<div dir="ltr">Thanks Philippe,<div><br></div><div>Looking forward to seeing that URL. Are you sure your <a href="http://vouters.dyndns.org/" target="_blank" style="white-space:pre-wrap">http://vouters.dyndns.org/</a> is up?</div>
<div><br></div><div><div><br></div><div>tj</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Mar 8, 2013 at 10:50 AM, Philippe Vouters <span dir="ltr">&lt;<a href="mailto:philippe.vouters@laposte.net" target="_blank">philippe.vouters@laposte.net</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Hi,<br>
      <br>
      Have a look at
      <a href="http://vouters.dyndns.org/tima/Linux-Shrew-VPN-Client-Setting_an_Intranet_VPN_with_Windows_Seven.html" target="_blank">http://vouters.dyndns.org/tima/Linux-Shrew-VPN-Client-Setting_an_Intranet_VPN_with_Windows_Seven.html</a>
      and its &#39;#ipsec auto --status&#39; command. Do consider how the
      Philippe_PSK and FIXED_RIGHT_IP conns are retrieved.<br>
      <br>
      On your side, and even if not connected to the Cisco remote peer,
      the &#39;#ipsec auto --status&#39; should show centos6-asa-net-net.<br>
      Yours truly,<div class="im"><br>
      <pre cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a href="http://vouters.dyndns.org/" target="_blank">http://vouters.dyndns.org/</a>
SIP: <a href="mailto:sip:Vouters@sip.linphone.org" target="_blank">sip:Vouters@sip.linphone.org</a></pre></div>
      On 08/03/2013 17:24, T.J. Yang wrote:<br>
    </div>
    <blockquote type="cite"><div><div class="h5">
      <div dir="ltr">
        <div>1. New /etc/ipsec.conf with tabs, no pound signs,
          public IP masked.</div>
        <div>
          <div>version 2.0</div>
          <div>config setup</div>
          <div>        plutodebug=&quot;control parsing&quot;</div>
          <div>        plutostderrlog=/var/log/ipsec.log</div>
          <div>        protostack=netkey</div>
          <div>        nat_traversal=yes</div>
          <div>        virtual_private=</div>
          <div>        oe=no</div>
          <div>conn centos6-asa-net-net</div>
          <div>        keyingtries=3</div>
          <div>        authby=secret</div>
          <div>        left=x.x.x..5</div>
          <div>        leftsubnet=<a href="http://192.168.50.0/24" target="_blank">192.168.50.0/24</a></div>
          <div>        leftsourceip=192.168.50.254</div>
          <div>        right=x.x.x..4</div>
          <div>        rightsubnet=<a href="http://192.168.40.0/24" target="_blank">192.168.40.0/24</a></div>
          <div>        rightsourceip=192.168.40.254</div>
          <div>        auto=start</div>
          <div>        keyexchange=ike</div>
          <div>        type=tunnel</div>
          <div>        pfs=no</div>
          <div>        phase2=esp</div>
          <div>        phase2alg=3des-sha1</div>
          <div><br>
          </div>
        </div>
        <div>2. /etc/ipsec.d/psk.secrets, with IP and password
          masked.</div>
        <div><br>
        </div>
        <div>
          <div>[root@mlab-centos6-01 ipsec.d]# cat
            /etc/ipsec.d/psk.secrets</div>
          <div>x.x.x.3  x.x.x.5: PSK &quot;MyPassword&quot;</div>
          <div>x.x.x..5 x.x.x.4: PSK &quot;MyPassword&quot;</div>
          <div>[root@mlab-centos6-01 ipsec.d]#</div>
          <div><br>
          </div>
          <div>3. Here is ipsec.log after running the libreswan 3.0
            ipsec command.</div>
          <div><br>
          </div>
        </div>
        <div>
          <br>
        </div>
        <div>
          <div>[root@mlab-centos6-01 ipsec.d]# ipsec setup stop;sleep
            2;&gt;/var/log/ipsec.lo\</div>
          <div>g;ipsec setup start;sleep 2;tail /var/log/ipsec.log</div>
          <div>Redirecting to: service ipsec stop</div>
          <div>Shutting down pluto IKE daemon</div>
          <div>002 shutting down</div>
          <div><br>
          </div>
          <div>Redirecting to: service ipsec start</div>
          <div>Starting pluto IKE daemon for IPsec: ^[[60G[^[[0;32m  OK
             ^[[0;39m]</div>
          <div>listening for IKE messages</div>
          <div>adding interface em1/em1 <a href="http://192.168.50.254:500" target="_blank">192.168.50.254:500</a></div>
          <div>adding interface em1/em1 <a href="http://192.168.50.254:4500" target="_blank">192.168.50.254:4500</a></div>
          <div>adding interface em1/em1 x.x.x.5:500</div>
          <div>adding interface em1/em1 x.x.x.5:4500</div>
          <div>adding interface lo/lo <a href="http://127.0.0.1:500" target="_blank">127.0.0.1:500</a></div>
          <div>adding interface lo/lo <a href="http://127.0.0.1:4500" target="_blank">127.0.0.1:4500</a></div>
          <div>adding interface lo/lo ::1:500</div>
          <div>loading secrets from &quot;/etc/ipsec.secrets&quot;</div>
          <div>loading secrets from &quot;/etc/ipsec.d/psk.secrets&quot;</div>
          <div>[root@mlab-centos6-01 ipsec.d]#</div>
        </div>
        <div><br>
        </div>
        <div>4. No traffic in the Cisco ASDM latest syslog message
          window.</div>
        <div><br>
        </div>
        <div>5. Output from the ipsec status command</div>
        <div>
          <br>
        </div>
        <div>
          <div>[root@mlab-centos6-01 ~]# ipsec status</div>
          <div>000 using kernel interface: netkey</div>
          <div>000 interface lo/lo ::1</div>
          <div>000 interface lo/lo 127.0.0.1</div>
          <div>000 interface lo/lo 127.0.0.1</div>
          <div>000 interface em1/em1 x.x.x.5</div>
          <div>000 interface em1/em1 x.x.x.5</div>
          <div>000 interface em1/em1 192.168.50.254</div>
          <div>000 interface em1/em1 192.168.50.254</div>
          <div>000 %myid = (none)</div>
          <div>000 debug parsing+control</div>
          <div>000</div>
          <div>000 virtual_private (%priv):</div>
          <div>000 - allowed 0 subnets:</div>
          <div>000 - disallowed 0 subnets:</div>
          <div>000 WARNING: Either virtual_private= is not specified, or
            there is a syntax</div>
          <div>000          error in that line.
            &#39;left/rightsubnet=vhost:%priv&#39; will not work!</div>
          <div>000 WARNING: Disallowed subnets in virtual_private= is
            empty. If you have</div>
          <div>000          private address space in internal use, it
            should be excluded!</div>
          <div>000</div>
          <div>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8,
            keysizemin=64, keysizemax=64</div>
          <div>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
            keysizemin=192, keysizemax=192</div>
          <div>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,
            keysizemin=40, keysizemax=128</div>
          <div>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH,
            ivlen=8, keysizemin=40, keysizemax=448</div>
          <div>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
            keysizemin=0, keysizemax=0</div>
          <div>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
            keysizemin=128, keysizemax=256</div>
          <div>000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR,
            ivlen=8, keysizemin=128, keysizemax=256</div>
          <div>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A,
            ivlen=8, keysizemin=128, keysizemax=256</div>
          <div>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B,
            ivlen=8, keysizemin=128, keysizemax=256</div>
          <div>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C,
            ivlen=8, keysizemin=128, keysizemax=256</div>
          <div>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A,
            ivlen=8, keysizemin=160, keysizemax=288</div>
          <div>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B,
            ivlen=12, keysizemin=160, keysizemax=288</div>
          <div>000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C,
            ivlen=16, keysizemin=160, keysizemax=288</div>
          <div>000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA,
            ivlen=8, keysizemin=128, keysizemax=256</div>
          <div>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT,
            ivlen=8, keysizemin=128, keysizemax=256</div>
          <div>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH,
            ivlen=8, keysizemin=128, keysizemax=256</div>
          <div>000 algorithm ESP auth attr: id=1,
            name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128</div>
          <div>000 algorithm ESP auth attr: id=2,
            name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160,
            keysizemax=160</div>
          <div>000 algorithm ESP auth attr: id=5,
            name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256,
            keysizemax=256</div>
          <div>000 algorithm ESP auth attr: id=6,
            name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384,
            keysizemax=384</div>
          <div>000 algorithm ESP auth attr: id=7,
            name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512,
            keysizemax=512</div>
          <div>000 algorithm ESP auth attr: id=8,
            name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160,
            keysizemax=160</div>
          <div>000 algorithm ESP auth attr: id=9,
            name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128</div>
          <div>000 algorithm ESP auth attr: id=251,
            name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0</div>
          <div>000</div>
          <div>000 algorithm IKE encrypt: id=0, name=(null),
            blocksize=16, keydeflen=131</div>
          <div>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
            blocksize=8, keydeflen=192</div>
          <div>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,
            blocksize=16, keydeflen=128</div>
          <div>000 algorithm IKE hash: id=1, name=OAKLEY_MD5,
            hashsize=16</div>
          <div>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1,
            hashsize=20</div>
          <div>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256,
            hashsize=32</div>
          <div>000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384,
            hashsize=48</div>
          <div>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512,
            hashsize=64</div>
          <div>000 algorithm IKE dh group: id=2,
            name=OAKLEY_GROUP_MODP1024, bits=1024</div>
          <div>000 algorithm IKE dh group: id=5,
            name=OAKLEY_GROUP_MODP1536, bits=1536</div>
          <div>000 algorithm IKE dh group: id=14,
            name=OAKLEY_GROUP_MODP2048, bits=2048</div>
          <div>000 algorithm IKE dh group: id=15,
            name=OAKLEY_GROUP_MODP3072, bits=3072</div>
          <div>000 algorithm IKE dh group: id=16,
            name=OAKLEY_GROUP_MODP4096, bits=4096</div>
          <div>000 algorithm IKE dh group: id=17,
            name=OAKLEY_GROUP_MODP6144, bits=6144</div>
          <div>000 algorithm IKE dh group: id=18,
            name=OAKLEY_GROUP_MODP8192, bits=8192</div>
          <div>000 algorithm IKE dh group: id=22,
            name=OAKLEY_GROUP_DH22, bits=1024</div>
          <div>000 algorithm IKE dh group: id=23,
            name=OAKLEY_GROUP_DH23, bits=2048</div>
          <div>000 algorithm IKE dh group: id=24,
            name=OAKLEY_GROUP_DH24, bits=2048</div>
          <div>000</div>
          <div>000 stats db_ops: {curr_cnt, total_cnt, maxsz}
            :context={0,0,0} trans={0,0,0} attrs={0,0,0}</div>
          <div>000</div>
          <div>000</div>
          <div>000</div>
          <div>/usr/sbin/ipsec: unknown IPsec command `status&#39; (`ipsec
            --help&#39; for list)</div>
          <div>[root@mlab-centos6-01 ~]#</div>
          <div><br>
          </div>
        </div>
      </div>
      <div class="gmail_extra">
        <br>
        <br>
        <div class="gmail_quote">On Fri, Mar 8, 2013 at 9:39 AM, Paul
          Wouters <span dir="ltr">&lt;<a href="mailto:pwouters@redhat.com" target="_blank">pwouters@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div>On Fri, 8 Mar 2013, T.J. Yang wrote:<br>
              <br>
              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                Thanks to Paul and Philippe&#39;s pointers. I tried the &quot;oe&quot;
                and spacing suggestions without success. When I do<br>
                an &quot;ipsec auto --add centos6-asa&quot; to add the connection
                manually, /var/log/ipsec.log only shows one line but<br>
                no other message.<br>
                I will keep digging.<br>
              </blockquote>
              <br>
            </div>
            I am confused. Do not do this:<br>
            <br>
            conn foo<br>
                some=value<br>
                other=value<br>
            <br>
                third=value<br>
            <br>
            And don&#39;t do this:<br>
            <br>
            conn foo<br>
                some=value<br>
                other=value<br>
            #    third=value<br>
                fourth=value<br>
            <br>
            But do this:<br>
            <br>
            conn foo<br>
                some=value<br>
                other=value<br>
                #third=value<br>
                fourth=value<span><font color="#888888"><br>
                <br>
                Paul<br>
              </font></span></blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        T.J. Yang
      </div>
      <br>
      <fieldset></fieldset>
      <br>
      </div></div><div class="im"><pre>_______________________________________________
Swan mailing list
<a href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
    </div></blockquote>
    <br>
  </div>

</blockquote></div><br><br clear="all"><div><br></div>-- <br>T.J. Yang
</div>
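Paul's three ipsec.conf layouts and the empty virtual_private= WARNING from the status output, turned into a check. This is an added example, not code from the thread or from libreswan: it assumes the section rules as Paul states them (a section continues only over lines that start with white space, so a blank line or a '#' in column 0 ends it) and runs over a constructed config that repeats both "don't do this" layouts.

```python
import re
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")

def lint_ipsec_conf(text):
    """Return [(line_no, message)] for the ipsec.conf layout pitfalls in the thread:
    a section only continues over lines starting with white space, so a blank line
    or a '#' in column 0 ends it and orphans what follows; an empty virtual_private=
    produces the pluto WARNING shown by the status output."""
    problems, section = [], None  # section = name of the open section, or None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped:
            section = None  # blank line closes the section
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(2)
            continue
        if stripped.startswith("#"):
            if section and not line[0].isspace():
                problems.append((no, f"'#' in column 0 ends section {section}; indent the comment"))
                section = None
            continue
        if stripped.split()[0] in ("version", "include"):
            continue  # top-level directives, not settings
        key, _, value = stripped.partition("=")
        if section is None:
            problems.append((no, f"{key}= is outside any section (after a blank line or column-0 comment)"))
        elif not line[0].isspace():
            problems.append((no, f"{key}= must be indented to belong to section {section}"))
        elif key == "virtual_private" and not value.strip():
            problems.append((no, "virtual_private= is empty; pluto warns and vhost:%priv will not work"))
    return problems

# Constructed input (hypothetical conn names) reproducing both "don't do this" layouts.
BAD_CONF = """\
version 2.0
config setup
        virtual_private=
conn foo
        some=value

        third=value
conn bar
        some=value
#    other=value
        fourth=value
"""
```

`lint_ipsec_conf(BAD_CONF)` reports lines 3, 7, 10 and 11; a conn whose comment is indented and whose settings are not separated by a blank line reports nothing.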