<html><head><style type='text/css'>p { margin: 0; }</style></head><body><font size="3"><font face="Arial">Hi<br><br>I wonder if anyone has example config files that work with Netkey?<br><br>Regards Richard<br><br><br></font></font>Richard de Rivaz wrote:<br><blockquote style="border-left: 1px solid lightgrey; margin-left: 8px; padding-left: 8px;">
<style type="text/css">p { margin: 0; }</style>Hi<br><br>I am trying to use Openswan on Ubuntu to create an ipsec vpn but so far do not seem able to get Openswan to startup correctly. 'ipsec verify' produces the following:<br><br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>Linux Openswan U2.4.12/K2.6.27-9-generic (netkey)<br>Checking for IPsec support in kernel [OK]<br>NETKEY detected, testing for disabled ICMP send_redirects [FAILED]<br><br> Please disable /proc/sys/net/ipv4/conf/*/send_redirects<br> or NETKEY will cause the sending of bogus ICMP redirects!<br><br>NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]<br><br> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects<br> or NETKEY will accept bogus ICMP redirects!<br><br>Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]<br> ipsec showhostkey: no default key in "/etc/ipsec.secrets"<br>Checking that pluto is running [FAILED]<br> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")<br>Two or more interfaces found, checking IP forwarding [FAILED]<br> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")<br>Checking NAT and MASQUERADEing [N/A]<br> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")<br>Checking for 'ip' command [OK]<br>Checking for 'iptables' command [OK]<br>Opportunistic Encryption Support [DISABLED]<br><br><br>sysctl.conf is as follows:<br><br>#<br># /etc/sysctl.conf - Configuration file for setting system variables<br># See /etc/sysctl.d/ for additional system variables.<br># See sysctl.conf (5) for information.<br>#<br><br>#kernel.domainname = example.com<br><br># Uncomment the following to stop low-level messages on console<br>#kernel.printk = 4 4 1 7<br><br>##############################################################3<br># Functions previously found in netbase<br>#<br><br># Uncomment the next two lines to enable Spoof protection (reverse-path filter)<br># Turn on Source Address Verification in all interfaces to<br># prevent some spoofing attacks<br>net.ipv4.conf.default.rp_filter = 0<br>net.ipv4.conf.all.rp_filter = 1<br><br># Uncomment the next line to enable TCP/IP SYN cookies<br># This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),<br># and is not recommended.<br>net.ipv4.tcp_syncookies = 1<br><br># Uncomment the next line to enable packet forwarding for IPv4<br>net.ipv4.ip_forward = 1<br><br># Uncomment the next line to enable packet forwarding for IPv6<br>net.ipv6.conf.all.forwarding=1<br><br><br>###################################################################<br># Additional settings - these settings can improve the network<br># security of the host and prevent against some network attacks<br># including spoofing attacks and man in the middle attacks through<br># redirection. Some network environments, however, require that these<br># settings are disabled so review and enable them as needed.<br>#<br># Ignore ICMP broadcasts<br>net.ipv4.icmp_echo_ignore_broadcasts = 1<br>#<br># Ignore bogus ICMP errors<br>net.ipv4.icmp_ignore_bogus_error_responses = 1<br># <br># Do not accept ICMP redirects (prevent MITM attacks)<br>net.ipv4.conf.all.accept_redirects = 0<br>net.ipv6.conf.all.accept_redirects = 0<br># _or_<br># Accept ICMP redirects only for gateways listed in our default<br># gateway list (enabled by default)<br>net.ipv4.conf.all.secure_redirects = 0<br>#<br># Do not send ICMP redirects (we are not a router)<br>net.ipv4.conf.all.send_redirects = 0<br>#<br># Do not accept IP source route packets (we are not a router)<br>net.ipv4.conf.all.accept_source_route = 0<br>net.ipv6.conf.all.accept_source_route = 0<br>#<br># Log Martian Packets<br>net.ipv4.conf.all.log_martians = 1<br>#<br># The contents of /proc/<pid>/maps and smaps files are only visible to <br># readers that are allowed to ptrace() the process<br>sys.kernel.maps_protect = 1<br><br>I would be grateful for any help in getting Openswan to work on Ubuntu 8.10<br><br>Regards Richard<br>-- <br><br>Richard de Rivaz<br>MDR Interfaces Ltd<br>Computer Control Specialists<br><br>Tel: +44(0)1825 790294 Fax: +44(0)1825 790119<br>Reg in England No. 1577056 Directors: R de Rivaz Z de Rivaz<br>Reg Address: Little Bridge House, Danehill, Sussex RH17 7JD<br><br>http://www.mdr.co.uk</blockquote>
<br>-- <br><br>Richard de Rivaz<br>MDR Interfaces Ltd<br>Computer Control Specialists<br><br>Tel: +44(0)1825 790294 Fax: +44(0)1825 790119<br>Reg in England No. 1577056 Directors: R de Rivaz Z de Rivaz<br>Reg Address: Little Bridge House, Danehill, Sussex RH17 7JD<br><br>http://www.mdr.co.uk</body></html>