On Mon, 3 Oct 2022, Uday Raj wrote:
Subject: [Swan] Create multi encryption domain via ipsec whack command
I am creating a multi encryption domain in ipsec via the command below, but the
command is throwing an error.
Could you please let me know how to create a MED in ipsec via whack commands?
Command:
/usr/ipsec whack --name Tunnel1 --encrypt --tunnel --pfs --delete --psk \
--host 10.0.15.251 --client 10.0.15.251/32 --id 10.0.15.251 \
--updown "ipsec _updown" \
--to \
--host 10.10.0.1 --client {10.10.0.1/32,10.196.90.128/31} --id 10.10.0.1 \
--updown "ipsec _updown" \
--ike "aes192,3des" --esp "aes192,3des" \
--ikelifetime 3600 \
--ipseclifetime 28800 --rekeywindow 540 --keyingtries 10 --ikev1-allow/sbin

The way this currently works is that connections are instantiated by the
parser. So in a config file with conn "test" containing

leftsubnets={10.10.0.1/32,10.196.90.128/31}

we actually expand that to two conns named "test/1x0" and "test/2x0".

Ideally, you do not use whack but create a file in /etc/ipsec.d/test.conf and
have an include for /etc/ipsec.d/*.conf in /etc/ipsec.conf. Is there any reason
why you are using "ipsec whack" directly instead?

If you really need to use whack, you need to emulate the expansion the
parser does for you:

/usr/ipsec whack --name Tunnel1a --encrypt --tunnel --pfs --delete --psk \
--host 10.0.15.251 --client 10.0.15.251/32 --id 10.0.15.251 \
--updown "ipsec _updown" \
--to \
--host 10.10.0.1 --client 10.10.0.1/32 --id 10.10.0.1 \
--updown "ipsec _updown" \
--ike "aes192,3des" --esp "aes192,3des" \
--ikelifetime 3600 \
--ipseclifetime 28800 --rekeywindow 540 --keyingtries 10 --ikev1-allow/sbin
/usr/ipsec whack --name Tunnel1b --encrypt --tunnel --pfs --delete --psk \
--host 10.0.15.251 --client 10.0.15.251/32 --id 10.0.15.251 \
--updown "ipsec _updown" \
--to \
--host 10.10.0.1 --client 10.196.90.128/31 --id 10.10.0.1 \
--updown "ipsec _updown" \
--ike "aes192,3des" --esp "aes192,3des" \
--ikelifetime 3600 \
--ipseclifetime 28800 --rekeywindow 540 --keyingtries 10 --ikev1-allow/sbin
Paul
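
The expansion Paul describes, scripted so it does not have to be done by hand: an added example, not code from this thread or from libreswan. It takes a conn name, the two hosts and a subnet list per side (a single subnet or a "{a,b,...}" list, as in ipsec.conf) and prints one "ipsec whack" line per left/right pair. The "NAME/LxR" naming follows the "test/1x0", "test/2x0" names quoted in the reply for a left-side list; using index 0 for a side given as a single subnet and applying the same scheme to a right-side list is an assumption, as are the function names. Nothing is executed: the lines are printed so they can be reviewed first and then piped to sh.

```shell
#!/bin/sh
# Added example (not from the libreswan thread or project): emulate the ipsec.conf
# parser's expansion of a {a,b,...} subnet list into one whack invocation per
# left/right subnet pair, which the reply says you must do when using whack directly.

# Split "{a,b,c}", "a,b,c" or a single "a" into one subnet per line.
split_subnets() {
    printf '%s\n' "$1" | tr -d '{} ' | tr ',' '\n' | sed '/^$/d'
}

# Index used in the conn name: 0 when the side was given as a single subnet
# (the parser's "subnet=" form), 1-based position when it was a "{...}" list.
# The left-side numbering matches "test/1x0", "test/2x0" in the reply; using the
# same scheme for a right-side list is an assumption.
side_index() {
    case $1 in
        \{*\}) echo "$2" ;;
        *) echo 0 ;;
    esac
}

# gen_whack_cmds NAME LEFT_HOST LEFT_SUBNETS RIGHT_HOST RIGHT_SUBNETS [EXTRA_OPTS...]
# Prints one "ipsec whack --name NAME/LxR ..." line per subnet pair; EXTRA_OPTS
# (ike/esp algorithms, lifetimes, --psk, ...) are appended verbatim to each line.
gen_whack_cmds() {
    name=$1 lhost=$2 lsubs=$3 rhost=$4 rsubs=$5
    shift 5
    extra=$*
    li=0
    for l in $(split_subnets "$lsubs"); do
        li=$((li + 1))
        ri=0
        for r in $(split_subnets "$rsubs"); do
            ri=$((ri + 1))
            printf 'ipsec whack --name %s/%sx%s --encrypt --tunnel --pfs' \
                "$name" "$(side_index "$lsubs" "$li")" "$(side_index "$rsubs" "$ri")"
            printf ' --host %s --client %s --id %s --to --host %s --client %s --id %s' \
                "$lhost" "$l" "$lhost" "$rhost" "$r" "$rhost"
            if [ -n "$extra" ]; then printf ' %s' "$extra"; fi
            printf '\n'
        done
    done
}

# How many conns a pair of subnet lists expands to (handy as a sanity check
# before loading: the count must match what "ipsec status" later shows).
count_conns() {
    gen_whack_cmds "$@" | wc -l | tr -d ' '
}

# Constructed sample using the addresses from the thread: one subnet on the left,
# two on the right, so two conns (Tunnel1/0x1 and Tunnel1/0x2) are generated.
if [ "${1:-}" = "--demo" ]; then
    gen_whack_cmds Tunnel1 10.0.15.251 10.0.15.251/32 \
        10.10.0.1 '{10.10.0.1/32,10.196.90.128/31}' \
        --psk --ike aes192,3des --esp aes192,3des --ikelifetime 3600 --ipseclifetime 28800
fi
```

Run with "--demo" to see the two generated lines; to load them, pipe the output to sh (the script deliberately prints rather than executes, so the expansion can be checked against the conn names the parser would have produced before anything is sent to pluto).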
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan