update to openswan 2.6.32<div>I found that if the client doesn't send the disconnect signal, openswan won't stop that ppp correctly. </div><div>I added a line to /etc/ppp/ip-down to echo a line to /tmp/ip-down.log, and a normal exit from the client will echo that line to the ip-down.log file, which means that when openswan stops that connection, it will call ppp to stop, and then ppp calls the /etc/ppp/ip-down script, which echoes the line I set. </div>
<div>But if I exit the client by just unplugging the ethernet, the server won't know whether the client still exists. After several seconds, openswan will kill ppp0 (used by my client), but won't call ppp, so there is no line written to /tmp/ip-down.log, which leads to no knowledge in the freeradius...</div>
<div><br></div><div><br><div class="gmail_quote">On Tue, Dec 28, 2010 at 2:16 PM, Spacelee <span dir="ltr"><<a href="mailto:fjctlzy@gmail.com">fjctlzy@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br><br><div class="gmail_quote"><div><div></div><div class="h5">On Tue, Dec 28, 2010 at 12:01 PM, Spacelee <span dir="ltr"><<a href="mailto:fjctlzy@gmail.com" target="_blank">fjctlzy@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Sorry, I think I should reply at the bottom...<br><br><div class="gmail_quote"><div><div></div><div>On Tue, Dec 28, 2010 at 10:47 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On Tue, 28 Dec 2010, Spacelee wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
This is my version, should I use the newest one?<br>
<br>
ipsec --version<br>
Linux Openswan U2.6.24rc5/K2.6.26-2-xen-amd64 (netkey)<br>
</blockquote>
<br></div>
That's an "rc", a "release candidate". Yes you should upgrade to the latest<br>
full release, 2.6.32.<br><font color="#888888">
<br></font></blockquote><div><br></div><div><br></div></div></div><span style="font-family:arial, sans-serif;font-size:13px;border-collapse:collapse"><div><div></div><div>I already downloaded the newest tar.gz and ran make programs install, but I couldn't connect from the client this time; it seems there is no response from the server (not an iptables problem)<div>
xl2tp : 1.25 </div><div>centos 5.3</div><div>xen virtual machine</div><div><br></div><div>it's working when I use the openswan 2.6.24 rpm</div><div><br></div><div><br></div><div>these are the results</div></div></div><div>
<br><div><div><div></div><div>
<div>ipsec verify</div><div>Checking your system to see if IPsec got installed and started correctly:</div><div>Version check and ipsec on-path <span style="white-space:pre-wrap">        </span>[OK]</div>
<div>Linux Openswan U2.6.32/K2.6.26-2-xen-amd64 (netkey)</div><div>Checking for IPsec support in kernel <span style="white-space:pre-wrap">        </span>[OK]</div><div> SAref kernel support <span style="white-space:pre-wrap">        </span>[N/A]</div>
<div> NETKEY: Testing for disabled ICMP send_redirects <span style="white-space:pre-wrap">        </span>[OK]</div><div>NETKEY detected, testing for disabled ICMP accept_redirects <span style="white-space:pre-wrap">        </span>[OK]</div>
<div>Checking that pluto is running <span style="white-space:pre-wrap">        </span>[OK]</div><div> Pluto listening for IKE on udp 500 <span style="white-space:pre-wrap">        </span>[OK]</div>
<div> Pluto listening for NAT-T on udp 4500 <span style="white-space:pre-wrap">        </span>[OK]</div><div>Checking for 'ip' command <span style="white-space:pre-wrap">        </span>[OK]</div>
<div>Checking /bin/sh is not /bin/dash <span style="white-space:pre-wrap">        </span>[OK]</div><div>Checking for 'iptables' command <span style="white-space:pre-wrap">        </span>[OK]</div>
<div>Opportunistic Encryption Support <span style="white-space:pre-wrap">        </span>[DISABLED]</div><div><br></div><div><br></div><div>ipsec.conf </div><div><div>version 2.0 # conforms to second version of ipsec.conf specification</div>
<div><br></div><div># basic configuration</div><div>config setup</div><div> # Debug-logging controls: "none" for (almost) none, "all" for lots.</div><div> # klipsdebug=none</div><div> # plutodebug="control parsing"</div>
<div> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey</div><div> protostack=netkey</div><div> nat_traversal=yes</div><div> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12" style="color:rgb(51, 102, 51)" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12</a></div>
<div> oe=off</div><div> # Enable this if you see "failed to find any available worker"</div><div> nhelpers=0</div><div><br></div><div>#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.</div>
<div>include /etc/ipsec.d/*.conf</div></div><div><br></div><div><br></div></div></div><div><div><div style="color:rgb(102, 102, 102)"><div>conn L2TP-PSK-NAT</div><div> overlapip=yes</div><div> rightsubnet=vhost:%priv</div>
<div> also=L2TP-PSK-noNAT</div><div><br></div><div>conn L2TP-PSK-noNAT</div><div> authby=secret</div><div> pfs=no</div><div> auto=add</div><div># keyingtries=3</div><div> rekey=no</div>
<div> ikelifetime=8h</div><div> keylife=1h</div><div> type=transport</div></div></div><div> left=my server ip</div><div><div style="color:rgb(102, 102, 102)"><div> leftprotoport=17/1701</div>
<div> right=%any</div><div> rightprotoport=17/%any</div></div></div><div> dpddelay=20</div><div> dpdtimeout=60</div></div></div></div></span><div><span style="font-family:arial, sans-serif;font-size:13px;border-collapse:collapse"> dpdaction=clear</span></div>
<div><br></div><div><br></div><div><span style="font-family:arial, sans-serif;font-size:13px;border-collapse:collapse"></span> </div></div></blockquote><div><br></div><div><br></div><div><br></div></div></div><div>I made it work now; the problem was that there was no newline at the end of the configuration.</div>
<div>But it seems the parameters below still don't work when I unplug the ethernet. The server won't tell the radius that the client is no longer there.</div><div class="im"><div><br></div><div><span style="font-family:arial, sans-serif;font-size:13px;border-collapse:collapse"> dpddelay=20</span></div>
<span style="font-family:arial, sans-serif;font-size:13px;border-collapse:collapse"><div><div><div><div> dpdtimeout=60</div></div></div></div></span><div><span style="font-family:arial, sans-serif;font-size:13px;border-collapse:collapse"> dpdaction=clear</span></div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<font color="#888888">
Paul<br>
</font></blockquote></div><br><br clear="all"><br>-- <br><div><b>Space Lee</b></div><br>
</blockquote></div></div><font color="#888888"><br><br clear="all"><br>-- <br><div><b>Space Lee</b></div><br>
</font></blockquote></div><br><br clear="all"><br>-- <br><div><b>Space Lee</b></div><br>
</div>
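The failure mode discussed in this thread is that DPD (dpddelay/dpdtimeout/dpdaction=clear) removes the IPsec SA of a vanished client, but pppd is never told to stop, so /etc/ppp/ip-down never runs and RADIUS never sees an accounting stop. The script below is an added example, not code from the thread or from the Openswan or xl2tpd projects. It uses the argument order pppd passes to ip-up/ip-down (interface, tty, speed, local IP, remote IP, ipparam); the log file path, the log line format and the reconciliation function are my own assumptions. It extends the author's "echo a line from ip-down" approach by also logging ip-up, so that sessions left open without an ip-down call can be listed and handed to whatever accounting clean-up the site uses.

```shell
#!/bin/sh
# Added example (not from the thread): a ppp hook that records session
# up/down events so that sessions torn down without an ip-down call can be
# found afterwards.
# pppd calls /etc/ppp/ip-up and /etc/ppp/ip-down with the arguments:
#   $1 interface  $2 tty  $3 speed  $4 local-IP  $5 remote-IP  $6 ipparam
# The log path is an assumption; pick whatever suits the host.
LOGFILE="${LOGFILE:-/var/log/ppp-sessions.log}"

# Append one "timestamp event iface remote-ip" line to the session log.
record_ppp_event() {
    # $1 event (up|down), $2 interface, $3 remote IP, $4 timestamp
    printf '%s %s %s %s\n' "$4" "$1" "$2" "$3" >> "$LOGFILE"
}

# Print "iface remote-ip" for each interface whose last "up" has no later
# "down". These are the sessions whose ip-down hook never ran, i.e. the
# client disappeared and DPD cleared the SA but pppd was never stopped, so
# no accounting stop reached RADIUS. Reads the log file given as $1.
unmatched_sessions() {
    awk '$2 == "up"   { open[$3] = $4 }
         $2 == "down" { delete open[$3] }
         END { for (i in open) print i, open[i] }' "$1" | sort
}

# When installed as /etc/ppp/ip-up or /etc/ppp/ip-down (or symlinked from
# them), record the event pppd is reporting; under any other name do
# nothing, so the file can also be sourced just for the functions above.
case "$0" in
    */ip-up)   record_ppp_event up   "$1" "$5" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" ;;
    */ip-down) record_ppp_event down "$1" "$5" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" ;;
esac
```

Run `unmatched_sessions /var/log/ppp-sessions.log` from cron at roughly the dpdtimeout interval: any interface it prints is a ppp session that outlived its IPsec SA, which is exactly the case where the server "won't tell the radius that the client is no longer there". Because pppd reuses interface names, the log is keyed by interface and the most recent "up" wins, so an old ppp0 that was properly closed does not mask a newer ppp0 that was not.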