<html><head><style type='text/css'>p { margin: 0; }</style></head><body>Hi Aaron<br><br>I seem to be incrementally getting Openswan to nearly run but still apparently not quite there?! Any help gratefully received!!<br><br>Regards Richard<br><br>$sudo ipsec verify<br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>Linux Openswan U2.4.12/K2.6.27-8-eeepc (netkey)<br>Checking for IPsec support in kernel [OK]<br>NETKEY detected, testing for disabled ICMP send_redirects [FAILED]<br><br> Please disable /proc/sys/net/ipv4/conf/*/send_redirects<br> or NETKEY will cause the sending of bogus ICMP redirects!<br><br>NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]<br><br> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects<br> or NETKEY will accept bogus ICMP redirects!<br><br>Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]<br> ipsec showhostkey: no default key in "/etc/ipsec.secrets"<br>Checking that pluto is running [OK]<br>Two or more interfaces found, checking IP forwarding [OK]<br>Checking NAT and MASQUERADEing [OK]<br>Checking for 'ip' command [OK]<br>Checking for 'iptables' command [OK]<br>Opportunistic Encryption Support [DISABLED]<br><br><br>sysctl.conf:<br><br>#<br># /etc/sysctl.conf - Configuration file for setting system variables<br># See /etc/sysctl.d/ for additional system variables.<br># See sysctl.conf (5) for information.<br>#<br><br>#kernel.domainname = example.com<br><br># Uncomment the following to stop low-level messages on console<br>#kernel.printk = 4 4 1 7<br><br>##############################################################3<br># Functions previously found in netbase<br>#<br><br># Uncomment the next two lines to enable Spoof protection (reverse-path filter)<br># Turn on Source Address Verification in all interfaces to<br># prevent some spoofing attacks<br>#net.ipv4.conf.default.rp_filter=1<br>#net.ipv4.conf.all.rp_filter=1<br><br># Uncomment the 
next line to enable TCP/IP SYN cookies<br># This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),<br># and is not recommended.<br>#net.ipv4.tcp_syncookies=1<br><br># Uncomment the next line to enable packet forwarding for IPv4<br>net.ipv4.ip_forward=1<br><br># Uncomment the next line to enable packet forwarding for IPv6<br>net.ipv6.conf.all.forwarding=1<br><br><br>###################################################################<br># Additional settings - these settings can improve the network<br># security of the host and prevent against some network attacks<br># including spoofing attacks and man in the middle attacks through<br># redirection. Some network environments, however, require that these<br># settings are disabled so review and enable them as needed.<br>#<br># Ignore ICMP broadcasts<br>net.ipv4.icmp_echo_ignore_broadcasts = 1<br>#<br># Ignore bogus ICMP errors<br>net.ipv4.icmp_ignore_bogus_error_responses = 1<br># <br># Do not accept ICMP redirects (prevent MITM attacks)<br>net.ipv4.conf.all.accept_redirects = 0<br>net.ipv6.conf.all.accept_redirects = 0<br># _or_<br># Accept ICMP redirects only for gateways listed in our default<br># gateway list (enabled by default)<br># net.ipv4.conf.all.secure_redirects = 1<br>#<br># Do not send ICMP redirects (we are not a router)<br># net.ipv4.conf.all.send_redirects = 1<br>#<br># Do not accept IP source route packets (we are not a router)<br>net.ipv4.conf.all.accept_source_route = 0<br>net.ipv6.conf.all.accept_source_route = 0<br>#<br># Log Martian Packets<br>net.ipv4.conf.all.log_martians = 1<br>#<br># The contents of /proc/<pid>/maps and smaps files are only visible to <br># readers that are allowed to ptrace() the process<br># sys.kernel.maps_protect = 1<br><br>ipsec.conf:<br><br># /etc/ipsec.conf - Openswan IPsec configuration file<br># RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006-10-19 03:49:46 paul Exp $<br><br># This file: /usr/share/doc/openswan/ipsec.conf-sample<br>#<br># Manual: 
ipsec.conf.5<br><br><br>version 2.0 # conforms to second version of ipsec.conf specification<br><br># basic configuration<br>config setup<br> interfaces="ipsec0=eth0"<br> protostack=netkey<br> # plutodebug / klipsdebug = "all", "none" or a combination from below:<br> # "raw crypt parsing emitting control klips pfkey natt x509 private"<br> # eg: plutodebug="control parsing"<br> #<br> # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!<br> #<br> # NAT-TRAVERSAL support, see README.NAT-Traversal<br> nat_traversal=yes<br> # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br> #<br> # enable this if you see "failed to find any available worker"<br> nhelpers=0<br><br># Add connections here<br><br># sample VPN connections, see /etc/ipsec.d/examples/<br><br><br>#Disable Opportunistic Encryption<br>include /etc/ipsec.d/examples/no_oe.conf<br><br>ipsec setup:<br><br>$sudo ipsec setup --status<br>IPsec running - pluto pid: 9062<br>pluto pid 9062<br>No tunnels up<br><br>-- <br><br>Richard de Rivaz<br>MDR Interfaces Ltd<br>Computer Control Specialists<br><br>Tel: +44(0)1825 790294 Fax: +44(0)1825 790119<br>Reg in England No. 1577056 Directors: R de Rivaz Z de Rivaz<br>Reg Address: Little Bridge House, Danehill, Sussex RH17 7JD<br><br>http://www.mdr.co.uk</body></html>
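The two FAILED lines in the ipsec verify output above come from reading every per-interface entry under /proc/sys/net/ipv4/conf/ (all, default, lo, eth0), whereas the sysctl.conf posted only sets net.ipv4.conf.all.accept_redirects and leaves send_redirects commented out. Added example, not from this mail or from Openswan: a POSIX sh script that reproduces that check and prints the sysctl.conf lines that would clear the remaining knobs; the function names are my own, and it runs against a constructed stand-in for the /proc tree so it works offline.

```shell
#!/bin/sh
# Added example (not part of the mail or of Openswan): mimic the two
# FAILED NETKEY checks from `ipsec verify`, which read every
# /proc/sys/net/ipv4/conf/<iface>/{send_redirects,accept_redirects}
# entry, not just the "all" entry, and print the sysctl.conf lines that
# would turn the remaining ones off.

# check_redirects DIR: print each non-zero knob under DIR;
# return 1 if any is still enabled, 0 if all are off.
check_redirects() {
  _rc=0
  for _key in send_redirects accept_redirects; do
    for _f in "$1"/*/"$_key"; do
      [ -r "$_f" ] || continue
      _val=$(cat "$_f")
      if [ "$_val" != "0" ]; then
        _iface=$(basename "$(dirname "$_f")")
        echo "net.ipv4.conf.$_iface.$_key = $_val"
        _rc=1
      fi
    done
  done
  return $_rc
}

# fix_lines DIR: emit /etc/sysctl.conf lines clearing every knob that
# check_redirects still reports (apply as root with `sysctl -p`).
fix_lines() {
  check_redirects "$1" | sed 's/ = [0-9]*$/ = 0/'
}

# make_demo_tree DIR: constructed stand-in for /proc/sys/net/ipv4/conf in
# the state the posted sysctl.conf leaves it: "all" has accept_redirects=0,
# send_redirects was never set, per-interface entries keep their defaults.
make_demo_tree() {
  for _i in all default lo eth0; do
    mkdir -p "$1/$_i"
    echo 1 > "$1/$_i/send_redirects"
    echo 1 > "$1/$_i/accept_redirects"
  done
  echo 0 > "$1/all/accept_redirects"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
echo "== entries ipsec verify would flag as FAILED =="
check_redirects "$demo" || echo "(at least one knob still enabled)"
echo "== add to /etc/sysctl.conf, then run: sudo sysctl -p =="
fix_lines "$demo"
rm -rf "$demo"
# On the real host, pass /proc/sys/net/ipv4/conf instead of "$demo".
```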