[Openswan Users] 3des, sha1 & icmp on openswan
Paul Wouters
paul at xelerance.com
Thu Jul 3 14:50:24 EDT 2008
> Can you please tell me if this is the way to configure openswan to use 3des & sha1? Also, to use
> Preshared key instead of Certificates?
You did not specify phase1 vs phase2 crypto options. You might also want esp=3des-sha1
> In ipsec.conf, I have done the following: Is it correct?
"correct" is hard to say, as both ends just need to agree. There are other options
that can make a difference. DH group (modp), PFS, Aggressive vs Main Mode, compression,
etc.
Paul
>
> ____________________________________________________________________________________________________________
>
> conn sample
>         # Left security gateway, subnet behind it, nexthop toward right.
>         authby=secret
>         left=192.168.3.38
>         # leftsubnet=172.16.0.0/24
>         # leftnexthop=10.22.33.44
>         # Right security gateway, subnet behind it, nexthop toward left.
>         right=10.8.10.244
>         # rightsubnet=192.168.0.0/24
>         # rightnexthop=10.101.102.103
>         ike=3des-sha1
>         # To authorize this connection, but not actually start it,
>         # at startup, uncomment this.
>         auto=add
>
> ____________________________________________________________________________________________________________
>
> Is there a way to configure openswan not to send certificates to my ipsec peer? I want it to use
> Preshared key. I have removed the RSA key detail from the /etc/ipsec.secrets and just added the
> following line in it. But, still, it seems to send a certificate and my ipsec peer complains of “No
> certificate”.
>
>
>
> 192.168.x.x 192.168.x.x : PSK "secret"
>
>
>
> Any help is greatly appreciated.
>
>
>
> Thanks,
>
> Rajitha.
>
>
>
> From: Rajitha Reddy
> Sent: Thursday, July 03, 2008 10:48 AM
> To: 'scharles'
> Cc: users at openswan.org
> Subject: 3des, sha1 & icmp on openswan
>
>
>
> Hi,
>
>
>
> I have my ipsec configured to use 3des, sha1, icmp. Do you know how I can configure openswan to use
> 3des, sha1, icmp?
>
>
>
> Thanks again for your help.
>
>
>
> - Rajitha.
>
>
>
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
> Sent: Wednesday, July 02, 2008 3:57 PM
> To: scharles; 'Gbenga'; users at lists.openswan.org
> Subject: Re: [Openswan Users] cant load /etc/ipsec.conf
>
>
>
> Yes, I created the file /etc/ipsec.d/examples/no_oe.conf and restarted ipsec.
>
>
>
> I could bring up my connection. Thanks so much for that.
>
>
>
> Regards,
>
> Rajitha.
>
>
>
> From: scharles [mailto:scharles at ventusnetworks.com]
> Sent: Wednesday, July 02, 2008 1:56 PM
> To: Rajitha Reddy; 'Gbenga'; users at lists.openswan.org
> Subject: RE: [Openswan Users] cant load /etc/ipsec.conf
>
>
>
> Please create that file “/etc/ipsec.d/examples/no_oe.conf” – and restart ipsec
>
>
>
> Simon Charles
>
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
> Sent: Wednesday, July 02, 2008 3:38 PM
> To: Gbenga; users at lists.openswan.org
> Subject: [Openswan Users] cant load /etc/ipsec.conf
>
>
>
> Hi,
>
>
>
> I can't seem to load /etc/ipsec.conf which has my connection name. Since it can't load ipsec.conf, it
> cannot identify the connection name when I do: “ipsec auto --up connname”. Any help will be greatly
> appreciated.
>
>
>
> ipsec auto --add aragon
> can not load config '/etc/ipsec.conf': /etc/ipsec.d/examples/no_oe.conf:1: can not open include
> filename: '/etc/ipsec.d/examples/no_oe.conf' [
> ]
>
>
>
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
> Sent: Tuesday, July 01, 2008 5:28 PM
> To: Gbenga; users at lists.openswan.org
> Subject: Re: [Openswan Users] Question on installing Openswan
>
>
>
> That’s great! Thanks for the information.
>
>
>
> Except for Opportunistic Encryption DNS checks, I have successfully removed the other errors.
>
>
>
> I would like to first get my IPSEC client working with Openswan. And then try out the XAuth feature.
>
>
>
> To do that, I added the SA on my Client and edited /etc/ipsec.conf with the right laddr and raddr.
> But, the problem is that it's not recognizing my connection on the left addr.
>
>
>
> If I execute “ipsec auto --up sample” , I see the following error:
>
>
>
> 000 initiating all conns with alias='sample'
>
> 021 no connection named "sample"
>
>
>
> I don’t think it's referring to /etc/ipsec.conf because even if I remove the file from there, it
> doesn’t matter to it and it still gives the same error. I think it's referring to some other location.
> Can you please guide me here?
>
>
> ____________________________________________________________________________________________________________
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
>
> # This file: /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # plutodebug / klipsdebug = "all", "none" or a combination from below:
>         # "raw crypt parsing emitting control klips pfkey natt x509 private"
>         # eg:
>         # plutodebug="control parsing"
>         #
>         # Only enable *debug=all if you are a developer
>         #
>         # NAT-TRAVERSAL support, see README.NAT-Traversal
>         nat_traversal=yes
>         # exclude networks used on server side by adding %v4:!a.b.c.0/24
>         #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
>         # OE is now off by default. Uncomment and change to on, to enable.
>         OE=off
>         # which IPsec stack to use. netkey,klips,mast,auto or none
>         protostack=netkey
>
> # Add connections here
>
> # sample VPN connection
> # for more examples, see /etc/ipsec.d/examples/
> conn sample
>         # Left security gateway, subnet behind it, nexthop toward right.
>         left=192.x.x.x
>         # leftsubnet=172.16.0.0/24
>         # leftnexthop=10.22.33.44
>         # Right security gateway, subnet behind it, nexthop toward left.
>         right=x.x.x.x
>         # rightsubnet=192.168.0.0/24
>         # rightnexthop=10.101.102.103
>         # To authorize this connection, but not actually start it,
>         # at startup, uncomment this.
>         auto=start
>
> include /etc/ipsec.d/examples/no_oe.conf
>
> ____________________________________________________________________________________________________________
>
> Thanks,
>
> Rajitha.
>
>
>
> From: Gbenga [mailto:stjames08 at yahoo.co.uk]
> Sent: Tuesday, July 01, 2008 4:34 PM
> To: users at lists.openswan.org
> Cc: Rajitha Reddy
> Subject: Re: [Openswan Users] Question on installing Openswan
>
>
>
> Hi Rajitha,
>
>
>
> Please make sure to copy the list so that some other folks with the same issue in the future can see
> the resolution. I made the earlier mistake by not including the list address.
>
>
>
> Of course you can use Openswan as xauth server. I have one set up and it works fine.
>
>
>
> If you search the list archives you will see solutions to the same problem. You have to enable
> certain kernel parameters. To remove the errors, do:
>
> echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
> echo "0" > /proc/sys/net/ipv4/conf/default/send_redirects
> echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
> echo "0" > /proc/sys/net/ipv4/conf/eth1/send_redirects
> echo "0" > /proc/sys/net/ipv4/conf/lo/send_redirects
>
>
>
> Do the same for everything under "/proc/sys/net/ipv4/conf/*/accept_redirects"
>
>
>
> To get rid of the Opportunistic Encryption DNS checks, you will have to include the following in
> your /etc/ipsec.conf (preferably at the end of the file):
>
>
>
> include /etc/ipsec.d/examples/no_oe.conf
>
>
>
> You should read up more from http://wiki.openswan.org
>
>
>
> Rgds,
>
> Gbenga
>
>
>
>
>
>
>
> Hi Gbenga,
>
>
>
> Thanks so much for the immediate response. Truly appreciate it.
>
>
>
> With the full pathname, I could verify whether IPSEC is installed properly or not, although it does give a
> failure in certain components:
>
>
>
> [root at rreddy-fc5 openswan-2.6.14]# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                             [OK]
> Linux Openswan U2.6.14/K2.6.19-1.2288.2.4.fc5smp (netkey)
> Checking for IPsec support in kernel                        [OK]
> NETKEY detected, testing for disabled ICMP send_redirects   [FAILED]
>
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!
>
> NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
>
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!
>
> Checking for RSA private key (/etc/ipsec.secrets)           [OK]
> Checking that pluto is running                              [OK]
> Checking for 'ip' command                                   [OK]
> Checking for 'iptables' command                             [OK]
>
> Opportunistic Encryption DNS checks:
>    Looking for TXT in forward dns zone: rreddy-fc5.mocana.local [MISSING]
>    Does the machine have at least one non-private address?  [FAILED]
>
>
>
>
>
> So, I have a question: can I use Openswan as an XAuth server to test my ipsec XAuth Client? Can
> you please let me know about it?
>
>
>
> Thanks again,
>
> Rajitha.
>
>
>
> From: Gbenga [mailto:stjames08 at yahoo.co.uk]
> Sent: Tuesday, July 01, 2008 3:51 PM
> To: Rajitha Reddy
> Subject: Re: [Openswan Users] Question on installing Openswan
>
>
>
> Hi Rajitha,
>
>
>
> Next time you should provide more details, but it looks like the ipsec binary is not in your path.
> The way you install Openswan, it will be installed under /usr/local/sbin/ipsec. So you either do one
> of two things:
>
>
>
> export PATH=$PATH:/usr/local/bin:/usr/local/sbin
>
>
>
> or
>
>
>
> run ipsec with the full pathname, e.g. /usr/local/sbin/ipsec verify
>
>
>
> Rgds,
>
> Gbenga
>
>
>
>
>
> Hi,
>
>
>
> I have a question on installing and configuring Openswan. I would like to use openswan as an XAUTH
> Server.
>
>
>
> I have downloaded openswan-2.6.14.tar.gz onto a linux box (2.6.19-1.2288.2.4.fc5smp). Under the
> folder openswan-2.6.14, I did the following:
>
>
>
> 1. make programs
>
> 2. make install
>
>
>
> The installation guide then said to verify the installation by:
>
>
>
> ipsec verify
>
>
>
> But I get an error as follows:
>
>
>
> -bash: ipsec: command not found
>
>
>
> Can you please help me with this?
>
>
>
> Thanks so much for your time.
>
>
>
> Regards,
>
> Rajitha.
>
>
>
>
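As an added example (not from the thread and not Openswan's own code), a small Python linter for the kind of conn block quoted above: it parses ipsec.conf conn sections and flags the points Paul raises, namely ike= without esp= (phase 1 pinned, phase 2 left to defaults), a PSK connection that still carries an rsasigkey, and pfs/aggrmode/compress left to defaults that both peers must share. The embedded configuration is constructed from the thread's conn sample, not the poster's actual file.

```python
import re

# Constructed sample modelled on the thread's "conn sample" (not the poster's file):
# ike= pins phase 1 only, and nothing pins phase 2 or the PFS/mode defaults.
SAMPLE_CONF = """\
version 2.0
config setup
    protostack=netkey
conn sample
    authby=secret
    left=192.168.3.38
    right=10.8.10.244
    ike=3des-sha1
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section; comments stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:  # new section header; only 'conn' sections are collected
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            current[key] = val
    return conns

def lint_conn(opts):
    """List settings two peers commonly fail to agree on when a tunnel will not come up."""
    issues = []
    if "ike" in opts and "esp" not in opts:
        issues.append("ike= covers phase 1 only; add esp= (e.g. esp=3des-sha1) to pin phase 2")
    if opts.get("authby") == "secret" and any(k.endswith("rsasigkey") for k in opts):
        issues.append("authby=secret but an rsasigkey is configured; remove it to use PSK only")
    for key in ("pfs", "aggrmode", "compress"):
        if key not in opts:
            issues.append(f"{key}= not set; the default applies and must match the peer")
    return issues

def lint_file(text):
    """Lint every conn in an ipsec.conf text; returns {conn_name: [issue, ...]}."""
    return {name: lint_conn(opts) for name, opts in parse_conns(text).items()}

if __name__ == "__main__":
    for name, issues in lint_file(SAMPLE_CONF).items():
        print(name + "\n  " + "\n  ".join(issues or ["no findings"]))
```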