<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Mar 8, 2013 at 12:18 PM, Paul Wouters <span dir="ltr"><<a href="mailto:pwouters@redhat.com" target="_blank">pwouters@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">On 03/08/2013 01:07 PM, T.J. Yang wrote:<br>
<br>
Sorry, yes the alias "ipsec start" and "ipsec stop" do map to "ipsec setup start/stop"<br>
<br>
So your connection comes up fine. Are you saying it did not come up despite auto=start?</blockquote><div><br></div><div style>yes.</div><div style> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I know there was an SElinux policy with include files that Tuomo ran into. You might want to run a test with SElinux in permissive mode for that.<br>
<br></blockquote><div><br></div><div style>My SELinux was indeed in enforcing mode (hmm, but this worked with Openswan). I have it set to disabled now and "auto=start" still didn't bring up the connection automatically.</div>
<div style>A manual startup is still needed.</div><div style><br></div><div><div>[root@mlab-centos6-01 ~]# grep ^SELINUX= /etc/selinux/config</div><div>SELINUX=disabled</div><div>[root@mlab-centos6-01 ~]# ipsec version</div>
<div>Linux Libreswan 3.0 (netkey) on 2.6.32-279.22.1.el6.x86_64</div></div><div><div>[root@mlab-centos6-01 ~]# ipsec setup start</div><div>Redirecting to: service ipsec start</div><div>Starting pluto IKE daemon for IPsec: [ OK ]</div>
<div>[root@mlab-centos6-01 ~]# ipsec auto --add centos6-asa-net-net</div><div>multiple ip addresses, using 10.22.52.5 on em1</div><div>[root@mlab-centos6-01 ~]# ipsec auto --up centos6-asa-net-net</div><div>104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate</div>
<div>003 "centos6-asa-net-net" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=draft-ietf-ipsec-nat-t-ike-02/03</div><div>003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]</div>
<div>106 "centos6-asa-net-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2</div><div>003 "centos6-asa-net-net" #1: received Vendor ID payload [Cisco-Unity]</div><div>003 "centos6-asa-net-net" #1: received Vendor ID payload [XAUTH]</div>
<div>003 "centos6-asa-net-net" #1: ignoring unknown Vendor ID payload [9b157c17d3429c04a6b315d5e624bdb4]</div><div>003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]</div>
<div>003 "centos6-asa-net-net" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected</div><div>108 "centos6-asa-net-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3</div><div>
003 "centos6-asa-net-net" #1: received Vendor ID payload [Dead Peer Detection]</div><div>004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}</div>
<div>117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate</div><div>004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb8143c93 <0x2d1ebea5 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}</div>
<div>[root@mlab-centos6-01 ~]#</div></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Paul<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="im">
On Fri, Mar 8, 2013 at 11:46 AM, Paul Wouters <<a href="mailto:pwouters@redhat.com" target="_blank">pwouters@redhat.com</a>> wrote:<br></div><div class="im">
<br>
On 03/08/2013 11:24 AM, T.J. Yang wrote:<br>
<br>
1. new /etc/ipsec.conf with tabs, no pound signs, public ip masked.<br>
version 2.0<br>
config setup<br>
plutodebug="control parsing"<br></div>
plutostderrlog=/var/log/ipsec.__log<div><div class="h5"><br>
protostack=netkey<br>
nat_traversal=yes<br>
virtual_private=<br>
oe=no<br>
conn centos6-asa-net-net<br>
keyingtries=3<br>
authby=secret<br>
left=x.x.x.5<br>
leftsubnet=192.168.50.0/24<br>
leftsourceip=192.168.50.254<br>
right=x.x.x.4<br>
rightsubnet=192.168.40.0/24<br>
<br>
rightsourceip=192.168.40.254<br>
auto=start<br>
keyexchange=ike<br>
type=tunnel<br>
pfs=no<br>
phase2=esp<br>
phase2alg=3des-sha1<br>
<br>
<br>
So what's the output of:<br>
<br>
ipsec start<br>
ipsec auto --add centos6-asa-net-net<br>
ipsec auto --up centos6-asa-net-net<br>
<br>
<br>
For version 3.0, after adding the connection, I still need to bring up the<br>
connection. This was the step I missed.<br>
"ipsec stop" is not valid for 3.0 libreswan. Hopefully, in the 3.1 release,<br>
"ipsec start" will start up the connection labelled as "auto=start".<br>
<br>
I am really thankful for Paul and Philippe's help.<br>
<br>
<br>
[root@il93mlab-centos6-01 ~]# ipsec stop<br>
/usr/sbin/ipsec: unknown IPsec command `stop' (`ipsec --help' for list)<br>
[root@il93mlab-centos6-01 ~]# ispec version<br>
-bash: ispec: command not found<br>
[root@il93mlab-centos6-01 ~]# ipsec version<br>
Linux Libreswan 3.0 (netkey) on 2.6.32-279.22.1.el6.x86_64<br>
[root@il93mlab-centos6-01 ~]# ipsec stop<br>
/usr/sbin/ipsec: unknown IPsec command `stop' (`ipsec --help' for list)<br>
[root@il93mlab-centos6-01 ~]# ipsec setup stop<br>
Redirecting to: service ipsec stop<br>
Shutting down pluto IKE daemon<br>
002 shutting down<br>
<br>
[root@il93mlab-centos6-01 ~]# ipsec setup start<br>
Redirecting to: service ipsec start<br>
Starting pluto IKE daemon for IPsec: [ OK ]<br>
[root@il93mlab-centos6-01 ~]# ipsec auto --add centos6-asa-net-net<br>
multiple ip addresses, using 10.20.52.5 on em1<br>
[root@il93mlab-centos6-01 ~]# ipsec auto --up centos6-asa-net-net<br>
104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate<br>
003 "centos6-asa-net-net" #1: received Vendor ID payload<br>
[draft-ietf-ipsec-nat-t-ike-02_n] method set<br>
to=draft-ietf-ipsec-nat-t-ike-02/03<br>
003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco IKE<br>
Fragmentation]<br>
106 "centos6-asa-net-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>
003 "centos6-asa-net-net" #1: received Vendor ID payload [Cisco-Unity]<br>
003 "centos6-asa-net-net" #1: received Vendor ID payload [XAUTH]<br>
003 "centos6-asa-net-net" #1: ignoring unknown Vendor ID payload<br>
[54da3d7d997900e48394f45bcb1bec70]<br>
003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco VPN 3000<br>
Series]<br>
003 "centos6-asa-net-net" #1: NAT-Traversal: Result using<br>
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected<br>
108 "centos6-asa-net-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
003 "centos6-asa-net-net" #1: received Vendor ID payload [Dead Peer<br>
Detection]<br>
004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established<br>
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha<br>
group=modp1024}<br>
117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate<br>
004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA<br>
established tunnel mode {ESP=>0x4d9ac07c <0x5e3db534<br>
xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br>
<br>
Paul<br>
<br>
<br>
<br>
<br>
--<br>
T.J. Yang<br>
</div></div></blockquote>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>T.J. Yang
</div></div>
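Added example (not code from this thread or from Libreswan): a small Python parser for the "ipsec auto --up" output pasted above. It pulls the negotiated ISAKMP and IPsec SA parameters out of pluto's status lines and then flags the weak choices that are visible in this particular exchange (pre-shared key authentication, 3DES for both IKE and ESP, a 1024-bit DH group). The sample lines are copied from the transcript in the mail; the status-line layout, the MODP group sizes and the "weak" thresholds (anything below modp2048, any 3DES) are the example's own assumptions, not something the thread or Libreswan states.

```python
import re

# Constructed sample input: the lines pluto printed for
# "ipsec auto --up centos6-asa-net-net" in the thread above (abridged).
SAMPLE_OUTPUT = """\
104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate
003 "centos6-asa-net-net" #1: received Vendor ID payload [Cisco-Unity]
003 "centos6-asa-net-net" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "centos6-asa-net-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate
004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb8143c93 <0x2d1ebea5 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

# Assumed pluto status-line layout: <3-digit code> "<conn>" #<sa number>: <message>
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
BRACES_RE = re.compile(r'\{([^}]*)\}')
SPI_RE = re.compile(r'ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)')

# Modulus size in bits of the MODP groups under the names pluto prints.
MODP_BITS = {"modp768": 768, "modp1024": 1024, "modp1536": 1536,
             "modp2048": 2048, "modp3072": 3072, "modp4096": 4096}


def _params(msg):
    """Turn the '{k=v k=v ...}' tail of an 'SA established' line into a dict."""
    m = BRACES_RE.search(msg)
    if not m:
        return {}
    body = m.group(1)
    params = {}
    spi = SPI_RE.search(body)  # "ESP=>out <in" SPI pair, present on the IPsec SA line only
    if spi:
        params["spi_out"], params["spi_in"] = spi.group(1), spi.group(2)
        body = body[:spi.start()] + body[spi.end():]
    for tok in body.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            params[k] = v
    return params


def parse_up_output(text):
    """Extract the negotiated ISAKMP (IKE) and IPsec SA parameters from 'ipsec auto --up' output."""
    sa = {"conn": None, "isakmp": None, "ipsec": None, "nat_detected": None}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sa["conn"] = m.group("conn")
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            sa["isakmp"] = _params(msg)
        elif "IPsec SA established" in msg:
            p = _params(msg)
            p["mode"] = "tunnel" if "tunnel mode" in msg else "transport"
            sa["ipsec"] = p
        elif "NAT-Traversal: Result" in msg:
            sa["nat_detected"] = "no NAT detected" not in msg
    return sa


def assess(sa):
    """Return human-readable findings for weak parameters in a parsed SA record (thresholds assumed)."""
    findings = []
    ike = sa.get("isakmp") or {}
    esp = sa.get("ipsec") or {}
    if ike.get("auth") == "OAKLEY_PRESHARED_KEY":
        findings.append("IKE authentication is a pre-shared key; prefer certificates "
                        "(authby=rsasig) or at least a long random secret")
    cipher = ike.get("cipher", "")
    if "3des" in cipher.lower():
        findings.append(f"IKE cipher {cipher} is 3DES, a 64-bit block cipher; use AES")
    group = ike.get("group", "")
    bits = MODP_BITS.get(group)
    if bits is not None and bits < 2048:
        findings.append(f"IKE DH group {group} is only {bits}-bit; use modp2048 or larger")
    xfrm = esp.get("xfrm", "")
    if xfrm.upper().startswith("3DES"):
        findings.append(f"ESP transform {xfrm} uses 3DES; use AES (e.g. AES-GCM)")
    return findings


if __name__ == "__main__":
    parsed = parse_up_output(SAMPLE_OUTPUT)
    print(parsed)
    for finding in assess(parsed):
        print("WEAK:", finding)
```

Run it as-is to see the four findings for the tunnel in the thread, or pipe real output in with `ipsec auto --up <conn> | python3 this_script.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`. The SPI pair and the `xfrm=` transform are the fields worth keeping in a change ticket, since they identify exactly which SA was negotiated against the ASA.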