On Tue, 15 May 2018, Veetil, Vyshnav wrote:

> We are getting a problem with the ipsec connection in CentOS 7.4.

> Libreswan is unable to read the nssdir path /usr/local/platform/.security/ipsec;
> instead it always tries to read only /etc/ipsec.d. Also, I want to mention that
> /etc/ipsec.conf already has ipsecdir=/usr/local/platform/.security/ipsec, which
> was working earlier with CentOS 7.3.

> In CentOS 7.3 libreswan-3.15-8.el7.x86_64 is used.

> In CentOS 7.4 libreswan-3.20-3.el7.x86_64 is used.

> What has been changed in the libreswan-3.20-3.el7.x86_64 packages?

Can you try CentOS 7.5 with libreswan 3.23 ? We fixed some things to
ensure the nssdb could be in /var/lib/ipsec/nss for Debian, so it
should really work for you as well.

> To overcome the pluto-related issue, I have made some changes in the
> configuration file.
>
> I have removed the --stderrlog=directory in /etc/ipsec.conf.

That is a pluto commandline argument, not an ipsec.conf option? The
option for that would be logfile=directory

> And I also replaced auth=esp and esp=aes128-sha1 with phase2alg=aes128-sha1 in
> the /etc/ipsec.d/conf/71221031513.conf file.

esp= and phase2alg= are aliases. Both can be used.

There is no auth= option. There is authby= or leftauth= / rightauth=

> What is the difference between nssdir and ipsecdir if we are using them in the
> /etc/ipsec.conf file?

The /etc/ipsec.d directory contains a bunch of config files AND the nss
binary db files. Now using ipsecdir and nssdir, you can split this and
keep the configs in /etc/ipsec.d/ and keep the nss *db binary files in
another dedicated nss directory (e.g. /var/lib/ipsec/nss on Debian).

Paul
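As an added illustration (not part of the thread, and not a file from the libreswan project), here is an /etc/ipsec.conf fragment that puts the two answers above into practice: the text configuration stays in ipsecdir while the NSS database is moved to the dedicated nssdir path named in the question, logging is done with the logfile= keyword rather than the pluto --stderrlog command-line argument, and the connection uses esp= plus authby= instead of the non-existent auth= keyword. The logfile path, the include line, the connection name, the peer address (an RFC 5737 documentation address) and authby=secret are assumptions made for the example.

```conf
# /etc/ipsec.conf (added example, not from the thread)
# Separates the text configuration (ipsecdir) from the NSS database files
# (nssdir), as the reply above describes. nssdir= needs libreswan 3.20 or later.
config setup
    # *.conf, *.secrets and policies/ stay in the usual place.
    ipsecdir=/etc/ipsec.d
    # The NSS *.db files live in the dedicated directory from the question.
    # pluto must be able to read and write this directory; on a system with
    # SELinux enforcing, check that the directory carries a context pluto
    # is allowed to access before blaming the package.
    nssdir=/usr/local/platform/.security/ipsec
    # logfile= is the ipsec.conf way to direct pluto's log; the path is an
    # assumption for this example.
    logfile=/var/log/pluto.log

# The thread keeps per-connection files under /etc/ipsec.d/conf/, so the
# include must point there (assumption: this line is not shown in the thread).
include /etc/ipsec.d/conf/*.conf

# Example connection; name, peer address and authentication are assumptions.
conn example-tunnel
    left=%defaultroute
    right=203.0.113.10
    # esp= and phase2alg= are aliases; either spelling is accepted.
    esp=aes128-sha1
    # There is no auth= keyword. Peer authentication is chosen with authby=
    # (or leftauth=/rightauth=); a pre-shared key is assumed here.
    authby=secret
    auto=add
```

After changing the directories, `ipsec verify` and `ipsec status` show whether pluto picked up the new nssdir; if pluto still reports reading /etc/ipsec.d, confirm the running package is 3.20 or later, since older releases only know ipsecdir=.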
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev