[Openswan Users] Configuring openswan on embedded Linux

Andy fs at globalnetit.com
Fri Sep 16 19:04:49 CEST 2005


On Fri, 2005-09-16 at 16:14 -0400, phil at ctekproducts.com wrote:
> Hi,
> 
> I am trying to test Openswan (1.0.10) on an embedded Linux (2.4.26)
> platform. I believe that I have successfully built all Openswan kernel
> and user facilities so my problem is really in configuration. Since my
> environment has more limited shell capabilities than those required
> for many of the scripts, I am trying to use the lower level commands
> to create my configuration.
> 
I'm surprised at that. Is this the Axis system you mentioned before? We
use the shell and busybox utilities from Axis to run Openswan, it all
works fine. What's not working for you?

Your scripts seem to have a lot missing... I don't see any place you set
up the secrets. And I think you'll need something to set the identities
of each end as well.

You have %any in both configs - I don't think that'll work. With a
dynamic address on your embedded box, it'll have to re-initiate the
connection each time the address changes. We hook into the ip-up/ip-down
scripts from ppp to do that.

Do you have any logs from when you run these commands? - that may help
show up anything else that's missing.

If you can run ipsec auto commands, even someplace else, the --showonly
option is helpful - it'll dump the command that would be executed.
Here's an example from one of our remote units, which looks to be set up
much the same as yours (this is a unit running openswan 1.0.9 on an i386
processor, 2.4.20 kernel, X.509 authentication):

# ipsec auto --showonly --add XXXX
PATH="/usr/local/sbin:/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin"
export PATH
ipsec whack --name XXXX --encrypt --ike "3des" --esp "3des" --tunnel --pfs --dpdaction "hold" --compress --ikelifetime "28800" --rsasig \
        --host "<server IP>" --client "<remote network>"  --nexthop "%direct" --updown "ipsec _updown" --id "<CN from certificate>"    \
        --to --host "68.246.105.17" --client "<local network>"  --nexthop "68.28.177.10" --updown "ipsec _updown"   --cert "certs/mycert.pem"  \
        --ipseclifetime "86400" --rekeywindow "600" \
        --keyingtries "1"    \
        || exit $?

Here's the ppp interface (dynamic address) as it was when that command
was entered:

# ip add show dev ppp0
55: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 3
    link/ppp 
    inet 68.246.105.17 peer 68.28.177.10/32 scope global ppp0
> My test platform functions as a router and it gets a dynamic IP
> address from the network that it is connected to. On the router's
> client side, it has a LAN with private addresses so it appears as
> follows:
> 
> 192.168.1.0/24 (eth0) <-TEST ROUTER 1-> (ppp0) dynamic IP  
> 
> In order to have a controlled test case, I  built another router to
> act as the other end of my test environment. This device has a network
> interface with a static public address and has a client side LAN with
> private addresses so it appears as follows:
> 
> 192.168.2.0/24 (eth0) <--TEST ROUTER 2--> (eth1)67.12.3.11 
> 
> I have connectivity between 67.12.3.11 and the dynamic address of the
> other router and I have a client device attached to each router so
> that I can generate traffic.
> 
> I have created the following script for TEST ROUTER 1:
> 
> ipsec tncfg --attach --virtual ipsec0 --physical ppp0
> ipsec whack --name tunnel_1 --host 67.12.3.11 --nexthop %direct \
>     --client 192.168.2.0/24 --to --host %any --client 192.168.1.0/24 \
>     --encrypt --rsasig
> ipsec whack --listen
> ipsec whack --route --name tunnel_1
> ipsec whack --initiate --name tunnel_1
> 
> I have created the following script for TEST ROUTER 2:
> 
> ipsec tncfg --attach --virtual ipsec0 --physical eth1
> ifconfig ipsec0 67.12.3.11
> ipsec whack --name tunnel_1 --host 67.12.3.11 --nexthop %direct \
>     --client 192.168.2.0/24 --to --host %any --client 192.168.1.0/24 \
>     --encrypt --rsasig
> ipsec whack --listen
> 
> If someone could tell me what steps am I missing in my configuration I
> would greatly appreciate it.
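As an added example that is not part of the thread, here is the kind of pppd ip-up hook Andy describes: it re-attaches ipsec0 to the new ppp interface and re-issues the whack commands with the freshly assigned address as our --host and the peer as our --nexthop, following the shape of his --showonly output. The connection name, identity, certificate path and the IPSEC/IFCONFIG override variables are assumptions; the addresses and networks are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a pppd ip-up hook that re-adds and
# re-initiates an Openswan 1.x connection with the address pppd just got.
# pppd invokes it as: ip-up IFACE TTY SPEED LOCAL-IP REMOTE-IP [IPPARAM]
# CONN, LOCAL_ID and CERT are assumed placeholders.
CONN=${CONN:-tunnel_1}
SERVER_IP=${SERVER_IP:-67.12.3.11}          # static end (TEST ROUTER 2)
SERVER_NET=${SERVER_NET:-192.168.2.0/24}
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}
LOCAL_ID=${LOCAL_ID:-@router1.example}      # assumed; must match the cert
CERT=${CERT:-certs/router1.pem}             # assumed path under ipsec.d
IPSEC=${IPSEC:-ipsec}                       # overridable for testing
IFCONFIG=${IFCONFIG:-ifconfig}              # overridable for testing

# Re-add the connection with our current address. Only the --to side
# (this box) changes between dial-ups; the static peer stays fixed.
whack_add() {
    local_ip=$1; nexthop=$2
    "$IPSEC" whack --delete --name "$CONN" 2>/dev/null || true
    "$IPSEC" whack --name "$CONN" --encrypt --tunnel --pfs --rsasig \
        --host "$SERVER_IP" --client "$SERVER_NET" --nexthop %direct \
        --updown "ipsec _updown" \
        --to --host "$local_ip" --client "$LOCAL_NET" --nexthop "$nexthop" \
        --id "$LOCAL_ID" --cert "$CERT" --updown "ipsec _updown"
}

# Called by pppd: attach the KLIPS virtual interface to the new ppp
# device, let pluto rescan interfaces and secrets, then bring up the SA.
# (The matching ip-down hook should --detach ipsec0 again.)
ip_up() {
    iface=$1; local_ip=$4; remote_ip=$5
    "$IPSEC" tncfg --attach --virtual ipsec0 --physical "$iface"
    "$IFCONFIG" ipsec0 "$local_ip"
    "$IPSEC" whack --listen
    "$IPSEC" whack --rereadsecrets
    whack_add "$local_ip" "$remote_ip"
    "$IPSEC" whack --route --name "$CONN"
    "$IPSEC" whack --initiate --name "$CONN"
}

# pppd passes at least five arguments; do nothing when sourced for testing.
if [ $# -ge 5 ]; then
    ip_up "$@"
fi
```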