[Openswan Users] Difficulties
João Kuchnier
joao.kuchnier at gmail.com
Wed Jun 10 07:51:33 EDT 2009
On Tue, 9 Jun 2009, João Kuchnier wrote:
> Both tunnels establish, so my guess is this is a firewalling or
> routing issue. Are you excluding packets that are going to be
> tunneled from getting NAT'ed?
> --> Like I said in the first e-mail (I lost it too), I have a firewall with two zones, tunnels and hosts to both subnets on that end.
> Everything coming from or going to that end is accepted on the firewall and nat'ed to the DMZ Openswan server.
>
> --> On the Openswan server there is another firewall (shorewall too) nat'ing some specific packages for two other servers on the DMZ.
> --> /etc/shorewall/rules is like this: DNAT net net:192.168.1.x tcp 2xxx
But you might not be excluding all NAT ranges you are trying to tunnel?
--> I don't think so, but I will try to figure it out with the
shorewall users list.
> --> maybe this is the problem at all
> Jun 5 16:03:43 conn2 ipsec_setup: Starting Openswan IPsec 2.4.9...
> Could use an update to openswan 2.4.14.
> --> I'm using Ubuntu Server 8.10. This version is the newest one available in the repositories...
Debian/ubuntu needs to learn not to ship ancient versions. I suggest you
upgrade to 2.4.14.
--> I downloaded the 2.6.21 version...
> What does 'ipsec verify' say?
> --> ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
>
> Linux Openswan U2.4.9/K2.6.24-19-server (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
> Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> or NETKEY will cause the sending of bogus ICMP redirects!
> NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
> or NETKEY will accept bogus ICMP redirects!
Fix those. grab a recent openswan-2.6.x release and check
programs/examples/sysctl.conf.in
to see the entries you need to have.
--> OK, but I encountered these errors while compiling...
#make programs install
#In file included from /home/administrador/openswan-2.6.21/include/certs.h:23,
# from /home/administrador/openswan-2.6.21/lib/libopenswan/id.c:40:
#/home/administrador/openswan-2.6.21/include/secrets.h:19:41: error: gmp.h: No such file or directory
#In file included from /home/administrador/openswan-2.6.21/include/certs.h:23,
# from /home/administrador/openswan-2.6.21/lib/libopenswan/id.c:40:
#/home/administrador/openswan-2.6.21/include/secrets.h:37: error: expected specifier-qualifier-list before ‘MP_INT’
#/home/administrador/openswan-2.6.21/include/secrets.h:45: error: expected specifier-qualifier-list before ‘MP_INT’
#make[3]: *** [id.o] Error 1
#make[3]: Leaving directory `/home/administrador/openswan-2.6.21/OBJ.linux.i386/lib/libopenswan'
#make[2]: *** [programs] Error 1
#make[2]: Leaving directory `/home/administrador/openswan-2.6.21/OBJ.linux.i386/lib'
#make[1]: *** [programs] Error 1
#make[1]: Leaving directory `/home/administrador/openswan-2.6.21/OBJ.linux.i386'
#make: *** [programs] Error 2
--> I found out that I need to install the gmp development package. I
installed it, but I'm still getting the same error...
João K.
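
The two [FAILED] lines from 'ipsec verify' quoted above concern the per-interface send_redirects and accept_redirects entries under /proc/sys/net/ipv4/conf. The script below is an added example, not part of the original message or of Openswan: it lists the interfaces where either entry is still enabled and prints the sysctl.conf lines that would disable them. The function names and the optional ROOT argument (used to point the check at a constructed directory tree) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the ICMP redirect settings that 'ipsec verify' flags
# on NETKEY. Function names and the ROOT argument are hypothetical.

# list_redirect_offenders KEY [ROOT]
# Prints the name of every interface directory whose KEY entry is not 0.
list_redirect_offenders() {
    key=$1
    root=${2:-/proc/sys/net/ipv4/conf}
    for f in "$root"/*/"$key"; do
        [ -r "$f" ] || continue          # unmatched glob or unreadable entry
        if [ "$(cat "$f")" != "0" ]; then
            iface=${f%/*}                # strip "/KEY"
            printf '%s\n' "${iface##*/}" # keep the last path component
        fi
    done
}

# sysctl_fix_lines [ROOT]
# Emits one sysctl.conf-style line per offending entry.
sysctl_fix_lines() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for key in send_redirects accept_redirects; do
        list_redirect_offenders "$key" "$root" | while read -r iface; do
            # sysctl separates components with '.', so an interface name
            # that itself contains a dot (eth0.10) is written with '/'.
            name=$(printf '%s' "$iface" | tr . /)
            printf 'net.ipv4.conf.%s.%s = 0\n' "$name" "$key"
        done
    done
}

# redirects_ok [ROOT]
# Succeeds only when no interface has either redirect setting enabled.
redirects_ok() {
    [ -z "$(sysctl_fix_lines "$1")" ]
}

# Print the fix lines for the live system when invoked with --print.
if [ "${1:-}" = "--print" ]; then
    sysctl_fix_lines
fi
```

Entries under "all" and "default" are reported along with the named interfaces, since the verify output asks for every entry matching the wildcard path to be disabled.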