[Openswan Users] Subnets conmunication?
Peter McGill
petermcgill at goco.net
Tue Jun 5 15:06:52 EDT 2007
That's not it, there should be lots more pluto lines, and
no kernel etc. lines.
Try this.
grep -e 'pluto' /var/log/secure
Peter McGill
> -----Original Message-----
> From: IT Dept. [mailto:it at technovation.com.sv]
> Sent: June 5, 2007 3:00 PM
> To: petermcgill at goco.net
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Subnets conmunication?
>
> Here is:
>
>
> Jun 5 13:58:02 vpn syslogd 1.4.1#17ubuntu7: restart.
> Jun 5 13:58:02 vpn kernel: Cannot find map file.
> Jun 5 13:58:02 vpn kernel: No module symbols loaded - kernel modules not enabled.
> Jun 5 13:58:02 vpn kernel: Bootdata ok (command line is root=/dev/sda1 ro 3)
> Jun 5 13:58:02 vpn kernel: Linux version 2.6.16.29-xen (shand at endor) (gcc version 3.4.4 20050314 (prerelease) (Debian 3.4.3-13)) #3 SMP Sun Oct 15 13:15:34 BST 2006
> Jun 5 13:58:02 vpn kernel: BIOS-provided physical RAM map:
> Jun 5 13:58:02 vpn kernel: Xen: 0000000000000000 - 000000001f000000 (usable)
> Jun 5 13:58:02 vpn kernel: On node 0 totalpages: 126976
> Jun 5 13:58:02 vpn kernel: DMA zone: 126976 pages, LIFO batch:31
> Jun 5 13:58:02 vpn kernel: DMA32 zone: 0 pages, LIFO batch:0
> Jun 5 13:58:02 vpn kernel: Normal zone: 0 pages, LIFO batch:0
> Jun 5 13:58:02 vpn kernel: HighMem zone: 0 pages, LIFO batch:0
> Jun 5 13:58:02 vpn kernel: No mptable found.
> Jun 5 13:58:02 vpn kernel: Built 1 zonelists
> Jun 5 13:58:02 vpn kernel: Kernel command line: root=/dev/sda1 ro 3
> Jun 5 13:58:02 vpn kernel: Initializing CPU#0
> Jun 5 13:58:02 vpn kernel: PID hash table entries: 2048 (order: 11, 65536 bytes)
> Jun 5 13:58:02 vpn kernel: Xen reported: 1795.496 MHz processor.
> Jun 5 13:58:02 vpn kernel: Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
> Jun 5 13:58:02 vpn kernel: Inode-cache hash table entries: 32768 (order: 6, 262144 bytes)
> Jun 5 13:58:02 vpn kernel: Software IO TLB disabled
> Jun 5 13:58:02 vpn kernel: Memory: 483452k/507904k available (1918k kernel code, 15628k reserved, 809k data, 168k init)
> Jun 5 13:58:02 vpn kernel: Calibrating delay using timer specific routine.. 3592.77 BogoMIPS (lpj=17963870)
> Jun 5 13:58:02 vpn kernel: Security Framework v1.0.0 initialized
> Jun 5 13:58:02 vpn kernel: Capability LSM initialized
> Jun 5 13:58:02 vpn ipsec__plutorun: 104 "branch_40_to_centralbw_50" #1: STATE_MAIN_I1: initiate
> Jun 5 13:58:02 vpn ipsec__plutorun: ...could not start conn "branch_40_to_centralbw_50"
> Jun 5 13:58:02 vpn kernel: Mount-cache hash table entries: 256
> Jun 5 13:58:02 vpn kernel: CPU: L1 I Cache: 64K (64 bytes/line), D cache 64K (64 bytes/line)
> Jun 5 13:58:02 vpn kernel: CPU: L2 Cache: 1024K (64 bytes/line)
> Jun 5 13:58:02 vpn kernel: Brought up 1 CPUs
> Jun 5 13:58:02 vpn kernel: migration_cost=0
> Jun 5 13:58:02 vpn kernel: checking if image is initramfs... it is
> Jun 5 13:58:02 vpn kernel: Freeing initrd memory: 1859k freed
> Jun 5 13:58:02 vpn kernel: DMI not present or invalid.
> Jun 5 13:58:02 vpn kernel: Grant table initialized
> Jun 5 13:58:02 vpn kernel: NET: Registered protocol family 16
> Jun 5 13:58:02 vpn kernel: Initializing CPU#1
> Jun 5 13:58:02 vpn kernel: migration_cost=967
> Jun 5 13:58:02 vpn kernel: Brought up 2 CPUs
> Jun 5 13:58:02 vpn kernel: PCI: setting up Xen PCI frontend stub
> Jun 5 13:58:02 vpn kernel: ACPI: Subsystem revision 20060127
> Jun 5 13:58:02 vpn kernel: ACPI: Interpreter disabled.
> Jun 5 13:58:02 vpn kernel: Linux Plug and Play Support v0.97 (c) Adam Belay
> Jun 5 13:58:02 vpn kernel: pnp: PnP ACPI: disabled
> Jun 5 13:58:02 vpn kernel: xen_mem: Initialising balloon driver.
> Jun 5 13:58:02 vpn kernel: PCI: System does not support PCI
> Jun 5 13:58:02 vpn kernel: PCI: System does not support PCI
> Jun 5 13:58:02 vpn kernel: pnp: the driver 'system' has been registered
> Jun 5 13:58:02 vpn kernel: IA-32 Microcode Update Driver: v1.14-xen <tigran at veritas.com>
> Jun 5 13:58:02 vpn kernel: IA32 emulation $Id: sys_ia32.c,v 1.32 2002/03/24 13:02:28 ak Exp $
> Jun 5 13:58:02 vpn kernel: audit: initializing netlink socket (disabled)
> Jun 5 13:58:02 vpn kernel: audit(1181069856.905:1): initialized
> Jun 5 13:58:02 vpn kernel: VFS: Disk quotas dquot_6.5.1
> Jun 5 13:58:02 vpn kernel: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
> Jun 5 13:58:02 vpn kernel: Initializing Cryptographic API
> Jun 5 13:58:02 vpn kernel: io scheduler noop registered
> Jun 5 13:58:02 vpn kernel: io scheduler anticipatory registered
> Jun 5 13:58:02 vpn kernel: io scheduler deadline registered
> Jun 5 13:58:02 vpn kernel: io scheduler cfq registered (default)
> Jun 5 13:58:02 vpn kernel: rtc: IRQ 8 is not free.
> Jun 5 13:58:02 vpn kernel: Non-volatile memory driver v1.2
> Jun 5 13:58:02 vpn kernel: pnp: the driver 'i8042 kbd' has been registered
> Jun 5 13:58:02 vpn kernel: pnp: the driver 'i8042 aux' has been registered
> Jun 5 13:58:02 vpn kernel: pnp: the driver 'i8042 kbd' has been unregistered
> Jun 5 13:58:02 vpn kernel: pnp: the driver 'i8042 aux' has been unregistered
> Jun 5 13:58:02 vpn kernel: PNP: No PS/2 controller found. Probing ports directly.
> Jun 5 13:58:02 vpn kernel: i8042.c: No controller found.
> Jun 5 13:58:02 vpn kernel: RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
> Jun 5 13:58:02 vpn kernel: loop: loaded (max 8 devices)
> Jun 5 13:58:02 vpn kernel: Xen virtual console successfully installed as tty1
> Jun 5 13:58:02 vpn kernel: Event-channel device installed.
> Jun 5 13:58:02 vpn kernel: netfront: Initialising virtual ethernet driver.
> Jun 5 13:58:02 vpn kernel: Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
> Jun 5 13:58:02 vpn kernel: ide: Assuming 50MHz system bus speed for PIO modes; override with idebus=xx
> Jun 5 13:58:02 vpn kernel: pnp: the driver 'ide' has been registered
> Jun 5 13:58:02 vpn kernel: mice: PS/2 mouse device common for all mice
> Jun 5 13:58:02 vpn kernel: md: md driver 0.90.3 MAX_MD_DEVS=256, MD_SB_DISKS=27
> Jun 5 13:58:02 vpn kernel: md: bitmap version 4.39
> Jun 5 13:58:02 vpn kernel: NET: Registered protocol family 2
> Jun 5 13:58:02 vpn kernel: netfront: device eth0 has flipping receive path.
> Jun 5 13:58:02 vpn kernel: IP route cache hash table entries: 4096 (order: 3, 32768 bytes)
> Jun 5 13:58:02 vpn kernel: TCP established hash table entries: 16384 (order: 6, 262144 bytes)
> Jun 5 13:58:02 vpn kernel: TCP bind hash table entries: 16384 (order: 6, 262144 bytes)
> Jun 5 13:58:02 vpn kernel: TCP: Hash tables configured (established 16384 bind 16384)
> Jun 5 13:58:02 vpn kernel: TCP reno registered
> Jun 5 13:58:02 vpn kernel: NET: Registered protocol family 1
> Jun 5 13:58:02 vpn kernel: NET: Registered protocol family 17
> Jun 5 13:58:02 vpn kernel: Registering block device major 8
> Jun 5 13:58:02 vpn kernel: kjournald starting. Commit interval 5 seconds
> Jun 5 13:58:02 vpn kernel: EXT3-fs: mounted filesystem with ordered data mode.
> Jun 5 13:58:02 vpn kernel: NET: Registered protocol family 10
> Jun 5 13:58:02 vpn kernel: lo: Disabled Privacy Extensions
> Jun 5 13:58:02 vpn kernel: IPv6 over IPv4 tunneling driver
> Jun 5 13:58:02 vpn kernel: pnp: the driver 'parport_pc' has been registered
> Jun 5 13:58:02 vpn kernel: lp: driver loaded but no devices found
> Jun 5 13:58:02 vpn kernel: Adding 999416k swap on /dev/sda2. Priority:-1 extents:1 across:999416k
> Jun 5 13:58:02 vpn kernel: EXT3 FS on sda1, internal journal
> Jun 5 13:58:02 vpn kernel: device-mapper: 4.5.0-ioctl (2005-10-04) initialised: dm-devel at redhat.com
> Jun 5 13:58:02 vpn kernel: NET: Registered protocol family 15
> Jun 5 13:58:02 vpn kernel: Initializing IPsec netlink socket
> Jun 5 13:58:02 vpn ipsec__plutorun: 029 "centralbw_50_to_branch_40": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
> Jun 5 13:58:02 vpn ipsec__plutorun: ...could not start conn "centralbw_50_to_branch_40"
> Jun 5 13:58:03 vpn kernel: eth0: no IPv6 routers present
> Jun 5 13:58:03 vpn ipsec_setup: Openswan IPsec apparently already running, start aborted
> Jun 5 13:58:03 vpn /usr/sbin/cron[1554]: (CRON) INFO (pidfile fd = 3)
> Jun 5 13:58:03 vpn /usr/sbin/cron[1555]: (CRON) STARTUP (fork ok)
> Jun 5 13:58:03 vpn /usr/sbin/cron[1555]: (CRON) INFO (Running @reboot jobs)
>
> Hector
>
>
> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net]
> Sent: Tuesday, 05 June 2007 12:55 p.m.
> To: 'IT Dept.'
> CC: users at openswan.org
> Subject: RE: [Openswan Users] Subnets conmunication?
>
> > -----Original Message-----
> > From: IT Dept. [mailto:it at technovation.com.sv]
> > Sent: June 5, 2007 2:43 PM
> > To: petermcgill at goco.net
> > Cc: users at openswan.org
> > Subject: RE: [Openswan Users] Subnets conmunication?
> >
> > root at vpn:~# ipsec version
> > Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
> > See `ipsec --copyright' for copyright information.
> > root at vpn:~#
> >
> > root at vpn:~# ipsec verify
> > Checking your system to see if IPsec got installed and
> > started correctly:
> > Version check and ipsec on-path [OK]
> > Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
> > Checking for IPsec support in kernel [OK]
> > Checking for RSA private key (/etc/ipsec.secrets) [OK]
> > Checking that pluto is running [OK]
> > Two or more interfaces found, checking IP forwarding [OK]
> > Checking NAT and MASQUERADEing [N/A]
> > Checking for 'ip' command [OK]
> > Checking for 'iptables' command [OK]
> > Checking for 'setkey' command for NETKEY IPsec stack support [OK]
> > Opportunistic Encryption Support [DISABLED]
> > root at vpn:~#
> >
> > root at vpn:~# ipsec eroute
> > /usr/lib/ipsec/eroute: NETKEY does not support eroute table.
> > root at vpn:~#
>
> The above looks ok, we don't need eroute, it's just an easy way to check
> tunnel status. But I will need some log info to determine where the error is.
>
> egrep -e 'pluto' /var/log/*
> Filter by date/time to only get the recent restart and connections.
>
> > I'll be waiting for your help.... my boss wanna hang me... LOL
> >
> > Regards
> >
> > Hector
> >
> > -----Original Message-----
> > From: Peter McGill [mailto:petermcgill at goco.net]
> > Sent: Tuesday, 05 June 2007 12:37 p.m.
> > To: 'IT Dept.'
> > CC: users at openswan.org
> > Subject: RE: [Openswan Users] Subnets conmunication?
> >
> > > -----Original Message-----
> > > From: IT Dept. [mailto:it at technovation.com.sv]
> > > Sent: June 5, 2007 2:00 PM
> > > To: petermcgill at goco.net
> > > Cc: users at openswan.org
> > > Subject: RE: [Openswan Users] Subnets conmunication?
> > > Importance: High
> > >
> > > Hi again...
> > >
> > > Thanks for your help.... I can't get communication yet.
> > >
> > > Here is my last conf... I'm only using two branches to make it simpler...
> > >
> > > # /etc/ipsec.conf - Openswan IPsec configuration file
> > > # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
> > >
> > > # This file: /usr/share/doc/openswan/ipsec.conf-sample
> > > #
> > > # Manual: ipsec.conf.5
> > >
> > >
> > > version 2.0 # conforms to second version of ipsec.conf specification
> > >
> > > # basic configuration
> > > config setup
> > >     forwardcontrol=yes
> > >     nat_traversal=yes
> > >     # plutodebug / klipsdebug = "all", "none" or a combination from below:
> > >     # "raw crypt parsing emitting control klips pfkey natt x509 private"
> > >     # eg:
> > >     # plutodebug="control parsing"
> > >     #
> > >     # Only enable klipsdebug=all if you are a developer
> > >     #
> > >     # NAT-TRAVERSAL support, see README.NAT-Traversal
> > >     # nat_traversal=yes
> > >     #
> > >     # every entry needs the %v4: prefix (the posted file had a bare %4: on the last one)
> > >     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> > >
> > > #Disable Opportunistic Encryption
> > > include /etc/ipsec.d/examples/no_oe.conf
> > >
> > > conn branch_40
> > >     also=branch_40_shared
> > >     rightsubnet=192.168.40.0/24
> > >     auto=start
> > >
> > > conn centralbw_50
> > >     also=centralbw_50_shared
> > >     rightsubnet=192.168.50.0/24
> > >     auto=add
> > >
> > > conn branch_40_to_centralbw_50
> > >     also=branch_40_shared
> > >     leftsubnet=192.168.50.0/24
> > >     rightsubnet=192.168.40.0/24
> > >     auto=start
> > >
> > > conn centralbw_50_to_branch_40
> > >     also=centralbw_50_shared
> > >     leftsubnet=192.168.40.0/24
> > >     rightsubnet=192.168.50.0/24
> > >     auto=add
> > >
> > > # shared parameters for the static-IP branch, pulled in via also=
> > > conn branch_40_shared
> > >     authby=secret
> > >     compress=no
> > >     ikelifetime=240m
> > >     keyexchange=ike
> > >     keylife=60m
> > >     left=208.70.149.161
> > >     leftnexthop=208.70.149.166
> > >     pfs=yes
> > >     right=190.53.0.113
> > >     rightnexthop=190.53.0.1
> > >
> > > # shared parameters for the dynamic-IP (Linksys) site, pulled in via also=
> > > conn centralbw_50_shared
> > >     authby=secret
> > >     compress=no
> > >     ikelifetime=240m
> > >     keyexchange=ike
> > >     keylife=60m
> > >     left=208.70.149.161
> > >     leftnexthop=208.70.149.166
> > >     pfs=yes
> > >     right=%any
> > >
> > > In auth.log I see that conn branch_40_shared starts fine, but I need to
> > > manually start conn centralbw_50_shared from the Linksys router, and then
> > > the conns between them don't start...
> >
> > First off, the shared conns should never be started; they're not
> > real conns, just shared information used by other conns.
> > Also it would be easier to test with the static IP sites rather than
> > centralbw. With centralbw, the Linksys must initiate the connection for it to
> > work.
> >
> > Show us these outputs.
> > ipsec version
> > ipsec verify
> > ipsec eroute
> >
> > Lastly, restart Openswan and reconnect the Linksys tunnels.
> > Get the restart and connect logs by...
> > egrep -e 'pluto' /var/log/*
> > Filter by date/time to only get the recent restart and connections.
>
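The log-pulling step Peter keeps asking for (grep for pluto, filter by date/time), as an added example that is not part of the thread. It separates the `ipsec__plutorun` wrapper lines, which are all Hector's output contains, from the daemon's own `pluto[PID]` lines; the `pluto[1450]` and `pluto[1201]` lines in the constructed sample are hypothetical, only the `ipsec__plutorun` lines are taken from the posted log.

```shell
#!/bin/sh
# Added example, not code from the thread: triage Openswan log lines the way
# Peter suggests. A window that yields wrapper lines but no pluto[PID] lines
# reproduces the posted situation: pluto itself never logged the IKE exchange,
# so its output has to be found in another file under /var/log.

# Constructed sample log. Real syslog pads single-digit days ("Jun  5").
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jun  5 12:30:00 vpn pluto[1201]: "branch_40" #1: deleting state (STATE_MAIN_I1)
Jun  5 13:58:02 vpn kernel: Initializing IPsec netlink socket
Jun  5 13:58:02 vpn ipsec__plutorun: 104 "branch_40_to_centralbw_50" #1: STATE_MAIN_I1: initiate
Jun  5 13:58:02 vpn ipsec__plutorun: ...could not start conn "branch_40_to_centralbw_50"
Jun  5 13:58:02 vpn ipsec__plutorun: 029 "centralbw_50_to_branch_40": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Jun  5 13:58:02 vpn ipsec__plutorun: ...could not start conn "centralbw_50_to_branch_40"
Jun  5 13:58:04 vpn pluto[1450]: "branch_40" #2: initiating Main Mode
Jun  5 13:58:04 vpn pluto[1450]: "branch_40" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
EOF

# All functions take LOGFILE WINDOW; WINDOW is a syslog timestamp prefix such
# as "Jun  5 13:58", i.e. the date/time filter Peter recommends.
in_window() { grep -e "^$2" "$1"; }

# Lines written by the _plutorun wrapper (startup, "could not start conn").
plutorun_count() { in_window "$1" "$2" | grep -c 'ipsec__plutorun:' || true; }

# Lines written by the pluto daemon itself (IKE states and negotiation).
pluto_count() { in_window "$1" "$2" | grep -Ec 'pluto\[[0-9]+\]:' || true; }

# Conn names the wrapper reported as failed to start, one per line, deduplicated.
failed_conns() {
    in_window "$1" "$2" | sed -n 's/.*could not start conn "\([^"]*\)".*/\1/p' | sort -u
}

# Verdict for the window; "only-wrapper" is the case seen in the posted log.
triage() {
    p=$(pluto_count "$1" "$2"); r=$(plutorun_count "$1" "$2")
    if [ "$p" -gt 0 ]; then echo pluto-logged
    elif [ "$r" -gt 0 ]; then echo only-wrapper
    else echo no-ipsec-lines
    fi
}

printf 'window 13:58    : %s\n' "$(triage "$SAMPLE_LOG" 'Jun  5 13:58')"
printf 'window 13:58:02 : %s\n' "$(triage "$SAMPLE_LOG" 'Jun  5 13:58:02')"
failed_conns "$SAMPLE_LOG" 'Jun  5 13:58'
```

Point it at the real files (`for f in /var/log/*; do triage "$f" 'Jun  5 13:58'; done`) to find which file actually holds the `pluto[PID]` lines for the restart window.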