Re: [Swan] VTI issue to SRX unable to send traffic through the interface
On Wed, 1 Nov 2017, Paul Tran wrote:

> RP_filter is disabled but the ipsec verify shows the same message about
> disabling it still (rp_filter is not fully aware of IPsec and should be
> disabled).

The "all" or "default" options only take effect on newly created
interfaces. So either manually disable each existing one, or restart the
networking (or reboot?)

> XfrmInStateMismatch 19

Are they not marked properly? Or routed into the VTI interface? But there
are XFRM policies in place for use -

    src 10.0.0.0/8 dst 192.168.0.0/16 uid 0
        dir out action allow index 177 priority 2864 ptype main share any flag (0x)
        mark 5/0xfff

so if you have a route into the vti device which has a key of 5, as shown
with "ip tunnel", then it should work provided the ping packet has a 10.*
source ip to 192.168.*.*.

Paul
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
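The two checks behind Paul's reply, written out as an added example (Python, not code from this thread or from libreswan): first, audit the per-interface rp_filter entries rather than trusting "all"/"default", since the existing interfaces have to be cleared one by one; second, parse "ip xfrm policy" output and test whether a given packet would hit the mark-restricted policy. The conf tree the audit walks is a constructed stand-in for /proc/sys/net/ipv4/conf so the script runs offline. The policy text is constructed around the selector, direction, index, priority and mark value quoted above; the mask 0xffffffff, the flag value and the tmpl line are assumptions. The rule encoded for the mark is that the packet's fwmark ANDed with the policy mask must equal the policy mark, and that a packet routed into a VTI device is looked up with the device's key as its mark, which is why a route into the key-5 vti is what makes the 10.* to 192.168.* ping match.

```python
"""Added example for the rp_filter and XFRM-mark points in the reply above.
Not libreswan code; sample data is constructed (see the lead-in)."""
import ipaddress
import os
import re
import tempfile


def rp_filter_status(conf_dir="/proc/sys/net/ipv4/conf"):
    """Map every interface directory under conf_dir to its rp_filter value."""
    status = {}
    for iface in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, iface, "rp_filter")
        if os.path.isfile(path):
            with open(path) as fh:
                status[iface] = int(fh.read().strip())
    return status


def interfaces_with_rp_filter(conf_dir="/proc/sys/net/ipv4/conf"):
    """Real interfaces whose own rp_filter is still non-zero: the entries
    that must be cleared by hand even after all/default were set to 0."""
    return [iface for iface, value in rp_filter_status(conf_dir).items()
            if value != 0 and iface not in ("all", "default")]


def build_fake_conf_tree():
    """Constructed conf tree: all/default already 0, but eth0 existed
    before the sysctl change and still carries rp_filter=1."""
    root = tempfile.mkdtemp(prefix="ipv4-conf-")
    for iface, value in (("all", 0), ("default", 0), ("eth0", 1), ("vti01", 0)):
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "rp_filter"), "w") as fh:
            fh.write(f"{value}\n")
    return root


# Constructed 'ip xfrm policy' output; mask, flag and tmpl line are assumed.
SAMPLE_POLICY_OUTPUT = """\
src 10.0.0.0/8 dst 192.168.0.0/16 uid 0
\tdir out action allow index 177 priority 2864 ptype main share any flag 0x00000000
\tmark 5/0xffffffff
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket out priority 0 ptype main
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"\bdir (\w+)")
MARK_RE = re.compile(r"\bmark (\S+)")


def parse_xfrm_policies(text):
    """Return {src, dst, dir, mark, mask} per policy that has a 'dir' line
    (per-socket policies without one are skipped)."""
    policies = []
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2)),
                             "dir": None, "mark": 0, "mask": 0})
            continue
        if not policies:
            continue
        cur = policies[-1]
        m = DIR_RE.search(line)
        if m:
            cur["dir"] = m.group(1)
        m = MARK_RE.search(line)
        if m:
            value, _, mask = m.group(1).partition("/")
            cur["mark"] = int(value, 0)
            # Assumption: a bare 'mark N' with no '/mask' means a full mask.
            cur["mask"] = int(mask, 0) if mask else 0xFFFFFFFF
    return [p for p in policies if p["dir"] is not None]


def match_policy(policies, src, dst, direction="out", fwmark=0):
    """First policy whose selector covers src/dst in that direction and
    whose mark equals the packet's fwmark under the policy mask."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in policies:
        if pol["dir"] != direction or src not in pol["src"] or dst not in pol["dst"]:
            continue
        if (fwmark & pol["mask"]) != (pol["mark"] & pol["mask"]):
            continue
        return pol
    return None


def would_be_protected(policies, src, dst, vti_key=None):
    """vti_key set: packet was routed into a VTI with that key, so the XFRM
    lookup runs with the key as the mark. None: plain interface, mark 0."""
    fwmark = 0 if vti_key is None else vti_key
    return match_policy(policies, src, dst, "out", fwmark) is not None


if __name__ == "__main__":
    print("rp_filter still on:", interfaces_with_rp_filter(build_fake_conf_tree()))
    pols = parse_xfrm_policies(SAMPLE_POLICY_OUTPUT)
    for key in (5, 6, None):
        print("vti key", key, "->", would_be_protected(pols, "10.1.1.1", "192.168.1.1", key))
```

Run against the real host by calling interfaces_with_rp_filter() with no argument and feeding parse_xfrm_policies() the text of "ip xfrm policy"; the interesting negative cases are a packet that leaves without the mark (no route into the vti) or with a different key, both of which miss the policy and show up as plaintext rather than ESP.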
[Swan-commit] Changes to ref refs/heads/master
New commits:

commit 892fa8c15a7db860d2d834d6be767c0e6124e7f7
Author: Andrew Cagney
Date:   Fri Nov 10 10:46:15 2017 -0500

    testing: add ikev1-impair-01-dup-incomming-packets

    When a machine is under load - taking time to get to each packet - the
    initiator will time out and start sending duplicates for each request.
    This simulates the scenario by overwhelming east's incoming queue with
    duplicates of all packets received. The test then checks that the
    duplicates are detected and either replied-to or discarded. Most
    important is the responder detecting duplicate initial requests (and
    not creating new states like was happening).

___
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit
[Swan-commit] Changes to ref refs/heads/master
New commits:

commit 04340e850cadd339dcf187815a73f3b5ea5be56e
Author: Andrew Cagney
Date:   Fri Nov 10 10:12:58 2017 -0500

    ikev1: when --impair dup-incoming-packets overwhelm the state with duplicates

    In tests, this will force the code capping re-transmits from duplicate
    packets to kick in.
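The behaviour the two commits above test for, as an added example (Python, not libreswan's code): a toy responder that recognises a retransmitted request by its identifiers, re-sends the cached reply only up to a cap, and never creates a second state for the same initiator, plus a flood() helper that delivers every packet several times back to back in the spirit of the dup-incoming-packets impair. The packet fields (initiator cookie, message id, payload), the reply format and the cap value are hypothetical; only the rule itself is taken from the commit messages.

```python
"""Added example: toy responder-side duplicate handling. Not libreswan
code; packet layout, reply format and the cap are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class State:
    """Responder state for one initiator, keyed by its cookie."""
    icookie: bytes
    replies: dict = field(default_factory=dict)      # msgid -> cached reply
    dup_replies: dict = field(default_factory=dict)  # msgid -> retransmits sent


class Responder:
    def __init__(self, max_dup_replies=2):
        self.max_dup_replies = max_dup_replies  # hypothetical retransmit cap
        self.states = {}                         # icookie -> State
        self.actions = []                        # audit trail: (action, msgid)

    @staticmethod
    def build_reply(msgid, payload):
        """Hypothetical stand-in for real exchange processing."""
        return b"REPLY:%d:" % msgid + payload

    def handle(self, icookie, msgid, payload):
        """Process one request. Returns the bytes to send, or None when a
        duplicate is dropped because the cap has been reached."""
        state = self.states.get(icookie)
        if state is None:
            # First packet from this initiator: exactly one state is created.
            state = self.states[icookie] = State(icookie)
        cached = state.replies.get(msgid)
        if cached is not None:
            # Same request again: do not process it twice and do not create
            # a new state; retransmit the cached reply a bounded number of
            # times, then discard.
            if state.dup_replies[msgid] < self.max_dup_replies:
                state.dup_replies[msgid] += 1
                self.actions.append(("retransmit", msgid))
                return cached
            self.actions.append(("discard", msgid))
            return None
        reply = self.build_reply(msgid, payload)
        state.replies[msgid] = reply
        state.dup_replies[msgid] = 0
        self.actions.append(("new", msgid))
        return reply


def flood(responder, packets, copies):
    """Deliver every (icookie, msgid, payload) 'copies' times in a row, as an
    overloaded initiator's retransmits would arrive, and return how many
    times the responder took each action."""
    for icookie, msgid, payload in packets:
        for _ in range(copies):
            responder.handle(icookie, msgid, payload)
    counts = {}
    for action, _ in responder.actions:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    r = Responder()
    # Constructed traffic: two requests from one initiator, each four times.
    print(flood(r, [(b"\x01" * 8, 0, b"SA"), (b"\x01" * 8, 1, b"KE")], copies=4))
    print("states created:", len(r.states))
```

With the cap at 2 and four copies of each request, each request yields one new reply, two retransmissions and one discard, and the state table still holds a single entry for that initiator; without the cache lookup every copy would have created a fresh state, which is the failure the first commit describes.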
Re: [Swan] Forward of moderated message
In git master this is fixed. We will release 3.23 soon.

Sent from my iPhone

> On Nov 10, 2017, at 18:35, Ivan Kuznetsov wrote:
>
> Hello
>
> Yes I hit the same problem with libreswan-3.22-2.el6_9.i686 rpm:
>
> [root@pine ipsec.d]# ipsec setup start
> Redirecting to: service ipsec start
> Starting pluto IKE daemon for IPsec: . [FAIL ]
> [root@pine init.d]# ipsec pluto --config /etc/ipsec.conf
> pluto: FATAL: unable to create lock dir: "/run/pluto/": No such file or directory
> Nov 10 15:54:04: | crl fetch request list locked by 'free_crl_fetch'
> Nov 10 15:54:04: | crl fetch request list unlocked by 'free_crl_fetch'
>
> It seems that there is a typo in libreswan.spec
>
> 10.11.2017 07:42, Paul Wouters wrote:
>>> The binary package for RHEL/CentOS 6 in the LibreSWAN repository
>>> appears to have been built with the RHEL/CentOS 7 directory structure
>>> for the PID and socket files; upon upgrading the ipsec service would
>>> no longer start, with a "pluto apparently already running (?!?)" error.
>>>
>>> Some troubleshooting indicated that pluto was trying to write to
>>> /run/pluto (which doesn't exist) instead of /var/run/pluto.
>>>
>>> A quick symlink from /run to /var/run allows the ipsec service to
>>> start successfully, but the package should be fixed.
>> We had noticed that and released 3.22-2 packages. Is this still a
>> problem?
>> Paul
>
> --
> Ivan Kuznetsov
> SOLVO ltd
Re: [Swan] Forward of moderated message
Hello

Yes I hit the same problem with libreswan-3.22-2.el6_9.i686 rpm:

    [root@pine ipsec.d]# ipsec setup start
    Redirecting to: service ipsec start
    Starting pluto IKE daemon for IPsec: . [FAIL ]
    [root@pine init.d]# ipsec pluto --config /etc/ipsec.conf
    pluto: FATAL: unable to create lock dir: "/run/pluto/": No such file or directory
    Nov 10 15:54:04: | crl fetch request list locked by 'free_crl_fetch'
    Nov 10 15:54:04: | crl fetch request list unlocked by 'free_crl_fetch'

It seems that there is a typo in libreswan.spec

10.11.2017 07:42, Paul Wouters wrote:
>> The binary package for RHEL/CentOS 6 in the LibreSWAN repository
>> appears to have been built with the RHEL/CentOS 7 directory structure
>> for the PID and socket files; upon upgrading the ipsec service would
>> no longer start, with a "pluto apparently already running (?!?)" error.
>>
>> Some troubleshooting indicated that pluto was trying to write to
>> /run/pluto (which doesn't exist) instead of /var/run/pluto.
>>
>> A quick symlink from /run to /var/run allows the ipsec service to
>> start successfully, but the package should be fixed.
> We had noticed that and released 3.22-2 packages. Is this still a
> problem?
> Paul

--
Ivan Kuznetsov
SOLVO ltd