On Wed, 15 May 2019, Madhan Raj wrote:

      Which version?

<MADHAN> Sorry, I was using this openswan-2.6.32-37.el6.x86_64 version.
            This is my ipsec.conf file.

Your ipsec.conf does not contain any connection so it would not do
anything? Do you have other *.conf files in /etc/ipsec.d/ perhaps?

        2.  I have configured an IPsec policy on one of my servers pointing to the other server, but I didn't configure the policies

How have you configured this if you have no "conn" sections in your
ipsec.conf or include files?

  <MADHAN> I have auto=start in my policy.conf file.

Oh, you do have a conn...

   conn 772007410_x509
        left=10.63.101.19
        leftcert=ipsec-db
        leftrsasigkey=%cert
        leftprotoport=tcp/0
        leftid="C=RS, O=home, OU=cup, CN=esc-imppub-12.burren.pst, ST=serbia, L=belgrade"
        right=10.63.101.18
        rightcert=esc-cucm-12.burren.pst
        rightrsasigkey=%cert
        rightprotoport=tcp/0
        rightid=""
        type=transport
        auth=esp
        authby=rsasig
        keyexchange=ike
        keyingtries=%forever
        rekey=yes
        ike=3des-sha1-modp1024
        esp=aes128-sha1
        ikelifetime=3600s
        salifetime=3600s
        pfs=no
        auto=start

I can still see the ping to the normal server is working fine? So this means
that openswan is not blocking any traffic to the other
server if the ipsec policy is not up??

You can run:
    ipsec auto --add 772007410_x509
to see if the connection loaded fine. If it does, you can run:
    ipsec auto --up 772007410_x509
to see if it brings the connection up or what error you see.

<MADHAN>  I have shared my policy and ipsec.conf file above. I am sure we are
not adding any failureshunt=passthrough anywhere, but I
can see the network connectivity is intact though the policies are still in
PENDING state. Am I missing something here?

I suspect the connection isn't getting loaded at all?

For RHEL6 or CentOS6, you should be using 6.8 or 6.9, which use
libreswan instead of openswan. CentOS 6.9 should come with at least
libreswan version 3.15. Or you can grab binaries that are even newer
from download.libreswan.org/binaries/rhel/6/

Paul
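
Added example, not part of the original thread and not openswan or libreswan code: a Python helper that walks an ipsec.conf and its include lines and lists the conn sections it finds, which is the check behind the question of whether the conn in policy.conf is ever read. The include line, the directory layout and the abridged sample conn are constructed for the demo, and relative include paths are assumed to resolve against the including file's directory, as the ipsec.conf man page describes.

```python
import glob
import os
import tempfile

# Constructed sample files: the conn is abridged from the one quoted in the thread.
SETUP = "config setup\n\tprotostack=netkey\n"
POLICY = ("conn 772007410_x509\n\tleft=10.63.101.19\n\tright=10.63.101.18\n"
          "\ttype=transport\n\tauto=start\n")

def find_conns(path, seen=None):
    """Return {conn_name: {option: value}} for path and every file it includes."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:                      # guard against include loops
        return {}
    seen.add(real)
    conns, current = {}, None
    with open(real) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):   # blank line or whole-line comment
                continue
            if not raw[0].isspace():      # column 0: section header or include
                words, current = line.split(), None
                if words[0] == "include" and len(words) == 2:
                    # relative include paths resolve against the including file
                    pattern = os.path.join(os.path.dirname(real), words[1])
                    for inc in sorted(glob.glob(pattern)):
                        conns.update(find_conns(inc, seen))
                elif words[0] == "conn" and len(words) == 2:
                    current = conns.setdefault(words[1], {})
            elif current is not None and "=" in line:   # indented option line
                key, value = line.split("=", 1)
                current[key.strip()] = value.strip()
    return conns

def demo():
    """Parse the same tree with and without the include line in ipsec.conf."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "ipsec.d"))
        with open(os.path.join(d, "ipsec.d", "policy.conf"), "w") as fh:
            fh.write(POLICY)
        conf, results = os.path.join(d, "ipsec.conf"), []
        for text in (SETUP + "include ipsec.d/*.conf\n", SETUP):
            with open(conf, "w") as fh:
                fh.write(text)
            results.append(find_conns(conf))
        return results

if __name__ == "__main__":
    for label, conns in zip(("with include", "without include"), demo()):
        print(label, {name: opts.get("auto") for name, opts in conns.items()})
```

An empty result for the real /etc/ipsec.conf means the daemon has no conn to load, so auto=start in a file that is never included has no effect.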