[Openswan Users] Openswan on Ubuntu 8.10
openswan at thefeds.net
openswan at thefeds.net
Mon Jan 5 08:45:36 EST 2009
I had to add protostack=netkey to ipsec.conf to get openswan to start on
CentOS 5.0. Without that it would start on the second attempt, but not the
first.
Tim
On Mon, 5 Jan 2009, Richard de Rivaz wrote:
> Hi
>
> I wonder if anyone has example config files that work with Netkey?
>
> Regards Richard
>
>
> Richard de Rivaz wrote:
>> Hi
>>
>> I am trying to use Openswan on Ubuntu to create an ipsec vpn but so far do not seem able to get Openswan to startup correctly. 'ipsec verify' produces the following:
>>
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path [OK]
>> Linux Openswan U2.4.12/K2.6.27-9-generic (netkey)
>> Checking for IPsec support in kernel [OK]
>> NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
>>
>> Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>> or NETKEY will cause the sending of bogus ICMP redirects!
>>
>> NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
>>
>> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>> or NETKEY will accept bogus ICMP redirects!
>>
>> Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
>> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
>> Checking that pluto is running [FAILED]
>> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>> Two or more interfaces found, checking IP forwarding [FAILED]
>> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>> Checking NAT and MASQUERADEing [N/A]
>> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>> Checking for 'ip' command [OK]
>> Checking for 'iptables' command [OK]
>> Opportunistic Encryption Support [DISABLED]
>>
>>
>> sysctl.conf is as follows:
>>
>> #
>> # /etc/sysctl.conf - Configuration file for setting system variables
>> # See /etc/sysctl.d/ for additional system variables.
>> # See sysctl.conf (5) for information.
>> #
>>
>> #kernel.domainname = example.com
>>
>> # Uncomment the following to stop low-level messages on console
>> #kernel.printk = 4 4 1 7
>>
>> ##############################################################3
>> # Functions previously found in netbase
>> #
>>
>> # Uncomment the next two lines to enable Spoof protection (reverse-path filter)
>> # Turn on Source Address Verification in all interfaces to
>> # prevent some spoofing attacks
>> net.ipv4.conf.default.rp_filter = 0
>> net.ipv4.conf.all.rp_filter = 1
>>
>> # Uncomment the next line to enable TCP/IP SYN cookies
>> # This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
>> # and is not recommended.
>> net.ipv4.tcp_syncookies = 1
>>
>> # Uncomment the next line to enable packet forwarding for IPv4
>> net.ipv4.ip_forward = 1
>>
>> # Uncomment the next line to enable packet forwarding for IPv6
>> net.ipv6.conf.all.forwarding=1
>>
>>
>> ###################################################################
>> # Additional settings - these settings can improve the network
>> # security of the host and prevent against some network attacks
>> # including spoofing attacks and man in the middle attacks through
>> # redirection. Some network environments, however, require that these
>> # settings are disabled so review and enable them as needed.
>> #
>> # Ignore ICMP broadcasts
>> net.ipv4.icmp_echo_ignore_broadcasts = 1
>> #
>> # Ignore bogus ICMP errors
>> net.ipv4.icmp_ignore_bogus_error_responses = 1
>> #
>> # Do not accept ICMP redirects (prevent MITM attacks)
>> net.ipv4.conf.all.accept_redirects = 0
>> net.ipv6.conf.all.accept_redirects = 0
>> # _or_
>> # Accept ICMP redirects only for gateways listed in our default
>> # gateway list (enabled by default)
>> net.ipv4.conf.all.secure_redirects = 0
>> #
>> # Do not send ICMP redirects (we are not a router)
>> net.ipv4.conf.all.send_redirects = 0
>> #
>> # Do not accept IP source route packets (we are not a router)
>> net.ipv4.conf.all.accept_source_route = 0
>> net.ipv6.conf.all.accept_source_route = 0
>> #
>> # Log Martian Packets
>> net.ipv4.conf.all.log_martians = 1
>> #
>> # The contents of /proc/<pid>/maps and smaps files are only visible to
>> # readers that are allowed to ptrace() the process
>> sys.kernel.maps_protect = 1
>>
>> I would be grateful for any help in getting Openswan to work on Ubuntu 8.10
>>
>> Regards Richard
>> --
>>
>> Richard de Rivaz
>> MDR Interfaces Ltd
>> Computer Control Specialists
>>
>> Tel: +44(0)1825 790294 Fax: +44(0)1825 790119
>> Reg in England No. 1577056 Directors: R de Rivaz Z de Rivaz
>> Reg Address: Little Bridge House, Danehill, Sussex RH17 7JD
>>
>> http://www.mdr.co.uk
>
-------------- next part --------------
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list