IPsec not working - Please help urgent request ! #103
Comments
Neither left= nor right= is identified with your machine. You must configure either left= or right= with an IP address (or hostname resolving to an IP address) that is locally on the machine. If that local address is dynamic, use the magic value "%defaultroute". If you are on AWS, you cannot have identical configuration files, because on the AWS side you need to use (if AWS is left) left=%defaultroute with leftid=elasticip (if using IP as ID). See also: https://libreswan.org/wiki/Interoperability#Amazon_EC2
We are creating a VM instance on Google Cloud Platform running CentOS 7 / Openswan and the customer is having Checkpoint. Can you please send us the exact configuration to put in the ipsec.conf file on the Google VM instance and the customer Checkpoint configuration, as we have some doubt with the example. We will be highly obliged to you. Thanks
Bud you need to NAT one side. You can't have the same left/right subnet. On Tuesday, December 30, 2014, ashutosh1701204 notifications@github.com
Hi, can you please confirm if the below configuration is correct on Google. Please note we have DB and APP servers, customer AD/SSO server will [root@redhat-1 ~]# more /etc/ipsec.d/ipsec.conf On Wed, Dec 31, 2014 at 12:59 PM, Ben Irving notifications@github.com
Leftsubnet and rightsubnet ranges will be modified later, but please confirm. Thanks. On Wed, Dec 31, 2014 at 1:07 PM, Ashutosh Adhikari <
Now we are getting this error. On Wed, Dec 31, 2014 at 1:09 PM, Ashutosh Adhikari <
Why are you using Openswan on CentOS 7? CentOS 7 is based on RHEL 7, which obsoleted Openswan for Libreswan. Clearly you cannot use the same subnet on both ends, so you must change that.
Is it ok to use CentOS 6? Can you please give us the exact output of Please help us.
Apart from the bad identical subnet, the config looks fine, assuming all entries of the conn are indented. Which is why I asked you to run those commands that will show errors.
You can use CentOS 6 or CentOS 7 with Openswan.
If you wish for a CentOS 7 RPM of Openswan, you can download it here: https://download.openswan.org/rhel7/x86_64/openswanX-2.6.43-2.1.x86_64.rpm You can install this version if you wish, but the description of your problem does point towards a configuration error, and letoams and puravidahope are trying to help you.
Note that 2.6.42 seems to be the latest release. Not sure what the 2.6.43 RPMs are. I guess a pre-release.
Can we use CentOS 6? Which version of Openswan works? Please let us know.
@ashutosh1701204 Your problem is configuration, not the version of Openswan. The version you are currently running, 2.6.32, will work once you have answered letoams' questions and implemented whatever suggestions we may have. You can use Openswan 2.6.32, or 2.6.42, on CentOS 6. All of them will work. Please show us the configuration that you are currently using.
The configuration file is given below. We will use a different version but
This is the error we get while running the command below.
Hi all, I am running Libreswan 3.23 on CentOS 7 on Google Cloud. The tunnel is not connecting; it hangs in phase 2 and keeps reconnecting. When pinged from the other network the tunnel sometimes gets connected, and it doesn't connect when ipsec restarts.
On Fri, 15 Jun 2018, Dinuka Salwathura wrote:
> I am running Libreswan 3.23 on Cent OS 7 on google cloud,

So this question really belongs to the libreswan github repository,
not the old openswan legacy code.

> conn ez-cash
> leftsourceip=35.229.xx.xx
> left=10.142.0.4
> leftsubnet=10.142.0.0/24

leftsourceip should be an ip from your leftsubnet. The one that's on
the libreswan machine itself.

You also need to ensure traffic from leftsubnet to rightsubnet is not
NAT'ed by accident.

Paul
Thank you for the response, but when the tunnel is ip communication is NAT'ed
On Jun 16, 2018, at 02:42, Dinuka Salwathura ***@***.***> wrote:
> Thank you for the response,
> unfortunately traffic is NAT'ed, so I cannot use libreswan if traffic is NAT'ed?

Of course you can, you need to exclude those from NAT using iptables. See the libreswan FAQ.
This is the output of "watch -n0.5 ipsec status"
@dinukasal as you have noted, this issue is on Libreswan. As such, I will be locking this closed issue. If you have any Openswan specific issues, please feel free to open a new issue.
```
[root@redhat-1 ~]# ipsec auto --up myconnect
022 "myconnect": We cannot identify ourselves with either end of this connection
```
We have the same configuration on both gateway servers.
Once this setup works we need to set up an IPsec tunnel between the CentOS 7 machine and Checkpoint.
Please send a KB article or let us know how we can achieve this.
```
[root@redhat-1 ~]# more /etc/ipsec.d/ipsec.conf
conn myconnect
    type=tunnel
    left=104.155.211.218
    leftsubnet=10.240.0.0/16
    right=104.155.216.232
    rightsubnet=10.240.0.0/16
    keyexchange=ike
    auth=esp
    auto=start
    authby=secret
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
[root@redhat-1 ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-504.3.3.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Testing against enforced SElinux mode                           [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
[root@redhat-1 ~]#
```
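As an added example (not from this thread and not Openswan or Libreswan code), a small Python checker for the three configuration mistakes the replies above point at: neither left nor right being an address the gateway actually holds (cloud instances on GCP or AWS do not have their public IP on an interface, which is why %defaultroute plus leftid is the usual answer), identical left/right subnets, and a leftsourceip outside leftsubnet. The sample conn is the one from this issue with proper indentation, and the set of local addresses is a constructed input.

```python
"""Sanity checks for an ipsec.conf conn, covering the three mistakes raised
in this thread: no locally held left/right address ("cannot identify
ourselves"), overlapping subnets, and leftsourceip outside leftsubnet."""
import ipaddress

# Constructed sample: the conn from this issue, indented as ipsec.conf requires.
SAMPLE_CONF = """\
conn myconnect
    type=tunnel
    left=104.155.211.218
    leftsubnet=10.240.0.0/16
    right=104.155.216.232
    rightsubnet=10.240.0.0/16
    authby=secret
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header, e.g. "conn myconnect"
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None:  # indented key=value inside the section
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return conns

def check_conn(conn, local_ips):
    """Return the problems found in one conn. local_ips is the set of
    addresses configured on this gateway's interfaces (assumed input)."""
    problems = []
    ends = (conn.get("left", ""), conn.get("right", ""))
    if not any(e == "%defaultroute" or e in local_ips for e in ends):
        problems.append("neither left nor right is a local address or %defaultroute")
    try:
        lnet = ipaddress.ip_network(conn["leftsubnet"])
        rnet = ipaddress.ip_network(conn["rightsubnet"])
    except KeyError as missing:
        return problems + [f"missing {missing.args[0]}"]
    if lnet.overlaps(rnet):
        problems.append("leftsubnet and rightsubnet overlap")
    src = conn.get("leftsourceip")
    if src and ipaddress.ip_address(src) not in lnet:
        problems.append("leftsourceip is not inside leftsubnet")
    return problems
```

Running `check_conn(parse_conns(SAMPLE_CONF)["myconnect"], {"10.240.0.3"})` reports both the local-address and the overlapping-subnet problem, matching the two errors the thread works through.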