[Openswan Users] Openswan 2.5.17 doesn't work
Milan Lesnik
milan.lesnik at uni-mb.si
Mon Mar 3 07:27:15 EST 2008
Hi
My setup (klips 2.5.17, pluto 2.5.17, kernel 2.6.19.7):
ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        protostack=klips
        # overridemtu=1300
        myid=@v-debian.uni-mb.si
        # strictcrlpolicy=yes
        rp_filter=0
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug="none"
        plutodebug="control"
        # plutodebug="parsing emitting control klips"
        interfaces="ipsec0=eth0"
        # interfaces=%defaultroute
        nat_traversal=yes
        uniqueids=no
        fragicmp=yes
        forwardcontrol=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

include /etc/ipsec.d/*.conf
/etc/ipsec.d/no_oe.conf
conn unimb
        type=transport
        aggrmode=no
        rekey=no
        rekeymargin=2m
        ikelifetime=9h
        keylife=2h
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        authby=rsasig
        pfs=no
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        left=164.8.1.116
        leftnexthop=164.8.1.1
        leftprotoport=17/1701
        leftcert=v-debian-uni-mb-si-cert.pem
        right=%any
        rightprotoport=17/1701
        auto=add
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        failureshunt=drop
        rightsubnet=vhost:%no,%priv
        rightid="C=SI, ST=Slovenia, ..."
        leftid="C=SI, ST=Slovenia, ..."

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore
I establish an IPsec connection, but the tunnel doesn't work.
Here is the output of the eroute and route commands.

v-debian:~# /usr/local/sbin/ipsec eroute
0 164.8.1.116/32 -> 192.168.2.3/32:1701 => comp0xdf5c@82.149.5.181:17

Eroute doesn't show a suitable tunnel: there is a tunnel, but port 1701 is missing.
v-debian:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.3     164.8.1.1       255.255.255.255 UGH   0      0        0 ipsec0
164.8.1.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
164.8.1.0       0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
0.0.0.0         164.8.1.1       0.0.0.0         UG    0      0        0 eth0

The route points to 192.168.2.3 and not to the public address of the NAT box.
If I use the same setup, same client and same firewall under Openswan 2.4.12 (klips
2.4.12, pluto 2.4.12, kernel 2.6.18.4), everything works. The eroute and route
commands show a working tunnel:

v-debian:~# /usr/local/sbin/ipsec eroute
0 164.8.1.116/32:1701 -> 82.149.5.181/32:1701 => comp0xc96b@82.149.5.181:17

v-debian:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
82.149.5.181    164.8.1.1       255.255.255.255 UGH   0      0        0 ipsec0
164.8.1.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
164.8.1.0       0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
0.0.0.0         164.8.1.1       0.0.0.0         UG    0      0        0 eth0
What is wrong or what am I missing?
Another problem during startup (I disabled the NETKEY options in the kernel;
Openswan 2.4.12 works even with the NETKEY code present):
v-debian:~# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec 2.5.17...
ipsec_setup: FATAL ERROR: Both KLIPS and NETKEY IPsec code is present in kernel
ipsec_setup: OOPS, should have aborted! Broken shell!
The only workaround is to manually load the ipsec module and then start ipsec.
Regards Milan
--
----------------------------------------------------------------------
|Milan Lesnik, system manager |http://rcum.uni-mb.si/~milan |
|University Computer Centre, Maribor |http://www.uni-mb.si/ |
|Tel: +386 2 2355 300 |email: milan.lesnik at uni-mb.si |
|Fax: +386 2 2355 316 |DECMail-Slovenia: rcum::milan |
----------------------------------------------------------------------
| UNIX was not designed to be a secure OS - Sysadmin, June 97 |
----------------------------------------------------------------------
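The two eroute listings above differ in exactly the two properties that matter for an L2TP-over-IPsec transport SA: whether port 1701 appears on both selectors, and whether the destination selector is the NAT box's public address (the peer after "@") or the client's private address behind it. The following script is an added example, not part of the post and not Openswan's own tooling; it parses eroute lines of the shape shown above (the field layout is assumed from that output, with the archive's " at " read as "@") and reports which property is wrong. The three sample lines are constructed: the first two mirror the post's broken and working output, the third is a hypothetical case with only the port missing.

```shell
#!/bin/sh
# Added example (not from the post, not Openswan code): sanity-check `ipsec eroute`
# output for an L2TP/IPsec transport-mode SA.
# Assumed field layout, taken from the output shown in the post:
#   <count> <src>/<mask>[:<port>] -> <dst>/<mask>[:<port>] => <said>@<peer>:<proto>

# Constructed sample lines (the first two match the post, the third is hypothetical).
EROUTE_BROKEN='0 164.8.1.116/32 -> 192.168.2.3/32:1701 => comp0xdf5c@82.149.5.181:17'
EROUTE_OK='0 164.8.1.116/32:1701 -> 82.149.5.181/32:1701 => comp0xc96b@82.149.5.181:17'
EROUTE_NOPORT='0 164.8.1.116/32 -> 82.149.5.181/32:1701 => comp0xdf5c@82.149.5.181:17'

# selector_host A.B.C.D/M[:P]  -> prints A.B.C.D
selector_host() {
        printf '%s\n' "${1%%/*}"
}

# selector_port A.B.C.D/M[:P]  -> prints P, or nothing when the selector has no port
selector_port() {
        case $1 in
                *:*) printf '%s\n' "${1##*:}" ;;
                *)   printf '\n' ;;
        esac
}

# check_l2tp_eroute LINE
# Returns 0 and prints "ok: ..." when the eroute is usable for L2TP (UDP 1701) in
# transport mode, i.e. the destination selector host equals the SA peer address
# after "@" (the NAT box's public IP) and both selectors carry port 1701 (what
# leftprotoport/rightprotoport=17/1701 should produce). Otherwise prints the
# first problem found and returns 1.
check_l2tp_eroute() {
        # shellcheck disable=SC2086  # intentional word splitting on the eroute line
        set -- $1
        src=$2; dst=$4; said=$6
        peer=${said#*@}          # drop "comp0x....@"
        peer=${peer%%:*}         # drop ":17" (IPPROTO_UDP)
        dsthost=$(selector_host "$dst")
        srcport=$(selector_port "$src")
        dstport=$(selector_port "$dst")

        if [ "$dsthost" != "$peer" ]; then
                echo "destination selector host $dsthost is not the SA peer $peer"
                return 1
        fi
        if [ "$srcport" != "1701" ]; then
                echo "source selector $src is missing port 1701"
                return 1
        fi
        if [ "$dstport" != "1701" ]; then
                echo "destination selector $dst is missing port 1701"
                return 1
        fi
        echo "ok: $src -> $dst via $peer"
        return 0
}

# Stand-alone demonstration on the constructed samples. On a live box, run
#   ipsec eroute | while read -r l; do check_l2tp_eroute "$l"; done
check_l2tp_eroute "$EROUTE_BROKEN" || true
check_l2tp_eroute "$EROUTE_NOPORT" || true
check_l2tp_eroute "$EROUTE_OK"
```

The check deliberately tests the peer address before the ports: in the broken listing from the post both properties are wrong, and a selector aimed at the client's private address will never match traffic from the NAT box regardless of what port it carries.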