<div dir="ltr">Thank you all, it worked, <div><br></div><div>I made a "grep -nr python 2 /usr/libexec/ipsec" and got 3 files output:</div><div><ul><li>_unbound-hook:1:#!python2</li><li>show:1:#!python2</li><li>verify:1:#!python2</li></ul><div>Made the change to each file to "#!/usr/bin/env python2".</div></div><div><br></div><div>Al worked Nice!!!</div><div><br></div><div>Regards,</div><div><br></div><div>Rodolfo</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 14, 2021 at 1:46 AM <<a href="mailto:swan-request@lists.libreswan.org">swan-request@lists.libreswan.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send Swan mailing list submissions to<br>
<a href="mailto:swan@lists.libreswan.org" target="_blank">swan@lists.libreswan.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" rel="noreferrer" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:swan-request@lists.libreswan.org" target="_blank">swan-request@lists.libreswan.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:swan-owner@lists.libreswan.org" target="_blank">swan-owner@lists.libreswan.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Swan digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: problem command "ipsec verify" (Paul Wouters)<br>
2. Re: problem command "ipsec verify" (Tuomo Soini)<br>
3. SA lifetime too short, less than configured (Ivan Kuznetsov)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 13 May 2021 09:52:12 -0400 (EDT)<br>
From: Paul Wouters <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>><br>
To: <a href="mailto:swan@lists.libreswan.org" target="_blank">swan@lists.libreswan.org</a><br>
Cc: <a href="mailto:swan@lists.libreswan.org" target="_blank">swan@lists.libreswan.org</a><br>
Subject: Re: [Swan] problem command "ipsec verify"<br>
Message-ID: <<a href="mailto:8f808ceb-f49-3d3d-f391-6439bd4abf3a@nohats.ca" target="_blank">8f808ceb-f49-3d3d-f391-6439bd4abf3a@nohats.ca</a>><br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
On Wed, 12 May 2021, Jorge Sevillanos wrote:<br>
<br>
> Hi Bruno, something weird?is happening.<br>
> Amazon Linux 2 by default comes with python2 & python3 installed and their executables are? inside /usr/bin<br>
> image.png<br>
<br>
Whoever build libreswan for that linux distro should set the proper<br>
value for PYTHON_BINARY=<br>
<br>
eg see:<br>
<br>
paul@bofh:~$ grep PYTHON_BINARY libreswan/packaging/rhel/*/*spec<br>
libreswan/packaging/rhel/7/libreswan.spec: PYTHON_BINARY=python2 \\\<br>
libreswan/packaging/rhel/8/libreswan.spec: PYTHON_BINARY=%{__python3} \\\<br>
<br>
Paul<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Thu, 13 May 2021 17:06:00 +0300<br>
From: Tuomo Soini <<a href="mailto:tis@foobar.fi" target="_blank">tis@foobar.fi</a>><br>
To: <a href="mailto:swan@lists.libreswan.org" target="_blank">swan@lists.libreswan.org</a><br>
Subject: Re: [Swan] problem command "ipsec verify"<br>
Message-ID: <<a href="mailto:20210513170600.39cdfc75@tuomo.foobar.fi" target="_blank">20210513170600.39cdfc75@tuomo.foobar.fi</a>><br>
Content-Type: text/plain; charset=US-ASCII<br>
<br>
On Wed, 12 May 2021 18:29:13 -0600<br>
Jorge Sevillanos <<a href="mailto:rsevillanos@gmail.com" target="_blank">rsevillanos@gmail.com</a>> wrote:<br>
<br>
> Hi Libreswan, just installed Amazon Linux 2 (fresh) from default ami,<br>
> nftables nftables v0.9.0 (Fearless Fosdick) and libreswan<br>
> 4.4-1.el7_9<br>
> <br>
> I downloaded rpm package form:<br>
> <a href="https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-4.4-1.el7_9.x86_64.rpm" rel="noreferrer" target="_blank">https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-4.4-1.el7_9.x86_64.rpm</a><br>
> <br>
> And installed package: yum install<br>
