[Openswan Users] OpenSWAN 2.3 and KLIPS 2.6 on RHES4

Randy B randy at pillowfactory.org
Tue Mar 8 19:27:10 CET 2005


>Are you really sure that you're using KLIPS? Neither RHES3 nor Centos4
>nor the openswan-2.3.0-1rhel rpm contain KLIPS. Can you check with
>"lsmod" if you have a module named "ipsec" loaded?
>
>Bye,
>Bernd.
>
Working a bit more with Bernd, we find that I wasn't using KLIPS - I was 
using af_key.  I spent yesterday getting KLIPS (2.3.1dr3) to compile and 
run on RHES 3.  I spent today trying to get KLIPS running on RHES 3.0 
and CentOS 4.0, and failed.  I can get it up and running, but no matter 
what I do, pluto keeps saying that there are "no public interfaces 
found".  Googling was no help - everyone was misconfigured in a 
different way or had two interfaces with the same IP. 

Here's the configuration I was using (just testing stuff):

192.168.0.0/24 <===== GW =====> 10.0.0.0/8

The 10.x.x.x (right) network is an untrusted network with N 
road-warriors using a common PSK; the 192.168.x.x (left) net contains 
services the road-warriors use (l2tp is involved on the backend, but the 
IPsec stuff is what's not working).

    ifconfig:
    eth0      Link encap:Ethernet  HWaddr 00:06:5B:05:CD:8A
              inet addr:10.0.0.1  Bcast:10.255.255.255  Mask:255.0.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

    eth1      Link encap:Ethernet  HWaddr 00:06:5B:05:CD:89
              inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1

    route:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
    10.0.0.0        *               255.0.0.0       U     0      0        0 eth0
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

    ipsec.conf:
    version 2.0

    include /etc/ipsec.d/examples/no_oe.conf

    config setup
        interfaces="ipsec0=eth0"
        klipsdebug="eroute esp"
        plutodebug="lifecycle control"
        plutoopts="--interface eth0"
        forwardcontrol=yes
        myid=10.0.0.1

    conn testvpn
        left=10.0.0.1
        leftid=%myid
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        auto=add
        ike=aes,3des
        esp=aes,3des
        authby=secret
        pfs=no
        dpddelay=15
        dpdtimeout=300
        dpdaction=clear
        keylife=3h
        keyingtries=10
        compress=yes
The curious/sad/funny thing is, when I'm using KLIPS, pluto comes up
and says that it can't find any public interfaces ("003 no public
interfaces found"); it still 'binds' ipsec0 to eth0, but there's
nothing really listening on that IP (validated with nmap -sU
10.0.0.1, doesn't show port 500 open).  If I stop ipsec, modprobe
af_key, and re-start it, everything works perfectly (again,
validated with nmap and a successful client connection negotiation).

So, who's going to point out my glaring mistake?  Or could I have
actually found a problem?
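Since the thread comes down to two checks (Bernd's lsmod question and the nmap probe for UDP/500), here is an added POSIX sh helper that scripts both from captured text; it is not from the original post or from Openswan. It assumes only the module names the thread mentions ("ipsec" for KLIPS, "af_key" for NETKEY) and the /proc/net/udp layout; the sample lsmod and /proc/net/udp lines below are constructed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Two checks as pure
# text parsing: which IPsec stack is loaded, judged from `lsmod` output
# (KLIPS loads a module named "ipsec", NETKEY loads "af_key"), and whether
# anything is bound to UDP/500 on a given address, judged from /proc/net/udp.
# Inputs are strings, so the checks also work on output captured elsewhere.

# ipsec_stack LSMOD_TEXT  -> prints klips | netkey | none
ipsec_stack() {
    if printf '%s\n' "$1" | awk '$1 == "ipsec" {f = 1} END {exit !f}'; then
        echo klips
    elif printf '%s\n' "$1" | awk '$1 == "af_key" {f = 1} END {exit !f}'; then
        echo netkey
    else
        echo none
    fi
}

# udp500_bound PROC_NET_UDP_TEXT DOTTED_ADDR -> exit 0 if UDP/500 is bound on
# that address or on the wildcard. /proc/net/udp prints local_address as the
# IPv4 address in little-endian hex followed by the port in hex, so
# 10.0.0.1:500 appears as "0100000A:01F4" and 0.0.0.0:500 as "00000000:01F4".
udp500_bound() {
    hexaddr=$(printf '%s' "$2" | awk -F. '{printf "%02X%02X%02X%02X", $4, $3, $2, $1}')
    printf '%s\n' "$1" | awk -v key="$hexaddr:01F4" \
        'NR > 1 && ($2 == key || $2 == "00000000:01F4") {f = 1} END {exit !f}'
}

# Constructed sample input, shaped like the outputs a 2.6 box gives.
LSMOD_KLIPS='Module                  Size  Used by
ipsec                 200000  0
e100                   40000  0'
LSMOD_NETKEY='Module                  Size  Used by
af_key                 30000  0
esp4                   10000  0'
PROC_UDP_BOUND='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  12: 0100000A:01F4 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234 2 00000000
  13: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1235 2 00000000'
PROC_UDP_WILDCARD='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  14: 00000000:01F4 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1236 2 00000000'

# Stand-alone use against the live box: ./check.sh --local 10.0.0.1
if [ "${1:-}" = "--local" ]; then
    echo "stack: $(ipsec_stack "$(lsmod)")"
    udp500_bound "$(cat /proc/net/udp)" "${2:-10.0.0.1}" \
        && echo "UDP/500 bound on ${2:-10.0.0.1}" \
        || echo "nothing bound on UDP/500 for ${2:-10.0.0.1}"
fi
```

A host that reports "klips" but fails the UDP/500 check is in exactly the state described above: the module is loaded, yet pluto never opened a socket on the interface it was told to use.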
