[Openswan Users] Minimal working ipsec.config

Panagiotis Tamtamis tamtamis at gmail.com
Mon Feb 6 14:42:53 EST 2012


Hi

Using a shell script is doable, but you will need to put some stall time
between start and stop in order to give Openswan time to fully stop and
start.

You can check if you successfully made a tunnel with the command "ip [-s]
xfrm state", with -s optional in order to get more details.
You must have at least 2 entries. But "ip xfrm state" only shows you
the established SAs.

You need to have configured SPDs, and you can see them with the command "ip
[-s] xfrm policy".

There you must see at least 3 entries, for the "in", "out" and "fwd" directions.
Everything is done automatically by Openswan. But if you have these
values there, then you know that your tunnel is up from the kernel's point of view.


I hope it was helpful.

Best regards,
Tamis

2012/1/31 satpal parmar <systems.satpal at gmail.com>

> Hi All!
>
> I am facing a small problem. I have ipsec running on two Linux boxes.
> Now I want to connect them through ipsec tunnels. I built a small
> script for this, as you have to type them every time for a connection:
>
> #!/bin/sh
>
> service ipsec stop
> service ipsec start
> ipsec auto --add test
> ipsec auto --up test
>
> I have this on both sides of my connections. My problem is that when I run
> it I get the following message very often:
>
>
> root at vnl-desktop:~# ./ipsec_restart.sh
> ipsec_setup: Stopping Openswan IPsec...
> ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-33-generic...
> 024 need --listen before --initiate
>
> Many times I get:
>
> root at R3BTS-CP-PFS1.0# /etc/init.d/ipsec status
> IPsec running  - pluto pid: 2807
> pluto pid 2807
> 1 tunnels up
> some eroutes exist
>
>
> And in random cases I get:
>
> root at R3BTS-CP-PFS1.0# /etc/init.d/ipsec status
> IPsec running  - pluto pid: 2807
> pluto pid 2807
> 2 tunnels up
> some eroutes exist
>
>
> At times I also get:
> root at R3BTS-CP-PFS1.0# /etc/init.d/ipsec start
> ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.37-svn5271...
> ipsec_setup: no default routes detected
>
> I want to automate the whole connection with a 100% success rate for the
> connection (both sides' SAs). I need help in building a minimal
> ipsec.config which will not return unless there is a connection when I
> issue "/etc/ipsec.d/start".
>
> Possible cases I see I might have to handle in my config:
>
> a) No IPsec running on the other side, or the other side is down. I will wait
> till the box and ipsec are up on the other side.
>
> b) No connection 'test' in the config on the other side. I will wait till the admin adds
> that.
>
> c) Connection 'test' is not up. Wait till it is up.
>
> So, to say it again, I do not report partial success or failure, and
> retry/wait till I have both sides' SAs. Is it possible to build
> such an ipsec config? Are there any security-related flaws in this
> scheme?
>
> Appreciate any input.
>
> -SP



-- 
Think simple!
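The kernel-side check Tamis describes (at least 2 entries in "ip xfrm state", and "in", "out" and "fwd" entries in "ip xfrm policy") is easy to script, and it is a better "tunnel is up" signal for SP's restart script than the "N tunnels up" line from the init script status. The following is an added example, not code from either post or from the Openswan project: it parses the two iproute2 outputs, decides whether the tunnel is up by Tamis's criteria, and polls with a stall time between attempts. The sample SA and policy outputs are constructed here for illustration (RFC 5737 addresses, made-up SPIs); on a real host, `tunnel_up` runs the live `ip xfrm` commands, which needs iproute2 and normally root.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): verify an IPsec tunnel
# from the kernel's point of view by counting SAs and SPD entries.

# Constructed sample of `ip xfrm state` output: two SAs (one per direction).
# Addresses are RFC 5737 documentation ranges; SPIs and keys are made up.
SAMPLE_STATE='src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x0000a001 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x0123456789abcdef0123456789abcdef01234567 96
    enc cbc(aes) 0x00112233445566778899aabbccddeeff
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x0000b002 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x76543210fedcba9876543210fedcba9876543210 96
    enc cbc(aes) 0xffeeddccbbaa99887766554433221100'

# Constructed sample with only one SA: half-established, must NOT count as up.
SAMPLE_STATE_ONE_SA='src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x0000a001 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec'

# Constructed sample of `ip xfrm policy` output: out, fwd and in policies.
SAMPLE_POLICY='src 10.0.1.0/24 dst 10.0.2.0/24
    dir out priority 2344 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16385 mode tunnel
src 10.0.2.0/24 dst 10.0.1.0/24
    dir fwd priority 2344 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
src 10.0.2.0/24 dst 10.0.1.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel'

# Number of SAs: every SA entry begins with an unindented "src ... dst ..." line.
# grep -c prints 0 (exit 1) when nothing matches, hence the "|| true".
count_sa_entries() {
    printf '%s\n' "$1" | grep -c '^src ' || true
}

# Number of SPD entries for one direction (in, out or fwd).
count_policy_dir() {
    printf '%s\n' "$1" | grep -c "^[[:space:]]*dir $2 " || true
}

# Tunnel is up by Tamis's criteria: >= 2 SAs and a policy for each direction.
# Arguments: $1 = `ip xfrm state` output, $2 = `ip xfrm policy` output.
tunnel_up_from_output() {
    sa=$(count_sa_entries "$1")
    [ "$sa" -ge 2 ] || return 1
    for dir in in out fwd; do
        n=$(count_policy_dir "$2" "$dir")
        [ "$n" -ge 1 ] || return 1
    done
    return 0
}

# Live check on this host (needs iproute2; reading xfrm state usually needs root).
tunnel_up() {
    tunnel_up_from_output "$(ip xfrm state 2>/dev/null)" "$(ip xfrm policy 2>/dev/null)"
}

# Poll until the tunnel is up, with a stall time between attempts, so a
# restart script can wait for the peer instead of reporting partial success.
# Arguments: $1 = max attempts (default 30), $2 = seconds between attempts (default 2).
wait_for_tunnel() {
    attempts="${1:-30}"
    delay="${2:-2}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        tunnel_up && return 0
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Demonstration against the constructed samples (no root needed).
if tunnel_up_from_output "$SAMPLE_STATE" "$SAMPLE_POLICY"; then
    echo "sample: tunnel up (2 SAs, in/out/fwd policies present)"
fi
if ! tunnel_up_from_output "$SAMPLE_STATE_ONE_SA" "$SAMPLE_POLICY"; then
    echo "sample with one SA: tunnel NOT up"
fi
```

In SP's restart script the natural use is `service ipsec start; ipsec auto --add test; ipsec auto --up test; wait_for_tunnel 30 2 || exit 1`, so the script only returns success once both directions' SAs and all three policy directions exist, which is the "both side SAs" condition SP asked for, checked against the kernel rather than against pluto's own status text.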