<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The routing changes really have little to do with OpenVPN or with IPsec; they are needed whenever you put your VPN on a machine that isn’t your default gateway. That is one of the reasons why it is generally best to connect routers with a VPN, instead of putting the VPN endpoint on a machine behind a router. That said, IPsec doesn’t really establish a VPN the way OpenVPN does; it simply encrypts the TCP/IP traffic between the two peers. Everything else, including forwarding to a private subnet behind the other IPsec peer, really works more like classic TCP/IP than like a more traditional VPN.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>IPsec really connects machines more than users. Machines can be identified with a preshared key, or with a certificate. Also, you need to get the various encryption parameters right. I would recommend that you read up on how IPsec works; you will need to have a good understanding of the two phases, of aggressive mode and main mode, etc. to troubleshoot. Once you have a firm understanding of how IPsec works, read the various README.xxx files that come with openswan to get started (you may need to install the openswan-doc package. Then you can find it in /usr/share/doc/packages/openswan-doc). One word of caution: I found that the documentation isn’t always perfect, especially because RedHat made substantial changes to how certificates are managed.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>There is a way to use IPsec to connect road warriors – users. You would first get IPsec to work machine-to-machine, and then you’d set up XAUTH. That works on top of the actual encrypted channel, though.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In the end, you are probably best off not to think of IPsec as a VPN at all, but rather as a mechanism to encrypt TCP/IP traffic (and to route traffic from subnets behind the machines through the encrypted connection).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Vigyan Kaushik [mailto:vkaushikdll@gmail.com] <br><b>Sent:</b> Wednesday, August 24, 2011 9:18 AM<br><b>To:</b> Kevin Keane<br><b>Cc:</b> users@openswan.org<br><b>Subject:</b> Re: [Openswan Users] Installing Openswan on CentOs<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'>Thanks Kevin.. I will make these changes. Now how do I create they Keys or User that will connect to my VPN server?<br><br>Also do I need any routing changes as well.. I have used openvpn and there I had to make some change in Ip Tables to route request from VPN server to the server in the local network. Something similar here?<o:p></o:p></p><div><p class=MsoNormal>On Tue, Aug 23, 2011 at 9:30 PM, Kevin Keane <<a href="mailto:subscription@kkeane.com">subscription@kkeane.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>For the NETKEY errors, you need to edit /etc/sysctl.conf, and then reboot.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>You need to change the following line:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>net.ipv4.ip_forward = 1</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>(the default is 0; ipsec needs 1).</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>You need to add the following lines at the end.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'># for ipsec, configure some additional settings</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>net.ipv4.conf.all.accept_redirects = 0</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>net.ipv4.conf.all.send_redirects = 0</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>net.ipv4.conf.default.accept_redirects = 0</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>net.ipv4.conf.default.send_redirects = 0</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>Ignore the DNS errors. That is only relevant if you want to use OE.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:10.0pt'> Vigyan Kaushik [mailto:<a href="mailto:vkaushikdll@gmail.com" target="_blank">vkaushikdll@gmail.com</a>] <br><b>Sent:</b> Tuesday, August 23, 2011 3:44 PM<br><b>To:</b> Kevin Keane<br><b>Cc:</b> <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> Re: [Openswan Users] Installing Openswan on CentOs</span><o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>Yes.. I can see it now.. I am using trixbox (freepbx) bundled centos. <br><br>So now how do I setup the keys etc.. below is the latest output.<br><br>[trixbox1.localdomain ~]# ipsec verify<br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>Linux Openswan U2.6.21/K2.6.18-164.11.1.el5 (netkey)<br>Checking for IPsec support in kernel [OK]<br><b>NETKEY detected, testing for disabled ICMP send_redirects [FAILED]</b><br><br> Please disable /proc/sys/net/ipv4/conf/*/send_redirects<br> or NETKEY will cause the sending of bogus ICMP redirects!<br><b><br>NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]</b><br><br> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects<br> or NETKEY will accept bogus ICMP redirects!<br><br>Checking for RSA private key (/etc/ipsec.secrets) [OK]<br>Checking that pluto is running [OK]<br>Two or more interfaces found, checking IP forwarding [OK]<br>Checking NAT and MASQUERADEing <br>Checking for 'ip' command [OK]<br>Checking for 'iptables' command [OK]<br><br>Opportunistic Encryption DNS checks:<br> <b> Looking for TXT in forward dns zone: trixbox1.localdomain [MISSING]</b><br> <b> Does the machine have at least one non-private address? [FAILED]</b><br><br>[trixbox1.localdomain ~]# uname -a<br>Linux trixbox1.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04 EST 2010 i686 i686 i386 GNU/Linux<br><br><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Tue, Aug 23, 2011 at 3:05 PM, Kevin Keane <<a href="mailto:subscription@kkeane.com" target="_blank">subscription@kkeane.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>Try “service ipsec start”. That will start the ipsec daemon (pluto), and may also load some kernel modules.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>If that doesn’t help: Which version of CentOS and what kernel are you running? Use the command “uname –a”.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>I just set up openswan on two CentOS 5.6 servers. I didn’t need any special configuration for the kernel. One instance used the stock CentOS kernel, the other used a Rackspace kernel.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>Everything else in your output looks good; you can ignore the remaining items. The DNS entries are only needed for opportunistic encryption.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:10.0pt'> <a href="mailto:users-bounces@openswan.org" target="_blank">users-bounces@openswan.org</a> [mailto:<a href="mailto:users-bounces@openswan.org" target="_blank">users-bounces@openswan.org</a>] <b>On Behalf Of </b>Vigyan Kaushik<br><b>Sent:</b> Tuesday, August 23, 2011 11:54 AM<br><b>To:</b> <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> [Openswan Users] Installing Openswan on CentOs</span><o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi All,<br><br>I am installing Openswan for IPSec VPN connection from my iphone and ipad. I can not find a good detailed documentation on the openswan install so I tried using Yum to install the package in my Centos 5.<br><br><br>After installing if I run ipsec verify, I am not seeing the status of majorty things OK which means, I may have to setup/configure it further... One of the check is about the Kernel support. Can you please see the output below and suggest something?<br><br><br>[trixbox1.localdomain ~]# ipsec verify<br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>Linux Openswan U2.6.21/K(no kernel code presently loaded)<br>Checking for IPsec support in kernel [FAILED]<br>Checking for RSA private key (/etc/ipsec.secrets) [OK]<br>Checking that pluto is running [FAILED]<br> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")<br>Two or more interfaces found, checking IP forwarding [FAILED]<br> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")<br>Checking NAT and MASQUERADEing <br>Checking for 'ip' command [OK]<br>Checking for 'iptables' command [OK]<br><br>Opportunistic Encryption DNS checks:<br> Looking for TXT in forward dns zone: trixbox1.localdomain [MISSING]<br> Does the machine have at least one non-private address? [FAILED]<br><br>Thanks,<br>VK<o:p></o:p></p></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>_______________________________________________<br><a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a><br><a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br><a href="mailto:Users@openswan.org">Users@openswan.org</a><br><a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>