[Openswan Users] freeswan client and Netscreen
danilov
danilov at comstar.ru
Fri Jan 21 16:20:15 CET 2005
Good day.
Help me please.
I am trying to connect my linux box as a client for Netscreen (security gateway) and have a problem.
I think that i am doing something wrong.
The steps for installing freeswan:
1)[root at danilov root]# uname -r
2.4.20-8
2) Get freeswan:
wget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r | tr
-d 'a-wy-z'`/\*
freeswan-userland-2.06_2.4.20_8-0.i386.rpm
freeswan-module-2.06_2.4.20_8-0.i386.rpm
3) I can't get freeswan-rpmsign.asc contents from ftp site
browser says that .../2-4.20-8/freeswan-rpmsign.asc : No such file or directory
4) I got freeswan-allkeys.sign:
[root at danilov root]# cat ./freeswan-allkeys.sig
-----BEGIN PGP MESSAGE-----
Version: 2.6.3ia
iQEVAwUAPlf8WNb67VlG6vzhAQGIvwf+NYTSOtSDTFJYAe/UpWX4WIjiLSMd5TkF
PuO5ZXWMtIIAAPtMRjCjltI7mpCDgcndEvKNiFsbtBMQQG3LL7m2jt/LKLaqDcV9
Z1lvHVCwgonmkVi+vo9tZRJZWsfcKlw4tD/XQAtoEu3bKZOlQEgmHLdC4UJQ9gzD
GG/C56MqEuTcJATGnuFAkeVvPucTZFC1BKPr8nmN1WMFGFIieBl7sJU3HvhgQGTE
e7MBR5Eu9OB+vDPdrcRtFCn+s2I/eIrlAymFQjx/95zmdS4rZYqWeBun3Xax7ZXG
/tykWq7fkrrbj1E7PIsCaYUB/B6Pf/s/mw8YpQJuzT9z8+ssLfNJzQ==
=UKED
-----END PGP MESSAGE-----
and freeswan-sigkey.as:
[root at danilov root]#./freeswan-sigkey.asc
Type Bits/KeyID Date User ID
pub 2047/46EAFCE1 2002/03/29 Linux FreeS/WAN Software Team <build at freeswan.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia
mQENAzykykMAAAEH/1zM4b0WlfUaGThfURWKh9nzkKRVkoVFJqSfK2Hcc0bHA+ZO
lkRNMhA5oO9HUZdEvOx8HHW8aR8FLsGRchFn/X4y+8l8lUuYfIbGQsUKj21naFY8
YHLQKBGRhThjRG3rzI7WXLjMdUj/m9MioAsrLhOLxPs9EVZUdj2iws//JVr2epuw
RTfw3nAM+L7/kUJ4IjwMj/2kBslowg2DwfH/hItDMlCTpihj7hZUSVEOa+R3+gRS
eupskit+ZoqSRe8VHR8XkY3AuzLGNb4mqnV9H4btNv932o/Ohp2Vw9k8u8UdvALl
Hb0NYcLqRhZGCkvAs5MM7ttCSwds1vrtWUbq/OEABRG0MkxpbnV4IEZyZWVTL1dB
TiBTb2Z0d2FyZSBUZWFtIDxidWlsZEBmcmVlc3dhbi5vcmc+iQCVAwUQPLMQmsFA
uQPManGZAQEUvwQAurKHtkaxuZZNcrIGy2NxLDDyZhiEY7Gkn7o02dfXHE0o1IEY
+HVzDNICEm0cjjRsisUS0aaAGGPXfCE2/jiI0e1sBhoxeklcIxgjvgahhJAPru/M
6mFfO4bwc6cucSWdWGd73bLSBMjHJEXRPxSg0sY08gFEoC8SpzsjG3IKVKCJAJUD
BRA8pM4XiodGDemd1f0BAT8CA/4m4QDZM8OFBGXbkFEHRB1Uf+DLefFx6gYrdjZ5
hy+gu/0s30AW26dU6FUGYvPtBBzwH5G7Ffnp0S09qMfWejiTf6ZwmlYM7a9D8QmV
D6t7Oazj+NvBvOQlsvf8GlHdb1z+96DJozUFdhSCyG4+bQXcho4oRRfQQWj6oh8X
Dnc8OIkAlQMFEDykzMV30qslsMhxPQEBv5IEALlt7IC0q17yesTQzy6SEDa2WTJl
T6j2yV4P7v6AMuH3aDDWGMBkFcZJnNZV0GlRf4MWHy7Gd3MYciuxcmbgDTv58JaO
e2ZCcLuzACGSHTUPnBpWk/91daBWiNt5PilJlrBgpZf6eU398oAHbGwtlisHFgM1
+SVAWLH1Jam7VfbFiQEVAwUQPKTKQ9b67VlG6vzhAQEsSAf+K7DH7JiKyNPaHVNH
fk/IkFvH4nVNtvAMAaSeuliJqDYhUeWrexc9MoHTaFq00HC88j7n1ZPHN1Unm8vg
VcQ/OkqMzmmjAk0nfbEsqjpCCMGD0/df+D1vtnENq0wswdYy1lmlrKtbPG7dcz33
e1swfA2u3ZIZzbW/U3uMYHPShDALmQ0uSRGudtqnCrhiLCv0rKwOA/bgjE11mcGa
