<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Mar 8, 2013 at 11:46 AM, Paul Wouters <span dir="ltr"><<a href="mailto:pwouters@redhat.com" target="_blank">pwouters@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>On 03/08/2013 11:24 AM, T.J. Yang wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>
1. new /etc/ipsec.conf with tabs, no pound signs, public ip masked.<br>
version 2.0<br>
config setup<br>
plutodebug="control parsing"<br>
plutostderrlog=/var/log/ipsec.log<br>
protostack=netkey<br>
nat_traversal=yes<br>
virtual_private=<br>
oe=no<br>
conn centos6-asa-net-net<br>
keyingtries=3<br>
authby=secret<br>
left=x.x.x..5<br></div>
leftsubnet=192.168.50.0/24<br>
leftsourceip=192.168.50.254<br>
right=x.x.x..4<br>
rightsubnet=192.168.40.0/24<div><br>
rightsourceip=192.168.40.254<br>
auto=start<br>
keyexchange=ike<br>
type=tunnel<br>
pfs=no<br>
phase2=esp<br>
phase2alg=3des-sha1<br>
</div></blockquote>
<br>
So what's the output of:<br>
<br>
ipsec start<br>
ipsec auto --add centos6-asa-net-net<br>
ipsec auto --up centos6-asa-net-net<span><font color="#888888"><br>
<br></font></span></blockquote><div><br></div><div>For version 3.0, after adding the connection, I still need to bring up the connection. This was the step I missed.</div><div> </div><div>"ipsec stop" is not valid for 3.0 libreswan. Hopefully, in the 3.1 release, "ipsec start" will start up the connection labelled as "auto=start".</div>
<div><br></div><div>I am really thankful for Paul and Philippe's help.</div><div><br></div><div><br></div><div>[root@il93mlab-centos6-01 ~]# ipsec stop</div><div>/usr/sbin/ipsec: unknown IPsec command `stop' (`ipsec --help' for list)</div>
<div>[root@il93mlab-centos6-01 ~]# ispec version</div><div>-bash: ispec: command not found</div><div>[root@il93mlab-centos6-01 ~]# ipsec version</div><div>Linux Libreswan 3.0 (netkey) on 2.6.32-279.22.1.el6.x86_64</div><div>
[root@il93mlab-centos6-01 ~]# ipsec stop</div><div>/usr/sbin/ipsec: unknown IPsec command `stop' (`ipsec --help' for list)</div><div>[root@il93mlab-centos6-01 ~]# ipsec setup stop</div><div>Redirecting to: service ipsec stop</div>
<div>Shutting down pluto IKE daemon</div><div>002 shutting down</div><div><br></div><div>[root@il93mlab-centos6-01 ~]# ipsec setup start</div><div>Redirecting to: service ipsec start</div><div>Starting pluto IKE daemon for IPsec: [ OK ]</div>
<div>[root@il93mlab-centos6-01 ~]# ipsec auto --add centos6-asa-net-net</div><div>multiple ip addresses, using 10.20.52.5 on em1</div><div>[root@il93mlab-centos6-01 ~]# ipsec auto --up centos6-asa-net-net</div><div>104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate</div>
<div>003 "centos6-asa-net-net" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=draft-ietf-ipsec-nat-t-ike-02/03</div><div>003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]</div>
<div>106 "centos6-asa-net-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2</div><div>003 "centos6-asa-net-net" #1: received Vendor ID payload [Cisco-Unity]</div><div>003 "centos6-asa-net-net" #1: received Vendor ID payload [XAUTH]</div>
<div>003 "centos6-asa-net-net" #1: ignoring unknown Vendor ID payload [54da3d7d997900e48394f45bcb1bec70]</div><div>003 "centos6-asa-net-net" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]</div>
<div>003 "centos6-asa-net-net" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected</div><div>108 "centos6-asa-net-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3</div><div>
003 "centos6-asa-net-net" #1: received Vendor ID payload [Dead Peer Detection]</div><div>004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}</div>
<div>117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate</div><div>004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4d9ac07c <0x5e3db534 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none} </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><font color="#888888">
Paul<br>
<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>T.J. Yang
</div></div>
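The `ipsec auto --up` negotiation output pasted above can be checked mechanically rather than read by eye. This is an added example, not code from the thread or from libreswan: it parses the two "SA established" lines (a constructed excerpt of the quoted output) and flags the negotiated parameters a reviewer would want changed (3DES in both phases, the 1024-bit DH group, DPD off).

```python
import re
# `ipsec auto --up` output quoted in the thread (constructed excerpt; only the
# two "SA established" lines are parsed).
SAMPLE_OUTPUT = """\
104 "centos6-asa-net-net" #1: STATE_MAIN_I1: initiate
004 "centos6-asa-net-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "centos6-asa-net-net" #2: STATE_QUICK_I1: initiate
004 "centos6-asa-net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4d9ac07c <0x5e3db534 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

ISAKMP_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
IPSEC_RE = re.compile(r"IPsec SA established (?P<mode>\w+) mode \{(?P<params>[^}]*)\}")

def _kv(params):
    """Turn 'auth=X cipher=Y' into a dict; the 'ESP=>spi <spi' pair is skipped."""
    return dict(m.groups() for m in re.finditer(r"(\w+)=(?!>)(\S+)", params))

def parse_up_output(text):
    """Extract the negotiated phase 1 (ISAKMP) and phase 2 (IPsec) parameters."""
    result = {"isakmp": None, "ipsec": None, "mode": None}
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            result["isakmp"] = _kv(m.group("params"))
        m = IPSEC_RE.search(line)
        if m:
            result["ipsec"] = _kv(m.group("params"))
            result["mode"] = m.group("mode")
    return result

def tunnel_established(parsed):
    # Both phases must have reached the "SA established" state.
    return parsed["isakmp"] is not None and parsed["ipsec"] is not None

def weak_crypto_findings(parsed):
    """Flag negotiated parameters a reviewer would want changed."""
    p1, p2 = parsed["isakmp"] or {}, parsed["ipsec"] or {}
    findings = []
    if "3des" in p1.get("cipher", "").lower():
        findings.append("phase1: 3DES cipher")
    if p1.get("group") == "modp1024":
        findings.append("phase1: 1024-bit DH group")
    if "3des" in p2.get("xfrm", "").lower():
        findings.append("phase2: 3DES ESP transform")
    if p2.get("DPD") == "none":
        findings.append("phase2: dead peer detection off")
    return findings

if __name__ == "__main__":
    print(weak_crypto_findings(parse_up_output(SAMPLE_OUTPUT)))
```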