
List:       openikev2-users
Subject:    Re: [openikev2-users] hi
From:       Alejandro Pérez Méndez <alejandro_perez () dif ! um ! es>
Date:       2007-03-29 18:11:58
Message-ID: 1175191918.11612.3.camel () isabel

Hi,

You have two identical policies in your configuration file, so when
openikev2 is going to create the second one, it gives you that error
because an identical policy already exists.

Best regards,
Alejandro
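Added example, not code from this thread or from openikev2 itself: a small Python checker that parses the policy{} blocks of an openikev2.conf and reports selector sets that are defined more than once, which is the situation the reply above describes. It assumes that an SPD entry is identified by its traffic selectors and direction, and that an omitted port means 0 (any), as the configuration comments state.

```python
import re
from collections import Counter
# Constructed sample mirroring the two policy{} blocks from the quoted config.
SAMPLE_CONF = """policies{
    policy{
        src_selector = 192.168.1.0/24
        src_port = 0                 # 0 = any port
        dst_selector = 192.168.1.0/24
        ip_proto = icmp
        dir = all
        ipsec_proto = none
/*
        src_tunnel = 192.168.1.1     # commented out, must be ignored
*/
        priority = 1000
    }
    policy{
        src_selector = 192.168.1.0/24
        dst_selector = 192.168.1.0/24
        ip_proto = icmp
        dir = all
        ipsec_proto = none
    }
}
"""

# Assumption: an SPD entry is identified by selectors and direction, so two
# policy{} blocks that agree on these fields are "identical" to openikev2.
SELECTOR_KEYS = ("src_selector", "src_port", "dst_selector", "dst_port", "ip_proto", "dir")
DEFAULTS = {"src_port": "0", "dst_port": "0"}  # omitted port = any (0)

def parse_policies(text):
    """Return one dict per policy{} block, with /* */ and # comments stripped."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"#.*", "", text)
    policies = []
    for body in re.findall(r"\bpolicy\s*\{(.*?)\}", text, flags=re.S):
        entry = dict(DEFAULTS)
        for line in body.splitlines():
            if "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                entry[key] = value
        policies.append(entry)
    return policies

def find_duplicate_policies(text):
    """Selector tuples defined more than once: the second CREATE POLICY fails."""
    counts = Counter(tuple(p.get(k) for k in SELECTOR_KEYS) for p in parse_policies(text))
    return [key for key, n in counts.items() if n > 1]
```

Running it over the quoted configuration reports the one selector set that both policy{} blocks share; changing any selector field in one of them makes the report empty.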

> Hi everybody;
> I installed openikev2 in two peers and when I run openikev2 I have this error
> message:"[ERROR] OpenIKEv2: Exception: IPSEC: Error performing an CREATE POLICY
> action
>  [THRDS] OpenIKEv2: Stopped"
> Could you please help me!!!!!
> and this is the openikev2.conf:
> ######################################################################################
> ################################   LOG SECTION   #####################################
> ######################################################################################
> log {
>     # Indicates if show extra info is desired
>     show_extra_info = yes
> 
>     # Put in show_mask list the message log types you want to show
>     show_mask = {all}
> 
>     # Put in hide_mask list the message log types you want to hide
>     hide_mask = { none }
> 
>     # You can use more than one of the following types for show_mask and hide_mask:
>     #    none - No info is printed
>     #    info - General information
>     #    messages - Messages of exchanges
>     #    crypto - Crypto information
>     #    exceptions - Shows the exceptions
>     #    transitions - Shows the state machine transitions
>     #    config - Shows the configuration info
>     #    threads - Shows threads events
>     #    alarms - Shows alarms events
>     #    dhcp - Shows dhcp events
>     #    ebus - Shows bus events
>     #    ipsec - Shows ipsec events
>     #    halfopen - Shows the number of half-opened IKE SAs
>     #    policies - Shows the IPSEC policies
>     #    warnings - Shows the warnings messages
>     #    all - Shows all the information available
> }
> 
> ######################################################################################
> ##############################   GENERAL SECTION   ###################################
> ######################################################################################
> general {
>     # Max time (in seconds) to perform the initial exchanges (when acting as responder)
>     max_ike_negotiation_time = 30
> 
>     # Max. use time of the same cookie secret
>     cookies_lifetime = 20
> 
>     # Number of half-opened IKE SAs that activates cookies
>     cookies_threshold = 5
> 
>     # EAP user/passwd list for the test EAP_Controller
>     eap_users_filename = "/etc/openikev2/eap_users.txt"
> 
>     # A vendor string (default value is openikev2-version)
>     # vendor_id = openikev2-XX
> }
> 
> ######################################################################################
> ##############################  POLICIES SECTION  ###################################
> ######################################################################################
> 
> # Uncomment and adjust to match your needs
> 
>     policies{
>         # Indicates that the SPD will be flushed before adding the new ones
>         flush_before = true
> 
>         # Indicate if the allow policies must be automatically generated. These policies
>         # allow IPv4 and IPv6 IKE traffic and ICMPv6 Neighbor Solicitation and Neighbor Advertisement
>         generate_allow_policies = false
> 
>         # Define a policy to be added in the SPD
>         policy{
>             # Source address range of the traffic matching this policy
>             src_selector = 192.168.1.0/24
> 
>             # Source port of the traffic matching this policy (0 = any port)
>             src_port = 0
> 
>             # Destination address range of the traffic matching this policy
>             dst_selector = 192.168.1.0/24
> 
>             # Destination port of the traffic matching this policy (0 = any port)
>             dst_port = 0
> 
>             # IP protocol of the traffic matching this policy (tcp, udp, icmp, icmpv6 or any number)
>             ip_proto = icmp
> 
>             # Direction of the policy (in, out, fwd, all). If all is selected, the policy is assumed as out
>             # and the symmetric in and fwd directions are automatically generated
>             dir = all
> 
>             # IPsec protocol to be used (esp, ah, none). If none is used, then ipsec will
>             # not be used for such traffic.
>             ipsec_proto = none
> 
>             # IPsec mode to be applied (transport, tunnel)
>             mode = transport
> /*
>             # Source tunnel address (only needed when tunnel mode is selected)
>             src_tunnel = 192.168.1.1
> 
>             # Destination tunnel address (only needed when tunnel mode is selected)
>             dst_tunnel = 192.168.2.15
> */
>             # Policy priority
>             priority = 1000
>         }
> 
>         policy{
>             src_selector = 192.168.1.0/24
>             dst_selector = 192.168.1.0/24
>             ip_proto = icmp
>             dir = all
>             ipsec_proto = none
>         }
>     }
> 
> 
> ######################################################################################
> ##############################    PEER SECTION    ###################################
> ######################################################################################
> 
> #   There is a "peer" section for each differentiated peer identity group and role. For
> #   example, this section will be applied when the role is INITIATOR and peer ID is
> #   FQDN="openikev2-admin@dif.um.es" or IPv4="192.168.1.1" or IPv6="100::1"
> 
> 
>     peer{
>         # Peer IDs
>         # Supported types are "fqdn", "rfc822" and "ipaddr". "ipaddr" can be an IPv4 address, an IPv6
>         # address or a name to be resolved in the system DNS.
> /*
>         peer_id{
>             id_type = rfc822
>             id = openikev2-admin@dif.um.es
>         }
> */
>         peer_id{
>             id_type = ipaddr
>             id = 192.168.1.1
>         }
> /*
>         peer_id{
>             id_type = ipaddr
>             id = 100::1
>         }
> */
> 
>         # Our Role.
>         # Allowed values are "any", "initiator" or "responder". If you omit this parameter, "any" is assumed by default
>         role = any
> 
>         # These are the IKE_SA parameters when this peer section is applied
>         ike{
>             # This is the ID to be sent to the peer (same types as peer_id section. See above)
>             my_id{
>                 id_type = ipaddr
>                 id = 192.168.1.2
>             }
> 
>             # IKE proposal to be used (to be sent if initiator role or to be used in the selection process
>             # if responder role). The IKE proposal must have, at least, "encr", "integ", "prf" and "dh"
>             # transforms.
>             proposal{
>                 # You can choose one or more in order of preference of the following:
>                 #     des, 3des, aes128, aes192, aes256
>                 encr = {3des, des}
> 
>                 # You can choose one or more in order of preference of the following:
>                 #     hmac_md5, hmac_sha1
>                 integ = {hmac_sha1, hmac_md5}
> 
>                 # You can choose one or more in order of preference of the following:
>                 #     md5, sha1
>                 prf = {md5}
> 
>                 # You can choose one or more in order of preference of the following:
>                 #     1, 2
>                 dh = {2, 1}
>             }
> /*
>             # This is the address configuration section for Roadwarrior scenarios. If omitted no Roadwarrior is allowed
>             address_configuration{
>                 # This is the server side address configuration section
>                 server{
>                     # Method to obtain the remote address. You can choose one of the following
>                     #   none = No address configuration
>                     #   fixed = Get a random address with a prefix specified in this configuration file
>                     #   dhcp =  Get the address from a DHCP server (not implemented yet)
>                     method = none
> 
>                     # Subnets to be protected by the server. You must specify at least one (or both) of the following:
>                     protected_ipv4_subnet = 192.168.1.0/24
>                     protected_ipv6_subnet = 2005:100::/64
> 
>                     # When fixed method is applied, then you must specify at least one (or both) of the following:
>                     # Note that assigned address must not be inside of protected subnet
>                     fixed_ipv4_prefix = 192.168.2.0/24
>                     fixed_ipv6_prefix = 2005:200::/64
> 
>                     # If DHCP is the chosen method, then you must set the following attributes:
>                     dhcp_interface = eth0           # In which interface we want to look for a DHCP server.
> 
>                     dhcp_server_ip = 192.168.1.1    # The DHCP server IP address. It is optional.
>                                                     # Used to check if the found DHCP server is the desired one.
>                                                     # If it is not set, then no check is performed.
> 
>                     dhcp_timeout = 3                # Timeout in seconds
> 
>                     dhcp_retries = 3                # Number of retries to send a DHCP message
> 
> 
>                 }
>                 # This is the client side address configuration section
>                 client{
>                     # Indicates if client wants to request an internal address
>                     request_configuration = no
> 
>                     # If an IPv6 address is to be requested then a client could fix a suffix. The mask indicates the length of the suffix starting
>                     # from the end of the address
>                     request_ipv6_suffix = ::100/16
>                 }
>             }
> */
>             # Seconds before retransmitting an exchange request
>             retransmition_time = 5
> 
>             # Factor to increase retransmition_time after each retransmission
>             retransmition_factor = 2
> 
>             # Maximum number of exchange retransmissions before considering the peer dead and closing the IKE_SA
>             max_retries = 10
> 
>             # Lifetime of the IKE_SA
>             rekey_time = 60
> 
>             # Maximum time before forcing the original authentication initiator to close the IKE_SA and start again the
>             # initial exchanges (only used when acting as responder). 0 means no reauthentication.
>             reauth_time = 600
> 
>             # Initiator must use EAP authentication
>             initiator_uses_eap = no
> 
>             # Use UNAME notification (foo test notification)
>             use_uname = no
> 
>             # Authentication method. You can choose "psk" or "cert"
>             authentication_method = psk
> 
>             # Peer authentication method. If this parameter is not set, it takes the same value of authentication_method
>             peer_authentication_method = psk
> 
>             # Path to the preshared key to be used when using "psk" authentication method
>             preshared_key = "/etc/openikev2/key.txt"
> 
>             # Path to the peer preshared key to be used when using "psk" peer authentication method.
>             # If this parameter is not set, it takes the same value of preshared_key
>             peer_preshared_key = "/etc/openikev2/key.txt"
> 
>             # List of the certificates that can be used to authenticate us.
>             # A ".crt" is appended to obtain the real certificate filename and a ".key" is appended to obtain the real private key filename
>             # Both must be stored in PEM format.
>             # In addition, if you want to use HASH & URL certificates, it is needed to indicate the url where the certificate (in DER format)
>             # is located. The certificate3 uses this feature. Don't forget to enclose the whole string in double quotes (" ") to avoid
>             # parsing failures with the dashes.
>             # my_certificates = {certificate1, certificate2, "certificate3@http://server/cert.der"}
> 
>             # List of the CA certificates. A ".crt" is appended to obtain the real certificate filename
>             # They must be stored in PEM format
>             # ca_certificates = {ca_certificate1, ca_certificate2}
> 
>             # List of the peer trusted certificates. A ".crt" is appended to obtain the real certificate filename.
>             # It is also used to find the peer public key when he doesn't send any payload CERT
>             # cert_white_list = {cert1, cert2}
> 
>             # List of the peer black listed certificates. A ".crt" is appended to obtain the real certificate filename
>             # cert_black_list = {cert3, cert4}
> 
>             # Indicates if we support to retrieve HASH & URL certificates (only HTTP urls)
>             hash_url_support = no
> 
>             # Send CERT payload when needed
>             send_cert_payload = no
> 
>             # Send CERT_REQ payload when needed
>             send_cert_req_payload = no
>         }
> 
>         # These are the IPSEC_SA parameters when this peer section is applied
>         ipsec{
>             # ESP proposal to be used (to be sent if initiator role or to be used in the selection process
>             # if responder role). The ESP proposal must have, at least, "encr" and "integ" transforms.
>             # Optionally it can have a "pfs_dh" transform, if PFS is desired, and "use_esn" if ESN transform must be included
>             esp_proposal{
>                 encr = {3des, des}
>                 integ = {hmac_sha1}
>                 # pfs_dh = {2 ,1}
>                 # use_esn = no             # you can use "omit" (default), "yes" and "no" for this option
>             }
> 
>             # AH proposal to be used (to be sent if initiator role or to be used in the selection process
>             # if responder role). The AH proposal must have, at least, an "integ" transform.
>             # Optionally it can have a "pfs_dh" transform, if PFS is desired
>             ah_proposal{
>                 integ = {hmac_sha1}
>             }
> 
>             # The soft and hard lifetime of the IPSEC SA in seconds (default value = 0x0FFFFFFF)
>             lifetime_soft = 500
>             lifetime_hard = 800
> 
>             # The soft and hard lifetime of the IPSEC SA in bytes (default value = 0x0FFFFFFF)
>             max_bytes_soft = 1000000
>             max_bytes_hard = 1200000
>         }
>     }
> 
> 
> ######################################################################################
> ##############################  ANONYMOUS SECTION  ###################################
> ######################################################################################
> 
> #   This section is applied (if it exists) when the peer ID is not found in any previous
> #   peer section. The role must match. This section has the same parameters as "peer"
> #   sections, but it doesn't have any "peer_id" subsection.
> 
> /*
>     anonymous {
>         role = any
>         ike{
>             proposal{
>                 encr = {aes256}
>                 integ = {hmac_sha1}
>                 prf = {sha1}
>                 dh = {2}
>             }
> 
>             my_id{
>                 id_type = rfc822
>                 id = anonymous
>             }
> 
>             authentication_method = psk
>             preshared_key = "/etc/openikev2/key.txt"
>         }
> 
>         ipsec{
>             esp_proposal{
>                 encr = {3des}
>                 integ = {hmac_sha1}
>             }
>             ah_proposal{
>                 integ = {hmac_sha1}
>             }
> 
>             lifetime_soft = 500
>         }
> 
>     }
> */
> 
> 

_______________________________________________
openikev2-users mailing list
openikev2-users@dif.um.es
https://correo.dif.um.es/cgi-bin/mailman/listinfo/openikev2-users