<div dir="ltr"><div dir="ltr">Hi Paul,<br><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Your ipsec.conf does not contain any connection so it would not do</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">anything? Do you have other *.conf files in /etc/ipsec.d/ perhaps? </blockquote><div><br></div><div>I have missed to paste this . At the end of my ipsec.conf file, i have this line<br><div># Place all our user configurations (.conf) files below</div><div>include /etc/ipsec.d/conf/*.conf<br><br><br></div> perhaps for the other queries let me give a short currently all my servers are down . will update you shortly.<br><br>Thanks,</div><div>Madhan</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 16, 2019 at 9:12 AM Paul Wouters <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, 15 May 2019, Madhan Raj wrote:<br>
<br>
> Which version?<br>
<br>
> <MADHAN> Sry i was using this openswan-2.6.32-37.el6.x86_64 version<br>
> This is my ipsec.conf file.<br>
<br>
Your ipsec.conf does not contain any connection so it would not do<br>
anything? Do you have other *.conf files in /etc/ipsec.d/ perhaps?<br>
<br>
> 2. I have configured an Ipsec policy on one of my server pointing to other server. but i didn't configure the policies<br>
<br>
How have you configured this if you have no "conn" sections in your<br>
ipsec.conf or include files?<br>
<br>
> <MADHAN> I have auto=start in my policy.conf file.<br>
<br>
Oh, you do have a conn...<br>
<br>
> conn 772007410_x509 left=10.63.101.19<br>
> leftcert=ipsec-db<br>
> leftrsasigkey=%cert<br>
> leftprotoport=tcp/0<br>
> leftid="C=RS, O=home, OU=cup, CN=esc-imppub-12.burren.pst, ST=serbia, L=belgrade"<br>
> right=10.63.101.18<br>
> rightcert=esc-cucm-12.burren.pst<br>
> rightrsasigkey=%cert<br>
> rightprotoport=tcp/0<br>
> rightid=""<br>
> type=transport<br>
> auth=esp<br>
> authby=rsasig<br>
> keyexchange=ike<br>
> keyingtries=%forever<br>
> rekey=yes<br>
> ike=3des-sha1-modp1024<br>
> esp=aes128-sha1<br>
> ikelifetime=3600s<br>
> salifetime=3600s<br>
> pfs=no<br>
> auto=start<br>
> I can see still the ping to the normal server is working fine ? so this means that openswan is not blocking any trafffic to the other<br>
> server if ipsec policy is not up ??<br>
<br>
you can run: ipsec auto --add 772007410_x509<br>
to see if the connection loaded fine. If it does, you can run: ipsec auto --up 772007410_x509<br>
to see if it brings the connection up or what error you see.<br>
<br>
> <MADHAN> I have shared my policy and ipsec.conf file above i am sure we are not adding any failureshunt=passthrough anywhere. but i<br>
> can see the network connectivity is intact though the policies are still in PENDING state . am i missing something here ?<br>
<br>
I suspect the connection isn't getting loaded at all?<br>
<br>
For RHEL6 or CentOS6, you should be using 6.8 or 6.9, which use<br>
libreswan instead of openswan. centos6.9 should come with at least<br>
libreswan version 3.15. Or you can grab binaries that are even never<br>
from <a href="http://download.libreswan.org/binaries/rhel/6/" rel="noreferrer" target="_blank">download.libreswan.org/binaries/rhel/6/</a><br>
<br>
Paul<br>
</blockquote></div>