<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<blockquote cite="mid6c18a4f0503060940175fab52@mail.gmail.com"
type="cite">
<pre wrap="">Are you really sure that you're using KLIPS? Neither RHES3 nor Centos4
nor the openswan-2.3.0-1rhel rpm contain KLIPS. Can you check with
"lsmod" if you have a module named "ipsec" loaded?
Bye,
Bernd.</pre>
</blockquote>
Working a bit more with Bernd, we find that I wasn't using KLIPS - I
was using af_key. I spent yesterday getting KLIPS (2.3.1dr3) to
compile and run on RHES 3. I spent today trying to get KLIPS running
on RHES 3.0 and CentOS 4.0, and failed. I can get it up and running,
but no matter what I do, pluto keeps saying that there are "no public
interfaces found". Googling was no help - everyone was misconfigured
in a different way or had two interfaces with the same IP. <br>
<br>
Here's the configuration I was using (just testing stuff):<br>
<br>
192.168.0.0/24 &lt;===== GW =====&gt; 10.0.0.0/8<br>
<br>
The 10.x.x.x (right) network is an untrusted network with N
road-warriors using a common PSK; the 192.168.x.x (left) net contains
services the road-warriors use (l2tp is involved on the backend, but
the IPsec stuff is what's not working).<br>
<br>
<blockquote><u><b>ifconfig:</b></u><br>
<pre>eth0      Link encap:Ethernet  HWaddr 00:06:5B:05:CD:8A
          inet addr:10.0.0.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:06:5B:05:CD:89
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
</pre>
<u><b>route:</b></u><br>
<pre>Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.0.0.0        *               255.0.0.0       U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
</pre>
<u><b>ipsec.conf:</b></u><br>
<pre>version 2.0

include /etc/ipsec.d/examples/no_oe.conf

config setup
        interfaces="ipsec0=eth0"
        klipsdebug="eroute esp"
        plutodebug="lifecycle control"
        plutoopts="--interface eth0"
        forwardcontrol=yes
        myid=10.0.0.1

conn testvpn
        left=10.0.0.1
        leftid=%myid
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        auto=add
        ike=aes,3des
        esp=aes,3des
        authby=secret
        pfs=no
        dpddelay=15
        dpdtimeout=300
        dpdaction=clear
        keylife=3h
        keyingtries=10
        compress=yes
</pre>
The curious/sad/funny thing is, when I'm using KLIPS, pluto
comes up and says that it can't find any public interfaces ("003 no
public interfaces found"); it still 'binds' ipsec0 to eth0, but there's
nothing really listening on that IP (validated with nmap -sU 10.0.0.1,
doesn't show port 500 open). If I stop ipsec, modprobe af_key, and
re-start it, everything works perfectly (again, validated with nmap and
a successful client connection negotiation).<br>
<br>
So, who's going to point out my glaring mistake? Or could I have
actually found a problem?<br>
</blockquote>
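The two checks this thread turns on are Bernd's "is a module named ipsec loaded?" and the poster's "is anything actually listening on UDP/500 on the gateway address?". The script below is an added helper written for this page; it is not from the original mail, from Openswan, or from either participant. Each function reads the output of the relevant command (<tt>lsmod</tt>, <tt>netstat -lun</tt>) on stdin so it can be exercised offline against the constructed sample outputs embedded in it; the sample module and socket lines are made up for illustration and were not captured from the poster's gateway.<br>

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original mail or of Openswan).
# It encodes the two checks the thread relies on: "lsmod: is there a module
# named ipsec?" (KLIPS) and "is a UDP socket bound to <gateway-addr>:500?"
# (the local-side equivalent of the poster's nmap -sU check).
# Each function reads the command's output on stdin so it can be run
# offline against constructed samples.

# Classify the loaded IPsec stack from `lsmod` output:
#   klips  -> a module named "ipsec" is loaded (KLIPS)
#   netkey -> "af_key" is loaded, i.e. the native 2.6 stack reached via PF_KEY
#   none   -> neither is present
detect_ipsec_stack() {
    awk '
        $1 == "ipsec"  { klips = 1 }
        $1 == "af_key" { netkey = 1 }
        END {
            if (klips)       print "klips"
            else if (netkey) print "netkey"
            else             print "none"
        }'
}

# From `netstat -lun` output, print "yes" if a UDP socket is bound to
# <addr>:500 or to the wildcard 0.0.0.0:500, otherwise "no".
# Column 4 of netstat's UDP lines is the local address.
ike_listening() {
    awk -v a="$1" '
        $1 == "udp" && ($4 == (a ":500") || $4 == "0.0.0.0:500") { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Constructed sample outputs (illustrative, not captured from a real host).
SAMPLE_LSMOD_KLIPS='Module                  Size  Used by
ipsec                 298000  0
e100                   35000  0'
SAMPLE_LSMOD_NETKEY='Module                  Size  Used by
af_key                 30000  0
esp4                   10000  0'
SAMPLE_NETSTAT_NOIKE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:111             0.0.0.0:*'
SAMPLE_NETSTAT_IKE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 10.0.0.1:500            0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# With --live <addr> the checks run against this host; otherwise they run
# against the samples above, so the script is safe to execute anywhere.
if [ "${1:-}" = "--live" ]; then
    printf 'stack: %s\n' "$(lsmod | detect_ipsec_stack)"
    printf 'IKE on %s: %s\n' "${2:-10.0.0.1}" "$(netstat -lun | ike_listening "${2:-10.0.0.1}")"
else
    printf 'sample klips lsmod  -> %s\n' "$(printf '%s\n' "$SAMPLE_LSMOD_KLIPS" | detect_ipsec_stack)"
    printf 'sample netkey lsmod -> %s\n' "$(printf '%s\n' "$SAMPLE_LSMOD_NETKEY" | detect_ipsec_stack)"
    printf 'sample no-IKE netstat  -> %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT_NOIKE" | ike_listening 10.0.0.1)"
    printf 'sample IKE-up netstat  -> %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT_IKE" | ike_listening 10.0.0.1)"
fi
```

On the gateway in the mail, the expected healthy combination is "klips" plus "yes" for 10.0.0.1; the symptom described above ("003 no public interfaces found" with nothing on port 500) would show up as "klips" plus "no", while the working af_key configuration would show "netkey" plus "yes".<br>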
</body>
</html>