[Openswan Users] Enabling Manually keyed IPSEC

Gangadharan G - TLS,Chennai gangadharang at hcl.in
Sat Dec 2 09:08:11 EST 2006


Hi All,
 
I am a novice to IPsec. Please help me by solving my query below.
 
My requirement is to establish IPsec between my tool and the target
device.
The keys to be used for encryption and authentication will be negotiated
through an application protocol (SIP) before IPsec is enabled on those two
machines, i.e., manually keyed IPsec has to be established between the two
machines on some particular port, and the two machines are located in the
same network.
 
 *************************************                            *************************************
 *              My Tool              *                            *           Target Device           *
 *           (Fedora Core)           * <----------------------->  *      (Any Operating System)       *
 *                                   *    Manually keyed IPsec    *                                   *
 *    10.101.210.219 (some port)     *                            *     10.101.210.16 (some port)     *
 *************************************                            *************************************
 
By surfing the Internet, I came to know that manual keying can be done
through Openswan.

When I tried to enable it, I was not able to do it. I have listed the steps
that I have done.
Please let me know if I have done anything wrong.
 
Operating System     : Fedora Core 4
Linux kernel version : 2.6
 
[root at localhost gganga]# uname -a
Linux localhost.localdomain 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005
i686 i686 i386 GNU/Linux

STEP 1)
                I have installed Openswan (rpm -r openswan-2.4.4-1.i386.rpm)
 
STEP 2)
                I have started the IPsec service.
[root at localhost gganga]# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.4...
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4/kernel/net/ipv4/xfrm4_tunnel.ko

STEP 3)
                I have verified IPsec.
[root at localhost gganga]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.11-1.1369_FC4 (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]

STEP 4)
             I have added the connection peer-to-peer in /etc/ipsec.conf.
[root at localhost gganga]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        # ipsec0=eth0 names a KLIPS virtual interface; the NETKEY stack that
        # "ipsec verify" reports has no ipsec0 device and ignores this setting.
        interfaces="ipsec0=eth0"
        klipsdebug=all
        plutodebug=none
        # manualstart must name a conn defined in this file
        manualstart="peer-to-peer"
        pluto=yes

conn peer-to-peer
        left=10.101.210.219
        right=10.101.210.16
        keyingtries=4           # only meaningful for auto= (pluto) conns
        spi=0x200
        esp=3des-md5-96
        # 3des: 192-bit key = 48 hex digits
        espenckey=0x00000000_00000000_00000000_00000000_00000000_00000001
        # md5-96: 128-bit key = 32 hex digits
        espauthkey=0x00000000_00000000_00000000_00000001
 
STEP 5)
              I have tried to enable manual IPsec.
[root at localhost gganga]# ipsec manual --up peer-to-peer
ipsec manual: fatal error in "peer-to-peer": no IPsec-enabled interfaces found
 
Please help me regarding this.
 
Thanks in Advance,
Gangadharan.
 
DISCLAIMER
The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only. It shall not attach any liability on the originator or HCL or its affiliates. Any views or opinions presented in this email are solely those of the author and may not necessarily reflect the opinions of HCL or its affiliates. Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of this message without the prior written consent of the author of this e-mail is strictly prohibited. If you have received this email in error please delete it and notify the sender immediately. Before opening any mail and attachments please check them for viruses and defect.
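An added example, not part of the post above and not Openswan's own code, showing how manually keyed SAs are loaded on the stack the post is actually running. The `ipsec manual` command drives the KLIPS stack and its ipsec0 interfaces; the `ipsec verify` output above reports the NETKEY (xfrm) stack, which has no such interfaces, so the "no IPsec-enabled interfaces found" error follows. On NETKEY, manual SAs and policies are installed with setkey(8) from ipsec-tools (the same command `ipsec verify` checked for). The Python below builds that setkey script from key material handed over by the application layer: it enforces the key sizes setkey expects for 3des-cbc (192 bits) and hmac-md5 (128 bits), refuses a 3DES key whose subkeys repeat (EDE with K1 = K2 collapses to single DES), uses a separate SA, SPI and key per direction, rejects SPIs in the reserved range 0-255 (RFC 4303), and limits the policy to the negotiated port pair. The port number 5060, the SPIs and the key bytes are constructed sample values, as is the assumption that the peer accepts transport-mode ESP.

```python
"""Generate a setkey(8) script for manually keyed, transport-mode ESP on the
Linux NETKEY/xfrm stack.  Added example; addresses, ports, SPIs and keys in
__main__ are constructed sample values standing in for SIP-negotiated ones."""
import ipaddress

# Key lengths in bits that setkey(8) accepts for these algorithms
# (assumed here for the algorithms named in the post's ipsec.conf).
KEY_BITS = {"3des-cbc": 192, "hmac-md5": 128, "hmac-sha1": 160}


def hex_key(alg: str, key: bytes) -> str:
    """Return the key in setkey's 0x-hex form, refusing wrong lengths and
    degenerate 3DES keys."""
    want = KEY_BITS[alg] // 8
    if len(key) != want:
        raise ValueError(f"{alg} needs a {want}-byte key, got {len(key)} bytes")
    if alg == "3des-cbc":
        k1, k2, k3 = key[:8], key[8:16], key[16:]
        # E(K1) D(K2) E(K3) with K1 == K2 or K2 == K3 is just single DES.
        if k1 == k2 or k2 == k3:
            raise ValueError("3DES subkeys must be distinct")
    return "0x" + key.hex()


def check_spi(spi: int) -> int:
    """SPI values 0-255 are reserved (RFC 4303, section 2.1)."""
    if not 256 <= spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI {spi:#x} outside usable range 0x100-0xffffffff")
    return spi


def sa_line(src, dst, spi, enc_alg, enc_key, auth_alg, auth_key) -> str:
    """One unidirectional transport-mode ESP SA; (dst, SPI) identifies it."""
    return (f"add {src} {dst} esp {check_spi(spi):#x} -m transport "
            f"-E {enc_alg} {hex_key(enc_alg, enc_key)} "
            f"-A {auth_alg} {hex_key(auth_alg, auth_key)};")


def spd_lines(local, remote, local_port, remote_port) -> list:
    """Policies that require ESP only for the negotiated port pair, so the
    rest of the hosts' traffic is untouched."""
    return [
        f"spdadd {local}[{local_port}] {remote}[{remote_port}] any "
        f"-P out ipsec esp/transport//require;",
        f"spdadd {remote}[{remote_port}] {local}[{local_port}] any "
        f"-P in ipsec esp/transport//require;",
    ]


def build_setkey_script(local, remote, local_port, remote_port,
                        spi_out, spi_in, enc_alg, auth_alg,
                        enc_out, auth_out, enc_in, auth_in) -> str:
    """Full script for this host: flush, two SAs (one per direction, each
    with its own SPI and keys), then the two policies."""
    local = ipaddress.ip_address(local)
    remote = ipaddress.ip_address(remote)
    lines = [
        "flush;",      # NOTE: drops every SA on the host
        "spdflush;",   # NOTE: drops every policy on the host
        sa_line(local, remote, spi_out, enc_alg, enc_out, auth_alg, auth_out),
        sa_line(remote, local, spi_in, enc_alg, enc_in, auth_alg, auth_in),
    ]
    lines += spd_lines(local, remote, local_port, remote_port)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values in place of what SIP negotiated.
    script = build_setkey_script(
        "10.101.210.219", "10.101.210.16", 5060, 5060,
        spi_out=0x200, spi_in=0x201,
        enc_alg="3des-cbc", auth_alg="hmac-md5",
        enc_out=bytes(range(24)), auth_out=bytes(range(16)),
        enc_in=bytes(range(100, 124)), auth_in=bytes(range(100, 116)),
    )
    print(script, end="")   # save to a file and load with: setkey -f <file>
```

Load the output on the tool host with `setkey -f`, and run the same function on the target device with the arguments swapped (local/remote, the two SPIs, the two key pairs): that yields the identical `add` lines and mirrored `spdadd` directions, which is what the two kernels need to agree. The `flush;`/`spdflush;` at the top clear all IPsec state on the host, so drop them on a machine that carries other SAs. Note that a 15-byte authentication key, like the 30 hex digits in the posted `espauthkey`, is rejected before anything reaches the kernel.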