Hi Paul,

> Your ipsec.conf does not contain any connection so it would not do
> anything? Do you have other *.conf files in /etc/ipsec.d/ perhaps?

I missed pasting this. At the end of my ipsec.conf file, I have this line

# Place all our user configurations (.conf) files below
include /etc/ipsec.d/conf/*.conf

Perhaps for the other queries let me give a short currently all my servers are down. Will update you shortly.

Thanks,
Madhan

On Thu, May 16, 2019 at 9:12 AM Paul Wouters <[email protected]> wrote:

> On Wed, 15 May 2019, Madhan Raj wrote:
> > > Which version?
>
> > <MADHAN> Sorry, I was using this openswan-2.6.32-37.el6.x86_64 version
> > This is my ipsec.conf file.
>
> Your ipsec.conf does not contain any connection so it would not do
> anything? Do you have other *.conf files in /etc/ipsec.d/ perhaps?
>
> > 2. I have configured an Ipsec policy on one of my servers
> > pointing to other server. But I didn't configure the policies
>
> How have you configured this if you have no "conn" sections in your
> ipsec.conf or include files?
>
> > <MADHAN> I have auto=start in my policy.conf file.
>
> Oh, you do have a conn...
>
> > conn 772007410_x509
> >     left=10.63.101.19
> >     leftcert=ipsec-db
> >     leftrsasigkey=%cert
> >     leftprotoport=tcp/0
> >     leftid="C=RS, O=home, OU=cup, CN=esc-imppub-12.burren.pst, ST=serbia, L=belgrade"
> >     right=10.63.101.18
> >     rightcert=esc-cucm-12.burren.pst
> >     rightrsasigkey=%cert
> >     rightprotoport=tcp/0
> >     rightid=""
> >     type=transport
> >     auth=esp
> >     authby=rsasig
> >     keyexchange=ike
> >     keyingtries=%forever
> >     rekey=yes
> >     ike=3des-sha1-modp1024
> >     esp=aes128-sha1
> >     ikelifetime=3600s
> >     salifetime=3600s
> >     pfs=no
> >     auto=start
> > I can still see the ping to the normal server is working fine? So this
> > means that openswan is not blocking any traffic to the other
> > server if ipsec policy is not up??
>
> you can run: ipsec auto --add 772007410_x509
> to see if the connection loaded fine. If it does, you can run:
> ipsec auto --up 772007410_x509
> to see if it brings the connection up or what error you see.
>
> > <MADHAN> I have shared my policy and ipsec.conf file above. I am sure
> > we are not adding any failureshunt=passthrough anywhere. But I
> > can see the network connectivity is intact though the policies are still
> > in PENDING state. Am I missing something here?
>
> I suspect the connection isn't getting loaded at all?
>
> For RHEL6 or CentOS6, you should be using 6.8 or 6.9, which use
> libreswan instead of openswan. centos6.9 should come with at least
> libreswan version 3.15. Or you can grab binaries that are even newer
> from download.libreswan.org/binaries/rhel/6/
>
> Paul
>
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
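
An added example, not part of the original thread and not openswan or libreswan code: a small Python check for the question raised above, whether any `conn` section is reachable from ipsec.conf once its `include` globs are expanded. The temporary file layout and the `protostack=netkey` line are constructed sample input, and the parser is a simplification that ignores `also=` and treats include patterns exactly as written.

```python
import glob
import os
import tempfile

def load_conns(path, seen=None):
    """Return {conn_name: {option: value}} for path plus every file it includes."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:                      # guard against include loops
        return {}
    seen.add(real)
    conns, current = {}, None
    with open(path) as fh:
        for raw in fh:
            if not raw.strip() or raw.lstrip().startswith("#"):
                continue                  # skip blank lines and comments
            words = raw.split()
            if not raw[0].isspace():      # column 0: directive or section header
                current = None
                if words[0] == "include" and len(words) == 2:
                    for inc in sorted(glob.glob(words[1])):  # pattern used as written
                        conns.update(load_conns(inc, seen))
                elif words[0] == "conn" and len(words) == 2:
                    current = conns.setdefault(words[1], {})
            elif current is not None and "=" in raw:
                key, _, value = raw.strip().partition("=")
                current[key.strip()] = value.strip()
    return conns

def demo():
    """Constructed sample: a main file holding only an include, plus one conn file."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "conf"))
        main = os.path.join(d, "ipsec.conf")
        with open(main, "w") as fh:
            fh.write("config setup\n    protostack=netkey\n\n"
                     "# Place all our user configurations (.conf) files below\n"
                     f"include {d}/conf/*.conf\n")
        with open(os.path.join(d, "conf", "policy.conf"), "w") as fh:
            fh.write("conn 772007410_x509\n    left=10.63.101.19\n"
                     "    right=10.63.101.18\n    type=transport\n    auto=start\n")
        return load_conns(main)

if __name__ == "__main__":
    for name, opts in demo().items():
        print(name, "auto=" + opts.get("auto", "(unset)"))
```

An empty result from `load_conns("/etc/ipsec.conf")` means no connection definition is reachable, which matches the "connection isn't getting loaded at all" case discussed in the thread.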