> <a href="https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-4.4-1.el7_9.x86_64.rpm" rel="noreferrer" target="_blank">https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-4.4-1.el7_9.x86_64.rpm</a><br>
> <br>
> I run the command "ipsec verify" and shows me the following:<br>
> <br>
> [root@ip-10-10-2-15 sysctl.d]# ipsec verify<br>
> /sbin/ipsec: /usr/libexec/ipsec/verify: python2: bad interpreter: No<br>
> such file or directory<br>
> /sbin/ipsec: line 565: /usr/libexec/ipsec/verify: Success<br>
> <br>
> Please help.<br>
<br>
This was a bug in our spec file for rhel7. I fixed that few minutes ago<br>
but this is not severe enough problem to rebuild package because verify<br>
is completely optional like all python scripts in Libreswan. If you want<br>
to use verify, do:<br>
<br>
sed -i -e 's|python2|/usr/bin/python2|' /usr/libexec/ipsec/verify<br>
<br>
Bug was introduced as part of 4.2 release.<br>
<br>
-- <br>
Tuomo Soini <<a href="mailto:tis@foobar.fi" target="_blank">tis@foobar.fi</a>><br>
Foobar Linux services<br>
+358 40 5240030<br>
Foobar Oy <<a href="https://foobar.fi/" rel="noreferrer" target="_blank">https://foobar.fi/</a>><br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Fri, 14 May 2021 10:37:19 +0300<br>
From: Ivan Kuznetsov <<a href="mailto:kia@solvo.ru" target="_blank">kia@solvo.ru</a>><br>
To: <a href="mailto:swan@lists.libreswan.org" target="_blank">swan@lists.libreswan.org</a><br>
Subject: [Swan] SA lifetime too short, less than configured<br>
Message-ID: <<a href="mailto:dc162bef-fa7a-7f7d-5860-d1875d173636@solvo.ru" target="_blank">dc162bef-fa7a-7f7d-5860-d1875d173636@solvo.ru</a>><br>
Content-Type: text/plain; charset="koi8-r"; Format="flowed"<br>
<br>
Hello<br>
<br>
We use libreswan 3.32 under Linux and have a IPsec peer recently <br>
upgraded their Cisco ASA. Tunnel was migrated to IKEv2. All works fine <br>
except the libreswan side restarts ISAKMP too often, mostly after 1h. <br>
ESP is restarted too. Settings for lifetime are 24h for phase 1 and 8h <br>
for phase 2 on both sides. rekeymargin has default value (300s)<br>
<br>
Why libreswan drops ISAKMP SA regardless of explicit settings?<br>
<br>
Libreswan configuration:<br>
<br>
conn bkp<br>
type=tunnel<br>
auto=start<br>
authby=secret<br>
left=11.22.33.44<br>
leftsubnet=<a href="http://172.16.80.0/20" rel="noreferrer" target="_blank">172.16.80.0/20</a><br>
right=55.66.77.88<br>
<br>
rightsubnets=<a href="http://10.1.208.0/28,10.1.102.0/24,10.1.100.22/32,10.1.104.0/29" rel="noreferrer" target="_blank">10.1.208.0/28,10.1.102.0/24,10.1.100.22/32,10.1.104.0/29</a><br>
<br>
ikev2=yes<br>
ikelifetime=24h<br>
initial-contact=yes<br>
<br>
phase2=esp<br>
salifetime=8h<br>
# BKP's Cisco ASA has stranges regarding DH groups on phase2<br>
pfs=no<br>
<br>
rekey=yes<br>
rekeymargin=5m<br>
keyingtries=3<br>
<br>
fragmentation=yes<br>
# BKP's Cisco ASA has nonstadard DPD<br>
# dpddelay=30<br>
# dpdtimeout=120<br>
# dpdaction=restart<br>
<br>
<br>
Libreswan log is attached<br>
<br>
--<br>
Regards, Ivan Kuznetsov<br>
SOLVO ltd<br>
-------------- next part --------------<br>
A non-text attachment was scrubbed...<br>
Name: bkp.log<br>
Type: text/x-log<br>
Size: 19504 bytes<br>
Desc: not available<br>
URL: <<a href="https://lists.libreswan.org/pipermail/swan/attachments/20210514/9e00f8d3/attachment.bin" rel="noreferrer" target="_blank">https://lists.libreswan.org/pipermail/swan/attachments/20210514/9e00f8d3/attachment.bin</a>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
Swan mailing list<br>
<a href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a><br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" rel="noreferrer" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a><br>
<br>
<br>
------------------------------<br>
<br>
End of Swan Digest, Vol 101, Issue 4<br>
************************************<br>
</blockquote></div>