On Tue, 2 Apr 2019, [email protected] wrote:
> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual: ipsec.conf.5
> #
> # Please place your own config files in /etc/ipsec.d/ ending in .conf
> version 2.0 # conforms to second version of ipsec.conf specification
You can remove the entire version line
> # basic configuration
> #config setup
> # # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # # klipsdebug=none
> # # plutodebug="control parsing"
> # # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> # protostack=netkey
> # nat_traversal=yes
> # virtual_private=
> # oe=off
> # # Enable this if you see "failed to find any available worker"
> # nhelpers=0
You can comment out all the options here.
> #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
> #include /etc/ipsec.d/*.conf
> conn block
>     auto=ignore
> conn private
>     auto=ignore
> conn private-or-clear
>     auto=ignore
> conn clear-or-private
>     auto=ignore
> conn clear
>     auto=ignore
> conn packetdefault
>     auto=ignore
Delete all of those conns. They are not needed.
> config setup
>     #klipsdebug=all
>     #plutodebug="control parsing"
>     nat_traversal=yes
>     protostack=netkey
>     virtual_private=
>     oe=off
>     nhelpers=0
>     #forceencaps=yes
>     interfaces=%defaultroute
>     force_keepalive=yes
>     keep_alive=2
Comment out all those options.
> conn vpnbank
>     type=tunnel
>     left=192.168.1.16
>     leftsubnet=192.168.1.0/26
>     leftnexthop=192.168.1.100
>     right=222.222.222.222
>     rightsubnet=111.111.111.111/32
>     rightnexthop=192.168.1.100
>     keyexchange=ike
>     auto=start
>     authby=secret
>     pfs=no
>     compress=no
>     auth=esp
>     keylife=1440m
>     ikelifetime=3600s
Remove the auth=esp line and nexthop lines.
> /VAR/LOG/MESSAGES:
> ------------------
> Apr 2 00:04:18 vm-ipsec-new systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
> Apr 2 00:04:18 vm-ipsec-new addconn: ERROR: /etc/ipsec.d/ipsec.conf: 66: keyword auth, invalid value: esp
That is due to the auth=esp line which you should remove.
> I tried to comment #auth=esp ...
> # service ipsec start
> Job for ipsec.service failed because the control process exited with error code. See "systemctl status ipsec.service" and "journalctl -xe" for details.
> /VAR/LOG/MESSAGES:
> ------------------
> Apr 2 00:10:00 vm-ipsec-new systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
> Apr 2 00:10:00 vm-ipsec-new addconn: cannot load config '/etc/ipsec.conf': /etc/ipsec.d/ipsec.conf:8: syntax error, unexpected VERSION, expecting $end [version]
Remove the version line.
> Could anyone point me in some direction on how to fix/adapt my configuration (or
> LibreSwan cfg) to make it compatible with LIBRESWAN on CentOS 7.5?
Otherwise, it should be compatible. There might be some ike= / esp=
settings you need if you defaulted to low ones and the higher ones
are not allowed by the remote, but you have to try to find out.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
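The fixes Paul lists above, applied by a script: this is an added example and is not part of the thread or of Libreswan's own tooling. It takes an Openswan-style ipsec.conf (a constructed sample mirroring the one quoted, embedded inline, with the same addresses) and writes a version Libreswan's addconn will parse: the `version` line goes, the `auto=ignore` stub conns go, `auth=esp` and the `leftnexthop`/`rightnexthop` lines go, and the `config setup` options are commented out. The stub conn names and setup option names are the ones that appear in the quoted config; `sample_old_conf`, `migrate_conf`, `migrate_file` and `check_conf` are names of this example's own making.

```shell
#!/bin/sh
# Added example (not Libreswan tooling): rewrite an Openswan-era ipsec.conf
# into one that Libreswan's addconn accepts, following the thread's advice.
# All function names here are hypothetical, chosen for this example.

# Constructed sample mirroring the quoted Openswan config.
sample_old_conf() {
    cat <<'EOF'
# /etc/ipsec.conf - Openswan IPsec configuration file (constructed sample)
version 2.0
config setup
    nat_traversal=yes
    protostack=netkey
    virtual_private=
    oe=off
    nhelpers=0
    interfaces=%defaultroute
    force_keepalive=yes
    keep_alive=2
conn block
    auto=ignore
conn private
    auto=ignore
conn packetdefault
    auto=ignore
conn vpnbank
    type=tunnel
    left=192.168.1.16
    leftsubnet=192.168.1.0/26
    leftnexthop=192.168.1.100
    right=222.222.222.222
    rightsubnet=111.111.111.111/32
    rightnexthop=192.168.1.100
    keyexchange=ike
    auto=start
    authby=secret
    pfs=no
    compress=no
    auth=esp
    keylife=1440m
    ikelifetime=3600s
EOF
}

# Filter: Openswan config on stdin, Libreswan-compatible config on stdout.
# Stub conn names and config-setup option names are those from the quoted file.
migrate_conf() {
    awk '
    BEGIN {
        drop["block"] = 1; drop["private"] = 1; drop["private-or-clear"] = 1
        drop["clear-or-private"] = 1; drop["clear"] = 1; drop["packetdefault"] = 1
        opts = "^[ \t]*(klipsdebug|plutodebug|nat_traversal|protostack|virtual_private|oe|nhelpers|forceencaps|interfaces|force_keepalive|keep_alive)="
    }
    /^[ \t]*version[ \t]/          { next }          # "version 2.0": addconn rejects it
    /^[ \t]*conn[ \t]+/            { skipping = ($2 in drop); insetup = 0
                                     if (skipping) next }
    /^[ \t]*config[ \t]+setup/     { insetup = 1; skipping = 0 }
    skipping                       { next }          # body of a dropped stub conn
    insetup && $0 ~ opts           { print "#" $0; next }   # comment out setup options
    /^[ \t]*auth=esp/              { next }          # "keyword auth, invalid value: esp"
    /^[ \t]*(left|right)nexthop=/  { next }          # nexthop lines: remove per thread
    { print }
    '
}

migrate_file() {   # migrate_file OLD NEW
    migrate_conf < "$1" > "$2"
}

# Exit 0 when none of the lines the thread identifies as incompatible remain.
check_conf() {
    ! grep -Eq '^[[:space:]]*(version[[:space:]]|auth=esp|(left|right)nexthop=)' "$1"
}

# Usage: sh migrate.sh old.conf new.conf
if [ "$#" -eq 2 ]; then
    migrate_file "$1" "$2" && check_conf "$2" && echo "migrated: $2"
fi
```

To see the transformation on the sample alone, run `sample_old_conf | migrate_conf` in a shell that has sourced the file. `check_conf` only looks for the three problems named in the thread; after writing the result to `/etc/ipsec.conf`, let Libreswan parse it with `ipsec addconn --checkconfig` before `service ipsec start`, since any `ike=`/`esp=` mismatch Paul mentions only shows up once the remote is involved.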