<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Ted Kaczmarek wrote:
<blockquote
cite="mid1123590687.16903.50.camel@inyoureyes.linsolutions.com"
type="cite">
<pre wrap="">On Tue, 2005-08-09 at 08:16 -0400, Vishal Dubey wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Ted Kaczmarek wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Mon, 2005-08-08 at 13:55 -0400, Vishal Dubey wrote:
</pre>
<blockquote type="cite">
<pre wrap="">can someone point me to docs that show how to set up net-to-net using
openswan 2.4.0dr8 and shorewall?
I am a newbie and can use all the help I can get.
my setup:
os is fc4 with kernel 2.6.12.3 patched with netfilter+ipsec and policy
match
openswan as stated earlier 2.4.0dr8 (it seems to compile when you "make
programs install" but does not compile KLIPS).
shorewall version is 2.4.2
here is what is happening:
192.168.10.0/24 <---> firewall/vpn <----> internet <---> firewall/vpn <----> 192.168.100.0/24
         (vangogh 11.11.11.20/24)              (kirchner 12.12.12.5/28)</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<br>
<blockquote
cite="mid1123590687.16903.50.camel@inyoureyes.linsolutions.com"
type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">I generated public/private keys for vangogh and kirchner on a third
system.
on vangogh I installed the following keys and certs:
vangogh.bbcllc.net.req.key to /etc/ipsec.d/private
vangogh.bbcllc.net.cert.pem to /etc/ipsec.d/certs
kirchner.bbcllc.net.cert.pem to /etc/ipsec.d/certs
cacert.pem to /etc/ipsec.d/cacerts
crl.pem to /etc/ipsec.d/crls
on kirchner the key and files are in their respective directories, including
cacert.pem and crl.pem. the only thing that is not on kirchner is
vangogh's .pem file.
*****
I am getting the following error messages in the /var/log/messages file:
Aug 8 09:42:24 vangogh ipsec__plutorun: restarting IPsec after pause...
Aug 8 09:42:34 vangogh rmmod: ERROR: Module af_key is in use
Aug 8 09:42:34 vangogh ipsec_setup: ...Openswan IPsec stopped
Aug 8 09:42:34 vangogh ipsec_setup: Stopping Openswan IPsec...
Aug 8 09:42:35 vangogh ipsec_setup: KLIPS ipsec0 on eth0 11.11.11.20/255.255.255.0 broadcast 11.11.11.255
Aug 8 09:42:35 vangogh racoon: INFO: unsupported PF_KEY message REGISTER
Aug 8 09:42:35 vangogh last message repeated 2 times
Aug 8 09:42:35 vangogh ipsec_setup: ...Openswan IPsec started
Aug 8 09:42:35 vangogh ipsec_setup: Restarting Openswan IPsec U2.4.0dr8/K2.6.12.3-bc-20050805-1...
Aug 8 09:42:35 vangogh ipsec_setup: insmod /lib/modules/2.6.12.3-bc-20050805-1/kernel/net/ipv4/xfrm4_tunnel.ko
Aug 8 09:42:35 vangogh ipsec__plutorun: 003 FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 98: Address already in use
Aug 8 09:42:35 vangogh ipsec__plutorun: !pluto failure!: exited with error status 1
please help!
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote
cite="mid1123590687.16903.50.camel@inyoureyes.linsolutions.com"
type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">netstat -an | grep 500
If you have the same issue as me, it is a left-over racoon connection;
they don't like to go away properly.
rpm -e ipsec-tools
reboot
That was the cleanest for me testing with CentOS 4.1 (ES4 clone).
This blows away the racoon stuff. Based upon what I have seen with FC3
and CentOS 4, ipsec-tools and openswan don't mix well at this time.
Ted
</pre>
</blockquote>
<pre wrap="">Thanks Ted, I'll try to remove racoon.
btw, is there a way to remove racoon when it is installed from
source?
</pre>
</blockquote>
<pre wrap="">
Hopefully make uninstall cleans it all out. As long as you didn't
compile anything into the kernel you should be able to remove it. It
doesn't have to be removed as long as you make sure it doesn't run, but
removing it will prevent any chance of that :-)
Ted
</pre>
</blockquote>
I finally got around to removing and reinstalling ipsec-tools-0.6 and
openswan 2.4.0dr8.<br>
Now, I think, both gateways see each other, but I don't see any tunnels
being created.<br>
What am I missing?<br>
<br>
Following are the log files, netstat and ipsec.conf from both gateways:<br>
<br>
+++ /var/log/secure from kirchner:<br>
<pre wrap="">Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: Main mode peer ID is ID_FQDN: '@vangogh.bbcllc.net'
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: I did not send a certificate because I do not have one.
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Aug 11 14:09:27 kirchner pluto[1906]: packet from 12.12.12.20:500: Informational Exchange is for an unknown (expired?) SA
</pre>
+++ netstat from kirchner:<br>
<pre wrap="">Destination     Gateway         Genmask         Flags MSS Window irtt Iface
12.12.12.0.0    0.0.0.0         255.255.255.240 U       0 0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U       0 0        0 eth1
192.168.10.0    12.38.202.1     255.255.255.0   UG      0 0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U       0 0        0 eth1
0.0.0.0         12.12.12.1      0.0.0.0         UG      0 0        0 eth0
</pre>
+++ ipsec.conf from kirchner:<br>
<pre wrap="">version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration

config setup
	interfaces=%defaultroute
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn bc2sun
	left=12.12.12.5
	leftsubnet=192.168.100.0/24
	leftid=@kirchner.bbcllc.net
	leftnexthop=%defaultroute
	leftrsasigkey=0sAQPk6fHF+yOLUoF2pW2DK/cai4Kx/EH84i3xbEjL2...
	right=11.11.11.20
	rightsubnet=192.168.10.0/24
	rightid=@vangogh.bbcllc.net
	rightrsasigkey=0sAQOen5ZRzSbWRKTFlXWWIz0jPaYBLmyzcoMGVr...
	rightnexthop=%defaultroute
	auto=add

conn block
	auto=ignore

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore
</pre>
=====================================================<br>
<br>
*** /var/log/secure from vangogh:<br>
<pre wrap="">Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: I did not send a certificate because I do not have one.
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 11 10:00:31 vangogh pluto[2016]: "bc2sun" #72: Main mode peer ID is ID_FQDN: '@kirchner.bbcllc.net'
Aug 11 10:00:31 vangogh pluto[2016]: "bc2sun" #72: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 11 10:00:31 vangogh pluto[2016]: "bc2sun" #72: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Aug 11 10:04:51 vangogh pluto[2016]: packet from 11.11.11.5:500: Informational Exchange is for an unknown (expired?) SA
</pre>
*** here is a netstat from vangogh:<br>
<pre wrap="">Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.100.0   11.11.11.1      255.255.255.0   UG      0 0        0 eth0
11.11.11.0      0.0.0.0         255.255.255.0   U       0 0        0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U       0 0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U       0 0        0 eth1
0.0.0.0         11.11.11.1      0.0.0.0         UG      0 0        0 eth0
</pre>
*** ipsec.conf from vangogh:<br>
<pre wrap="">version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration

config setup
	interfaces=%defaultroute
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn bc2sun
	left=12.12.12.5
	leftsubnet=192.168.100.0/24
	leftid=@kirchner.bbcllc.net
	leftrsasigkey=0sAQPk6fHF+yOLUoF2pW2DK/c....
	leftnexthop=12.12.12.1
	right=11.11.11.20
	rightsubnet=192.168.10.0/24
	rightid=@vangogh.bbcllc.net
	rightrsasigkey=0sAQOen5ZRzSbWRK.....
	rightnexthop=11.11.11.1
	auto=add

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore
</pre>
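Both logs above end at "ISAKMP SA established" (IKE Main Mode, phase 1) and never report "IPsec SA established" (Quick Mode, phase 2), which is the pluto message that means a tunnel actually exists; in Openswan, auto=add only loads a connection, while auto=start also initiates it, and ipsec auto --up bc2sun initiates a loaded one by hand. The Python checker below is an added example, not code from this thread or from Openswan: it reads pluto log lines and reports how far each connection got, using log lines constructed to mirror the thread's.<br>

```python
import re
from collections import defaultdict

# Constructed pluto log lines (not copied from the thread): as in the thread, "bc2sun" finishes Main Mode only.
PHASE1_ONLY_LOG = """\
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Aug 11 14:09:27 kirchner pluto[1906]: packet from 12.12.12.20:500: Informational Exchange is for an unknown (expired?) SA
"""

# Constructed contrast case: the same connection going on to Quick Mode and bringing up a tunnel.
TUNNEL_UP_LOG = PHASE1_ONLY_LOG + """\
Aug 11 14:05:33 kirchner pluto[1906]: "bc2sun" #60: responding to Quick Mode
Aug 11 14:05:33 kirchner pluto[1906]: "bc2sun" #60: STATE_QUICK_R2: IPsec SA established {ESP=>0x1a2b3c4d <0x5e6f7a8b}
"""

SA_LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
UNKNOWN_SA = "Informational Exchange is for an unknown (expired?) SA"

def diagnose(log_text):
    """Return {conn: {"isakmp", "ipsec", "verdict"}}; "_unknown_sa" counts notifies for SAs pluto no longer had."""
    conns = defaultdict(lambda: {"isakmp": False, "ipsec": False})
    unknown = 0
    for line in log_text.splitlines():
        if UNKNOWN_SA in line:
            unknown += 1
            continue
        m = SA_LINE.search(line)
        if not m:
            continue
        conn, msg = m.group("conn"), m.group("msg")
        if "ISAKMP SA established" in msg:
            conns[conn]["isakmp"] = True   # phase 1: the peers authenticated each other
        if "IPsec SA established" in msg:
            conns[conn]["ipsec"] = True    # phase 2: an actual tunnel now exists
    result = {"_unknown_sa": unknown}
    for name, st in conns.items():
        if st["ipsec"]:
            verdict = "tunnel_up"
        elif st["isakmp"]:
            verdict = "phase1_only"        # authenticated, but Quick Mode never ran
        else:
            verdict = "no_ike"
        result[name] = {**st, "verdict": verdict}
    return result

if __name__ == "__main__":
    for label, log in (("phase1-only", PHASE1_ONLY_LOG), ("tunnel-up", TUNNEL_UP_LOG)):
        print(label, diagnose(log))
```

A "phase1_only" verdict with auto=add on both gateways points at the connection never being initiated rather than at authentication; run it over /var/log/secure on each gateway.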
</body>
</html>