[Openswan Users] Can somebody please help me get started?

Joseph Commisso commisj at cs.sunyit.edu
Thu Oct 14 17:24:15 CEST 2004

I have compiled Linux kernel 2.4.27 with openswan 2.2.0 and the NAT-T patch.
The way I did it was using the directions for freeswan 1.95, and here is
what I did specifically:
I have a text-based installation, so in /usr/src/linux, I typed "make
Then I typed "make config"
Once I went through all the configuration questions, I typed "make dep"
Then I typed "make clean"
Then I put openswan in /usr/src/openswan-2.2.0 directory.
I edited Makefile.inc to have the correct path for PUBDIR and INC_MANDIR
and I changed

Then I typed "make ogo" and went through all the configuration questions
again and chose "yes" for all the openswan questions (I also chose "yes"
to many of the crypto questions at the end).

Then I typed "make install"
And finally I typed "make bzImage"
Then I installed my new kernel. I hope I haven't forgotten anything.

My problem is that I think that openswan is installed ok, but I don't know
how to configure it for my needs.

We have a static IP at our main location, and I was going to see if we
could get a stable, always-on connection using a Verizon DSL or cable DHCP
connection to save money on the static IP. We will have the main location
as static, though. So does anybody have any experience with this type of
setup? If you think it won't be stable, I'll recommend we get another
static IP for our other 2 locations. We are only going to have one main
location with 2 remote locations in all. Each location has a gateway
server with a firewall using iptables. The OS is the Linux OS from
openna.com and I am using their book, but they don't support openswan, so
I am asking here for some help in getting this up and running, please.
I have spent a lot of time on this, and that's why I am asking here. I am
hoping you will tell me that this is simple from here and easy! I have
_not_ added any changes in my iptables to allow UDP port 500 or
protocol 50 or 51. I was waiting until I found that was a problem. I would
like to use RSA private keys for authentication, so maybe the DNS checks
below are unnecessary? Please tell me, because I don't know what to do
about them.

[root at henry ]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                   [OK]
Linux Openswan cvs2002Mar11_19:19:03 (klips)
Checking for IPsec support in kernel                              [OK]
Checking for RSA private key (/etc/ipsec.secrets)                 [OK]
Checking that pluto is running                                    [FAILED]
whack: Pluto is not running (no "/var/run/pluto.ctl")
Two or more interfaces found, checking IP forwarding              [FAILED]
whack: Pluto is not running (no "/var/run/pluto.ctl")
Checking NAT and MASQUERADEing                                    [OK]
Checking for 'ip' command                                         [OK]
Checking for 'iptables' command                                   [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: henry.tahan.com           [MISSING]
   Does the machine have at least one non-private address?          [OK]
   Looking for TXT in reverse dns zone: [MISSING]
[root at henry ]#

I have edited my /etc/ipsec.conf, but I don't know if it is correct for a
road warrior.

[root at henry etc]# cat ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for
        # klipsdebug=none
        # plutodebug="control parsing"

# Add connections here

# sample VPN connection
conn george
        # Left security gateway, subnet behind it, next hop toward
        # Right security gateway, subnet behind it, next hop toward left.
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
[root at henry etc]#

Thanks in advance!
Joe Commisso
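The two things the message above leaves open are the missing firewall rules and what a road-warrior conn with RSA authentication looks like when one end has no fixed address. The script below is an added example, not code from the original message or from the Openswan project. It assumes Openswan 2.x ipsec.conf syntax on a KLIPS kernel (decrypted tunnel traffic appears on ipsec0), eth0 facing the Internet and eth1 facing the LAN on the static gateway "henry", and placeholder addresses, subnets, peer name (george.tahan.com) and RSA key values; the real keys come from "ipsec showhostkey --left" on henry and "ipsec showhostkey --right" on george. The OE DNS TXT checks that ipsec verify reports as MISSING only matter for opportunistic encryption, which the included no_oe.conf turns off, so the conf carries the RSA public keys inline instead.

```shell
#!/bin/sh
# Added example for the setup described in the post; not code from the
# original message or from Openswan. Assumed (adjust to taste): Openswan 2.x
# ipsec.conf syntax, KLIPS (so tunnel cleartext shows up on ipsec0), eth0 to
# the Internet, eth1 to the LAN, placeholder subnets, IDs and keys.
# DRY_RUN=1 prints the iptables commands instead of executing them.

EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"    # placeholder LAN behind henry
REMOTE_NET="${REMOTE_NET:-192.168.2.0/24}"  # placeholder LAN behind george

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The rules the post says are not yet in place. IKE is UDP 500; with the
# NAT-T patch IKE and ESP can also arrive on UDP 4500; ESP is IP protocol
# 50 and AH is protocol 51. Both directions are matched so a default DROP
# policy on INPUT or OUTPUT cannot silently break the negotiation.
ipsec_input_rules() {
    for port in 500 4500; do
        run iptables -A INPUT  -i "$EXT_IF" -p udp --dport "$port" -j ACCEPT
        run iptables -A OUTPUT -o "$EXT_IF" -p udp --sport "$port" -j ACCEPT
    done
    for proto in esp ah; do
        run iptables -A INPUT  -i "$EXT_IF" -p "$proto" -j ACCEPT
        run iptables -A OUTPUT -o "$EXT_IF" -p "$proto" -j ACCEPT
    done
}

# KLIPS delivers decrypted packets on ipsec0, so LAN-to-tunnel forwarding is
# two FORWARD rules. The remote subnet arriving in the clear on eth0 can only
# be spoofed, so it is dropped, and tunnel traffic is exempted from any
# MASQUERADE rule that follows it in the nat POSTROUTING chain.
ipsec_forward_rules() {
    run iptables -A FORWARD -i ipsec0 -o "$LAN_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o ipsec0 -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -j DROP
    run iptables -t nat -I POSTROUTING -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
}

# ipsec.conf for henry, the end with the static address: right=%any accepts
# george from whatever address the ISP leases, RSA signatures replace the OE
# DNS records, and auto=add makes henry wait for george to initiate. On
# george use right=%defaultroute and auto=start. The 0sAQ... values are
# placeholders for the output of "ipsec showhostkey --left" (on henry) and
# "ipsec showhostkey --right" (on george).
road_warrior_conf() {
cat <<EOF
version 2.0

config setup
        interfaces=%defaultroute
        # george may sit behind the ISP's NAT; the kernel has the NAT-T patch
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none

conn george
        authby=rsasig
        # placeholder static address of henry
        left=203.0.113.10
        leftsubnet=$LOCAL_NET
        leftid=@henry.tahan.com
        leftrsasigkey=0sAQ...
        # george's address changes with every DHCP lease
        right=%any
        rightsubnet=$REMOTE_NET
        rightid=@george.tahan.com
        rightrsasigkey=0sAQ...
        # keep retrying after an ISP disconnect instead of giving up
        keyingtries=%forever
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
EOF
}
```

Run with DRY_RUN=1 first to review the rules, then without it as root; write road_warrior_conf's output to /etc/ipsec.conf after filling in the real keys. The two FAILED lines in the ipsec verify output above are both the same thing: pluto had not been started yet, so "ipsec setup start" followed by "ipsec auto --status" is the next check, and "ipsec auto --up george" on the dynamic end brings the tunnel up by hand for testing.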
