<div dir="ltr">Hi All,<br><br>Just for the sake of completion of this thread. IPSec is not supported by VPS vendors who are based on openVZ as explained below.<br>I shifted my server to Amazon EC2 and their custom packages solved all problems in first go..<br>
<br>[root@xxxxx~]# ipsec verify<br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>Linux Openswan U2.6.27/K2.6.34.7-56.40.amzn1.i686 (netkey)<br>
Checking for IPsec support in kernel [OK]<br>NETKEY detected, testing for disabled ICMP send_redirects [OK]<br>NETKEY detected, testing for disabled ICMP accept_redirects [OK]<br>Checking that pluto is running [OK]<br>
Pluto listening for IKE on udp 500 [OK]<br>Pluto listening for NAT-T on udp 4500 [OK]<br>Checking for 'ip' command [OK]<br>
Checking for 'iptables' command [OK]<br>Opportunistic Encryption Support [DISABLED]<br><br>Thank you all for your help and fruitful discussion.<br><br>
Regards,<br><br><br><div class="gmail_quote">On Sat, Dec 4, 2010 at 9:07 PM, Michael H. Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Sat, 2010-12-04 at 20:09 +0500, Hammad wrote:<br>
> Hi Laurent,<br>
> You are right, packages come from my hosting company...<br>
> Does it make a difference?<br>
<br>
</div>So this VPS is a virtual machine hosted by them, correct? In that case,<br>
you are probably screwed. Contact them about VPN service. You probably<br>
can not do kernel level IPSec, not with an OpenVZ VM at least. To the<br>
best of my knowledge, OpenVZ / Virtuoso does not support IPsec in a<br>
container and everything I'm reading on the net even up to last July<br>
backs that up. I though I saw Kir post something to the OpenVZ list<br>
more recently but I haven't been able to find it.<br>
<br>
There's a little more about this in Wikipedia:<br>
<br>
<a href="http://en.wikipedia.org/wiki/OpenVZ" target="_blank">http://en.wikipedia.org/wiki/OpenVZ</a><br>
<br>
Look under "Limitations".<br>
<br>
A little more discussion is present in this thread from the OpenVZ<br>
mailing list...<br>
<br>
<a href="http://www.mail-archive.com/users@openvz.org/msg03250.html" target="_blank">http://www.mail-archive.com/users@openvz.org/msg03250.html</a><br>
<br>
I believe that OpenVPN would work for you, however, as that's a user<br>
space routed VPN solution that doesn't require any kernel modules. If<br>
you are trying to connect to an established IPsec gateway, you may want<br>
to look into VPNC, which is IPSec purely in user space but it's designed<br>
to interface to Cisco ASAs and similar XAUTH / Aggressive mode devices.<br>
<br>
This article certainly indicates you could use OpenVPN or VPNC:<br>
<br>
<a href="http://wiki.openvz.org/VPN_via_the_TUN/TAP_device" target="_blank">http://wiki.openvz.org/VPN_via_the_TUN/TAP_device</a><br>
<br>
Both of them operation based on the TUN / TAP interfaces. But you may<br>
still need support from the hosting provider to get access to the<br>
tun/tap modules.<br>
<br>
> Regards,<br>
> Hammad<br>
<br>
Regards,<br>
Mike<br>
<div><div></div><div class="h5"><br>
> On 12/4/10, Laurent Caron <<a href="mailto:lcaron@unix-scripts.info">lcaron@unix-scripts.info</a>> wrote:<br>
> > Hi<br>
> ><br>
> > Are u Sure The kernel package comes from redhat and not your virtual server<br>
> > hosting company?<br>
> ><br>
> ><br>
> ><br>
> > Le 4 déc. 2010 à 14:30, Hammad <<a href="mailto:raohammad@gmail.com">raohammad@gmail.com</a>> a écrit :<br>
> ><br>
> >> Hi,<br>
> >><br>
> >> Now thats a bit disturbing... I have now CentOS but still the same<br>
> >> /lib/modules/.... is missing. Its a fresh installation<br>
> >><br>
> >> Mike: How did you cater this situation? Any ideas?<br>
> >><br>
> >> [root@vps ~]# service ipsec start<br>
> >> ipsec_setup: FATAL: Could not load<br>
> >> /lib/modules/2.6.18-028stab068.9/modules.dep: No such file or directory<br>
