<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Mar 8, 2013 at 11:46 AM, Paul Wouters <span dir="ltr">&lt;<a href="mailto:pwouters@redhat.com" target="_blank">pwouters@redhat.com</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>On 03/08/2013 11:24 AM, T.J. Yang wrote:<br>

</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>
1.  new /etc/ipsec.conf with tabs, no pound signs, public ip masked.<br>
version 2.0<br>
config setup<br>
         plutodebug=&quot;control parsing&quot;<br>
         plutostderrlog=/var/log/ipsec.log<br>
         protostack=netkey<br>
         nat_traversal=yes<br>
         virtual_private=<br>
         oe=no<br>
conn centos6-asa-net-net<br>
         keyingtries=3<br>
         authby=secret<br>
         left=x.x.x..5<br></div>
         leftsubnet=192.168.50.0/24<br>
         leftsourceip=192.168.50.254<br>
         right=x.x.x..4<br>
         rightsubnet=192.168.40.0/24<div><br>
         rightsourceip=192.168.40.254<br>
         auto=start<br>
         keyexchange=ike<br>
         type=tunnel<br>
         pfs=no<br>
         phase2=esp<br>
         phase2alg=3des-sha1<br>
</div></blockquote>
<br>
So what&#39;s the output of:<br>
<br>
ipsec start<br>
ipsec auto --add centos6-asa-net-net<br>
ipsec auto --up centos6-asa-net-net<span><font color="#888888"><br>
<br></font></span></blockquote><div><br></div><div>For version 3.0, after adding the connection, I still need to bring up the connection. This was the step I missed.</div><div> </div><div>&quot;ipsec stop&quot; is not valid for libreswan 3.0. Hopefully, in the 3.1 release, &quot;ipsec start&quot; will start up the connections labelled &quot;auto=start&quot;.</div>

<div><br></div><div>I am really thankful for Paul&#39;s and Philippe&#39;s help.</div><div><br></div><div><br></div><div>[root@il93mlab-centos6-01 ~]# ipsec stop</div><div>/usr/sbin/ipsec: unknown IPsec command `stop&#39; (`ipsec --help&#39; for list)</div>

<div>[root@il93mlab-centos6-01 ~]# ispec version</div><div>-bash: ispec: command not found</div><div>[root@il93mlab-centos6-01 ~]# ipsec version</div><div>Linux Libreswan 3.0 (netkey) on 2.6.32-279.22.1.el6.x86_64</div><div>

[root@il93mlab-centos6-01 ~]# ipsec stop</div><div>/usr/sbin/ipsec: unknown IPsec command `stop&#39; (`ipsec --help&#39; for list)</div><div>[root@il93mlab-centos6-01 ~]# ipsec setup stop</div><div>Redirecting to: service ipsec stop</div>

<div>Shutting down pluto IKE daemon</div><div>002 shutting down</div><div><br></div><div>[root@il93mlab-centos6-01 ~]# ipsec setup start</div><div>Redirecting to: service ipsec start</div><div>Starting pluto IKE daemon for IPsec:                       [  OK  ]</div>

<div>[root@il93mlab-centos6-01 ~]# ipsec auto --add centos6-asa-net-net</div><div>multiple ip addresses, using  10.20.52.5 on em1</div><div>[root@il93mlab-centos6-01 ~]# ipsec auto --up centos6-asa-net-net</div><div>104 &quot;centos6-asa-net-net&quot; #1: STATE_MAIN_I1: initiate</div>

<div>003 &quot;centos6-asa-net-net&quot; #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=draft-ietf-ipsec-nat-t-ike-02/03</div><div>003 &quot;centos6-asa-net-net&quot; #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]</div>

<div>106 &quot;centos6-asa-net-net&quot; #1: STATE_MAIN_I2: sent MI2, expecting MR2</div><div>003 &quot;centos6-asa-net-net&quot; #1: received Vendor ID payload [Cisco-Unity]</div><div>003 &quot;centos6-asa-net-net&quot; #1: received Vendor ID payload [XAUTH]</div>

<div>003 &quot;centos6-asa-net-net&quot; #1: ignoring unknown Vendor ID payload [54da3d7d997900e48394f45bcb1bec70]</div><div>003 &quot;centos6-asa-net-net&quot; #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]</div>

<div>003 &quot;centos6-asa-net-net&quot; #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected</div><div>108 &quot;centos6-asa-net-net&quot; #1: STATE_MAIN_I3: sent MI3, expecting MR3</div><div>

003 &quot;centos6-asa-net-net&quot; #1: received Vendor ID payload [Dead Peer Detection]</div><div>004 &quot;centos6-asa-net-net&quot; #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}</div>

<div>117 &quot;centos6-asa-net-net&quot; #2: STATE_QUICK_I1: initiate</div><div>004 &quot;centos6-asa-net-net&quot; #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=&gt;0x4d9ac07c &lt;0x5e3db534 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none} </div>

<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><font color="#888888">
Paul<br>
<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>T.J. Yang
</div></div>
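<div>Editor's added example (not part of the thread, and not libreswan's own tooling): the <code>ipsec auto --up</code> transcript above is the only place the negotiated parameters show up in one line, so it is worth parsing rather than eyeballing. The script below takes that output (re-typed from the thread as constructed sample input), reports whether the tunnel reached an IPsec SA, and flags the parameters a practitioner would want to revisit: both phases negotiated 3DES, the IKE group is modp1024, and DPD is off. The <code>pfs=no</code> setting in the posted ipsec.conf does not appear in this output at all and has to be checked in the config itself. The function names (<code>parse_pluto_output</code>, <code>tunnel_status</code>, <code>assess</code>) are mine, and the second sample's "retransmission; will wait Ns for response" wording is assumed to match pluto's message for a peer that never answers.</div>

```python
import re

# Constructed sample input: the "ipsec auto --up centos6-asa-net-net" output from the
# thread, re-typed here so the script runs offline (it is not read from a live pluto).
SAMPLE_UP = """\
104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate
003 "centos6-asa-net-net" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=draft-ietf-ipsec-nat-t-ike-02/03
003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
106 "centos6-asa-net-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "centos6-asa-net-net" #1: received Vendor ID payload [Cisco-Unity]
003 "centos6-asa-net-net" #1: received Vendor ID payload [XAUTH]
003 "centos6-asa-net-net" #1: ignoring unknown Vendor ID payload [54da3d7d997900e48394f45bcb1bec70]
003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "centos6-asa-net-net" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "centos6-asa-net-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "centos6-asa-net-net" #1: received Vendor ID payload [Dead Peer Detection]
004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate
004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4d9ac07c <0x5e3db534 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

# Constructed failure case; the retransmission wording is assumed to match pluto's.
SAMPLE_NO_REPLY = """\
104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate
010 "centos6-asa-net-net" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "centos6-asa-net-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
"""

# Every pluto/whack line has the shape: <3-digit code> "<conn>" #<sa>: <message>
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# key=value pairs inside the {...} of an "established" line; "ESP=>" is handled separately
BRACE_KV_RE = re.compile(r'(\w+)=([^\s{}<>]+)')
# ESP=>0xOUTBOUND <0xINBOUND
SPI_RE = re.compile(r'ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)')


def _brace_fields(msg):
    """Return the key=value pairs between the first '{' and last '}' of msg."""
    start, end = msg.find("{"), msg.rfind("}")
    if start < 0 or end < start:
        return {}
    return dict(BRACE_KV_RE.findall(msg[start + 1:end]))


def parse_pluto_output(text):
    """Parse 'ipsec auto --up' output into states, vendor IDs, NAT result and SA params."""
    r = {"conn": None, "states": [], "vendor_ids": [], "nat": None,
         "isakmp": None, "ipsec": None, "retransmissions": 0}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank or non-whack line
        msg = m.group("msg")
        r["conn"] = m.group("conn")
        st = re.match(r"(STATE_\w+):", msg)
        if st:
            r["states"].append(st.group(1))
        vid = re.search(r"Vendor ID payload \[([^\]]+)\]", msg)
        if vid:
            r["vendor_ids"].append(vid.group(1))
        nat = re.search(r"NAT-Traversal: Result using [^:]+: (.+)$", msg)
        if nat:
            r["nat"] = nat.group(1)
        if "retransmission" in msg:
            r["retransmissions"] += 1     # peer not answering (or UDP/500 filtered)
        if "ISAKMP SA established" in msg:
            r["isakmp"] = _brace_fields(msg)
        elif "IPsec SA established" in msg:
            fields = _brace_fields(msg)
            spi = SPI_RE.search(msg)
            if spi:
                fields["spi_out"], fields["spi_in"] = spi.group(1), spi.group(2)
            fields["mode"] = "tunnel" if "tunnel mode" in msg else "transport"
            r["ipsec"] = fields
    return r


def tunnel_status(r):
    """'up' once a child (IPsec) SA exists; otherwise say how far negotiation got."""
    if r["ipsec"] is not None:
        return "up"
    if r["isakmp"] is not None:
        return "phase1-only"              # IKE SA up, quick mode failed (often proposal mismatch)
    if r["retransmissions"]:
        return "no-response"
    return "unknown"


def assess(r):
    """Flag negotiated parameters a reviewer would want changed on both ends."""
    findings = []
    ike, esp = r["isakmp"] or {}, r["ipsec"] or {}
    if "3des" in ike.get("cipher", "").lower():
        findings.append("IKE cipher is 3DES (64-bit block cipher); prefer AES")
    if ike.get("group") == "modp1024":
        findings.append("IKE DH group is modp1024 (1024-bit); prefer modp2048 or larger")
    if "3des" in esp.get("xfrm", "").lower():
        findings.append("ESP cipher is 3DES; prefer AES")
    if esp.get("DPD") == "none":
        findings.append("DPD is off; a dead peer is only noticed at rekey (set dpddelay/dpdtimeout)")
    return findings


if __name__ == "__main__":
    for label, text in (("thread sample", SAMPLE_UP), ("no reply", SAMPLE_NO_REPLY)):
        parsed = parse_pluto_output(text)
        print(f"{label}: conn={parsed['conn']} status={tunnel_status(parsed)}")
        for finding in assess(parsed):
            print("  -", finding)
```

<div>Pipe a real run through it with <code>ipsec auto --up centos6-asa-net-net | python3 check_up.py</code> after replacing the embedded sample with <code>sys.stdin.read()</code>; the SPI pair it extracts (outbound after <code>=&gt;</code>, inbound after <code>&lt;</code>) is what to match against <code>ip xfrm state</code> on the CentOS side and the ASA's SA table when the two ends disagree about whether traffic is flowing.</div>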