<div dir="ltr"><div style>1. new /etc/ipsec.conf with tabs, no pound signs, public ip masked.</div><div style><div>version 2.0</div><div>config setup</div><div> plutodebug="control parsing"</div><div> plutostderrlog=/var/log/ipsec.log</div>
<div> protostack=netkey</div><div> nat_traversal=yes</div><div> virtual_private=</div><div> oe=no</div><div>conn centos6-asa-net-net</div><div> keyingtries=3</div><div> authby=secret</div>
<div> left=x.x.x..5</div><div> leftsubnet=<a href="http://192.168.50.0/24">192.168.50.0/24</a></div><div> leftsourceip=192.168.50.254</div><div> right=x.x.x..4</div><div> rightsubnet=<a href="http://192.168.40.0/24">192.168.40.0/24</a></div>
<div> rightsourceip=192.168.40.254</div><div> auto=start</div><div> keyexchange=ike</div><div> type=tunnel</div><div> pfs=no</div><div> phase2=esp</div><div> phase2alg=3des-sha1</div>
<div><br></div></div><div style>2. /etc/ipsec.d/psk.secrets, with ip,password masked. </div><div style><br></div><div style><div>[root@mlab-centos6-01 ipsec.d]# cat /etc/ipsec.d/psk.secrets</div><div>x.x.x.3 x.x.x.5: PSK "MyPassword"</div>
<div>x.x.x..5 x.x.x.4: PSK "MyPassword"</div><div>[root@mlab-centos6-01 ipsec.d]#</div><div><br></div><div style>3. here is ipsec.log after runing libreswan 3.0 ipsec command.</div><div style><br></div></div><div>
<br></div><div><div>[root@mlab-centos6-01 ipsec.d]# ipsec setup stop;sleep 2;>/var/log/ipsec.lo\</div><div>g;ipsec setup start;sleep 2;tail /var/log/ipsec.log</div><div>Redirecting to: service ipsec stop</div><div>Shutting down pluto IKE daemon</div>
<div>002 shutting down</div><div><br></div><div>Redirecting to: service ipsec start</div><div>Starting pluto IKE daemon for IPsec: ^[[60G[^[[0;32m OK ^[[0;39m]</div><div>listening for IKE messages</div><div>adding interface em1/em1 <a href="http://192.168.50.254:500">192.168.50.254:500</a></div>
<div>adding interface em1/em1 <a href="http://192.168.50.254:4500">192.168.50.254:4500</a></div><div>adding interface em1/em1 x.x.x.5:500</div><div>adding interface em1/em1 x.x.x.5:4500</div><div>adding interface lo/lo <a href="http://127.0.0.1:500">127.0.0.1:500</a></div>
<div>adding interface lo/lo <a href="http://127.0.0.1:4500">127.0.0.1:4500</a></div><div>adding interface lo/lo ::1:500</div><div>loading secrets from "/etc/ipsec.secrets"</div><div>loading secrets from "/etc/ipsec.d/psk.secrets"</div>
<div>[root@mlab-centos6-01 ipsec.d]#</div></div><div><br></div><div style>4. No traffic on Cisco ADSM latest syslog message window.</div><div style><br></div><div style>5. output from ipsec status command</div><div style>
<br></div><div style><div>[root@mlab-centos6-01 ~]# ipsec status</div><div>000 using kernel interface: netkey</div><div>000 interface lo/lo ::1</div><div>000 interface lo/lo 127.0.0.1</div><div>000 interface lo/lo 127.0.0.1</div>
<div>000 interface em1/em1 x.x.x.5</div><div>000 interface em1/em1 x.x.x.5</div><div>000 interface em1/em1 192.168.50.254</div><div>000 interface em1/em1 192.168.50.254</div><div>000 %myid = (none)</div><div>000 debug parsing+control</div>
<div>000</div><div>000 virtual_private (%priv):</div><div>000 - allowed 0 subnets:</div><div>000 - disallowed 0 subnets:</div><div>000 WARNING: Either virtual_private= is not specified, or there is a syntax</div><div>000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!</div>
<div>000 WARNING: Disallowed subnets in virtual_private= is empty. If you have</div><div>000 private address space in internal use, it should be excluded!</div><div>000</div><div>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64</div>
<div>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192</div><div>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128</div><div>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448</div>
<div>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0</div><div>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288</div><div>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288</div><div>000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288</div>
<div>000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160</div><div>000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256</div>
<div>000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384</div><div>000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512</div>
<div>000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160</div><div>000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0</div>
<div>000</div><div>000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131</div><div>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192</div><div>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128</div>
<div>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16</div><div>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20</div><div>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32</div><div>000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48</div>
<div>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64</div><div>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024</div><div>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536</div>
<div>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048</div><div>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072</div><div>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096</div>
<div>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144</div><div>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192</div><div>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024</div>
<div>000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048</div><div>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048</div><div>000</div><div>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}</div>
<div>000</div><div>000</div><div>000</div><div>/usr/sbin/ipsec: unknown IPsec command `status' (`ipsec --help' for list)</div><div>[root@mlab-centos6-01 ~]#</div><div><br></div></div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Fri, Mar 8, 2013 at 9:39 AM, Paul Wouters <span dir="ltr"><<a href="mailto:pwouters@redhat.com" target="_blank">pwouters@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Fri, 8 Mar 2013, T.J. Yang wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks to Paul and Philippe's pointers. I tried the "oe" and spacing suggestion without success. when I do<br>
a "ipsec auto --add centos6-asa" to add connection manually. /var/log/ipsec.log only showing one line but<br>
no other message.<br>
I will keep digging<br>
</blockquote>
<br></div>
I am confused. Do not do this:<br>
<br>
conn foo<br>
some=value<br>
other=value<br>
<br>
third=value<br>
<br>
And don't do this:<br>
<br>
conn foo<br>
some=value<br>
other=value<br>
# third=value<br>
fourth=value<br>
<br>
But do this:<br>
<br>
conn foo<br>
some=value<br>
other=value<br>
#third=value<br>
fourth=value<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>T.J. Yang
</div>