[Openswan Users] questions from newbie (should be simple)
Xiaoming Yu
xiaoming at us.ibm.com
Wed Jun 16 11:54:54 CEST 2004
I just installed the openswan version 2.1.2 on my Fedora with kernel 2.6.5.
I have two basic questions regarding this process. I am even new to the
freeswan project, so bear with me if my questions are naive. Thanks in
advance.
First, I also downloaded the two patches listed on the web site, one for
the kernel, one for NAT-T. I really need the NAT-T one. I used the patch
command in /usr/src/linux. It looks like for the NAT-T patch, no message
shows up (not sure if it means success or not). But for the kernel one, I
got this error message:
[root@vpn linux]# patch -p1 < openswan-2.1.2.kern.patch
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|packaging/utils/kernelpatch 2.4
|--- linux/Documentation/Configure.help.orig Fri Dec 21 12:41:53 2001
|+++ linux/Documentation/Configure.help Mon Jul 29 16:35:32 2002
Also, when I did service ipsec restart, I saw this message in the security
log. Does the disabled flag mean the patch is not there, or should I somehow
enable it? This could be related to the question above about the patch
command.
Jun 16 10:37:16 vpn ipsec__plutorun: Starting Pluto subsystem...
Jun 16 10:37:16 vpn pluto[4666]: Starting Pluto (Openswan Version 2.1.2 X.509-1.4.8 PLUTO_USES_KEYRR)
Jun 16 10:37:16 vpn pluto[4666]: including NAT-Traversal patch (Version 0.6c) [disabled]
Second question. When I did ipsec verify, I saw this. I assume the two
missing are OK, meaning I cannot do opportunistic encryption. How about the
N/A? Is it OK too?
[root@vpn linux]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.1.2/K2.6.5-1.358 (native) (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: hostname.domain [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 122.109.10.9.in-addr.arpa. [MISSING]
Again, really appreciate your time and comments.
Xiaoming