UaS8lNmybaDe25Pnv6Sx9+BmnFbE3aBnW7+UoBbwHfkHIoVNTGV56HexURgFnWEt
KmW2tcsAzHNpQPbTUp8zvegjbV41XOnSvcFyrwibYDcJrmVAR9ZoVjidH++BI3lM
Cf0RaA==
=4VL/
-----END PGP PUBLIC KEY BLOCK-----
5) Install from RPMS:
rpm -ivh freeswan*.rpm
предупреждение: freeswan-module-2.06_2.4.20_8-0.i386.rpm: подпись RSA/MD5 V3:
NOKEY, key ID 5a7e4731
Подготовка... ########################################### [100%]
пакет freeswan-module-2.06_2.4.20_8-0 уже установлен
пакет freeswan-userland-2.06_2.4.20_8-0
6) Start service ipsec:
/sbin/service ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 2.06...
ipsec_setup: Using /lib/modules/2.4.20-8/kernel/net/ipsec/ipsec.o
/sbin/lsmod
Module Size Used by Not tainted
ipsec 269152 3
7) Verify:
/usr/local/sbin/ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN 2.06
Checking for IPsec kernel support: found KLIPS [OK]
Checking that pluto is running [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward map: danilov
[MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse map: 99.131.210.195.in-addr.arpa.
[MISSING]
I think that everything ok because i can not use OE
8)I uncomment comment in default file /etc/ipsec.conf
this is main part of config:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for
# klipsdebug=all
# plutodebug=dns
# Add connections here.# sample VPN connection
conn sample
left=10.0.0.1
leftsubnet=172.16.0.0/24
leftnexthop=10.22.33.4
right=10.12.12.1
rightsubnet=192.168.0.0/24
rightnexthop=10.101.102.103
Where i want to restart ipsec i received a message:
/sbin/service ipsec stop
ipsec_setup: (/etc/ipsec.conf, line 34) parameter is not within a section --
`stop' aborted
Interface ipsec0 up, but i can't change params of ipsec in /etc/ipsec.conf
ipsec0 Link encap:Ethernet HWaddr 00:11:11:14:49:22
inet addr:195.210.131.99 Mask:255.255.255.192
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:272 errors:0 dropped:1 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:23608 (23.0 Kb)
I think that syntaxis of my config file wrong
Tell me please what i am doing wrong?
may be field version or something else ?
9) If you have successfully connected client freeswan/openswan
with Netscreen 5GT can you send me right config file for freeswan ?
10) Windows client work properly with Netscreen.
I use aggressive mode and psk and seed.
I know that freeswan do not support
aggressive mode and i can reconfigure nestcreen for main mode
11) If it is interesting for you i can
give public address of Netscreen device and him config.
Thank you.
--
With best regards,
Danilov Dmitry, Moscow,
Comstar telecommunications,
engineer of dept. mpls networks
tel 9561885 danilov at comstar.ru
More information about the Users
mailing list