<div dir="ltr">Although not directly related - on a Centos box this will help<div><br></div><div><div># # <a href="http://www.couyon.net/1/post/2013/02/ipsec-on-rhel6centos6-dont-do-it.html">http://www.couyon.net/1/post/2013/02/ipsec-on-rhel6centos6-dont-do-it.html</a></div>
<div>net.ipv4.xfrm4_gc_thresh = 65536</div></div><div><br></div><div>in /etc/sysctl.conf</div><div><br></div><div>Cheers</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 5 November 2013 06:16, Leto <span dir="ltr"><<a href="mailto:letoams@gmail.com" target="_blank">letoams@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><br><br>sent from a tiny device </div><div class="im"><div><br>On 2013-11-04, at 7:39, "Rishad Ali" <<a href="mailto:rishad.ali@turnkey-instruments.com" target="_blank">rishad.ali@turnkey-instruments.com</a>> wrote:<br>
<br></div><blockquote type="cite"><div><div><p class="MsoNormal"><span style="color:#1f497d">Hi all,<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">I am trying to set up a VPN between my dedicated server (centOS) and another company. I want to terminate the VPN on my dedicated server which I access remotely and the other company terminates their VPN on a CISCO firewall.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">(I have been given their </span><span style="color:#1f497d">Internal IP address and external Gateway IP address to setup on openswan.) <u></u><u></u></span></p><p class="MsoNormal">
<span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">My first problem is, I do not have a network behind my server, so what should be my <b>internal IP address</b> in the ipsec.config (should I use the same public IP address for both internal and external)?</span></p>
</div></div></blockquote><div><br></div></div>you can just leave out leftsubnet=<div><br></div><div><div class="im"><br><blockquote type="cite"><div><p class="MsoNormal"><span style="color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><br></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Secondly, when I run ipsec verify, below is the output<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p></div></blockquote><div><br></div></div>it's odd that it shows ip xfrm is broken on centos. that is normally not a problem. do you have the iproute package installed?</div>
<div><br></div><div><div><div class="h5"><br><blockquote type="cite"><div><p class="MsoNormal"><span style="color:#1f497d">Checking if IPsec got installed and started correctly:<u></u><u></u></span></p><p class="MsoNormal">
<span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Version check and ipsec on-path [OK]<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Openswan U2.6.39/K2.6.32-358.23.2.el6.x86_64 (netkey)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">See `ipsec --copyright' for copyright information.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Checking for IPsec support in kernel [OK]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"> NETKEY: Testing XFRM related proc values<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"> ICMP default/send_redirects [OK]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"> ICMP default/accept_redirects [OK]<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"> XFRM larval drop [OK]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">Hardware random device check [N/A]<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Checking rp_filter [ENABLED]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"> /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Checking that pluto is running [OK]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"> Pluto listening for IKE on udp 500 [OK]<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"> Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"> Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"> Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"> Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]<u></u><u></u></span></p><p class="MsoNormal"><b><u><span style="color:#1f497d">Checking NAT and MASQUERADEing [TEST INCOMPLETE]<u></u><u></u></span></u></b></p>
<p class="MsoNormal"><b><u><span style="color:#1f497d">Checking 'ip' command [IP XFRM BROKEN]<u></u><u></u></span></u></b></p><p class="MsoNormal"><span style="color:#1f497d">Checking 'iptables' command [OK]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">It says,<u></u><u></u></span></p><p class="MsoNormal"><b><u><span style="color:#1f497d">Checking NAT and MASQUERADEing [TEST INCOMPLETE]<u></u><u></u></span></u></b></p>
<p class="MsoNormal"><b><u><span style="color:#1f497d">Checking 'ip' command [IP XFRM BROKEN]<u></u><u></u></span></u></b></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">How to fix this?<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Thanks.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p></div>
<br><br></blockquote></div></div><blockquote type="cite"><div><span>_______________________________________________</span><br><span><a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a></span><br>
<span><a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a></span><br><span>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a></span><br>
<span>Building and Integrating Virtual Private Networks with Openswan:</span><br><span><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></span><br>
</div></blockquote></div></div>
<br></blockquote></div><br></div>