List:       libreswan
Subject:    Re: [Swan] Libreswan to Cisco2921, sha2_256 (ikev1&ikev2), tunnel is up but cannot ping (with and wi
From:       Paul Wouters <paul () nohats ! ca>
Date:       2016-08-04 12:03:48
Message-ID: F5977CE0-A321-44D6-9F37-CEA354D449C3 () nohats ! ca

Avoid sha2_256 for esp/phase2alg because there are many broken Linux implementations.
Use sha2_512 instead.

Sent from my iPhone

> On Aug 4, 2016, at 7:54 AM, Satavee Junwana <satavee@gmail.com> wrote:
> 
> Another thing: it is working fine for sha1.
> 
> Best Regards,
> Satavee
> 
> > On Thu, Aug 4, 2016 at 2:51 PM, Satavee Junwana <satavee@gmail.com> wrote:
> > I've tested on libreswan 3.3,3.7 (centos5) and 3.15 (centos 6) but no luck.
> > 
> > Here is config, ipsec status and log during negotiation-
> > 
> > Config-
> > 
> > version 2.0
> > config setup
> > # plutodebug / klipsdebug = "all", "none" or a combination from below:
> > # "raw crypt parsing emitting control klips pfkey natt x509 private"
> > # eg: plutodebug="control parsing"
> > #
> > # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
> > nat_traversal=yes
> > nhelpers=1
> > oe=off
> > protostack=klips
> > plutorestartoncrash=no
> > plutostderrlog=/tmp/pluto.log
> > #Default-Connection:
> > conn %default
> > keyingtries=3
> > ikev2=yes
> > conn ppp1_DC
> > type=tunnel
> > rightid=107.25.23.119
> > right=107.25.23.119
> > rekey=yes
> > phase2alg=aes128-sha2_256
> > phase2=esp
> > pfs=no
> > #overridemtu=1410
> > leftsubnet="192.168.19.0/24"
> > leftsourceip=192.168.19.1
> > left=%ppp1
> > keylife=8h
> > initial_contact=yes
> > ikelifetime=24h
> > ike=aes128-sha2_256-modp1536
> > compress=no
> > authby=secret
> > aggrmode=no
> > 
> > Ipsec status -
> > 
> > 000 using kernel interface: klips
> > 000 interface ipsec0/ppp1 101.15.115.253
> > 000 interface ipsec0/ppp1 101.15.115.253
> > 000  
> > 000 fips mode=disabled;
> > 000 SElinux=disabled
> > 000  
> > 000 config setup options:
> > 000  
> > 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto, statsbin=unset
> > 000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec, libexecdir=/usr/libexec/ipsec
> > 000 pluto_version=3.7, pluto_vendorid=OE-Libreswan-3.7
> > 000 nhelpers=1, uniqueids=yes, retransmits=yes, force_busy=no
> > 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
> > 000 secctx_attr_value=32001
> > 000 myid = (none)
> > 000 debug none
> > 000  
> > 000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no
> > 000 virtual_private (%priv):
> > 000 - allowed 0 subnets:
> > 000 - disallowed 0 subnets:
> > 000 WARNING: Either virtual_private= is not specified, or there is a syntax
> > 000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
> > 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> > 000          private address space in internal use, it should be excluded!
> > 000  
> > 000 ESP algorithms supported:
> > 000  
> > 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> > 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128, keysizemax=128
> > 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448
> > 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=16, keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256
> > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> > 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> > 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
> > 000  
> > 000 IKE algorithms supported:
> > 000  
> > 000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
> > 000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
> > 000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
> > 000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
> > 000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
> > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> > 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> > 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
> > 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> > 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> > 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> > 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> > 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> > 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> > 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> > 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> > 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> > 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> > 000  
> > 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,3,36} trans={0,3,864} attrs={0,3,1152}
> > 000  
> > 000 Connection list:
> > 000  
> > 000 "ppp1_DC192": 192.168.19.0/24===101.15.115.253<%ppp1>...107.25.23.119<107.25.23.119>===10.0.0.0/8; erouted; eroute owner: #2
> > 000 "ppp1_DC192":     oriented; my_ip=192.168.19.1; their_ip=unset;
> > 000 "ppp1_DC192":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]; ;
> > 000 "ppp1_DC192":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
> > 000 "ppp1_DC192":   labeled_ipsec:no, loopback:no;
> > 000 "ppp1_DC192":    policy_label:unset;
> > 000 "ppp1_DC192":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
> > 000 "ppp1_DC192":   sha2_truncbug:no; initial_contact:yes; cisco_unity:no; send_vendorid:no;
> > 000 "ppp1_DC192":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+IKEv2Init+SAREFTRACK+IKE_FRAG;
> > 000 "ppp1_DC192":   conn_prio: 24,8; interface: ppp1; metric: 0; mtu: unset; sa_prio:auto;
> > 000 "ppp1_DC192":   newest ISAKMP SA: #1; newest IPsec SA: #2;
> > 000 "ppp1_DC192":   IKE algorithms wanted: AES_CBC(7)_128-SHA2_256(4)_000-MODP1536(5)
> > 000 "ppp1_DC192":   IKE algorithms found:  AES_CBC(7)_128-SHA2_256(4)_256-MODP1536(5)
> > 000 "ppp1_DC192":   IKEv2 algorithm newest: AES_CBC_128-AUTH_HMAC_SHA2_256_128-PRF_HMAC_SHA2-256-MODP1536
> > 000 "ppp1_DC192":   ESP algorithms wanted: AES(12)_128-SHA2_256(5)_000
> > 000 "ppp1_DC192":   ESP algorithms loaded: AES(12)_128-SHA2_256(5)_256
> > 000 "ppp1_DC192":   ESP algorithm newest: AES_128-HMAC_SHA2_256; pfsgroup=<N/A>
> > 000  
> > 000 Total IPsec connections: loaded 1, active 1
> > 000  
> > 000 State list:
> > 000  
> > 000 #2: "ppp1_DC192":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27777s; newest IPSEC; eroute owner; idle; import:admin initiate
> > 000 #1: "ppp1_DC192":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 86369s; newest ISAKMP; idle; import:admin initiate
> > 000  
> > 000 Shunt list:
> > 000
> > 
> > Log-
> > 2016-08-04T11:52:07.185568+07:00 pluto[15179]: listening for IKE messages
> > 2016-08-04T11:52:07.185568+07:00 pluto[15179]: adding interface ipsec0/ppp1 101.15.115.253:500
> > 2016-08-04T11:52:07.185568+07:00 pluto[15179]: adding interface ipsec0/ppp1 101.15.115.253:4500
> > 2016-08-04T11:52:07.185568+07:00 pluto[15179]: forgetting secrets
> > 2016-08-04T11:52:07.185568+07:00 pluto[15179]: loading secrets from "/etc/ipsec.secrets"
> > 2016-08-04T11:52:07.605113+07:00 pluto[15179]: added connection description "ppp1_DC192"
> > 2016-08-04T11:52:07.721381+07:00 pluto[15179]: "ppp1_DC192" #1: initiating v2 parent SA
> > 2016-08-04T11:52:07.761597+07:00 pluto[15179]: "ppp1_DC192" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
> > 2016-08-04T11:52:07.761597+07:00 pluto[15179]: "ppp1_DC192" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
> > 2016-08-04T11:52:07.928538+07:00 pluto[15179]: "ppp1_DC192" #2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2
> > 2016-08-04T11:52:07.929458+07:00 pluto[15179]: "ppp1_DC192" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha256_128 prf=OAKLEY_SHA2_256 group=modp1536}
> > 2016-08-04T11:52:07.995450+07:00 pluto[15179]: packet from 107.25.23.119:500: IKEv2 mode peer ID is ID_IPV4_ADDR: '107.25.23.119'
> > 2016-08-04T11:52:07.998515+07:00 pluto[15179]: | printing contents struct traffic_selector
> > 2016-08-04T11:52:07.999124+07:00 pluto[15179]: |   ts_type: IKEv2_TS_IPV4_ADDR_RANGE
> > 2016-08-04T11:52:07.999660+07:00 pluto[15179]: |   ipprotoid: 0
> > 2016-08-04T11:52:08.000163+07:00 pluto[15179]: |   startport: 0
> > 2016-08-04T11:52:08.000660+07:00 pluto[15179]: |   endport: 65535
> > 2016-08-04T11:52:08.001178+07:00 pluto[15179]: |   ip low: 192.168.19.0
> > 2016-08-04T11:52:08.001517+07:00 pluto[15179]: |   ip high: 192.168.19.255
> > 2016-08-04T11:52:08.002388+07:00 pluto[15179]: | printing contents struct traffic_selector
> > 2016-08-04T11:52:08.002937+07:00 pluto[15179]: |   ts_type: IKEv2_TS_IPV4_ADDR_RANGE
> > 2016-08-04T11:52:08.003475+07:00 pluto[15179]: |   ipprotoid: 0
> > 2016-08-04T11:52:08.003976+07:00 pluto[15179]: |   startport: 0
> > 2016-08-04T11:52:08.004473+07:00 pluto[15179]: |   endport: 65535
> > 2016-08-04T11:52:08.004932+07:00 pluto[15179]: |   ip low: 10.0.0.0
> > 2016-08-04T11:52:08.005373+07:00 pluto[15179]: |   ip high: 10.255.255.255
> > 2016-08-04T11:52:08.177293+07:00 pluto[15179]: packet from 107.25.23.119:500: up-client output: /usr/libexec/ipsec/_updown.klips: changesource "ip route change 10.0.0.0/8 dev ipsec0 src 192.168.19.1" failed (RTNETLINK answers: No such file or directory)
> > 2016-08-04T11:52:08.436034+07:00 pluto[15179]: "ppp1_DC192" #2: transition from state STATE_PARENT_I2 to state STATE_PARENT_I3
> > 2016-08-04T11:52:08.436034+07:00 pluto[15179]: "ppp1_DC192" #2: negotiated tunnel [192.168.19.0,192.168.19.255:0-65535 0] -> [10.0.0.0,10.255.255.255:0-65535 0]
> > 2016-08-04T11:52:08.436034+07:00 pluto[15179]: "ppp1_DC192" #2: STATE_PARENT_I3: PARENT SA established tunnel mode {ESP=>0x2d26ed88 <0xf43c29bd xfrm=AES_128-HMAC_SHA2_256 NATOA=none NATD=none DPD=none}
> > 2016-08-04T11:52:08.436034+07:00 pluto[15179]: | releasing whack for #2 (sock=18)
> > 2016-08-04T11:52:08.436034+07:00 pluto[15179]: | releasing whack and unpending for #1 (sock=17)
> > 2016-08-04T11:52:09.120814+07:00 logger: ntp[0000]: no server suitable for synchronization found
> > 2016-08-04T11:52:12.672228+07:00 logger: pppd[0000]: ppp1 ipsec conn:ppp1_DC192  Up
> > 2016-08-04T11:52:14.653590+07:00 logger: ntp[0000]: no server suitable for synchronization found
> > 2016-08-04T11:53:13.457204+07:00 pluto[15179]: listening for IKE messages
> > 2016-08-04T11:53:13.457204+07:00 pluto[15179]: forgetting secrets
> > 2016-08-04T11:53:13.457204+07:00 pluto[15179]: loading secrets from "/etc/ipsec.secrets"
> > 2016-08-04T11:53:13.580613+07:00 pluto[15179]: "ppp1_DC192": deleting connection
> > 2016-08-04T11:53:13.580717+07:00 pluto[15179]: "ppp1_DC192" #2: deleting state (STATE_PARENT_I3)
> > 2016-08-04T11:53:13.699047+07:00 pluto[15179]: "ppp1_DC192" #2: down-client output: /usr/libexec/ipsec/_updown.klips: dorule "ip rule delete from 192.168.19.0/24 to 10.0.0.0/8 " failed (RTNETLINK answers: No such file or directory)
> > 2016-08-04T11:53:13.708746+07:00 pluto[15179]: "ppp1_DC192" #1: deleting state (STATE_PARENT_I3)
> > 2016-08-04T11:53:14.250259+07:00 pluto[15179]: added connection description "ppp1_DC192"
> > 2016-08-04T11:53:14.364389+07:00 pluto[15179]: "ppp1_DC192" #3: initiating v2 parent SA
> > 2016-08-04T11:53:14.406023+07:00 pluto[15179]: "ppp1_DC192" #3: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
> > 2016-08-04T11:53:14.406125+07:00 pluto[15179]: "ppp1_DC192" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
> > 2016-08-04T11:53:15.109380+07:00 pluto[15179]: "ppp1_DC192" #4: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2
> > 2016-08-04T11:53:15.113292+07:00 pluto[15179]: "ppp1_DC192" #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha256_128 prf=OAKLEY_SHA2_256 group=modp1536}
> > 2016-08-04T11:53:15.169082+07:00 pluto[15179]: packet from 107.25.23.119:500: IKEv2 mode peer ID is ID_IPV4_ADDR: '107.25.23.119'
> > 2016-08-04T11:53:15.173375+07:00 pluto[15179]: | printing contents struct traffic_selector
> > 2016-08-04T11:53:15.173375+07:00 pluto[15179]: |   ts_type: IKEv2_TS_IPV4_ADDR_RANGE
> > 2016-08-04T11:53:15.173375+07:00 pluto[15179]: |   ipprotoid: 0
> > 2016-08-04T11:53:15.173375+07:00 pluto[15179]: |   startport: 0
> > 2016-08-04T11:53:15.173375+07:00 pluto[15179]: |   endport: 65535
> > 2016-08-04T11:53:15.176186+07:00 pluto[15179]: |   ip low: 192.168.19.0
> > 2016-08-04T11:53:15.176713+07:00 pluto[15179]: |   ip high: 192.168.19.255
> > 2016-08-04T11:53:15.177243+07:00 pluto[15179]: | printing contents struct traffic_selector
> > 2016-08-04T11:53:15.177243+07:00 pluto[15179]: |   ts_type: IKEv2_TS_IPV4_ADDR_RANGE
> > 2016-08-04T11:53:15.177243+07:00 pluto[15179]: |   ipprotoid: 0
> > 2016-08-04T11:53:15.177243+07:00 pluto[15179]: |   startport: 0
> > 2016-08-04T11:53:15.177243+07:00 pluto[15179]: |   endport: 65535
> > 2016-08-04T11:53:15.177243+07:00 pluto[15179]: |   ip low: 10.0.0.0
> > 2016-08-04T11:53:15.179999+07:00 pluto[15179]: |   ip high: 10.255.255.255
> > 2016-08-04T11:53:15.320392+07:00 pluto[15179]: packet from 107.25.23.119:500: up-client output: /usr/libexec/ipsec/_updown.klips: changesource "ip route change 10.0.0.0/8 dev ipsec0 src 192.168.19.1" failed (RTNETLINK answers: No such file or directory)
> > 2016-08-04T11:53:15.576394+07:00 pluto[15179]: "ppp1_DC192" #4: transition from state STATE_PARENT_I2 to state STATE_PARENT_I3
> > 2016-08-04T11:53:15.576501+07:00 pluto[15179]: "ppp1_DC192" #4: negotiated tunnel [192.168.19.0,192.168.19.255:0-65535 0] -> [10.0.0.0,10.255.255.255:0-65535 0]
> > 2016-08-04T11:53:15.576579+07:00 pluto[15179]: "ppp1_DC192" #4: STATE_PARENT_I3: PARENT SA established tunnel mode {ESP=>0x9794fb91 <0xf43c29be xfrm=AES_128-HMAC_SHA2_256 NATOA=none NATD=none DPD=none}
> > 2016-08-04T11:53:15.576646+07:00 pluto[15179]: | releasing whack for #4 (sock=18)
> > 2016-08-04T11:53:15.576774+07:00 pluto[15179]: | releasing whack and unpending for #3 (sock=17)
> > 
> > Best Regards,
> > Satavee
> > Sent via iPhone
> 
> _______________________________________________
> Swan mailing list
> Swan@lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
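Paul's advice points at a known interoperability problem with HMAC-SHA2-256 in ESP: RFC 4868 truncates the ICV to 128 bits, while some Linux kernel IPsec stacks truncated it to 96 bits, the mismatch that libreswan's sha2_truncbug= option (shown as sha2_truncbug:no in the status output above) exists to work around. The Python model below is an added example, not code from this thread or from the libreswan project; the key and payload are constructed, the two peer objects are hypothetical, and the pluto log line is the one quoted above. It shows why the SA establishes (IKE runs in the daemon on both ends) while every ESP packet fails the kernel's integrity check in both directions, and why switching the integrity algorithm removes the problem.

```python
"""Model of the ESP ICV truncation mismatch behind "tunnel up, but no ping"."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# ICV lengths in bits that RFC 4868 specifies for HMAC-SHA2 with ESP.
RFC4868_ICV_BITS = {"sha256": 128, "sha384": 192, "sha512": 256}


@dataclass(frozen=True)
class EspIntegrity:
    """One peer's view of ESP integrity: hash, shared key and ICV truncation.

    icv_bits=96 with sha256 models the buggy implementations Paul refers to.
    """
    key: bytes
    algo: str = "sha256"
    icv_bits: int = 128

    def icv(self, data: bytes) -> bytes:
        full = hmac.new(self.key, data, getattr(hashlib, self.algo)).digest()
        return full[: self.icv_bits // 8]

    def protect(self, data: bytes) -> bytes:
        """Append the truncated ICV, as the ESP sender does."""
        return data + self.icv(data)

    def verify(self, packet: bytes) -> Optional[bytes]:
        """Return the protected data if the trailing ICV checks out, else None.

        A receiver that expects a longer ICV than was sent (128 vs 96) also
        hits the length check here, so short pings fail for two reasons.
        """
        n = self.icv_bits // 8
        if len(packet) <= n:
            return None
        data, tag = packet[:-n], packet[-n:]
        return data if hmac.compare_digest(tag, self.icv(data)) else None


def exchange(a: EspIntegrity, b: EspIntegrity, payload: bytes) -> Tuple[bool, bool]:
    """Send payload a->b and b->a; report whether each direction is accepted."""
    a_to_b = b.verify(a.protect(payload)) == payload
    b_to_a = a.verify(b.protect(payload)) == payload
    return a_to_b, b_to_a


def esp_integ_from_log(line: str) -> Optional[str]:
    """Pull the ESP integrity algorithm out of a pluto 'PARENT SA established' line."""
    m = re.search(r"xfrm=[A-Z0-9_]+-(HMAC_[A-Z0-9_]+)", line)
    return m.group(1) if m else None


def truncation_sensitive(integ: Optional[str]) -> bool:
    """HMAC_SHA2_256 is the variant affected by the 96/128-bit truncation mismatch."""
    return integ == "HMAC_SHA2_256"


if __name__ == "__main__":
    key = bytes(range(32))  # constructed; real ESP keys come from IKE KEYMAT
    rfc_peer = EspIntegrity(key, "sha256", 128)
    buggy_peer = EspIntegrity(key, "sha256", 96)
    print("sha2_256, both 128-bit ICV:", exchange(rfc_peer, EspIntegrity(key, "sha256", 128), b"ping"))
    print("sha2_256, 128 vs 96-bit ICV:", exchange(rfc_peer, buggy_peer, b"ping"))
    sha512_a = EspIntegrity(key, "sha512", RFC4868_ICV_BITS["sha512"])
    sha512_b = EspIntegrity(key, "sha512", RFC4868_ICV_BITS["sha512"])
    print("sha2_512, both 256-bit ICV:", exchange(sha512_a, sha512_b, b"ping"))
    # The established-SA line from the quoted pluto log, as a defender would see it.
    log = ('pluto[15179]: "ppp1_DC192" #2: STATE_PARENT_I3: PARENT SA established tunnel mode '
           "{ESP=>0x2d26ed88 <0xf43c29bd xfrm=AES_128-HMAC_SHA2_256 NATOA=none NATD=none DPD=none}")
    integ = esp_integ_from_log(log)
    print("ESP integrity in log:", integ, "-> check sha2_truncbug on both ends:", truncation_sensitive(integ))
```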

