[Openswan Users] 3des, sha1 & icmp on openswan

Paul Wouters paul at xelerance.com
Thu Jul 3 14:50:24 EDT 2008


> Can you please tell me if this is the way to configure openswan to use 3des & sha1? Also, to use
> Preshared key instead of Certificates?

You did not specify phase1 vs phase2 crypto options. You might also want esp=3des-sha1.

> In ipsec.conf, I have done the following: Is it correct?

"correct" is hard to say, as both ends just need to agree. There are other options
that can make a difference. DH group (modp), PFS, Aggressive vs Main Mode, compression,
etc.

Paul

> 
> ____________________________________________________________________________________________________________
> 
> 
> conn sample
> 
> #               # Left security gateway, subnet behind it, nexthop toward right.
> 
>                   authby=secret
> 
>                   left=192.168.3.38
> 
> #               leftsubnet=172.16.0.0/24
> 
> #               leftnexthop=10.22.33.44
> 
> #               # Right security gateway, subnet behind it, nexthop toward left.
> 
>                 right=10.8.10.244
> 
> #               rightsubnet=192.168.0.0/24
> 
> #               rightnexthop=10.101.102.103
> 
>                 ike=3des-sha1
> 
> #               # To authorize this connection, but not actually start it,
> 
> #               # at startup, uncomment this.
> 
>                 auto=add
> 
> 
> ____________________________________________________________________________________________________________
> 
> 
>  
> 
> Is there a way to configure openswan not to send certificates to my ipsec peer? I want it to use
> Preshared key. I have removed the RSA key detail from the /etc/ipsec.secrets and just added the
> following line in it. But, still, it seems to send a certificate and my ipsec peer complains of “No
> certificate”.
> 
>  
> 
> 192.168.x.x  192.168.x.x : PSK "secret"
> 
>  
> 
> Any help is greatly appreciated.
> 
>  
> 
> Thanks,
> 
> Rajitha.
> 
>  
> 
> From: Rajitha Reddy
> Sent: Thursday, July 03, 2008 10:48 AM
> To: 'scharles'
> Cc: users at openswan.org
> Subject: 3des, sha1 & icmp on openswan
> 
>  
> 
> Hi,
> 
>  
> 
> I have my ipsec configured to use 3des, sha1, icmp. Do you know how I can configure openswan to use
> 3des, sha1, icmp?
> 
>  
> 
> Thanks again for your help.
> 
>  
> 
> - Rajitha.
> 
>  
> 
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
> Sent: Wednesday, July 02, 2008 3:57 PM
> To: scharles; 'Gbenga'; users at lists.openswan.org
> Subject: Re: [Openswan Users] cant load /etc/ipsec.conf
> 
>  
> 
> Yes, I created the file /etc/ipsec.d/examples/no_oe.conf and restarted ipsec.
> 
>  
> 
> I could bring up my connection. Thanks so much for that.
> 
>  
> 
> Regards,
> 
> Rajitha.
> 
>  
> 
> From: scharles [mailto:scharles at ventusnetworks.com]
> Sent: Wednesday, July 02, 2008 1:56 PM
> To: Rajitha Reddy; 'Gbenga'; users at lists.openswan.org
> Subject: RE: [Openswan Users] cant load /etc/ipsec.conf
> 
>  
> 
> Please create that file “/etc/ipsec.d/examples/no_oe.conf” – and restart ipsec
> 
>  
> 
> Simon Charles
> 
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
> Sent: Wednesday, July 02, 2008 3:38 PM
> To: Gbenga; users at lists.openswan.org
> Subject: [Openswan Users] cant load /etc/ipsec.conf
> 
>  
> 
> Hi,
> 
>  
> 
> I can't seem to load /etc/ipsec.conf which has my connection name. Since it can't load ipsec.conf, it
> cannot identify the connection name when I do: “ipsec auto --up connname”. Any help will be greatly
> appreciated.
> 
>  
> 
> ipsec auto --add aragon
> 
> can not load config '/etc/ipsec.conf': /etc/ipsec.d/examples/no_oe.conf:1: can not open include
> filename: '/etc/ipsec.d/examples/no_oe.conf' [
> 
> ]
> 
>  
> 
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
> Sent: Tuesday, July 01, 2008 5:28 PM
> To: Gbenga; users at lists.openswan.org
> Subject: Re: [Openswan Users] Question on installing Openswan
> 
>  
> 
> That’s great! Thanks for the information.
> 
>  
> 
> Except for Opportunistic Encryption DNS checks, I have successfully removed the other errors.
> 
>  
> 
> I would like to first get my IPSEC client working with Openswan. And then try out the XAuth feature.
> 
>  
> 
> To do that, I added the SA on my Client and edited /etc/ipsec.conf with the right laddr and raddr.
> But, the problem is that it's not recognizing my connection on the left addr.
> 
>  
> 
> If I execute “ipsec auto --up sample” , I see the following error:
> 
>  
> 
> 000 initiating all conns with alias='sample'
> 
> 021 no connection named "sample"
> 
>  
> 
> I don't think it's referring to /etc/ipsec.conf because even if I remove the file from there, it
> doesn't matter to it and it still gives the same error. I think it's referring to some other location.
> Can you please guide me here?
> 
> 
> ____________________________________________________________________________________________________________
> 
> 
> # /etc/ipsec.conf - Openswan IPsec configuration file
> 
> # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
> 
>  
> 
> # This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
> 
> #
> 
> # Manual:     ipsec.conf.5
> 
>  
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
>  
> 
> # basic configuration
> 
> config setup
> 
>         # plutodebug / klipsdebug = "all", "none" or a combation from below:
> 
>         # "raw crypt parsing emitting control klips pfkey natt x509 private"
> 
>         # eg:
> 
>         # plutodebug="control parsing"
> 
>         #
> 
>         # Only enable *debug=all if you are a developer
> 
>         #
> 
>         # NAT-TRAVERSAL support, see README.NAT-Traversal
> 
>         nat_traversal=yes
> 
>         # exclude networks used on server side by adding %v4:!a.b.c.0/24
> 
>         #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
> 
>         # OE is now off by default. Uncomment and change to on, to enable.
> 
>         OE=off
> 
>         # which IPsec stack to use. netkey,klips,mast,auto or none
> 
>         protostack=netkey
> 
>  
> 
>  
> 
> # Add connections here
> 
>  
> 
> # sample VPN connection
> 
> # for more examples, see /etc/ipsec.d/examples/
> 
> conn sample
> 
> #               # Left security gateway, subnet behind it, nexthop toward right.
> 
>                 left=192.x.x.x
> 
> #               leftsubnet=172.16.0.0/24
> 
> #               leftnexthop=10.22.33.44
> 
> #               # Right security gateway, subnet behind it, nexthop toward left.
> 
>                 right=x.x.x.x
> 
> #               rightsubnet=192.168.0.0/24
> 
> #               rightnexthop=10.101.102.103
> 
> #               # To authorize this connection, but not actually start it,
> 
> #               # at startup, uncomment this.
> 
>                 auto=start
> 
>  
> 
> include /etc/ipsec.d/examples/no_oe.conf
> 
> 
> ____________________________________________________________________________________________________________
> 
> 
>  
> 
> Thanks,
> 
> Rajitha.
> 
>  
> 
> From: Gbenga [mailto:stjames08 at yahoo.co.uk]
> Sent: Tuesday, July 01, 2008 4:34 PM
> To: users at lists.openswan.org
> Cc: Rajitha Reddy
> Subject: Re: [Openswan Users] Question on installing Openswan
> 
>  
> 
> Hi Rajitha,
> 
>  
> 
> Please make sure to copy the list so that some other folks with the same issue in the future can see
> the resolution. I made the earlier mistake by not including the list address.
> 
>  
> 
> Of course you can use Openswan as xauth server. I have one set up; works fine.
> 
>  
> 
> If you search the list archives you will see solutions on the same problem. You have to enable
> certain kernel parameters. To remove the errors, do:
> 
>  
> 
> echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
> 
> echo "0" > /proc/sys/net/ipv4/conf/default/send_redirects
> 
> echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
> 
> echo "0" > /proc/sys/net/ipv4/conf/eth1/send_redirects
> 
> echo "0" > /proc/sys/net/ipv4/conf/lo/send_redirects
> 
>  
> 
> Do the same for everything under "/proc/sys/net/ipv4/conf/*/accept_redirects"
> 
>  
> 
> To get rid of the Opportunistic Encryption DNS checks: You will have to include the following in
> your /etc/ipsec.conf (preferably at the end of the file)
> 
>  
> 
> include /etc/ipsec.d/examples/no_oe.conf
> 
>  
> 
> You should read up more from http://wiki.openswan.org
> 
>  
> 
> Rgds,
> 
> Gbenga
> 
>  
> 
>  
> 
>  
> 
> Hi Gbenga,
> 
>  
> 
> Thanks so much for the immediate response. Truly appreciate it.
> 
>  
> 
> With the full pathname, I could verify if IPSEC is installed properly or not, although it does give a
> failure in certain components:
> 
>  
> 
> [root at rreddy-fc5 openswan-2.6.14]# ipsec verify
> 
> Checking your system to see if IPsec got installed and started correctly:
> 
> Version check and ipsec on-path                                                              [OK]
> 
> Linux Openswan U2.6.14/K2.6.19-1.2288.2.4.fc5smp (netkey)
> 
> Checking for IPsec support in kernel                                                       [OK]
> 
> NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]
> 
>  
> 
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> 
>   or NETKEY will cause the sending of bogus ICMP redirects!
> 
>  
> 
> NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]
> 
>  
> 
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
> 
>   or NETKEY will accept bogus ICMP redirects!
> 
>  
> 
> Checking for RSA private key (/etc/ipsec.secrets)                             [OK]
> 
> Checking that pluto is running                                                              [OK]
> 
> Checking for 'ip' command                                                                   [OK]
> 
> Checking for 'iptables' command                                                              [OK]
> 
>  
> 
> Opportunistic Encryption DNS checks:
> 
>    Looking for TXT in forward dns zone: rreddy-fc5.mocana.local  [MISSING]
> 
>    Does the machine have at least one non-private address?         [FAILED]
> 
>  
> 
>  
> 
> So, I have a question if I can use Openswan as an Xauth server to test my  ipsec XAuth Client? Can
> you please let me know about it?
> 
>  
> 
> Thanks again,
> 
> Rajitha.
> 
>  
> 
> From: Gbenga [mailto:stjames08 at yahoo.co.uk]
> Sent: Tuesday, July 01, 2008 3:51 PM
> To: Rajitha Reddy
> Subject: Re: [Openswan Users] Question on installing Openswan
> 
>  
> 
> Hi Rajitha,
> 
>  
> 
> Next time you should provide more details, but it looks like the ipsec binary is not in your path.
> The way you install Openswan, it will be installed under /usr/local/sbin/ipsec. So you either do one
> of two things:
> 
>  
> 
> export PATH=$PATH:/usr/local/bin:/usr/local/sbin
> 
>  
> 
> or
> 
>  
> 
> run ipsec with full pathname, e.g. /usr/local/sbin/ipsec verify.
> 
>  
> 
> Rgds,
> 
> Gbenga
> 
>  
> 
>  
> 
> Hi,
> 
>  
> 
> I have a question on installing and configuring Openswan. I would like to use openswan as an XAUTH
> Server.
> 
>  
> 
> I have downloaded  openswan-2.6.14.tar.gz onto a linux box (2.6.19-1.2288.2.4.fc5smp). Under the
> folder openswan-2.6.14, I did the following:
> 
>  
> 
> 1. make programs
> 
> 2. make install
> 
>  
> 
> The installation guide then said to verify the installation by:
> 
>  
> 
> ipsec verify
> 
>  
> 
> But I get an error as follows:
> 
>  
> 
> -bash: ipsec: command not found
> 
>  
> 
> Can you please help me with this?
> 
>  
> 
> Thanks so much for your time.
> 
>  
> 
> Regards,
> 
> Rajitha.
> 
>  
> 
> 
> 
>
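As an added illustration of Paul's point (not code from the thread or from Openswan), the following lint parses a conn section in ipsec.conf syntax and flags an `ike=` (phase 1) line that has no matching `esp=` (phase 2) line, and reports the authentication method. The embedded config text is constructed from the posted "conn sample" block; `parse_conns` and `lint_conn` are hypothetical helper names.

```python
import re

# Constructed from the "conn sample" block posted in the thread (not a real deployment).
SAMPLE_CONF = """\
conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
                authby=secret
                left=192.168.3.38
#               leftsubnet=172.16.0.0/24
                right=10.8.10.244
                ike=3des-sha1
                auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Lines whose first non-blank character is '#' are comments in ipsec.conf
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        # 'config setup', 'include' and 'version' lines end the current conn scope
        if line.startswith(("config ", "include ", "version ")):
            current = None
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns

def lint_conn(params):
    """Return findings for one conn: phase 1/phase 2 coverage and authentication method."""
    findings = []
    if "ike" in params and "esp" not in params:
        # ike= only covers phase 1 (ISAKMP SA); phase 2 (IPsec SA) algorithms are set with esp=
        findings.append("ike= given without esp=: phase 2 uses defaults, consider esp=3des-sha1")
    if params.get("authby") == "secret":
        findings.append("authby=secret: peers authenticate with a PSK from ipsec.secrets, not certificates")
    for side in ("left", "right"):
        if side not in params:
            findings.append(f"{side}= not set")
    return findings
```

Run `lint_conn(parse_conns(SAMPLE_CONF)["sample"])` on the posted block and it reports exactly the two points Paul raises: phase 2 is unspecified, and authentication is by PSK.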