<div dir="ltr">
<p>Hi,</p>
<p>I am testing whether an existing openswan connection between CentOS 6.3 and a Cisco ASA5550 can be switched to libreswan. The ASA5550 has its logging sent to the CentOS 6 rsyslog server. The same left machine (x.x.x.5) using openswan can make the connection OK, and it logged the successful IPsec connection in the rsyslog file.</p>
<p>But once I switched over to libreswan using the same config file, I got very few error messages in /var/log/ipsec.log about the connection centos-asa, and on the ASA side there is no connection attempt shown.</p>
<p>/etc/ipsec.conf</p>
<pre>
version 2.0
config setup
 plutodebug="control parsing"
 dumpdir=/var/run/pluto/
 nat_traversal=yes
 #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10

 oe=off
 protostack=netkey
 plutostderrlog=/var/log/ipsec.log

conn connection-asa
 keyingtries=3
 authby=secret
 left=x.x.x.5
 leftsubnet=192.168.50.0/24
 leftsourceip=192.168.50.254
 # the ASA5550
 right=x.x.x..4
 rightsubnet=192.168.40.0/24
 rightsourceip=192.168.40.254
 auto=start
 keyexchange=ike
 type=tunnel
 pfs=no
 phase2=esp
 phase2alg=3des-sha1
</pre>
<pre>
[root@mlab-centos6-01 ~]# ipsec setup stop;&gt;/var/log/ipsec.log;ipsec setup start;sleep 5;tail -n 30 /var/log/ipsec.log
Redirecting to: service ipsec stop
Shutting down pluto IKE daemon
002 shutting down

Redirecting to: service ipsec start
Starting pluto IKE daemon for IPsec: [ OK ]
NSS crypto [enabled]
XAUTH PAM support [enabled]
HAVE_STATSD notification support [disabled]
Setting NAT-Traversal port-4500 floating to on
 port floating activation criteria nat_t=1/port_float=1
 NAT-Traversal support [enabled]
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
no helpers will be started, all cryptographic operations will be done inline
Using Linux XFRM/NETKEY IPsec interface code on 2.6.32-279.22.1.el6.x86_64
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
listening for IKE messages
adding interface em1/em1 x.x.x.5:500
adding interface em1/em1 x.x.x..5:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
[root@mlab-centos6-01 ~]# ipsec version
Linux Libreswan 3.0 (netkey) on 2.6.32-279.22.1.el6.x86_64
[root@mlab-centos6-01 ~]#
</pre>
<p>Can someone provide me with debugging pointers?</p>
<p>I feel like the "conn centos-asa" part was not loaded in /etc/ipsec.conf at all.</p>
<p>-- <br>T.J. Yang</p>
</div>
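<p>A first debugging step for "was my conn loaded at all?" is to check, independently of pluto, which sections the ipsec.conf file actually defines and whether every parameter line sits inside a section (ipsec.conf requires parameter lines to be indented under a <code>config setup</code> or <code>conn NAME</code> header). The following is an added example written for this thread, not code from the original post or from the libreswan project: a small parser for the openswan/libreswan ipsec.conf layout. The embedded sample config is constructed to mirror the posted one, with documentation-range placeholder addresses in place of the x.x.x.N values; the function names (<code>parse_ipsec_conf</code>, <code>conn_names</code>, <code>check_conn_defined</code>, <code>autostart_conns</code>) are this example's own.</p>

```python
"""Parse an openswan/libreswan-style ipsec.conf and report what it defines.

Added example for the mailing-list thread above; not libreswan code.
SAMPLE_CONF is a constructed config modelled on the posted one, using
192.0.2.x (TEST-NET) placeholders for the anonymised addresses.
"""
import re

SAMPLE_CONF = """\
version 2.0
config setup
    plutodebug="control parsing"
    nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16
    oe=off
    protostack=netkey
    plutostderrlog=/var/log/ipsec.log

conn connection-asa
    keyingtries=3
    authby=secret
    left=192.0.2.5
    leftsubnet=192.168.50.0/24
    leftsourceip=192.168.50.254
    # the ASA5550 (placeholder address)
    right=192.0.2.4
    rightsubnet=192.168.40.0/24
    rightsourceip=192.168.40.254
    auto=start
    keyexchange=ike
    type=tunnel
    pfs=no
    phase2=esp
    phase2alg=3des-sha1
"""

# A section header is unindented: "config setup" or "conn NAME".
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
# A parameter line must be indented: "    key=value".
PARAM_RE = re.compile(r"^\s+([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")


def parse_ipsec_conf(text):
    """Return (sections, problems).

    sections maps (kind, name) -> {key: value}, e.g. ("conn", "connection-asa").
    problems is a list of human-readable findings: duplicate sections,
    unindented parameters, and lines the parser could not classify.
    """
    sections = {}
    problems = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        # '#' starts a comment; a '#' inside a quoted value is not handled here.
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.split()[0] in ("version", "include"):
            current = None  # top-level directives end the current section
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            if current in sections:
                problems.append(f"line {lineno}: duplicate section {current[0]} {current[1]}")
            sections.setdefault(current, {})
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            sections[current][key] = value.strip('"')
            continue
        if m:
            problems.append(f"line {lineno}: parameter '{m.group(1)}' outside any section")
            continue
        # Typically an unindented key=value, which pluto will not treat as a parameter.
        problems.append(f"line {lineno}: unparsed line: {raw!r}")
    return sections, problems


def conn_names(sections):
    """Sorted list of conn names the file defines."""
    return sorted(name for kind, name in sections if kind == "conn")


def check_conn_defined(sections, wanted):
    """True if a 'conn <wanted>' section exists."""
    return ("conn", wanted) in sections


def autostart_conns(sections):
    """Conns pluto would try to bring up at start (auto=start)."""
    return sorted(name for (kind, name), params in sections.items()
                  if kind == "conn" and params.get("auto") == "start")


if __name__ == "__main__":
    secs, probs = parse_ipsec_conf(SAMPLE_CONF)
    print("conn sections defined:", conn_names(secs))
    print("auto=start conns:", autostart_conns(secs))
    for name in ("centos-asa", "connection-asa"):
        state = "defined" if check_conn_defined(secs, name) else "NOT defined"
        print(f"{name}: {state}")
    for p in probs:
        print("problem:", p)
```

<p>Run over the posted config, the name list shows which conn names the file really contains, so the name you expect to see in the log can be compared against it; an unindented <code>key=value</code> line is reported as unparsed rather than silently dropped. For the daemon's own view, <code>ipsec auto --status</code> lists the connections pluto has loaded, and <code>ipsec auto --add NAME</code> reports a parse error for a conn it cannot load.</p>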