<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><span class="gmail-im" style="color:rgb(80,0,80)">Hi Paul & Andrew,<br><br></span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><i>Which version?<br></i><i> <br></i><i>The below is debug output, it should only appear when debugging is<br></i><i>enabled. Can you check /etc/ipsec.conf to see if there is a line<br></i><i>like:<br></i><i> plutodebug=...<br></i><i>for instance:<br></i><i> plutodebug=lifecycle<br></i><i>(these all appear to be controlled by that flag) </i></blockquote><br><MADHAN> Sorry, I was using the openswan-2.6.32-37.el6.x86_64 version.<br> This is my ipsec.conf file.<br><div dir="ltr"><br></div><div dir="ltr">version 2.0 # conforms to second version of ipsec.conf specification</div><div dir="ltr"><br></div><div dir="ltr"># basic configuration</div><div dir="ltr">config setup</div><div dir="ltr"> # For Red Hat Enterprise Linux, leave protostack=netkey</div><div dir="ltr"> protostack=netkey</div><div dir="ltr"> # plutodebug=crypt control controlmore pfkey dpd</div><div dir="ltr"> plutodebug=all</div><div dir="ltr"> klipsdebug=all</div><div dir="ltr"> nat_traversal=yes</div><div dir="ltr"> virtual_private=</div><div dir="ltr"> oe=off</div><div dir="ltr"> # Enable this if you see failed to find any available worker</div></div><div dir="ltr"> nhelpers=0</div><div dir="ltr"> plutorestartoncrash=yes</div><div dir="ltr"> # NSS DB Storage</div><div dir="ltr"> plutoopts="--ipsecdir /usr/local/platform/.security/ipsec"</div><div dir="ltr"> # Pluto core file if it cores...</div><div dir="ltr"> dumpdir=/var/log/active/core</div><div dir="ltr"> # For redirecting pluto logs, use plutostderrlog=directory of our choice</div><div dir="ltr">conn block</div><div dir="ltr"> auto=ignore</div><div dir="ltr">conn private</div><div dir="ltr"> auto=ignore</div><div dir="ltr">conn private-or-clear</div><div dir="ltr"> 
auto=ignore</div><div dir="ltr">conn clear-or-private</div><div dir="ltr"> auto=ignore</div><div dir="ltr">conn clear</div><div dir="ltr"> auto=ignore</div><div dir="ltr">conn packetdefault</div><div dir="ltr"> auto=ignore</div><div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<blockquote><span class="gmail-im" style="color:rgb(80,0,80)">> 2. I have configured an IPsec policy on one of my servers pointing to the other server, but I didn't configure the policies on<br></span><span class="gmail-im" style="color:rgb(80,0,80)">> the other side to point to this server.<br></span><span class="gmail-im" style="color:rgb(80,0,80)">> Will a network ping be successful?<br></span>If you use auto=add, then yes because libreswan would not initiate<br>IPsec.<br> <br>If you use auto=ondemand or auto=start, then no because libreswan<br>will block leaking packets until the IPsec connection is up.</blockquote></blockquote><span class="gmail-im" style="color:rgb(80,0,80)"> <MADHAN> I have auto=start in my policy.conf file.<br> conn 772007410_x509<div dir="ltr"> left=10.63.101.19</div><div dir="ltr"> leftcert=ipsec-db</div><div dir="ltr"> leftrsasigkey=%cert</div><div dir="ltr"> leftprotoport=tcp/0</div><div dir="ltr"> leftid="C=RS, O=home, OU=cup, CN=esc-imppub-12.burren.pst, ST=serbia, L=belgrade"</div><div dir="ltr"> right=10.63.101.18</div><div dir="ltr"> rightcert=esc-cucm-12.burren.pst</div><div dir="ltr"> rightrsasigkey=%cert</div><div dir="ltr"> rightprotoport=tcp/0</div><div dir="ltr"> rightid=""</div><div dir="ltr"> type=transport</div><div dir="ltr"> auth=esp</div><div dir="ltr"> authby=rsasig</div><div dir="ltr"> keyexchange=ike</div><div dir="ltr"> keyingtries=%forever</div><div dir="ltr"> rekey=yes</div><div dir="ltr"> ike=3des-sha1-modp1024</div><div dir="ltr"> esp=aes128-sha1</div><div dir="ltr"> ikelifetime=3600s</div><div dir="ltr"> salifetime=3600s</div><div dir="ltr"> pfs=no</div><div dir="ltr"> <b style=""><span style="background-color:rgb(255,0,0)"> auto=start</span><br><span 
style="background-color:rgb(243,243,243)">I can see that the ping to the normal server is still working fine. So this means that openswan is not blocking any traffic to the other server if the IPsec policy is not up??</span></b></div><div><br></div></span><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><span class="gmail-im" style="color:rgb(80,0,80)">> 3. Will the network between the two servers still be intact if the IPsec policies are down? I just want to know if the ping<br></span><span class="gmail-im" style="color:rgb(80,0,80)">> command will work at least between the two servers.</span><span class="gmail-im" style="color:rgb(80,0,80)"><br></span>No, unless you set failureshunt=passthrough, but I would not recommend<br>that.</blockquote><div><MADHAN> I have shared my policy and ipsec.conf file above; I am sure we are not adding failureshunt=passthrough anywhere, but I can see that the network connectivity is intact though the policies are still in PENDING state. Am I missing something here?</div></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 14, 2019 at 7:17 PM Paul Wouters <<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, 14 May 2019, Madhan Raj wrote:<br>
<br>
> 2. I have configured an IPsec policy on one of my servers pointing to the other server, but I didn't configure the policies on<br>
> the other side to point to this server.<br>
> Will a network ping be successful?<br>
<br>
If you use auto=add, then yes because libreswan would not initiate<br>
IPsec.<br>
<br>
If you use auto=ondemand or auto=start, then no because libreswan<br>
will block leaking packets until the IPsec connection is up.<br>
<br>
> 3. Will the network between the two servers still be intact if the IPsec policies are down? I just want to know if the ping<br>
> command will work at least between the two servers.<br>
<br>
No, unless you set failureshunt=passthrough, but I would not recommend<br>
that.<br>
<br>
Paul<br>
</blockquote></div>
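<p>What decides whether a ping leaks while a connection is still pending is the kernel's xfrm policy database, which <code>ip xfrm policy</code> prints on a netkey host. The script below is an added example, not code from this thread or from openswan/libreswan: it parses text in the shape of that output and reports, for a given src/dst/protocol/direction, whether the kernel sends the flow in the clear (no policy matches), requires an IPsec SA (a policy with a <code>tmpl</code> but no SA drops the packet and raises an ACQUIRE until IKE completes), is a passthrough shunt (policy without a template), or is blocked (<code>action block</code>). The sample text is constructed by hand to mirror the conn quoted above, whose <code>leftprotoport=tcp/0</code> and <code>rightprotoport=tcp/0</code> restrict the selectors to TCP; the field layout, reqid and priority values are assumptions, so run <code>ip xfrm policy</code> on the host for the real data.</p>

```python
"""Classify a flow against the kernel IPsec (xfrm) policy database.

Added example, not from the mailing-list thread. The parser accepts text in
the shape of `ip xfrm policy` output; the sample below is constructed by hand.
"""
import ipaddress
import re

# Constructed sample: two transport-mode policies limited to TCP (as produced
# by leftprotoport=tcp/0 / rightprotoport=tcp/0) plus one block shunt.
SAMPLE_XFRM_POLICY = """\
src 10.63.101.19/32 dst 10.63.101.18/32 proto tcp
\tdir out priority 2080 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 16389 mode transport
src 10.63.101.18/32 dst 10.63.101.19/32 proto tcp
\tdir in priority 2080 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 16389 mode transport
src 10.63.101.19/32 dst 192.0.2.0/24
\tdir out action block priority 3000 ptype main
"""

# Selector line: "src A/len dst B/len [proto P] [sport N] [dport N]"
HEADER_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?"
)
# Direction line: "dir out [action block] priority N ..."
DIR_RE = re.compile(
    r"^\s+dir (?P<dir>in|out|fwd)(?: action (?P<action>\w+))?(?: priority (?P<prio>\d+))?"
)


def parse_xfrm_policies(text):
    """Return a list of policy dicts parsed from ip-xfrm-policy-style text."""
    policies = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {
                "src": ipaddress.ip_network(m["src"], strict=False),
                "dst": ipaddress.ip_network(m["dst"], strict=False),
                "proto": m["proto"] or "any",        # no proto => any protocol
                "sport": int(m["sport"] or 0),       # 0 => any port
                "dport": int(m["dport"] or 0),
                "dir": None,
                "action": "allow",
                "priority": 0,
                "tmpl": False,                        # True => an SA is required
            }
            policies.append(cur)
            continue
        if cur is None:
            continue
        d = DIR_RE.match(line)
        if d:
            cur["dir"] = d["dir"]
            cur["action"] = d["action"] or "allow"
            cur["priority"] = int(d["prio"] or 0)
        elif line.strip().startswith("tmpl "):
            cur["tmpl"] = True
    return policies


def classify_flow(policies, src, dst, proto, direction, sport=0, dport=0):
    """Return 'cleartext', 'ipsec-required', 'passthrough' or 'blocked'.

    The kernel consults the lowest-numbered matching priority first, so the
    candidates are sorted that way before the first match wins.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in sorted(policies, key=lambda p: p["priority"]):
        if p["dir"] != direction or s not in p["src"] or d not in p["dst"]:
            continue
        if p["proto"] != "any" and p["proto"] != proto:
            continue
        if p["sport"] and p["sport"] != sport:
            continue
        if p["dport"] and p["dport"] != dport:
            continue
        if p["action"] == "block":
            return "blocked"
        return "ipsec-required" if p["tmpl"] else "passthrough"
    return "cleartext"  # no selector matched: the packet leaves unprotected


if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    for proto in ("icmp", "tcp"):
        print(proto, classify_flow(pols, "10.63.101.19", "10.63.101.18", proto, "out"))
```

<p>On the sample, ICMP from 10.63.101.19 to 10.63.101.18 is classified as cleartext while TCP on the same pair is classified as ipsec-required: a selector limited to TCP says nothing about ping, so comparing the real <code>ip xfrm policy</code> output against the protocol being tested is the check to make before concluding that the daemon is or is not blocking traffic.</p>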