryptographic helpers<br>
<br>
<pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
On 08/01/2013 16:49, Philippe Vouters wrote:<br>
</div>
<blockquote cite="mid:50EC401C.30702@laposte.net" type="cite">For
problem 1/, this configuration:
<br>
[philippe@victor openswan-2.6.38]$ sudo cat /etc/ipsec.conf
<br>
# The config file changed quite a bit from 1.x.
<br>
# See
<a class="moz-txt-link-freetext" href="http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html">http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html</a>
<br>
<br>
version 2.0
<br>
<br>
# Default policy
<br>
#---------------
<br>
<br>
config setup
<br>
interfaces=%defaultroute
<br>
#plutodebug=none
<br>
plutodebug="all crypt"
<br>
klipsdebug=none
<br>
oe=no
<br>
protostack=netkey # 2.6.x only
<br>
#plutostderrlog=/var/log/openswan
<br>
#plutostderrlogtime=yes
<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
<br>
<br>
# Tunnels defined in separate files
<br>
#----------------------------------
<br>
<br>
include /etc/ipsec.d/ipsec.unmanaged.david.conf
<br>
<br>
$ sudo cat /etc/ipsec.d/ipsec.unmanaged.david.conf
<br>
conn david
<br>
type=tunnel
<br>
authby=secret
<br>
dpdtimeout=120
<br>
dpddelay=30
<br>
auto=add
<br>
# left=howitts.poweredbyclear.com
<br>
left=victor.vouters.dyndns.org
<br>
leftsubnet=192.168.1.0/24
<br>
right=88.98.137.158
<br>
rightsubnet=10.1.0.0/16
<br>
ike=3des-sha1;modp1024
<br>
phase2alg=3des-sha1;modp1024
<br>
dpdaction=hold
<br>
<br>
Causes the following:
<br>
[philippe@victor openswan-2.6.38]$ sudo /usr/local/sbin/ipsec
addconn --verbose --autoall
<br>
opening file: /etc/ipsec.conf
<br>
debugging mode enabled
<br>
including file
'/etc/ipsec.d/ipsec.unmanaged.david.conf'(/etc/ipsec.d/ipsec.unmanaged.david.conf)
from line /etc/ipsec.conf:25
<br>
end of file /etc/ipsec.d/ipsec.unmanaged.david.conf
<br>
resuming /etc/ipsec.conf line 25
<br>
end of file /etc/ipsec.conf
<br>
Loading default conn
<br>
starter: case KH_NOTSET: empty
<br>
starter: case KH_NOTSET: empty
<br>
Loading conn david
<br>
loading all conns according to their auto= settings
<br>
Pass #1: Loading auto=add and auto=route connections
<br>
002 "david": deleting connection
<br>
002 added connection description "david"
<br>
david Pass #2: Loading auto=start connections
<br>
<br>
[philippe@victor openswan-2.6.38]$
<br>
<br>
[philippe@victor openswan-2.6.38]$ tail -f /var/log/secure
<br>
...
<br>
Jan 8 16:40:54 victor pluto[13755]: added connection description
"david"
<br>
Jan 8 16:40:54 victor pluto[13755]: |
192.168.1.0/24===fe80::219:66ff:fe3b:52c8<victor.vouters.dyndns.org>...88.98.137.158<88.98.137.158>===10.1.0.0/16<br>
Jan 8 16:40:54 victor pluto[13755]: | ike_life: 3600s;
ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 0; policy:
PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK
<br>
Jan 8 16:40:54 victor pluto[13755]: | * processed 0 messages from
cryptographic
<br>
<br>
So left=victor.vouters.dyndns.org looks to be quite understood and
accepted in this configuration case.
<br>
<br>
Philippe Vouters (Fontainebleau/France)
<br>
URL: <a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
<br>
SIP: <a class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a>
<br>
<br>
On 08/01/2013 16:19, Paul Wouters wrote:
<br>
<blockquote type="cite">On Tue, 8 Jan 2013, Philippe Vouters
wrote:
<br>
<br>
<blockquote type="cite">Several bugs:
<br>
1/ Libreswan does NOT respect its man:
<br>
left=victor.vouters.dyndns.org
<br>
is perfectly legal.
<br>
</blockquote>
<br>
I am sorry, I don't understand this one. You mean your /etc/hosts
issues,
<br>
or is this something else?
<br>
<br>
<blockquote type="cite">2/ Libreswan only processes the first
globbed file
<br>
include /etc/ipsec.d/ipsec.*.conf
<br>
<br>
3/ Libreswan only processes the first include:
<br>
# Tunnels defined in separate files
<br>
#----------------------------------
<br>
<br>
#include /etc/ipsec.d/ipsec.*.conf
<br>
include /etc/ipsec.d/ipsec.unmanaged.david.conf
<br>
include /etc/ipsec.d/ipsec.unmanaged.mumin.conf
<br>
include /etc/ipsec.d/ipsec.unmanaged.paulin.conf
<br>
<br>
2/ and 3/ are possibly related.
<br>
</blockquote>
<br>
I'll ensure we have that as test cases in readwrite conf....
<br>
<br>
Paul
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
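<p>An added example, not code from the thread or from libreswan: a small pre-flight linter for ipsec.conf that expands every file matched by an include glob (the behaviour bugs 2/ and 3/ say was missing) and flags the pattern the first message shows pluto rejecting, a hostname in left= together with right=%any. That this combination is the trigger is an assumption drawn from the two quoted configs; the conn files built in demo() are constructed to mirror them.</p>

```python
# Added example (not libreswan code): lint ipsec.conf, expanding include globs and
# flagging the pattern the thread shows pluto rejecting: left= hostname, right=%any.
import glob, ipaddress, os, pathlib, tempfile

def parse_ipsec_conf(path):
    """Return {conn_name: {key: value}} for every conn reachable from path."""
    conns, current = {}, None
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()     # drop comments and indentation
            if line.startswith("include "):
                pattern = line[8:].strip()
                if not os.path.isabs(pattern):      # relative to the including file
                    pattern = os.path.join(os.path.dirname(path), pattern)
                for inc in sorted(glob.glob(pattern)):  # every match, not only the first
                    conns.update(parse_ipsec_conf(inc))
            elif line.startswith("conn "):
                current = line[5:].strip()
                conns[current] = {}
            elif line.startswith(("config ", "version ")):
                current = None                      # not a conn section; skip its keys
            elif current is not None and "=" in line:
                key, _, value = line.partition("=")
                conns[current][key.strip()] = value.strip().strip('"')
    return conns

def is_hostname(value):
    """True for a DNS name: not empty, not an IP literal, not a %-keyword like %any."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return bool(value) and not value.startswith("%")
    return False

def lint_conns(conns):
    """(conn, reason) pairs; the rule is an assumption drawn from the thread's two configs."""
    return [(n, f"left={o['left']} is a hostname while right=%any")
            for n, o in conns.items()
            if is_hostname(o.get("left", "")) and o.get("right") == "%any"]

def demo():
    """Constructed config tree mirroring the thread: one glob include, two conn files."""
    files = {"ipsec.conf": "version 2.0\nconfig setup\n\tprotostack=netkey # 2.6.x only\ninclude ipsec.d/ipsec.*.conf\n",
             "ipsec.d/ipsec.david.conf": "conn david\n\tleft=victor.vouters.dyndns.org\n\tleftsubnet=192.168.1.0/24\n\tright=88.98.137.158\n\trightsubnet=10.1.0.0/16\n",
             "ipsec.d/ipsec.rw.conf": "conn FIXED_RIGHT_IP\n\tleft=victor.vouters.dyndns.org\n\tleftsubnet=0.0.0.0/0\n\tright=%any\n\trightsubnet=vhost:%no,%priv\n"}
    root = pathlib.Path(tempfile.mkdtemp())
    for rel, body in files.items():
        (root / rel).parent.mkdir(exist_ok=True)   # creates ipsec.d on first use
        (root / rel).write_text(body)
    conns = parse_ipsec_conf(str(root / "ipsec.conf"))
    return conns, lint_conns(conns)
```

Running demo() loads both conn files through the single glob include and reports only FIXED_RIGHT_IP, matching which of the two configs in the thread pluto refused.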
</body>
</html>