> >> ipsec_setup: Starting Openswan IPsec 2.6.21...<br>
> >> ipsec_setup: multiple ip addresses, using 127.0.0.1 on venet0<br>
> >><br>
> >> [root@vps ~]# uname -a<br>
> >> Linux <a href="http://vps.flexilogix.com" target="_blank">vps.flexilogix.com</a> 2.6.18-028stab068.9 #1 SMP Tue Mar 30 17:22:31<br>
> >> MSD 2010 i686 athlon i386 GNU/Linux<br>
> >><br>
> >><br>
> >> [root@vps ~]# ipsec verify<br>
> >> Checking your system to see if IPsec got installed and started correctly:<br>
> >> Version check and ipsec on-path [OK]<br>
> >> Linux Openswan U2.6.21/K(no kernel code presently loaded)<br>
> >> Checking for IPsec support in kernel [FAILED]<br>
> >> Checking for RSA private key (/etc/ipsec.secrets) [OK]<br>
> >> Checking that pluto is running [FAILED]<br>
> >> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")<br>
> >> Checking for 'ip' command [OK]<br>
> >> Checking for 'iptables' command [OK]<br>
> >><br>
> >> Opportunistic Encryption DNS checks:<br>
> >> Looking for TXT in forward dns zone: <a href="http://vps.flexilogix.com" target="_blank">vps.flexilogix.com</a> [MISSING]<br>
> >> Does the machine have at least one non-private address? [OK]<br>
> >> Looking for TXT in reverse dns zone: 20.69.65.216.in-addr.arpa.<br>
> >> [MISSING]<br>
> >><br>
> >> Regards,<br>
> >> Hammad<br>
> >><br>
> >> On Sat, Dec 4, 2010 at 9:51 AM, Hammad <<a href="mailto:raohammad@gmail.com">raohammad@gmail.com</a>> wrote:<br>
> >> Hi Paul,<br>
> >> No its not a custom compiled (by me) in fact I bought VPS and this is the<br>
> >> ubuntu version I got (jaunty 9.0.4).<br>
> >><br>
> >> Hi Mike,<br>
> >><br>
> >><br>
> >> > WARNING: Couldn't open directory /lib/modules/2.6.18-<br>
> >> 028stab068.9: No<br>
> >> > such file or directory<br>
> >><br>
> >> I overcame this problem. I 'd 2.6.18-028stab059.6 directory in place<br>
> >> but not the one mentioned in error; I created a soft-link with same name<br>
> >> pointing to actual dir and installation succeeded well ;)<br>
> >><br>
> >><br>
> >> So our problem is again back to original, ipsec is not supported by<br>
> >> kernel...<br>
> >><br>
> >><br>
> >> > Are you currently actively running and OpenVZ kernel on that machine?<br>
> >><br>
> >> I suppose yes this VPS is using OpenVZ.<br>
> >><br>
> >><br>
> >> > What version are you at? From there site, it looks like 028stab070.14<br>
> >> > is the latest in the RHEL/CentOS stable 2.6.18 line.<br>
> >><br>
> >> # uname -a<br>
> >> Linux <a href="http://vps.flexilogix.com" target="_blank">vps.flexilogix.com</a> 2.6.18-028stab068.9 #1 SMP Tue Mar 30 17:22:31<br>
> >> MSD 2010 i686 GNU/Linux<br>
> >><br>
> >> > You must have built that Openswan 2.6.31 package yourself, the latest<br>
> >> > RHEL/CentOS 5.x Openswan is 2.6.21. Did you merely compile it or<br>
> >> > actually build your own rpms?<br>
> >><br>
> >> Yes, I actually compiled openswan 2,6,31 from sources<br>
> >><br>
> >> I've come to know from Ubuntu Support groups that there is no ipsec<br>
> >> package for ubuntu jaunty 9.0.4 and its no more updated since Oct 23 2010.<br>
> >> So I suppose its the time to switch back to CentOS that is my actual<br>
> >> playground...<br>
> >><br>
> >> Thanks for your help all.<br>
> >> Hammad ( aka Hammond :) )<br>
> >><br>
> >><br>
> >> On Sat, Dec 4, 2010 at 2:32 AM, Michael H. Warfield <<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>><br>
> >> wrote:<br>
> >> Paul (and Hammond),<br>
> >><br>
> >> On Fri, 2010-12-03 at 11:49 -0500, Paul Wouters wrote:<br>
> >> > On Fri, 3 Dec 2010, Hammad wrote:<br>
> >> ><br>
> >> > > Here is the output of commands...<br>
> >> > > root@vps:/usr/local# modprobe ipsec<br>
> >> > > WARNING: Deprecated config file /etc/modprobe.conf, all config files<br>
> >> > > belong into /etc/modprobe.d/.<br>
