[Openswan Users] 3des, sha1 & icmp on openswan

Rajitha Reddy RReddy at mocana.com
Thu Jul 3 14:35:48 EDT 2008


Hi,

Can you please tell me if this is the way to configure openswan to use 3des & sha1? Also, to use a Preshared key instead of Certificates?

In ipsec.conf, I have done the following: Is it correct?
________________________________
conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
                  authby=secret
                  left=192.168.3.38
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
                right=10.8.10.244
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
                ike=3des-sha1
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
                auto=add
________________________________

Is there a way to configure openswan not to send certificates to my ipsec peer? I want it to use a Preshared key. I have removed the RSA key detail from /etc/ipsec.secrets and just added the following line to it. But it still seems to send a certificate, and my ipsec peer complains of "No certificate".

192.168.x.x  192.168.x.x : PSK "secret"

Any help is greatly appreciated.

Thanks,
Rajitha.
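As an added example that is not part of the thread or of the Openswan distribution: a small POSIX shell script that writes a PSK-only conn pinned to 3DES/SHA1 for both IKE phases, checks the two files the way a practitioner would before reloading pluto, and then issues the reload commands. The function names, the checks and the scratch-directory parameter are assumptions of this example; the addresses are the ones in the conn above. Two points the conn above leaves open are covered here: `esp=` has to be set as well as `ike=`, or phase 2 is negotiated from Openswan's defaults rather than 3DES/SHA1, and the two addresses before the colon in ipsec.secrets must match the conn's `left` and `right` (or their `leftid`/`rightid`), or pluto has no secret for that pair.

```shell
#!/bin/sh
# Added example, not from the thread: a PSK-only 3DES/SHA1 conn for Openswan,
# written to a directory of your choice so it can be tried out of tree. On a
# real gateway the files are /etc/ipsec.conf and /etc/ipsec.secrets. Function
# names and the checks are assumptions of this example; the addresses are the
# ones in the poster's conn.

write_psk_conn() {
    conf_dir=$1            # where to write ipsec.conf and ipsec.secrets
    left=$2                # this gateway
    right=$3               # the peer
    psk=$4                 # shared secret
    name=${5:-sample}

    # authby=secret selects pre-shared-key authentication for phase 1, so no
    # RSA key or certificate is involved. ike= is the phase-1 proposal; esp=
    # is the phase-2 proposal and is needed too, otherwise ESP is negotiated
    # from Openswan's defaults.
    cat > "$conf_dir/ipsec.conf" <<EOF
conn $name
        authby=secret
        left=$left
        right=$right
        ike=3des-sha1
        esp=3des-sha1
        auto=add
EOF

    # The selector before the colon must match the conn's left and right
    # addresses (or their leftid/rightid), otherwise pluto has no secret for
    # this pair. Create the file 0600: it holds the key.
    ( umask 077; printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" \
        > "$conf_dir/ipsec.secrets" )
    chmod 600 "$conf_dir/ipsec.secrets"
}

# Checks worth running before reloading pluto: PSK selected, both phases
# pinned, no leftover RSA entries, secrets not readable by others.
check_psk_conn() {
    conf_dir=$1
    grep -q '^[[:space:]]*authby=secret' "$conf_dir/ipsec.conf" || return 1
    grep -q '^[[:space:]]*ike=3des-sha1' "$conf_dir/ipsec.conf" || return 1
    grep -q '^[[:space:]]*esp=3des-sha1' "$conf_dir/ipsec.conf" || return 1
    if grep -q 'RSA' "$conf_dir/ipsec.secrets"; then return 1; fi
    mode=$(ls -l "$conf_dir/ipsec.secrets" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# On the real gateway (as root): make pluto reread the secrets, replace the
# conn, bring it up and confirm the negotiated algorithms in the status output.
reload_conn() {
    name=${1:-sample}
    ipsec auto --rereadsecrets
    ipsec auto --replace "$name"
    ipsec auto --up "$name"
    ipsec auto --status | grep "\"$name\""
}
```

On the gateway itself the sequence is `write_psk_conn /etc 192.168.3.38 10.8.10.244 'secret' sample && check_psk_conn /etc && reload_conn sample`; the `--rereadsecrets` step matters because pluto only reads ipsec.secrets at start and on that command, so editing the file alone does not change what it offers to the peer.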

From: Rajitha Reddy
Sent: Thursday, July 03, 2008 10:48 AM
To: 'scharles'
Cc: users at openswan.org
Subject: 3des, sha1 & icmp on openswan

Hi,

I have my ipsec configured to use 3des, sha1, icmp. Do you know how I can configure openswan to use 3des, sha1, icmp?

Thanks again for your help.

- Rajitha.

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
Sent: Wednesday, July 02, 2008 3:57 PM
To: scharles; 'Gbenga'; users at lists.openswan.org
Subject: Re: [Openswan Users] cant load /etc/ipsec.conf

Yes, I created the file /etc/ipsec.d/examples/no_oe.conf and restarted ipsec.

I could bring up my connection. Thanks so much for that.

Regards,
Rajitha.

From: scharles [mailto:scharles at ventusnetworks.com]
Sent: Wednesday, July 02, 2008 1:56 PM
To: Rajitha Reddy; 'Gbenga'; users at lists.openswan.org
Subject: RE: [Openswan Users] cant load /etc/ipsec.conf

Please create that file “/etc/ipsec.d/examples/no_oe.conf” – and restart ipsec

Simon Charles
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
Sent: Wednesday, July 02, 2008 3:38 PM
To: Gbenga; users at lists.openswan.org
Subject: [Openswan Users] cant load /etc/ipsec.conf

Hi,

I can't seem to load /etc/ipsec.conf, which has my connection name. Since it can't load ipsec.conf, it cannot identify the connection name when I do: "ipsec auto --up connname". Any help will be greatly appreciated.

ipsec auto --add aragon
can not load config '/etc/ipsec.conf': /etc/ipsec.d/examples/no_oe.conf:1: can not open include filename: '/etc/ipsec.d/examples/no_oe.conf' [
]

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
Sent: Tuesday, July 01, 2008 5:28 PM
To: Gbenga; users at lists.openswan.org
Subject: Re: [Openswan Users] Question on installing Openswan

That’s great! Thanks for the information.

Except for Opportunistic Encryption DNS checks, I have successfully removed the other errors.

I would like to first get my IPSEC client working with Openswan. And then try out the XAuth feature.

To do that, I added the SA on my Client and edited /etc/ipsec.conf with the right laddr and raddr. But the problem is that it's not recognizing my connection on the left addr.

If I execute “ipsec auto --up sample” , I see the following error:

000 initiating all conns with alias='sample'
021 no connection named "sample"

I don't think it's referring to /etc/ipsec.conf, because even if I remove the file from there, it doesn't matter to it and it still gives the same error. I think it's referring to some other location. Can you please guide me here?
________________________________
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable *debug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        OE=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey


# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
                left=192.x.x.x
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
                right=x.x.x.x
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
                auto=start

include /etc/ipsec.d/examples/no_oe.conf
________________________________

Thanks,
Rajitha.

From: Gbenga [mailto:stjames08 at yahoo.co.uk]
Sent: Tuesday, July 01, 2008 4:34 PM
To: users at lists.openswan.org
Cc: Rajitha Reddy
Subject: Re: [Openswan Users] Question on installing Openswan

Hi Rajitha,

Please make sure to copy the list so that some other folks with the same issue in the future can see the resolution. I made the earlier mistake by not including the list address.

Of course you can use Openswan as an xauth server. I have one set up; it works fine.

If you search the list archives you will see solutions to the same problem. You have to enable certain kernel parameters. To remove the errors, do:

echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/default/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/lo/send_redirects

Do the same for  everything under "/proc/sys/net/ipv4/conf/*/accept_redirects"



To get rid of the Opportunistic Encryption DNS checks, you will have to include the following in your /etc/ipsec.conf (preferably at the end of the file):

include /etc/ipsec.d/examples/no_oe.conf

You should read up more from http://wiki.openswan.org

Rgds,
Gbenga
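The per-interface echo lines above only cover the interfaces that exist when the script runs, and they are lost at reboot. As an added example that is not part of the thread, this POSIX shell script generalizes the same fix: it turns off `send_redirects` and `accept_redirects` for every directory under the conf tree, verifies the result the way `ipsec verify` does, and prints the sysctl.conf lines that make it persistent (the `all` and `default` entries also cover interfaces created later). The base directory is a parameter so the functions can be exercised against a scratch copy; on a real host call them with /proc/sys/net/ipv4/conf as root. Function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: disable ICMP redirect sending and
# acceptance on every interface, the condition `ipsec verify` checks for
# with the NETKEY stack. The base directory defaults to the real proc tree
# but can point at a scratch copy for testing.

disable_icmp_redirects() {
    base=${1:-/proc/sys/net/ipv4/conf}
    for dir in "$base"/*/; do
        for key in send_redirects accept_redirects; do
            # write 0 only where the kernel (or the scratch tree) exposes the knob
            if [ -f "$dir$key" ]; then
                printf '0\n' > "$dir$key"
            fi
        done
    done
    return 0
}

# Returns non-zero and names each knob that is still set to anything but 0.
check_icmp_redirects() {
    base=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    for f in "$base"/*/send_redirects "$base"/*/accept_redirects; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "still enabled: $f"
            rc=1
        fi
    done
    return $rc
}

# Lines for /etc/sysctl.conf so the setting survives a reboot; all/default
# apply to every present and future interface, which the per-eth0/eth1
# echo commands do not.
persist_sysctl() {
    cat <<'EOF'
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
}
```

On the gateway: `disable_icmp_redirects && check_icmp_redirects && persist_sysctl >> /etc/sysctl.conf`, then rerun `ipsec verify` and confirm the two NETKEY lines now read `[OK]`.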



Hi Gbenga,

Thanks so much for the immediate response. Truly appreciate it.

With the full pathname, I could verify whether IPSEC is installed properly or not, although it does give a failure in certain components:

[root at rreddy-fc5 openswan-2.6.14]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.14/K2.6.19-1.2288.2.4.fc5smp (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: rreddy-fc5.mocana.local [MISSING]
   Does the machine have at least one non-private address?      [FAILED]


So, I have a question: can I use Openswan as an Xauth server to test my ipsec XAuth Client? Can you please let me know about it?

Thanks again,
Rajitha.

From: Gbenga [mailto:stjames08 at yahoo.co.uk]
Sent: Tuesday, July 01, 2008 3:51 PM
To: Rajitha Reddy
Subject: Re: [Openswan Users] Question on installing Openswan

Hi Rajitha,

Next time you should provide more details, but it looks like the ipsec binary is not in your path. The way you install Openswan, it will be installed under /usr/local/sbin/ipsec. So you either do one of two things:

export PATH=$PATH:/usr/local/bin:/usr/local/sbin

or

run ipsec with full pathname e.g /usr/local/sbin/ipsec verify.

Rgds,
Gbenga


Hi,

I have a question on installing and configuring Openswan. I would like to use openswan as an XAUTH Server.

I have downloaded openswan-2.6.14.tar.gz onto a linux box (2.6.19-1.2288.2.4.fc5smp). Under the folder openswan-2.6.14, I did the following:

1. make programs
2. make install

The installation guide then said to verify the installation by:

ipsec verify

But I get an error as follows:

-bash: ipsec: command not found

Can you please help me with this?

Thanks so much for your time.

Regards,
Rajitha.

****************************************************************************
This message contains confidential and proprietary information of the sender,
and is intended only for the person(s) to whom it is addressed. Any use,
distribution, copying or disclosure by any other person is strictly prohibited.
If you have received this message in error, please notify the e-mail sender
immediately, and delete the original message without making a copy.
****************************************************************************
