<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Dear T.J. Yang,<br>
<br>
At first glance, my Web site is up and accessible. The time is now
19:52 French time and the last access to my
<a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/tima/">http://vouters.dyndns.org/tima/</a> Web directory was at 19:36:09,
as per what Apache tells me.<br>
<pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
On 08/03/2013 18:18, T.J. Yang wrote:<br>
</div>
<blockquote
cite="mid:CAD2GW8odtNGM250-=BzkFM8Ccwp2AA6YjeJvoepWOFRNOZs++A@mail.gmail.com"
type="cite">
<div dir="ltr">Thanks Philippe,
<div><br>
</div>
<div>Looking forward to seeing that URL. Are you sure your <a
moz-do-not-send="true" href="http://vouters.dyndns.org/"
target="_blank" style="white-space:pre-wrap">http://vouters.dyndns.org/</a> is
up?</div>
<div><br>
</div>
<div>
<div><br>
</div>
<div style="">tj</div>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Mar 8, 2013 at 10:50 AM,
Philippe Vouters <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:philippe.vouters@laposte.net" target="_blank">philippe.vouters@laposte.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi,<br>
<br>
Have a look at <a moz-do-not-send="true"
href="http://vouters.dyndns.org/tima/Linux-Shrew-VPN-Client-Setting_an_Intranet_VPN_with_Windows_Seven.html"
target="_blank">http://vouters.dyndns.org/tima/Linux-Shrew-VPN-Client-Setting_an_Intranet_VPN_with_Windows_Seven.html</a>
and its '#ipsec auto --status' command. Do consider how the
Philippe_PSK and FIXED_RIGHT_IP conns are retrieved.<br>
<br>
On your side, even if not connected to the Cisco
remote peer, '#ipsec auto --status' should show
centos6-asa-net-net.<br>
Yours truly,
<div class="im"><br>
<pre cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a moz-do-not-send="true" href="http://vouters.dyndns.org/" target="_blank">http://vouters.dyndns.org/</a>
SIP: <a moz-do-not-send="true" href="mailto:sip:Vouters@sip.linphone.org" target="_blank">sip:Vouters@sip.linphone.org</a></pre>
</div>
On 08/03/2013 17:24, T.J. Yang wrote:<br>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">
<div>1. New /etc/ipsec.conf with tabs, no pound
signs, public IP masked.</div>
<div>
<pre>version 2.0
config setup
	plutodebug="control parsing"
	plutostderrlog=/var/log/ipsec.log
	protostack=netkey
	nat_traversal=yes
	virtual_private=
	oe=no
conn centos6-asa-net-net
	keyingtries=3
	authby=secret
	left=x.x.x..5
	leftsubnet=192.168.50.0/24
	leftsourceip=192.168.50.254
	right=x.x.x..4
	rightsubnet=192.168.40.0/24
	rightsourceip=192.168.40.254
	auto=start
	keyexchange=ike
	type=tunnel
	pfs=no
	phase2=esp
	phase2alg=3des-sha1</pre>
<div><br>
</div>
</div>
<div>2. /etc/ipsec.d/psk.secrets, with
IP and password masked.</div>
<div><br>
</div>
<div>
<pre>[root@mlab-centos6-01 ipsec.d]# cat /etc/ipsec.d/psk.secrets
x.x.x.3 x.x.x.5: PSK "MyPassword"
x.x.x..5 x.x.x.4: PSK "MyPassword"
[root@mlab-centos6-01 ipsec.d]#</pre>
<div><br>
</div>
<div>3. Here is ipsec.log after running the libreswan
3.0 ipsec command.</div>
<div><br>
</div>
</div>
<div> <br>
</div>
<div>
<pre>[root@mlab-centos6-01 ipsec.d]# ipsec setup stop;sleep 2;>/var/log/ipsec.lo\
g;ipsec setup start;sleep 2;tail /var/log/ipsec.log
Redirecting to: service ipsec stop
Shutting down pluto IKE daemon
002 shutting down

Redirecting to: service ipsec start
Starting pluto IKE daemon for IPsec: ^[[60G[^[[0;32m OK ^[[0;39m]
listening for IKE messages
adding interface em1/em1 192.168.50.254:500
adding interface em1/em1 192.168.50.254:4500
adding interface em1/em1 x.x.x.5:500
adding interface em1/em1 x.x.x.5:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
loading secrets from "/etc/ipsec.d/psk.secrets"
[root@mlab-centos6-01 ipsec.d]#</pre>
</div>
<div><br>
</div>
<div>4. No traffic in the Cisco ASDM latest syslog
messages window.</div>
<div><br>
</div>
<div>5. Output from the ipsec status command</div>
<div> <br>
</div>
<div>
<pre>[root@mlab-centos6-01 ~]# ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface em1/em1 x.x.x.5
000 interface em1/em1 x.x.x.5
000 interface em1/em1 192.168.50.254
000 interface em1/em1 192.168.50.254
000 %myid = (none)
000 debug parsing+control
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000
000
/usr/sbin/ipsec: unknown IPsec command `status' (`ipsec --help' for list)
[root@mlab-centos6-01 ~]#</pre>
<div><br>
</div>
</div>
</div>
<div class="gmail_extra"> <br>
<br>
<div class="gmail_quote">On Fri, Mar 8, 2013 at
9:39 AM, Paul Wouters <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:pwouters@redhat.com"
target="_blank">pwouters@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div>On Fri, 8 Mar 2013, T.J. Yang wrote:<br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
 Thanks to">
#ccc solid;padding-left:1ex"> Thanks to
Paul and Philippe's pointers. I tried the
"oe" and spacing suggestion without
success. When I do<br>
an "ipsec auto --add centos6-asa" to add the
connection manually, /var/log/ipsec.log
only shows one line but<br>
no other message.<br>
I will keep digging.<br>
</blockquote>
<br>
</div>
I am confused. Do not do this:<br>
<br>
conn foo<br>
some=value<br>
other=value<br>
<br>
third=value<br>
<br>
And don't do this:<br>
<br>
conn foo<br>
some=value<br>
other=value<br>
# third=value<br>
fourth=value<br>
<br>
But do this:<br>
<br>
conn foo<br>
some=value<br>
other=value<br>
#third=value<br>
fourth=value<span><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
T.J. Yang </div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<div class="im">
<pre>_______________________________________________
Swan mailing list
<a moz-do-not-send="true" href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a>
<a moz-do-not-send="true" href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
T.J. Yang
</div>
</blockquote>
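<div class="added-example">
<p>Added example, not code from libreswan or from any of the thread's authors: a small Python linter that checks an ipsec.conf and psk.secrets pair for the pitfalls this thread turns on. It flags a blank line inside a conn section and an indented <tt># key=value</tt> comment line, the two layouts Paul's reply advises against; an empty <tt>virtual_private=</tt>, which is what produced the WARNING lines in T.J.'s status output; and a conn with <tt>authby=secret</tt> whose left and right addresses are not both indexed by a single psk.secrets line, so pluto would have no pre-shared key for that peer. The sample files are constructed, with RFC 5737 documentation addresses standing in for the masked x.x.x.N ones and a deliberate typo in the second secrets line; how each pitfall affects parsing depends on the libreswan version, so the script reports them rather than modelling them.</p>

```python
"""Lint an ipsec.conf / psk.secrets pair for the pitfalls raised in this thread.
Added example, not libreswan code.  Assumptions: sections are 'config setup' or
'conn NAME' at column 0 with indented key=value lines; a blank line or an indented
'# ...' comment inside a section is what Paul's reply warns against; a conn with
authby=secret needs one psk.secrets line indexing both its left and right IDs (IP
literals, as in the thread).  Pitfalls are reported, not modelled."""
import ipaddress
import re

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")
KEY_RE = re.compile(r"^\s+([A-Za-z_][\w-]*)=(.*)$")
PSK_RE = re.compile(r'^(.*?):\s*PSK\s+"([^"]*)"\s*$')


def parse_ipsec_conf(text):
    """Return (sections, findings); sections maps 'conn NAME' -> {key: value}."""
    sections, findings, current, pending_blank = {}, [], None, None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        header = SECTION_RE.match(line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current], pending_blank = {}, None
        elif stripped == "":
            if current is not None and pending_blank is None:
                pending_blank = lineno  # only a problem if the section continues
        elif stripped.startswith("#"):
            if line[0] in " \t" or re.match(r"#\s+\S+=", stripped):
                findings.append((lineno, "comment should be '#key=value' in column 0, not indented"))
        elif current is None and stripped.startswith("version "):
            pass  # 'version 2.0' precedes all sections
        else:
            key = KEY_RE.match(line)
            if key and current is not None:
                if pending_blank is not None:
                    findings.append((pending_blank, f"blank line inside section '{current}'"))
                    pending_blank = None
                sections[current][key.group(1)] = key.group(2).strip()
            else:
                findings.append((lineno, f"unparsed line (keys must be indented under a section): {stripped!r}"))
    return sections, findings


def is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def parse_psk_secrets(text):
    """Return [(frozenset(ids), secret)] from lines like 'ip1 ip2 : PSK "secret"'."""
    entries = []
    for line in text.splitlines():
        m = PSK_RE.match(line.strip())
        if m and not line.lstrip().startswith("#"):
            entries.append((frozenset(m.group(1).split()), m.group(2)))
    return entries


def lint(conf_text, secrets_text):
    """Run all checks; returns [(lineno, message)], lineno 0 for file-level findings."""
    sections, findings = parse_ipsec_conf(conf_text)
    entries = parse_psk_secrets(secrets_text)
    if sections.get("config setup", {}).get("virtual_private") == "":
        findings.append((0, "config setup: virtual_private= is empty; pluto warns that "
                            "left/rightsubnet=vhost:%priv will not work"))
    for name, keys in sections.items():
        if not name.startswith("conn ") or keys.get("authby") != "secret":
            continue
        ends = {keys.get("left", ""), keys.get("right", "")}
        if any(e.startswith(("%", "@")) for e in ends):
            continue  # %defaultroute, %any, @fqdn IDs are outside this example
        bad = sorted(e for e in ends if not is_ip(e))
        if bad:
            findings.append((0, f"{name}: not IP address literals: {', '.join(bad)}"))
        elif not any(ends <= ids for ids, _ in entries):
            findings.append((0, f"{name}: no psk.secrets line indexes both {' and '.join(sorted(ends))}"))
    return findings


# Constructed sample files modelled on the thread's; RFC 5737 documentation addresses
# stand in for the masked x.x.x.N ones, and the secrets typo (192.0.2.44) is deliberate.
SAMPLE_IPSEC_CONF = """\
version 2.0
config setup
\tprotostack=netkey
\tvirtual_private=
conn centos6-asa-net-net
\tauthby=secret
\tleft=192.0.2.5
\tleftsubnet=192.168.50.0/24

\tright=192.0.2.4
\t# rightsubnet=192.168.40.0/24
\trightsubnet=192.168.40.0/24
\tauto=start
\tphase2alg=3des-sha1
"""
SAMPLE_PSK_SECRETS = """\
198.51.100.3 192.0.2.5: PSK "MyPassword"
192.0.2.5 192.0.2.44: PSK "MyPassword"
"""

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE_IPSEC_CONF, SAMPLE_PSK_SECRETS):
        print(f"ipsec.conf:{lineno}: {message}" if lineno else message)
```

<p>Run as-is the script reports four findings on the constructed sample: the blank line and the indented comment inside the conn, the empty <tt>virtual_private=</tt>, and the conn whose <tt>right=</tt> address matches no secrets line. A lint pass is no substitute for <tt>ipsec auto --status</tt>, which on libreswan 3.0 is the spelling of the status command that the thread's <tt>ipsec status</tt> attempt lacked, and which should list the conn once the file parses.</p>
</div>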
<br>
</body>
</html>