Thanks Kevin.. this is very helpful.<br><br><div class="gmail_quote">On Wed, Aug 24, 2011 at 1:52 PM, Kevin Keane <span dir="ltr"><<a href="mailto:kkeane@4nettech.com">kkeane@4nettech.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">The routing changes really have little to do with OpenVPN or with IPsec; they are needed whenever you put your VPN on a machine that isn’t your default gateway. That is one of the reasons why it is generally best to connect routers with a VPN, instead of putting the VPN endpoint on a machine behind a router. That said, IPsec doesn’t really establish a VPN the way OpenVPN does; it simply encrypts the TCP/IP traffic between the two peers. Everything else, including forwarding to a private subnet behind the other IPsec peer, really works more like classic TCP/IP than like a more traditional VPN.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">IPsec really connects machines more than users. Machines can be identified with a preshared key, or with a certificate. Also, you need to get the various encryption parameters right. I would recommend that you read up on how IPsec works; you will need to have a good understanding of the two phases, of aggressive mode and main mode, etc. to troubleshoot. Once you have a firm understanding of how IPsec works, read the various README.xxx files that come with openswan to get started (you may need to install the openswan-doc package. Then you can find it in /usr/share/doc/packages/openswan-doc). One word of caution: I found that the documentation isn’t always perfect, especially because RedHat made substantial changes to how certificates are managed.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">There is a way to use IPsec to connect road warriors – users. You would first get IPsec to work machine-to-machine, and then you’d set up XAUTH. That works on top of the actual encrypted channel, though.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">In the end, you are probably best off not to think of IPsec as a VPN at all, but rather as a mechanism to encrypt TCP/IP traffic (and to route traffic from subnets behind the machines through the encrypted connection).<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt"><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> Vigyan Kaushik [mailto:<a href="mailto:vkaushikdll@gmail.com" target="_blank">vkaushikdll@gmail.com</a>] <br><b>Sent:</b> Wednesday, August 24, 2011 9:18 AM</span></p>
<div><div></div><div class="h5"><br><b>To:</b> Kevin Keane<br><b>Cc:</b> <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> Re: [Openswan Users] Installing Openswan on CentOs<u></u><u></u></div>
</div><p></p></div></div><div><div></div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal" style="margin-bottom:12.0pt">Thanks Kevin.. I will make these changes. Now how do I create they Keys or User that will connect to my VPN server?<br>
<br>Also do I need any routing changes as well.. I have used openvpn and there I had to make some change in Ip Tables to route request from VPN server to the server in the local network. Something similar here?<u></u><u></u></p>
<div><p class="MsoNormal">On Tue, Aug 23, 2011 at 9:30 PM, Kevin Keane <<a href="mailto:subscription@kkeane.com" target="_blank">subscription@kkeane.com</a>> wrote:<u></u><u></u></p><div><div><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">For the NETKEY errors, you need to edit /etc/sysctl.conf, and then reboot.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">You need to change the following line:</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">net.ipv4.ip_forward = 1</span><u></u><u></u></p><p class="MsoNormal">
<span style="font-size:11.0pt;color:#1F497D"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">(the default is 0; ipsec needs 1).</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">You need to add the following lines at the end.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"># for ipsec, configure some additional settings</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">net.ipv4.conf.all.accept_redirects = 0</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">net.ipv4.conf.all.send_redirects = 0</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">net.ipv4.conf.default.accept_redirects = 0</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">net.ipv4.conf.default.send_redirects = 0</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Ignore the DNS errors. That is only relevant if you want to use OE.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span><u></u><u></u></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt"><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> Vigyan Kaushik [mailto:<a href="mailto:vkaushikdll@gmail.com" target="_blank">vkaushikdll@gmail.com</a>] <br>
<b>Sent:</b> Tuesday, August 23, 2011 3:44 PM<br><b>To:</b> Kevin Keane<br><b>Cc:</b> <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> Re: [Openswan Users] Installing Openswan on CentOs</span><u></u><u></u></p>
</div></div><div><div><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal" style="margin-bottom:12.0pt">Yes.. I can see it now.. I am using trixbox (freepbx) bundled centos. <br><br>So now how do I setup the keys etc.. below is the latest output.<br>
