[Openswan Users] cant load /etc/ipsec.conf

Rajitha Reddy RReddy at mocana.com
Wed Jul 2 15:37:53 EDT 2008


Hi,

I can't seem to load /etc/ipsec.conf, which has my connection name. Since it can't load ipsec.conf, it cannot identify the connection name when I do: “ipsec auto --up connname”. Any help will be greatly appreciated.

ipsec auto --add aragon
can not load config '/etc/ipsec.conf': /etc/ipsec.d/examples/no_oe.conf:1: can not open include filename: '/etc/ipsec.d/examples/no_oe.conf' [
]

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
Sent: Tuesday, July 01, 2008 5:28 PM
To: Gbenga; users at lists.openswan.org
Subject: Re: [Openswan Users] Question on installing Openswan

That’s great! Thanks for the information.

Except for Opportunistic Encryption DNS checks, I have successfully removed the other errors.

I would like to first get my IPSEC client working with Openswan. And then try out the XAuth feature.

To do that, I added the SA on my Client and edited /etc/ipsec.conf with the right laddr and raddr. But, the problem is that it's not recognizing my connection on the left addr.

If I execute “ipsec auto --up sample”, I see the following error:

000 initiating all conns with alias='sample'
021 no connection named "sample"

I don’t think it's referring to /etc/ipsec.conf because even if I remove the file from there, it doesn’t matter to it and it still gives the same error. I think it's referring to some other location. Can you please guide me here?
________________________________
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable *debug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        OE=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey


# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
                left=192.x.x.x
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
                right=x.x.x.x
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
                auto=start

include /etc/ipsec.d/examples/no_oe.conf
________________________________

Thanks,
Rajitha.

From: Gbenga [mailto:stjames08 at yahoo.co.uk]
Sent: Tuesday, July 01, 2008 4:34 PM
To: users at lists.openswan.org
Cc: Rajitha Reddy
Subject: Re: [Openswan Users] Question on installing Openswan

Hi Rajitha,

Please make sure to copy the list so that some other folks with the same issue in the future can see the resolution. I made the earlier mistake by not including the list address.

Of course you can use Openswan as an XAuth server. I have one set up; it works fine.

If you search the list archives you will see solutions to the same problem. You have to enable certain kernel parameters. To remove the errors, do:

echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/default/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/lo/send_redirects

Do the same for everything under "/proc/sys/net/ipv4/conf/*/accept_redirects"



To get rid of the Opportunistic Encryption DNS checks, you will have to include the following in your /etc/ipsec.conf (preferably at the end of the file):



include /etc/ipsec.d/examples/no_oe.conf



You should read up more from http://wiki.openswan.org

Rgds,
Gbenga
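The per-interface echo commands above generalize to a loop over every entry in /proc/sys/net/ipv4/conf, which is what `ipsec verify` is checking for with NETKEY. The script below is an added example, not from this thread or the Openswan project; the `disable_redirects`/`check_redirects` function names are mine, and the base directory is a parameter so the logic can be tried against a constructed directory tree before touching the live /proc tree (which needs root).

```shell
#!/bin/sh
# Added example: clear send_redirects and accept_redirects for every
# interface under a /proc-style tree, then re-check, mirroring the
# two NETKEY checks in `ipsec verify`.

# Write 0 into every */send_redirects and */accept_redirects below $1.
# $1 defaults to the real sysctl tree; pass a test directory otherwise.
disable_redirects() {
    base=${1:-/proc/sys/net/ipv4/conf}
    for f in "$base"/*/send_redirects "$base"/*/accept_redirects; do
        [ -f "$f" ] || continue      # skip unmatched glob patterns
        echo 0 > "$f"
    done
}

# Return 0 when every redirect knob below $1 reads 0; otherwise list
# the offending files and return 1 (the same condition verify reports).
check_redirects() {
    base=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    for f in "$base"/*/send_redirects "$base"/*/accept_redirects; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "still enabled: $f"
            rc=1
        fi
    done
    return $rc
}

# Run as `sh harden_redirects.sh --apply` (as root) to harden the live
# system and report the result; without --apply nothing is changed.
if [ "${1:-}" = "--apply" ]; then
    disable_redirects
    check_redirects && echo "ICMP redirects disabled on all interfaces"
fi
```

Values written under /proc do not survive a reboot; to make them permanent, set `net.ipv4.conf.all.send_redirects = 0` and `net.ipv4.conf.all.accept_redirects = 0` (plus the `default` entries) in /etc/sysctl.conf as well.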



Hi Gbenga,

Thanks so much for the immediate response. Truly appreciate it.

With the full pathname, I could verify if IPSEC is installed properly or not, although it does give a failure in certain components:

[root at rreddy-fc5 openswan-2.6.14]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                                              [OK]
Linux Openswan U2.6.14/K2.6.19-1.2288.2.4.fc5smp (netkey)
Checking for IPsec support in kernel                                                       [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)                             [OK]
Checking that pluto is running                                                                    [OK]
Checking for 'ip' command                                                                           [OK]
Checking for 'iptables' command                                                              [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: rreddy-fc5.mocana.local  [MISSING]
   Does the machine have at least one non-private address?         [FAILED]


So, I have a question: can I use Openswan as an XAuth server to test my ipsec XAuth Client? Can you please let me know about it?

Thanks again,
Rajitha.

From: Gbenga [mailto:stjames08 at yahoo.co.uk]
Sent: Tuesday, July 01, 2008 3:51 PM
To: Rajitha Reddy
Subject: Re: [Openswan Users] Question on installing Openswan

Hi Rajitha,

Next time you should provide more details, but it looks like the ipsec binary is not in your path. The way you installed Openswan, it will be installed under /usr/local/sbin/ipsec. So you do one of two things:

export PATH=$PATH:/usr/local/bin:/usr/local/sbin

or

run ipsec with the full pathname, e.g. /usr/local/sbin/ipsec verify.

Rgds,
Gbenga


Hi,

I have a question on installing and configuring Openswan. I would like to use openswan as an XAUTH Server.

I have downloaded openswan-2.6.14.tar.gz onto a linux box (2.6.19-1.2288.2.4.fc5smp). Under the folder openswan-2.6.14, I did the following:

1. make programs
2. make install

The installation guide then said to verify the installation by:

ipsec verify

But I get an error as follows:

-bash: ipsec: command not found

Can you please help me with this?

Thanks so much for your time.

Regards,
Rajitha.