> >> > > FATAL: Module ipsec not found.<br>
> >> > ><br>
> >> > > root@vps:/usr/local# modprobe af_key<br>
> >> > > WARNING: Deprecated config file /etc/modprobe.conf, all config files<br>
> >> > > belong into /etc/modprobe.d/.<br>
> >> > > FATAL: Module af_key not found.<br>
> >> > ><br>
> >> > > root@vps:/usr/local# ipsec --version<br>
> >> > > Linux Openswan U2.6.31/K(no kernel code presently loaded)<br>
> >> > > See `ipsec --copyright' for copyright information.<br>
> >><br>
> >> > Your kernel has no IPsec support. Perhaps you are missing the right<br>
> >> > modules directory, or support<br>
> >> > was not compiled on that kernel. Seems like this is a non-distribution,<br>
> >> > custom built kernel?<br>
> >><br>
> >> It doesn't show up in this last message but in an earlier post I saw<br>
> >> this...<br>
> >><br>
> >> > WARNING: Couldn't open directory /lib/modules/2.6.18-028stab068.9: No<br>
> >> > such file or directory<br>
> >><br>
> >> That tells me two things.<br>
> >><br>
> >> 1) He's running an OpenVZ kernel. That's one of their revision strings<br>
> >> and that's one of their releases for the RHEL distro. Not too terribly<br>
> >> old but back several clicks.<br>
> >><br>
> >> 2) He was, at that time, running on a kernel which had been updated<br>
> >> (possibly by a mainline distro kernel or possibly by a newer OpenVZ<br>
> >> kernel) and the running kernel had been uninstalled by yum so the<br>
> >> modules directory no longer existed.<br>
> >><br>
> >> Now... That being said... Prior to swapping all of my OpenVZ VM's (> 3<br>
> >> dozen) over to LXC to get back on a more current kernel with in-tree<br>
> >> container virtualization, I was an extensive user of OpenVZ. Those<br>
> >> kernels certainly do have IPsec compiled in as modules. I've used it.<br>
> >><br>
> >> Hammond,<br>
> >><br>
> >> Are you currently actively running and OpenVZ kernel on that machine?<br>
> >><br>
> >> What version are you at? From there site, it looks like 028stab070.14<br>
> >> is the latest in the RHEL/CentOS stable 2.6.18 line.<br>
> >><br>
> >> What are you running (uname -a) and what do you have installed?<br>
> >><br>
> >> Did you install it from their site with yum or downloaded it or build a<br>
> >> custom build (which I often had done with newer releases)? (One flaw<br>
> >> with their yum repo is that it doesn't properly setup the install only<br>
> >> and a couple of other conditions to prevent removing the running<br>
> >> kernel).<br>
> >><br>
> >> You must have built that Openswan 2.6.31 package yourself, the latest<br>
> >> RHEL/CentOS 5.x Openswan is 2.6.21. Did you merely compile it or<br>
> >> actually build your own rpms?<br>
> >><br>
> >> What's in your grub.conf file and are you running on the latest kernel<br>
> >> which was installed?<br>
> >><br>
> >> > Paul<br>
> >><br>
> >> Regards,<br>
> >> Mike<br>
> >> --<br>
> >> Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com<br>
> >> /\/\|=mhw=|\/\/ | (678) 463-0932 |<br>
> >> <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
> >> NIC whois: MHW9 | An optimist believes we live in the best of<br>
> >> all<br>
> >> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
> >><br>
> >><br>
> >> _______________________________________________<br>
> >> <a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
> >> <a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
> >> Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
> >> Building and Integrating Virtual Private Networks with Openswan:<br>
> >> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
> ><br>
><br>
<br>
</div></div>--<br>
<div><div></div><div class="h5">Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | (678) 463-0932 | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
</div></div></blockquote></div><br></div>