[Openswan Users] 3des, sha1 & icmp on openswan (Rajitha Reddy

Mohamed Mydeen.A mohamedmydeen.a at jasmin-infotech.com
Mon Jul 7 00:59:35 EDT 2008


Hi,

You can see the following two files and try. Hope, this should work for you.


-----------------ipsec.secrets----------------------------------------------
117.97.141.134 @56.89.247.82 : PSK "jasmin12345"



-----------------ipsec.conf-------------------------------------------------

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/packages/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg:
	# plutodebug="control parsing"
	#
	# Only enable klipsdebug=all if you are a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	# nat_traversal=yes
	# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	#
	# Certificate Revocation List handling:
	#crlcheckinterval=600
	#strictcrlpolicy=yes
	#
	# Change rp_filter setting? (default is 0, disabled)
	# See also setting in the /etc/sysctl.conf file!
	#rp_filter=%unchanged
	#
	# Workaround to setup all tunnels immediately, since the new default
	# of "plutowait=no" causes "Resource temporarily unavailable" errors
	# for the first connect attempt over each tunnel, that is delayed to
	# be established later / on demand.
	#
	plutowait=yes
	interfaces=%defaultroute

# default settings for connections
conn %default
	# keyingtries default to %forever
	#keyingtries=3
	# Sig keys (default: %dnsondemand)
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	# Lifetimes, defaults are 1h/8hrs
	#ikelifetime=20m
	#keylife=1h
	#rekeymargin=8m
	authby=secret
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

# Add connections here

# sample VPN connection
#conn sample
#		# Left security gateway, subnet behind it, nexthop toward right.
#		left=10.0.0.1
#		leftsubnet=172.16.0.0/24
#		leftnexthop=10.22.33.44
#		# Right security gateway, subnet behind it, nexthop toward left.
#		right=10.12.12.1
#		rightsubnet=192.168.0.0/24
#		rightnexthop=10.101.102.103
#		# To authorize this connection, but not actually start it, 
#		# at startup, uncomment this.
#		#auto=start

conn openswan
	leftsubnet=117.97.141.134/32
	left=117.97.141.134
	right=56.89.247.82
	rightid=@56.89.247.82
	rightsubnet=172.16.0.0/16
	keyexchange=ike
	ike=3des-sha1-modp1024
	auth=esp
	esp=3des-sha1
	type=tunnel
	auto=start
	pfs=yes
	dpddelay=30
	dpdtimeout=120
	dpdaction=hold

Regards,

Mohamed Mydeen A
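Added example (not Mohamed's or Openswan's own code): a small Python checker that reads a `conn` section and the `ipsec.secrets` PSK lines the way pluto indexes a pre-shared key (by `leftid`/`rightid`, falling back to the IP addresses), so the "No certificate" symptom in the quoted question can be diagnosed before restarting ipsec. `IPSEC_CONF`/`IPSEC_SECRETS` are constructed from the two files above, and `parse_conns`, `parse_secrets` and `check_psk` are names chosen here.

```python
import re
IPSEC_CONF = """\
conn openswan
\tleft=117.97.141.134
\tright=56.89.247.82
\trightid=@56.89.247.82
\tauthby=secret
\tike=3des-sha1-modp1024
\tesp=3des-sha1
"""
IPSEC_SECRETS = '117.97.141.134 @56.89.247.82 : PSK "jasmin12345"\n'  # both samples constructed, modelled on the files posted above

def parse_conns(text):
    """Return {name: {key: value}} for every 'conn' section (comments dropped)."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                    # unindented: section header
            m = re.match(r"conn\s+(\S+)", line)
            cur = conns.setdefault(m.group(1), {}) if m else None
        elif cur is not None and "=" in line:        # indented key=value
            key, val = line.strip().split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def parse_secrets(text):
    """[(selector_ids, psk)] per well-formed PSK line; an unterminated quote
    (as in the quoted question) yields no entry at all."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'^\s*([^:]*?)\s*:\s*PSK\s+"([^"]*)"\s*$', line)
        if m:
            entries.append((set(m.group(1).split()), m.group(2)))
    return entries

def check_psk(conf_text, secrets_text, name):
    """Problems that stop pluto finding a pre-shared key for conn `name`."""
    c = parse_conns(conf_text)[name]
    issues = []
    if c.get("authby") != "secret":
        issues.append("authby is not 'secret': RSA/certificate auth will be tried")
    # pluto indexes PSKs by both ends' IDs: leftid/rightid, else the IP address
    ids = {c.get("leftid", c.get("left")), c.get("rightid", c.get("right"))}
    hits = [psk for sel, psk in parse_secrets(secrets_text)
            if not sel or all(i in sel or "%any" in sel for i in ids)]
    if not hits:
        issues.append("no ipsec.secrets PSK line indexed by %s" % sorted(map(str, ids)))
    return issues
```

The checker deliberately says nothing about the proposals themselves; for a current deployment, note that 3DES with modp1024 is well below today's recommended strength.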

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of users-request at openswan.org
Sent: Friday, July 04, 2008 12:08 AM
To: users at openswan.org
Subject: Users Digest, Vol 56, Issue 11

Send Users mailing list submissions to
	users at openswan.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.openswan.org/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
	users-request at openswan.org

You can reach the person managing the list at
	users-owner at openswan.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Users digest..."


Today's Topics:

   1. Re: 3des, sha1 & icmp on openswan (Rajitha Reddy)


----------------------------------------------------------------------

Message: 1
Date: Thu, 3 Jul 2008 11:35:48 -0700
From: Rajitha Reddy <RReddy at mocana.com>
Subject: Re: [Openswan Users] 3des, sha1 & icmp on openswan
To: scharles <scharles at ventusnetworks.com>
Cc: "users at openswan.org" <users at openswan.org>
Message-ID:
	<50DADDE6B33B1B47904E685AAFDC182410174A83E4 at yugi.mocana.local>
Content-Type: text/plain; charset="utf-8"

Hi,

Can you please tell me if this is the way to configure openswan to use 3des &
sha1? Also, to use a pre-shared key instead of certificates?

In ipsec.conf, I have done the following: Is it correct?
________________________________
conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
                  authby=secret
                  left=192.168.3.38
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
                right=10.8.10.244
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
                ike=3des-sha1
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
                auto=add
________________________________

Is there a way to configure openswan not to send certificates to my ipsec
peer? I want it to use a pre-shared key. I have removed the RSA key detail from
the /etc/ipsec.secrets and just added the following line in it. But, still,
it seems to send a certificate and my ipsec peer complains of "No
certificate".

192.168.x.x  192.168.x.x : PSK "secret"

Any help is greatly appreciated.

Thanks,
Rajitha.

From: Rajitha Reddy
Sent: Thursday, July 03, 2008 10:48 AM
To: 'scharles'
Cc: users at openswan.org
Subject: 3des, sha1 & icmp on openswan

Hi,

I have my ipsec configured to use 3des, sha1, icmp. Do you know how I can
configure openswan to use 3des, sha1, icmp?

Thanks again for your help.

- Rajitha.

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Rajitha Reddy
Sent: Wednesday, July 02, 2008 3:57 PM
To: scharles; 'Gbenga'; users at lists.openswan.org
Subject: Re: [Openswan Users] cant load /etc/ipsec.conf

Yes, I created the file /etc/ipsec.d/examples/no_oe.conf and restarted
ipsec.

I could bring up my connection. Thanks so much for that.

Regards,
Rajitha.

From: scharles [mailto:scharles at ventusnetworks.com]
Sent: Wednesday, July 02, 2008 1:56 PM
To: Rajitha Reddy; 'Gbenga'; users at lists.openswan.org
Subject: RE: [Openswan Users] cant load /etc/ipsec.conf

Please create that file "/etc/ipsec.d/examples/no_oe.conf" and restart
ipsec

Simon Charles
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Rajitha Reddy
Sent: Wednesday, July 02, 2008 3:38 PM
To: Gbenga; users at lists.openswan.org
Subject: [Openswan Users] cant load /etc/ipsec.conf

Hi,

I can't seem to load /etc/ipsec.conf which has my connection name. Since it
can't load ipsec.conf, it cannot identify the connection name when I do
'ipsec auto --up connname'. Any help will be greatly appreciated.

ipsec auto --add aragon
can not load config '/etc/ipsec.conf': /etc/ipsec.d/examples/no_oe.conf:1:
can not open include filename: '/etc/ipsec.d/examples/no_oe.conf' [
]

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Rajitha Reddy
Sent: Tuesday, July 01, 2008 5:28 PM
To: Gbenga; users at lists.openswan.org
Subject: Re: [Openswan Users] Question on installing Openswan

That's great! Thanks for the information.

Except for Opportunistic Encryption DNS checks, I have successfully removed
the other errors.

I would like to first get my IPSEC client working with Openswan. And then
try out the XAuth feature.

To do that, I added the SA on my Client and edited /etc/ipsec.conf with the
right laddr and raddr. But, the problem is that it's not recognizing my
connection on the left addr.

If I execute 'ipsec auto --up sample', I see the following error:

000 initiating all conns with alias='sample'
021 no connection named "sample"

I don't think it's referring to /etc/ipsec.conf because even if I remove the
file from there, it doesn't matter to it and it still gives the same error.
I think it's referring to some other location. Can you please guide me
here?
________________________________
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable *debug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        OE=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey


# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
                left=192.x.x.x
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
                right=x.x.x.x
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
                auto=start

include /etc/ipsec.d/examples/no_oe.conf
________________________________

Thanks,
Rajitha.

From: Gbenga [mailto:stjames08 at yahoo.co.uk]
Sent: Tuesday, July 01, 2008 4:34 PM
To: users at lists.openswan.org
Cc: Rajitha Reddy
Subject: Re: [Openswan Users] Question on installing Openswan

Hi Rajitha,

Please make sure to copy the list so that some other folks with the same
issue in the future can see the resolution. I made the earlier mistake by
not including the list address.

Of course you can use Openswan as an xauth server. I have one set up; it works
fine.

If you search the list archives you will see solutions to the same problem.
You have to enable certain kernel parameters. To remove the errors, do:

echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/default/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/lo/send_redirects

Do the same for  everything under
"/proc/sys/net/ipv4/conf/*/accept_redirects"



To get rid of the Opportunistic Encryption DNS checks, you will have to
include the following in your /etc/ipsec.conf (preferably at the end of the
file):



include /etc/ipsec.d/examples/no_oe.conf



You should read up more from http://wiki.openswan.org

Rgds,
Gbenga
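Gbenga's five `echo` lines, generalised as an added example (not code from the thread) to every directory under `/proc/sys/net/ipv4/conf`, covering both `send_redirects` and `accept_redirects` as he suggests, with a check that reports the same entries `ipsec verify` flags. `fake_conf_tree` builds a constructed stand-in tree so it runs without root, and the function names are chosen here.

```python
import tempfile
from pathlib import Path

REDIRECT_KNOBS = ("send_redirects", "accept_redirects")
PROC_CONF = "/proc/sys/net/ipv4/conf"

def redirect_state(conf_dir=PROC_CONF):
    """Map 'iface/knob' -> current value for every interface dir under conf_dir."""
    state = {}
    for iface in sorted(Path(conf_dir).iterdir()):
        for knob in REDIRECT_KNOBS:
            f = iface / knob
            if f.is_file():
                state[f"{iface.name}/{knob}"] = f.read_text().strip()
    return state

def offending(conf_dir=PROC_CONF):
    """Entries 'ipsec verify' would flag: the kernel combines 'all' with each
    interface's own setting, so every knob has to read 0, not just eth0's."""
    return sorted(k for k, v in redirect_state(conf_dir).items() if v != "0")

def disable_redirects(conf_dir=PROC_CONF):
    """Write 0 to every send_/accept_redirects knob (needs root on a live box).
    Returns the entries that were changed, so the caller can log them."""
    changed = []
    for entry in offending(conf_dir):
        (Path(conf_dir) / entry).write_text("0\n")
        changed.append(entry)
    return changed

def fake_conf_tree(ifaces=("all", "default", "eth0", "lo"), value="1"):
    """Constructed stand-in for /proc/sys/net/ipv4/conf so this runs unprivileged."""
    root = Path(tempfile.mkdtemp())
    for iface in ifaces:
        (root / iface).mkdir()
        for knob in REDIRECT_KNOBS:
            (root / iface / knob).write_text(value + "\n")
    return root

def demo_run():
    """Before / changed / after on a constructed tree; on a real host pass PROC_CONF."""
    demo = fake_conf_tree()
    return offending(demo), disable_redirects(demo), offending(demo)

if __name__ == "__main__":
    print(demo_run())
```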



Hi Gbenga,

Thanks so much for the immediate response. Truly appreciate it.

With the full pathname, I could verify whether IPSEC is installed properly or
not, although it does give a failure in certain components:

[root at rreddy-fc5 openswan-2.6.14]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.14/K2.6.19-1.2288.2.4.fc5smp (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: rreddy-fc5.mocana.local  [MISSING]
   Does the machine have at least one non-private address?         [FAILED]


So, I have a question if I can use Openswan as an Xauth server to test my
ipsec XAuth Client? Can you please let me know about it?

Thanks again,
Rajitha.

From: Gbenga [mailto:stjames08 at yahoo.co.uk]
Sent: Tuesday, July 01, 2008 3:51 PM
To: Rajitha Reddy
Subject: Re: [Openswan Users] Question on installing Openswan

Hi Rajitha,

Next time you should provide more details, but it looks like the ipsec
binary is not in your path. The way you install Openswan, it will be
installed under /usr/local/sbin/ipsec. So you either do one of two things:

export PATH=$PATH:/usr/local/bin:/usr/local/sbin

or

run ipsec with full pathname e.g /usr/local/sbin/ipsec verify.

Rgds,
Gbenga


Hi,

I have a question on installing and configuring Openswan. I would like to
use openswan as an XAUTH Server.

I have downloaded  openswan-2.6.14.tar.gz onto a linux box
(2.6.19-1.2288.2.4.fc5smp). Under the folder openswan-2.6.14, I did the
following:

1. make programs
2. make install

The installation guide then said to verify the installation by:

ipsec verify

But I get an error as follows:

-bash: ipsec: command not found

Can you please help me with this?

Thanks so much for your time.

Regards,
Rajitha.


****************************************************************************
This message contains confidential and proprietary information of the
sender,
and is intended only for the person(s) to whom it is addressed. Any use,
distribution, copying or disclosure by any other person is strictly
prohibited.
If you have received this message in error, please notify the e-mail sender
immediately, and delete the original message without making a copy.
****************************************************************************