[Openswan Users] Difficulties

Michael H. Warfield mhw at WittsEnd.com
Mon Jun 15 10:59:19 EDT 2009


On Mon, 2009-06-15 at 10:22 -0300, João Kuchnier wrote:
> Hi Paul,

> On Wed, 10 Jun 2009, João Kuchnier wrote:

> > > --> OK, but I encountered this errors while compiling...

> #Your email client's method of quoting is very unreadable to me, just
> so
> #you know...

> Sorry, but I'm using Gmail

	Recurse back to stock joke about "here's a nickel kid, get yourself a
better mailer".

> > > #make programs install
> > > #In file included
> from /home/administrador/openswan-2.6.21/include/certs.h:23,
> > > #
> from /home/administrador/openswan-2.6.21/lib/libopenswan/id.c:40:
> > > #/home/administrador/openswan-2.6.21/include/secrets.h:19:41:
> error: gmp.h: No such file or directory

> #Install gmp-devel / libgmp3-dev

> --> OK. I installed other three packages too: flex, xmlto and bison.
> --> Now I'm facing another problem:

> root at vpn:~/openswan-2.6.21# /etc/init.d/ipsec restart
> ipsec_setup: Stopping Openswan IPsec...
> ipsec_setup: Starting Openswan IPsec 2.6.21...
> ipsec_setup: No KLIPS support found while requested, desperately
> falling back to netkey
> ipsec_setup: NETKEY support found. Use protostack=netkey
> in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to
> continue with NETKEY

> I used the protostack=netkey option in ipsec.conf but the VPN seems
> not to start

> root at vpn-lyra:~/openswan-2.6.21# /etc/init.d/ipsec restart
> ipsec_setup: Stopping Openswan IPsec...
> ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.24-19-server...
> ipsec_setup: multiple ip addresses, using  192.168.1.224 on eth0
> It stops here...

	What do you mean "it stops here"?  Does it hang or return you to the
command prompt?  I'm not sure what distro you're running this from but
you need to provide some logs from /var/log/secure.

> Running "ipsec verify"

> Checking your system to see if IPsec got installed and started
> correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.6.21/K2.6.24-19-server (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects
> [FAILED]

>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!

	This is really a non-fatal problem but something you probably should
fix.

> NETKEY detected, testing for disabled ICMP accept_redirects
> [FAILED]
> 
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!

	Again, non-fatal but probably should fix.  At worst, this would cause
some unpredictable behavior under certain circumstances.

	Again, I don't know what distro you are running (I run mostly Fedora
and CentOS on my production systems)...  Add the following lines
to /etc/sysctl.conf:

net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0

	Now run sysctl -p

	Now rerun the "ipsec verify" command and those "FAILED" results should
be gone.

> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing                              
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support
> [DISABLED]

	Nothing here showed any reason for the VPN not to start.  You need to
provide some logs just for openers.

> #Paul

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
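
The "ipsec verify" output quoted above tests /proc/sys/net/ipv4/conf/*/send_redirects and .../accept_redirects, that is, one entry per interface. The following check is an added example, not part of the original message and not Openswan code; it lists every entry that is still non-zero and prints matching sysctl.conf lines. The function names and the sample tree are constructed for illustration, and interface names are assumed to contain no dots.

```sh
#!/bin/sh
# Added example: report per-interface ICMP redirect settings still enabled.

# Print "<iface> <knob>=<value>" for every entry whose value is not 0.
# $1 = conf directory (defaults to the live /proc tree).
redirects_enabled() {
    conf_root="${1:-/proc/sys/net/ipv4/conf}"
    for knob in send_redirects accept_redirects; do
        for f in "$conf_root"/*/"$knob"; do
            [ -r "$f" ] || continue      # glob matched nothing, or unreadable
            val=$(cat "$f")
            iface=$(basename "$(dirname "$f")")
            [ "$val" = "0" ] || echo "$iface $knob=$val"
        done
    done
}

# Turn each reported entry into a sysctl.conf line that disables it.
# Assumption: interface names without dots (e.g. no VLAN names like eth0.100).
redirects_fix_lines() {
    redirects_enabled "$1" | while read -r iface setting; do
        echo "net.ipv4.conf.$iface.${setting%%=*} = 0"
    done
}

# Constructed sample tree: "all" and "default" are 0, eth0 is still 1.
build_sample_tree() {
    root=$(mktemp -d)
    for iface in all default eth0 lo; do
        mkdir -p "$root/$iface"
        echo 0 > "$root/$iface/send_redirects"
        echo 0 > "$root/$iface/accept_redirects"
    done
    echo 1 > "$root/eth0/send_redirects"
    echo 1 > "$root/eth0/accept_redirects"
    echo "$root"
}

# Demo on the constructed tree; call redirects_enabled with no argument
# to inspect the running system instead.
sample=$(build_sample_tree)
redirects_enabled "$sample"
redirects_fix_lines "$sample"
rm -rf "$sample"
```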
