Thanks Noel for your help.

First, I confirmed that the files in both Ubuntu 14.04 and Fedora 22 are correct.

But in Fedora, it fails to set up tunnels.

I also checked statusall in both Ubuntu and Fedora, and the major difference is 
that in Fedora no IP address is listed under "Listening IP addresses:", even 
though all IP addresses are identical in both cases.

I am attaching some logs from both Ubuntu and Fedora.

Regards,
Charlie Li

-----Original Message-----
From: Noel Kuntze [mailto:[email protected]] 
Sent: Thursday, September 03, 2015 2:15 PM
To: Li, Charlie; '[email protected]'
Subject: Re: [strongSwan] migration from StrongSwan 5.1.2 to 5.3.2


Hello Charlie,

Am 03.09.2015 um 01:32 schrieb Li, Charlie:
>
> Hi Team,
>
> 
>
> I have been using StrongSwan 5.1.2 (in Ubuntu 14.04) for a while. Attached 
> are the ipsec.conf and ipsec.secrets files used for my tests. Basically PSK = 
> ipsec is used for all connections.
>
> 
>
> But when I use the same ipsec.conf and ipsec.secrets files with StrongSwan 
> 5.3.2 (in Fedora 22), it does not work.
>
> 
>
> Looks like with 5.3.2, the ipsec.secrets file is not used anymore, instead 
> swanctl.conf is introduced.
>
> 
>
> Appreciate if someone can show me how to migrate to 5.3.2.
>
> 
>
> Thanks,
>
> Charlie
>

Nope.
strongSwan still supports ipsec.conf. swanctl.conf is just an additional 
configuration file, which you /can/ use instead of ipsec.conf. The format is 
much nicer than the one ipsec.conf uses and it is loaded over the vici socket, 
which is much better to handle as an API than the stroke socket.

Fedora and other RHEL-like distros (CentOS, ...) store the strongSwan 
configuration files in /etc/strongswan/, not in /etc/.
Make sure to adjust the ACLs and SELinux context of the files.

- -- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658


root@amd-desktop:/etc# pwd
/etc
root@amd-desktop:/etc# ll ipsec.*
-rw-r--r--  1 root root  622 Dec  5  2014 ipsec.conf
-rw-------  1 root root  435 Nov 10  2014 ipsec.secrets


# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.16.7-ckt7-1-custom+, 
x86_64):
  uptime: 30 minutes, since Sep 04 10:29:15 2015
  malloc: sbrk 3096576, mmap 0, used 436224, free 2660352
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 400
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce 
x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac 
ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown 
eap-identity addrblock
Listening IP addresses:
  10.236.12.57
  22.20.0.1
  111.222.0.1
Connections:
    tun1_0_0:  %any...%any  IKEv2
    tun1_0_0:   local:  uses pre-shared key authentication
    tun1_0_0:   remote: uses pre-shared key authentication
    tun1_0_0:   child:  140.0.0.0/8 === 50.0.0.0/8 TUNNEL
Security Associations (0 up, 0 connecting):

[root@Overdrive strongswan]# pwd
/etc/strongswan
[root@Overdrive strongswan]# ll ipsec.*
-rw-r--r--  1 root root 622 Sep  2 21:20 ipsec.conf
-rw-------  1 root root 435 Sep  2 21:56 ipsec.secrets


# strongswan statusall
Status of IKE charon daemon (strongSwan 5.3.2, Linux 
4.1.0-hf-kvm-sriov-ipsec-64k.fc22.aarch64+, aarch64):
  uptime: 9 minutes, since Sep 04 16:22:58 2015
  malloc: sbrk 3604480, mmap 0, used 1633856, free 1970624
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 200
  loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 
revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem 
openssl fips-prf gmp xcbc cmac hmac ctr ccm curl attr kernel-netlink resolve 
socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc 
eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam 
xauth-noauth dhcp
Listening IP addresses:
Connections:
    tun1_0_0:  %any...%any  IKEv2
    tun1_0_0:   local:  uses pre-shared key authentication
    tun1_0_0:   remote: uses pre-shared key authentication
    tun1_0_0:   child:  140.0.0.0/8 === 50.0.0.0/8 TUNNEL
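
The checks named in the reply above (file location, mode, ACLs, SELinux label) can be run read-only as below. This is an added example, not part of the original messages or of strongSwan; the function names and the ROOT variable are hypothetical, and it assumes GNU stat plus getfacl and restorecon where installed.

```shell
#!/bin/sh
# Added example: read-only audit of the strongSwan config files.
# Function names are hypothetical; assumes GNU stat, and uses getfacl /
# restorecon only if they are installed.

# Print the directory that holds ipsec.conf. $1 is an optional root prefix
# (empty on a live system). /etc/strongswan is checked first (Fedora/RHEL).
find_conf_dir() {
    for d in "${1:-}/etc/strongswan" "${1:-}/etc"; do
        if [ -f "$d/ipsec.conf" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# Print "ok" when the file has no group/other permission bits,
# "too-open:<mode>" otherwise, "missing" if it cannot be read.
secret_mode_status() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "missing"; return 0; }
    if [ $(( 0$mode & 077 )) -eq 0 ]; then
        echo "ok"
    else
        echo "too-open:$mode"
    fi
}

audit_strongswan_conf() {
    dir=$(find_conf_dir "${1:-}") || { echo "no ipsec.conf found"; return 1; }
    echo "config dir: $dir"
    echo "ipsec.secrets mode: $(secret_mode_status "$dir/ipsec.secrets")"
    # ACL entries beyond the base owner/group/other ones are printed here.
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -sp "$dir/ipsec.conf" "$dir/ipsec.secrets" 2>/dev/null || true
    fi
    # -n: change nothing; -v: print labels that differ from the policy default.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -n -v "$dir/ipsec.conf" "$dir/ipsec.secrets" \
            || echo "SELinux label check not available"
    fi
    return 0
}

audit_strongswan_conf "${ROOT:-}" || true
```
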