<br>[trixbox1.localdomain ~]# ipsec verify<br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>Linux Openswan U2.6.21/K2.6.18-164.11.1.el5 (netkey)<br>
Checking for IPsec support in kernel [OK]<br><b>NETKEY detected, testing for disabled ICMP send_redirects [FAILED]</b><br><br> Please disable /proc/sys/net/ipv4/conf/*/send_redirects<br> or NETKEY will cause the sending of bogus ICMP redirects!<br>
<b><br>NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]</b><br><br> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects<br> or NETKEY will accept bogus ICMP redirects!<br><br>Checking for RSA private key (/etc/ipsec.secrets) [OK]<br>
Checking that pluto is running [OK]<br>Two or more interfaces found, checking IP forwarding [OK]<br>Checking NAT and MASQUERADEing <br>Checking for 'ip' command [OK]<br>
Checking for 'iptables' command [OK]<br><br>Opportunistic Encryption DNS checks:<br> <b> Looking for TXT in forward dns zone: trixbox1.localdomain [MISSING]</b><br> <b> Does the machine have at least one non-private address? [FAILED]</b><br>
<br>[trixbox1.localdomain ~]# uname -a<br>Linux trixbox1.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04 EST 2010 i686 i686 i386 GNU/Linux<br><br><u></u><u></u></p><div><p class="MsoNormal">On Tue, Aug 23, 2011 at 3:05 PM, Kevin Keane <<a href="mailto:subscription@kkeane.com" target="_blank">subscription@kkeane.com</a>> wrote:<u></u><u></u></p>
<div><div><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Try “service ipsec start”. That will start the ipsec daemon (pluto), and may also load some kernel modules.</span><u></u><u></u></p><p class="MsoNormal">
<span style="font-size:11.0pt;color:#1F497D"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">If that doesn’t help: Which version of CentOS and what kernel are you running? Use the command “uname –a”.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">I just set up openswan on two CentOS 5.6 servers. I didn’t need any special configuration for the kernel. One instance used the stock CentOS kernel, the other used a Rackspace kernel.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Everything else in your output looks good; you can ignore the remaining items. The DNS entries are only needed for opportunistic encryption.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span><u></u><u></u></p><div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt"><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> <a href="mailto:users-bounces@openswan.org" target="_blank">users-bounces@openswan.org</a> [mailto:<a href="mailto:users-bounces@openswan.org" target="_blank">users-bounces@openswan.org</a>] <b>On Behalf Of </b>Vigyan Kaushik<br>
<b>Sent:</b> Tuesday, August 23, 2011 11:54 AM<br><b>To:</b> <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> [Openswan Users] Installing Openswan on CentOs</span><u></u><u></u></p>
</div></div><div><div><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal">Hi All,<br><br>I am installing Openswan for IPSec VPN connection from my iphone and ipad. I can not find a good detailed documentation on the openswan install so I tried using Yum to install the package in my Centos 5.<br>
<br><br>After installing if I run ipsec verify, I am not seeing the status of majorty things OK which means, I may have to setup/configure it further... One of the check is about the Kernel support. Can you please see the output below and suggest something?<br>
<br><br>[trixbox1.localdomain ~]# ipsec verify<br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>Linux Openswan U2.6.21/K(no kernel code presently loaded)<br>
Checking for IPsec support in kernel [FAILED]<br>Checking for RSA private key (/etc/ipsec.secrets) [OK]<br>Checking that pluto is running [FAILED]<br>
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")<br>Two or more interfaces found, checking IP forwarding [FAILED]<br> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")<br>
Checking NAT and MASQUERADEing <br>Checking for 'ip' command [OK]<br>Checking for 'iptables' command [OK]<br>
<br>Opportunistic Encryption DNS checks:<br> Looking for TXT in forward dns zone: trixbox1.localdomain [MISSING]<br> Does the machine have at least one non-private address? [FAILED]<br><br>Thanks,<br>VK<u></u><u></u></p>
</div></div></div></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_______________________________________________<br><a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a><br><a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><u></u><u></u></p></div><p class="MsoNormal"> <u></u><u></u></p>
</div></div></div></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_______________________________________________<br><a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a><br><a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><u></u><u></u></p></div><p class="MsoNormal"><u></u> <u></u></p>
</div></div></div></div></div><br>_______________________________________________<br>
<a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br></blockquote></div><br>