[Openswan Users] OpenSWAN to SonicWALL problems
Peter McGill
petermcgill at goco.net
Mon Jan 26 11:10:32 EST 2009
Chris,
I see a number of other problems.
> + _________________________ ipsec_verify
> + ipsec verify --nocolour
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.14/K2.6.27.5-41.fc9.i686 (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
>
> Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> or NETKEY will cause the sending of bogus ICMP redirects!
>
> NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
>
> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
> or NETKEY will accept bogus ICMP redirects!
>
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [OK]
> Pluto not listening on port udp 500. Check interfaces defintion in
> ipsec.conf.Two or more interfaces found, checking IP forwarding
> [FAILED]
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
Pluto is not listening on port udp 500 and there is no IP forwarding; see below.
> + _________________________ /proc/sys/net/ipv4/ip_forward
> + cat /proc/sys/net/ipv4/ip_forward
> 0
Fix this in your startup scripts, usually by editing /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Apply the changes:
sysctl -p /etc/sysctl.conf
> + _________________________ klog
> + sed -n '1151,$p' /var/log/messages
> + egrep -i 'ipsec|klips|pluto'
> + case "$1" in
> + cat
> Jan 26 09:36:38 localhost ipsec_setup: Starting Openswan IPsec
> U2.6.14/K2.6.27.5-41.fc9.i686...
> Jan 26 09:36:38 localhost ipsec_setup:
> Jan 26 09:36:38 localhost ipsec_setup:
> Jan 26 09:36:38 localhost setroubleshoot: SELinux is preventing logger
> (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages.
> run sealert -l 68eff3d4-9eec-4f59-91c1-4d0cde3d88a2
> Jan 26 09:36:39 localhost setroubleshoot: SELinux is preventing logger
> (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages.
> run sealert -l 68eff3d4-9eec-4f59-91c1-4d0cde3d88a2
> Jan 26 09:36:39 localhost setroubleshoot: SELinux is preventing logger
> (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages.
> run sealert -l 68eff3d4-9eec-4f59-91c1-4d0cde3d88a2
> Jan 26 09:36:39 localhost setroubleshoot: SELinux is preventing logger
> (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages.
> run sealert -l 68eff3d4-9eec-4f59-91c1-4d0cde3d88a2
> Jan 26 09:36:40 localhost setroubleshoot: SELinux is preventing logger
> (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages.
> run sealert -l 68eff3d4-9eec-4f59-91c1-4d0cde3d88a2
> Jan 26 09:36:40 localhost setroubleshoot: SELinux is preventing auto
> (ipsec_mgmt_t) "execute_no_trans" to /bin/bash (shell_exec_t). For
> complete SELinux messages. run sealert -l
> 12b4c94d-97f6-41cb-886f-048b26a24b1f
> Jan 26 09:36:40 localhost setroubleshoot: SELinux is preventing logger
> (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages.
> run sealert -l 68eff3d4-9eec-4f59-91c1-4d0cde3d88a2
> Jan 26 09:36:40 localhost setroubleshoot: SELinux is preventing auto
> (ipsec_mgmt_t) "execute_no_trans" to /bin/bash (shell_exec_t). For
> complete SELinux messages. run sealert -l
> 12b4c94d-97f6-41cb-886f-048b26a24b1f
> Jan 26 09:36:41 localhost setroubleshoot: SELinux is preventing logger
> (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages.
> run sealert -l 68eff3d4-9eec-4f59-91c1-4d0cde3d88a2
> Jan 26 09:36:41 localhost setroubleshoot: SELinux is preventing auto
> (ipsec_mgmt_t) "execute_no_trans" to /bin/bash (shell_exec_t). For
> complete SELinux messages. run sealert -l
> 12b4c94d-97f6-41cb-886f-048b26a24b1f
> Jan 26 09:36:41 localhost setroubleshoot: SELinux is preventing logger
> (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages.
> run sealert -l 68eff3d4-9eec-4f59-91c1-4d0cde3d88a2
> Jan 26 09:36:41 localhost setroubleshoot: SELinux is preventing auto
> (ipsec_mgmt_t) "execute_no_trans" to /bin/bash (shell_exec_t). For
> complete SELinux messages. run sealert -l
> 12b4c94d-97f6-41cb-886f-048b26a24b1f
> Jan 26 09:36:42 localhost setroubleshoot: SELinux is preventing logger
> (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages.
> run sealert -l 68eff3d4-9eec-4f59-91c1-4d0cde3d88a2
> Jan 26 09:36:42 localhost setroubleshoot: SELinux is preventing auto
> (ipsec_mgmt_t) "execute_no_trans" to /bin/bash (shell_exec_t). For
> complete SELinux messages. run sealert -l
> 12b4c94d-97f6-41cb-886f-048b26a24b1f
> Jan 26 09:36:42 localhost setroubleshoot: SELinux is preventing logger
> (ipsec_mgmt_t) "write" to log (devlog_t). For complete SELinux messages.
> run sealert -l 68eff3d4-9eec-4f59-91c1-4d0cde3d88a2
SELinux is preventing Openswan from working; either disable SELinux or
apply a policy which works with Openswan. I'm not sure how to do this, as
I've never used SELinux.
> + _________________________ plog
> + sed -n '5,$p' /var/log/secure
> + egrep -i pluto
> + case "$1" in
> + cat
> Jan 26 09:33:17 localhost pluto[20993]: Starting Pluto (Openswan Version
> 2.6.14; Vendor ID OEoSJUweaqAX) pid:20993
> Jan 26 09:33:17 localhost pluto[20993]: Setting NAT-Traversal port-4500
> floating to on
> Jan 26 09:33:17 localhost pluto[20993]: port floating activation
> criteria nat_t=1/port_float=1
> Jan 26 09:33:17 localhost pluto[20993]: including NAT-Traversal patch
> (Version 0.6c)
> Jan 26 09:33:17 localhost pluto[20993]: using /dev/urandom as source of
> random entropy
> Jan 26 09:33:17 localhost pluto[20993]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Jan 26 09:33:17 localhost pluto[20993]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Jan 26 09:33:17 localhost pluto[20993]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Jan 26 09:33:17 localhost pluto[20993]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jan 26 09:33:17 localhost pluto[20993]: ike_alg_register_enc():
> Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Jan 26 09:33:17 localhost pluto[20993]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Jan 26 09:33:17 localhost pluto[20993]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Jan 26 09:33:17 localhost pluto[20993]: starting up 1 cryptographic
> helpers
> Jan 26 09:33:17 localhost pluto[21003]: using /dev/urandom as source of
> random entropy
> Jan 26 09:33:17 localhost pluto[20993]: started helper pid=21003 (fd:7)
> Jan 26 09:33:17 localhost pluto[20993]: Using Linux 2.6 IPsec interface
> code on 2.6.27.5-41.fc9.i686 (experimental code)
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_register_enc():
> Activating <NULL>: Ok (ret=0)
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:33:18 localhost pluto[20993]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:33:18 localhost pluto[20993]: Could not change to directory
> '/etc/ipsec.d/cacerts': /etc/ipsec.d
> Jan 26 09:33:18 localhost pluto[20993]: Could not change to directory
> '/etc/ipsec.d/aacerts': /etc/ipsec.d
> Jan 26 09:33:18 localhost pluto[20993]: Could not change to directory
> '/etc/ipsec.d/ocspcerts': /etc/ipsec.d
> Jan 26 09:33:18 localhost pluto[20993]: Could not change to directory
> '/etc/ipsec.d/crls'
> Jan 26 09:33:18 localhost pluto[20993]: Changing back to directory
> '/etc/ipsec.d' failed - (2 No such file or directory)
> Jan 26 09:33:18 localhost pluto[20993]: Changing back to directory
> '/etc/ipsec.d' failed - (2 No such file or directory)
> Jan 26 09:33:18 localhost pluto[20993]: added connection description "vo"
> Jan 26 09:33:18 localhost pluto[20993]: added connection description
> "vodmz"
> Jan 26 09:33:28 localhost pluto[20993]: shutting down
> Jan 26 09:33:28 localhost pluto[20993]: "vodmz": deleting connection
> Jan 26 09:33:28 localhost pluto[20993]: "vo": deleting connection
> Jan 26 09:33:31 localhost pluto[21368]: Starting Pluto (Openswan Version
> 2.6.14; Vendor ID OEoSJUweaqAX) pid:21368
> Jan 26 09:33:31 localhost pluto[21368]: Setting NAT-Traversal port-4500
> floating to on
> Jan 26 09:33:31 localhost pluto[21368]: port floating activation
> criteria nat_t=1/port_float=1
> Jan 26 09:33:31 localhost pluto[21368]: including NAT-Traversal patch
> (Version 0.6c)
> Jan 26 09:33:31 localhost pluto[21368]: using /dev/urandom as source of
> random entropy
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc():
> Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Jan 26 09:33:31 localhost pluto[21368]: starting up 1 cryptographic
> helpers
> Jan 26 09:33:31 localhost pluto[21371]: using /dev/urandom as source of
> random entropy
> Jan 26 09:33:31 localhost pluto[21368]: started helper pid=21371 (fd:7)
> Jan 26 09:33:31 localhost pluto[21368]: Using Linux 2.6 IPsec interface
> code on 2.6.27.5-41.fc9.i686 (experimental code)
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc():
> Activating <NULL>: Ok (ret=0)
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:33:31 localhost pluto[21368]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:33:31 localhost pluto[21368]: Could not change to directory
> '/etc/ipsec.d/cacerts': /etc/ipsec.d
> Jan 26 09:33:31 localhost pluto[21368]: Could not change to directory
> '/etc/ipsec.d/aacerts': /etc/ipsec.d
> Jan 26 09:33:31 localhost pluto[21368]: Could not change to directory
> '/etc/ipsec.d/ocspcerts': /etc/ipsec.d
> Jan 26 09:33:31 localhost pluto[21368]: Could not change to directory
> '/etc/ipsec.d/crls'
> Jan 26 09:33:31 localhost pluto[21368]: Changing back to directory
> '/etc/ipsec.d' failed - (2 No such file or directory)
> Jan 26 09:33:31 localhost pluto[21368]: Changing back to directory
> '/etc/ipsec.d' failed - (2 No such file or directory)
> Jan 26 09:33:31 localhost pluto[21368]: added connection description "vo"
> Jan 26 09:33:31 localhost pluto[21368]: added connection description
> "vodmz"
> Jan 26 09:34:10 localhost pluto[21368]: shutting down
> Jan 26 09:34:10 localhost pluto[21368]: "vodmz": deleting connection
> Jan 26 09:34:10 localhost pluto[21368]: "vo": deleting connection
> Jan 26 09:34:12 localhost pluto[21750]: Starting Pluto (Openswan Version
> 2.6.14; Vendor ID OEoSJUweaqAX) pid:21750
> Jan 26 09:34:12 localhost pluto[21750]: Setting NAT-Traversal port-4500
> floating to on
> Jan 26 09:34:12 localhost pluto[21750]: port floating activation
> criteria nat_t=1/port_float=1
> Jan 26 09:34:12 localhost pluto[21750]: including NAT-Traversal patch
> (Version 0.6c)
> Jan 26 09:34:12 localhost pluto[21750]: using /dev/urandom as source of
> random entropy
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc():
> Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Jan 26 09:34:12 localhost pluto[21750]: starting up 1 cryptographic
> helpers
> Jan 26 09:34:12 localhost pluto[21752]: using /dev/urandom as source of
> random entropy
> Jan 26 09:34:12 localhost pluto[21750]: started helper pid=21752 (fd:7)
> Jan 26 09:34:12 localhost pluto[21750]: Using Linux 2.6 IPsec interface
> code on 2.6.27.5-41.fc9.i686 (experimental code)
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc():
> Activating <NULL>: Ok (ret=0)
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:34:12 localhost pluto[21750]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:34:12 localhost pluto[21750]: Could not change to directory
> '/etc/ipsec.d/cacerts': /etc/ipsec.d
> Jan 26 09:34:12 localhost pluto[21750]: Could not change to directory
> '/etc/ipsec.d/aacerts': /etc/ipsec.d
> Jan 26 09:34:12 localhost pluto[21750]: Could not change to directory
> '/etc/ipsec.d/ocspcerts': /etc/ipsec.d
> Jan 26 09:34:12 localhost pluto[21750]: Could not change to directory
> '/etc/ipsec.d/crls'
> Jan 26 09:34:12 localhost pluto[21750]: Changing back to directory
> '/etc/ipsec.d' failed - (2 No such file or directory)
> Jan 26 09:34:12 localhost pluto[21750]: Changing back to directory
> '/etc/ipsec.d' failed - (2 No such file or directory)
> Jan 26 09:34:12 localhost pluto[21750]: added connection description "vo"
> Jan 26 09:34:12 localhost pluto[21750]: added connection description
> "vodmz"
> Jan 26 09:36:36 localhost pluto[21750]: shutting down
> Jan 26 09:36:36 localhost pluto[21750]: "vodmz": deleting connection
> Jan 26 09:36:36 localhost pluto[21750]: "vo": deleting connection
> Jan 26 09:36:38 localhost pluto[22267]: Starting Pluto (Openswan Version
> 2.6.14; Vendor ID OEoSJUweaqAX) pid:22267
> Jan 26 09:36:38 localhost pluto[22267]: Setting NAT-Traversal port-4500
> floating to on
> Jan 26 09:36:38 localhost pluto[22267]: port floating activation
> criteria nat_t=1/port_float=1
> Jan 26 09:36:38 localhost pluto[22267]: including NAT-Traversal patch
> (Version 0.6c)
> Jan 26 09:36:38 localhost pluto[22267]: using /dev/urandom as source of
> random entropy
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc():
> Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Jan 26 09:36:38 localhost pluto[22267]: starting up 1 cryptographic
> helpers
> Jan 26 09:36:38 localhost pluto[22268]: using /dev/urandom as source of
> random entropy
> Jan 26 09:36:38 localhost pluto[22267]: started helper pid=22268 (fd:7)
> Jan 26 09:36:38 localhost pluto[22267]: Using Linux 2.6 IPsec interface
> code on 2.6.27.5-41.fc9.i686 (experimental code)
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc():
> Activating <NULL>: Ok (ret=0)
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_add(): ERROR: Algorithm
> already exists
> Jan 26 09:36:38 localhost pluto[22267]: ike_alg_register_enc():
> Activating <NULL>: FAILED (ret=-17)
> Jan 26 09:36:39 localhost pluto[22267]: Could not change to directory
> '/etc/ipsec.d/cacerts': /etc/ipsec.d
> Jan 26 09:36:39 localhost pluto[22267]: Could not change to directory
> '/etc/ipsec.d/aacerts': /etc/ipsec.d
> Jan 26 09:36:39 localhost pluto[22267]: Could not change to directory
> '/etc/ipsec.d/ocspcerts': /etc/ipsec.d
> Jan 26 09:36:39 localhost pluto[22267]: Could not change to directory
> '/etc/ipsec.d/crls'
> Jan 26 09:36:39 localhost pluto[22267]: Changing back to directory
> '/etc/ipsec.d' failed - (2 No such file or directory)
> Jan 26 09:36:39 localhost pluto[22267]: Changing back to directory
> '/etc/ipsec.d' failed - (2 No such file or directory)
> Jan 26 09:36:39 localhost pluto[22267]: added connection description "vo"
> Jan 26 09:36:39 localhost pluto[22267]: added connection description
> "vodmz"
Openswan keeps restarting, possibly due to the failure caused by
SELinux; fix that, then see if this problem is fixed.
> + _________________________ ifconfig-a
> + ifconfig -a
> eth0 Link encap:Ethernet HWaddr 00:1A:A0:49:D6:F0
> inet addr:192.168.15.3 Bcast:192.168.15.255
> Mask:255.255.255.0
> inet6 addr: fe80::21a:a0ff:fe49:d6f0/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:437205 errors:0 dropped:0 overruns:0 frame:0
> TX packets:382402 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:392714376 (374.5 MiB) TX bytes:73748413 (70.3 MiB)
> Interrupt:16
>
> + _________________________ ipsec/conf
> + ipsec _keycensor
> + ipsec _include /etc/ipsec.conf
>
> #< /etc/ipsec.conf 1
> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual: ipsec.conf.5
> #
> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # klipsdebug=none
> # plutodebug="control parsing"
> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> protostack=netkey
> nat_traversal=yes
>
>
> #< /etc/ipsec.d/ipsec.conf 1
> conn vo
> also=vocommon
> rightsubnet=192.168.10.0/24
> auto=start
>
> conn vodmz
> also=vocommon
> rightsubnet=192.168.8.0/24
> auto=start
>
> conn vocommon
> type=tunnel
> left=%defaultroute
> leftid=@jingluo
> leftsourceip=192.168.200.56
> leftsubnet=192.168.200.56/32
> rightid=@vo
> right=67.220.126.196
> keyingtries=0
> pfs=yes
> authby=secret
> auth=esp
> ike=aes256-sha1
> esp=aes256-sha1
> keyexchange=ike
>
> conn block
> auto=ignore
>
> conn private
> auto=ignore
>
> conn private-or-clear
> auto=ignore
>
> conn clear-or-private
> auto=ignore
>
> conn clear
> auto=ignore
>
> conn packetdefault
> auto=ignore
>
> #> /etc/ipsec.conf 19
Which side of the tunnel is this system on, jingluo or vo?
What IPSec device is on the other end?
> + _________________________ ipsec/secrets
> + ipsec _include /etc/ipsec.secrets
> + ipsec _secretcensor
>
> #< /etc/ipsec.secrets 1
>
> #< /etc/ipsec.d/ipsec.secrets 1
> @jingluo @vo : PSK "[sums to 3db3...]"
>
> #> /etc/ipsec.secrets 2
You cannot identify a PSK with IDs; you must use IP addresses.
RSA keys are better, more flexible if you can use them.
Peter
Chris Garrigues wrote:
> Peter McGill wrote:
>> Chris,
>>
>> It appears that you still have opportunistic encryption on.
>> > + ipsec verify
>> > Opportunistic Encryption DNS checks:
>> > Looking for TXT in forward dns zone: localhost.localdomain
>> [MISSING]
>> > Does the machine have at least one non-private address?
>> [FAILED]
>>
>> I don't see anywhere that you've turned opportunistic encryption off.
>> ipsec.conf:
>> config setup
>> oe=off # Openswan 2.6.x only
>>
>> or
>>
>> include /etc/ipsec.d/examples/no_oe.conf
> Apparently that wasn't enough. We must have something else wrong as well.
>
> --
> Chris Garrigues
> Senior System Administrator
> Ph: (512) 961-6808
> chris.garrigues at SteepRockInc.com
>
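As an added example, not part of Peter's reply or of the Openswan project, the POSIX shell script below turns the three kernel settings that `ipsec verify` complained about in the quoted output (ip_forward off, send_redirects and accept_redirects left on) into an audit that prints the /etc/sysctl.conf lines still needed. The wanted values are taken from the verify messages and from the `net.ipv4.ip_forward = 1` advice in the reply; the sample input is constructed to resemble the poster's box, and the `--live` mode assumes sysctl(8) is available on the gateway.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the NETKEY-related
# sysctls that `ipsec verify` flagged (ip_forward, send_redirects,
# accept_redirects) and print the sysctl.conf lines that would fix them.
# Assumes sysctl(8) is installed when run with --live; SAMPLE is constructed.

# want_value KEY: print the value a NETKEY Openswan gateway needs for KEY,
# or nothing if KEY is not one of the settings audited here.
want_value() {
    case "$1" in
        net.ipv4.ip_forward) echo 1 ;;               # a gateway must forward
        net.ipv4.conf.*.send_redirects) echo 0 ;;    # NETKEY would send bogus ICMP redirects
        net.ipv4.conf.*.accept_redirects) echo 0 ;;  # and the box would accept bogus ones
        *) ;;
    esac
}

# audit_sysctl_lines: read "key = value" lines on stdin (the format of
# `sysctl -a` and of sysctl.conf), print "key = wanted" for each audited
# key whose value is wrong. Returns 0 if nothing needs fixing, 1 otherwise.
audit_sysctl_lines() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        val=$(printf '%s' "$line" | sed 's/.*=[[:space:]]*//; s/[[:space:]]*$//')
        want=$(want_value "$key")
        [ -n "$want" ] || continue                  # not a key we audit
        if [ "$val" != "$want" ]; then
            echo "$key = $want"
            bad=1
        fi
    done
    return "$bad"
}

# audit_live_system: run the same audit against the running kernel, which
# also covers every per-interface entry under net.ipv4.conf.*.
audit_live_system() {
    sysctl -a 2>/dev/null | audit_sysctl_lines
}

# Constructed sample: forwarding off and redirects at their defaults,
# which is what the verify output in the thread reports.
SAMPLE='net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.tcp_syncookies = 1'

# fixes_for_sample: the sysctl.conf lines the sample machine still needs.
fixes_for_sample() {
    printf '%s\n' "$SAMPLE" | audit_sysctl_lines
}

if [ "${1:-}" = "--live" ]; then
    if audit_live_system; then
        echo "NETKEY-related sysctls are already correct"
    else
        echo "append the lines above to /etc/sysctl.conf, then run: sysctl -p /etc/sysctl.conf"
    fi
else
    if fixes_for_sample; then
        echo "sample needs no changes"
    else
        echo "sample needs the lines above in /etc/sysctl.conf"
    fi
fi
```

Run it with no arguments to see the audit of the constructed sample, or with `--live` on the gateway itself; whatever it prints belongs in /etc/sysctl.conf, after which `sysctl -p /etc/sysctl.conf` applies it, as the reply describes. Auditing `sysctl -a` rather than only the `all` entries matters because the verify message refers to `/proc/sys/net/ipv4/conf/*/`, i.e. every interface's own setting.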