Hi, I'm migrating an older CentOS 5 installation from Openswan-2.6.32-9 to Libreswan-3.0-1.

I have a couple of issues:

1) I downloaded the libreswan rpm from https://download.libreswan.org/binaries/rhel/5/i386/ but it appears to have a bad signature:

    # rpm -qp libreswan-3.0-1.i386.rpm
    error: libreswan-3.0-1.i386.rpm: Header V4 RSA/SHA256 signature: BAD, key ID b30fc6f9

I've installed the https://download.libreswan.org/binaries/RPM-GPG-KEY-libreswan but it still reports a bad key. Now I've installed it with the --nosignature option.

2) With my openswan configurations I used an include statement in the main /etc/ipsec.conf file to include configurations in the /etc/ipsec.d directory.

    # grep include /etc/ipsec.conf
    include /etc/ipsec.d/*.conf

But this appears to be broken on my setup with libreswan. Libreswan would load only one of three configurations. The others wouldn't load. Libreswan kept reporting such things as:

    # ipsec auto --add seattle
    conn 'seattle': not found (tried aliases)
    # ipsec auto --up seattle
    000 initiating all conns with alias='seattle'
    021 no connection named "seattle"

OK, so here's another oddity. I put the connections directly into /etc/ipsec.conf and discarded the include statement. Now my connections are found and come up perfectly!

    # ipsec auto --up seattle
    104 "seattle" #1: STATE_MAIN_I1: initiate
    003 "seattle" #1: ignoring unknown Vendor ID payload [4f4568794c64414365636661]
    003 "seattle" #1: received Vendor ID payload [Dead Peer Detection]
    003 "seattle" #1: received Vendor ID payload [RFC 3947] method set to=RFC 3947 (NAT-Traversal)
    106 "seattle" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    003 "seattle" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
    108 "seattle" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    003 "seattle" #1: received Vendor ID payload [CAN-IKEv2]
    004 "seattle" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
    117 "seattle" #2: STATE_QUICK_I1: initiate
    004 "seattle" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xfa928e70 <0xcd41c653 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Why won't the include statement work?

Kind regards,
Tom

-- 
Tom Robinson
IT Manager/System Administrator
MoTeC Pty Ltd
121 Merrindale Drive
Croydon South 3136
Victoria
Australia
T: +61 3 9761 5050
F: +61 3 9761 5051
E: [email protected]
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
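An added diagnostic for the include question above; this is example code written for this page, not part of Tom's post and not libreswan's own parser. It resolves the include globs in an ipsec.conf the way the ipsec.conf(5) rules describe (include and conn keywords in column 0, a shell-style glob as the include argument, '#' comments) and then lists which file defines each conn, plus any file sitting in the included directory that the glob does not reach. It assumes a relative include path is resolved against the including file's directory, and it builds its own constructed sample tree (documentation addresses, a deliberately mis-named melbourne.cnf, and an include of a directory that does not exist) rather than reading /etc/ipsec.conf.

```python
"""Resolve ipsec.conf 'include' globs and report which 'conn' each file defines.

Added example, not libreswan code. Assumptions (taken from ipsec.conf(5), not
verified against libreswan's parser): 'include', 'conn' and 'config' keywords
start in column 0; the include argument is a shell-style glob; '#' starts a
comment; indented lines are key=value parameters. A relative include path is
resolved against the including file's directory (this script's assumption).
"""
import glob
import os
import re
import tempfile

SECTION_RE = re.compile(r'^(include|conn|config)\s+(\S+)\s*$')


def _read(path, conns, warnings, seen):
    real = os.path.realpath(path)
    if real in seen:
        warnings.append('%s already read; skipping (include loop or overlapping globs?)' % path)
        return
    seen.add(real)
    with open(path) as fh:
        for raw in fh:
            line = raw.split('#', 1)[0].rstrip()
            if not line or line[0].isspace():
                continue                      # blank, comment-only, or indented key=value
            m = SECTION_RE.match(line)
            if not m:
                continue
            kind, arg = m.groups()
            if kind == 'conn' and arg != '%default':
                if arg in conns:
                    warnings.append('conn %s in %s redefines the one in %s' % (arg, path, conns[arg]))
                conns[arg] = path
            elif kind == 'include':
                pattern = arg if os.path.isabs(arg) else os.path.join(os.path.dirname(real), arg)
                matches = sorted(os.path.realpath(p) for p in glob.glob(pattern))
                if not matches:
                    warnings.append('include %s matched no files' % pattern)
                # Files next to the matched ones that the glob does not cover are the
                # usual reason a conn is "not found": wrong extension or wrong directory.
                d = os.path.dirname(pattern)
                if os.path.isdir(d):
                    for name in sorted(os.listdir(d)):
                        full = os.path.realpath(os.path.join(d, name))
                        if os.path.isfile(full) and full not in matches:
                            warnings.append('%s is NOT matched by include %s' % (full, pattern))
                for inc in matches:
                    _read(inc, conns, warnings, seen)


def parse_ipsec_conf(path):
    """Return (conns, warnings); conns maps conn name -> file that defined it."""
    conns, warnings = {}, []
    _read(path, conns, warnings, set())
    return conns, warnings


def build_sample_tree():
    """Constructed sample config tree (RFC 5737 documentation addresses, not a real site)."""
    root = tempfile.mkdtemp(prefix='ipsec-include-demo-')
    os.mkdir(os.path.join(root, 'ipsec.d'))
    files = {
        'ipsec.conf': (
            'config setup\n'
            '    protostack=netkey\n\n'
            'conn %default\n'
            '    keyexchange=ike\n\n'
            'include ipsec.d/*.conf\n'
            'include ipsec.d/extra/*.conf   # this directory does not exist\n'
        ),
        'ipsec.d/seattle.conf': 'conn seattle\n    left=192.0.2.1\n    right=198.51.100.1\n    auto=add\n',
        'ipsec.d/sydney.conf': 'conn sydney\n    left=192.0.2.1\n    right=203.0.113.1\n    auto=add\n',
        # wrong extension on purpose: *.conf never reaches this file
        'ipsec.d/melbourne.cnf': 'conn melbourne\n    left=192.0.2.1\n    right=203.0.113.2\n    auto=add\n',
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), 'w') as fh:
            fh.write(text)
    return root


if __name__ == '__main__':
    root = build_sample_tree()
    conns, warnings = parse_ipsec_conf(os.path.join(root, 'ipsec.conf'))
    for name, where in sorted(conns.items()):
        print('conn %-10s defined in %s' % (name, where))
    for w in warnings:
        print('warning: ' + w)
```

Run against a real /etc/ipsec.conf (as root, since ipsec.d files are usually mode 0600) the output is a list of every conn the include chain can see and a warning for each file the glob skips; if a conn you expect is missing from the list, the glob or the filename is the problem before libreswan ever parses the file.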
