[Openswan Users] Minimal working ipsec.config

Thulium Thulium at bichtoubard.com
Tue Jan 31 07:07:13 EST 2012


Please remove me from distribution list.


On Tue, 31 Jan 2012 16:30:44 +0530, satpal parmar
<systems.satpal at gmail.com> wrote:
> Hi All!
> 
> I am facing a small problem. I have ipsec running on two Linux boxes.
> Now I want to connect them through ipsec tunnels. I built a small
> script for this, as you have to type the commands every time for a connection:
> 
> #!/bin/sh
> 
> service ipsec stop
> service ipsec start
> ipsec auto --add test
> ipsec auto --up test
> 
> I have this on both sides of my connection. My problem is that when I run
> it I get the following message very often:
> 
> 
> root at vnl-desktop:~# ./ipsec_restart.sh
> ipsec_setup: Stopping Openswan IPsec...
> ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-33-generic...
> 024 need --listen before --initiate
> 
> Many times in a while I get:
> 
> root at R3BTS-CP-PFS1.0# /etc/init.d/ipsec status
> IPsec running  - pluto pid: 2807
> pluto pid 2807
> 1 tunnels up
> some eroutes exist
> 
> 
> And in random cases I get:
> 
> root at R3BTS-CP-PFS1.0# /etc/init.d/ipsec status
> IPsec running  - pluto pid: 2807
> pluto pid 2807
> 2 tunnels up
> some eroutes exist
> 
> 
> At times I also get:
> root at R3BTS-CP-PFS1.0# /etc/init.d/ipsec start
> ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.37-svn5271...
> ipsec_setup: no default routes detected
> 
> I want to automate the whole connection with a 100% success rate for the
> connection (both sides' SAs). I need help in building a minimal
> ipsec.config which will not return unless there is a connection when I
> issue "/etc/ipsec.d/start".
> 
> Possible cases I see I might have to handle in my config:
> 
> a) No IPsec running on the other side or the other side is down. I will wait
> till the box and ipsec are up on the other side.
> 
> b) No connection 'test' in the config on the other side. I will wait till the admin
> adds that.
> 
> c) Connection 'test' is not up. Wait. Till it is up.
> 
> So, to say it again: I do not report partial success or failure, and
> retry/wait till I have both sides' SAs. Is it possible to build
> such an ipsec config? Are there any security related flaws in this
> scheme?
> 
> Appreciate any input.
> 
> -SP
> _______________________________________________
> Users at lists.openswan.org
> http://lists.openswan.org/mailman/listinfo/users
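One way to script the retry loop the question asks for, as an added example that is not part of this thread: it classifies what `ipsec auto --up` prints, confirms the "N tunnels up" line from the status report, and bounds the number of attempts so the script cannot hang forever; cases (a) to (c) are all handled by simply retrying until the peer answers. Assumed: the connection name `test`, the `024 need --listen before --initiate` line quoted in the thread, and Openswan's usual `IPsec SA established` success line (not shown in the thread).

```shell
#!/bin/sh
# Added example, not from the original post: retry "ipsec auto --up" until
# Openswan reports the SA established and "N tunnels up" shows N >= 1, rather
# than firing --up once right after "service ipsec start". Assumed: conn name
# "test", the "024 need --listen" line quoted in the thread, Openswan's usual
# "IPsec SA established" success line, and a bounded MAX_TRIES so it never hangs.
CONN=${CONN:-test}
MAX_TRIES=${MAX_TRIES:-24}     # 24 attempts x 5 s = about 2 minutes
INTERVAL=${INTERVAL:-5}

# up_result OUTPUT: classify what "ipsec auto --up" printed.
up_result() {
    case "$1" in
        *"need --listen before --initiate"*) echo notready ;;    # pluto not ready yet
        *"IPsec SA established"*)            echo established ;; # phase 2 done
        *)                                   echo failed ;;      # peer down, no conn, etc.
    esac
}

# tunnels_up STATUS_TEXT: print the N from "N tunnels up", or 0 if absent.
tunnels_up() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) tunnels up.*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Retry --up until both pluto and the status report agree the tunnel is up.
wait_for_conn() {
    i=0
    while [ "$i" -lt "$MAX_TRIES" ]; do
        i=$((i + 1))
        out=$(ipsec auto --up "$CONN" 2>&1)
        case "$(up_result "$out")" in
            established)
                if [ "$(tunnels_up "$(/etc/init.d/ipsec status 2>&1)")" -ge 1 ]; then
                    echo "conn $CONN up after $i attempt(s)"
                    return 0
                fi ;;
            notready) echo "attempt $i: pluto not listening yet" ;;
            failed)   echo "attempt $i: $(printf '%s\n' "$out" | tail -n 1)" ;;
        esac
        sleep "$INTERVAL"
    done
    echo "giving up on $CONN after $MAX_TRIES attempts" >&2
    return 1
}
# Only touch the system when invoked as "./ipsec_restart.sh --run".
if [ "${1:-}" = "--run" ]; then
    service ipsec restart && ipsec auto --add "$CONN" && wait_for_conn
fi
```

The exit status of `wait_for_conn` is what a caller should check: 0 only when the SA is established and the status report counts a tunnel, 1 after the bounded retries are exhausted.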

