[Openswan Users] Difficulties
João Kuchnier
joao.kuchnier at gmail.com
Mon Jun 15 12:38:46 EDT 2009
Hi Michael,
Thanks for your help!
I changed options in sysctl.conf. My "ipsec verify":
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.21/K2.6.24-19-server (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
I think the VPN is established. Openswan log:
"conn1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"conn1" #1: Main mode peer ID is ID_IPV4_ADDR: '200.184.163.4'
"conn1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"conn1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
"conn2" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:12baf275 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
"conn1" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:136cd5e6 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
"conn2" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"conn2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x076a6e29 <0xd46295eb xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
"conn1" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"conn1" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x05f8a6d9 <0xa2b8414a xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
>
> What do you mean "it stops here"? Does it hang or return you to the
> command prompt? I'm not sure what distro you're running this from but
> you need to provide some logs from /var/log/secure.
>
The cursor stays locked... and it is still locked...
João K.
2009/6/15 Michael H. Warfield <mhw at wittsend.com>:
> On Mon, 2009-06-15 at 10:22 -0300, João Kuchnier wrote:
>> Hi Paul,
>
>> On Wed, 10 Jun 2009, João Kuchnier wrote:
>
>> > > --> OK, but I encountered these errors while compiling...
>
>> #Your email client's method of quoting is very unreadable to me, just so you know...
>
>> Sorry, but I'm using Gmail
>
> Recurse back to stock joke about "here's a nickel kid, get yourself a
> better mailer".
>
>> > > #make programs install
>> > > #In file included from /home/administrador/openswan-2.6.21/include/certs.h:23,
>> > > #                 from /home/administrador/openswan-2.6.21/lib/libopenswan/id.c:40:
>> > > #/home/administrador/openswan-2.6.21/include/secrets.h:19:41: error: gmp.h: No such file or directory
>
>> #Install gmp-devel / libgmp3-dev
>
>> --> OK. I installed three other packages too: flex, xmlto and bison.
>> --> Now I'm facing another problem:
>
>> root at vpn:~/openswan-2.6.21# /etc/init.d/ipsec restart
>> ipsec_setup: Stopping Openswan IPsec...
>> ipsec_setup: Starting Openswan IPsec 2.6.21...
>> ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
>> ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
>
>> I used the protostack=netkey option in ipsec.conf but the VPN seems
>> not to start
>
>> root at vpn-lyra:~/openswan-2.6.21# /etc/init.d/ipsec restart
>> ipsec_setup: Stopping Openswan IPsec...
>> ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.24-19-server...
>> ipsec_setup: multiple ip addresses, using 192.168.1.224 on eth0
>> It stops here...
>
> What do you mean "it stops here"? Does it hang or return you to the
> command prompt? I'm not sure what distro you're running this from but
> you need to provide some logs from /var/log/secure.
>
>> Running "ipsec verify"
>
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path [OK]
>> Linux Openswan U2.6.21/K2.6.24-19-server (netkey)
>> Checking for IPsec support in kernel [OK]
>> NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
>
>> Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>> or NETKEY will cause the sending of bogus ICMP redirects!
>
> This is really a non-fatal problem but something you probably should
> fix.
>
>> NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
>>
>> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>> or NETKEY will accept bogus ICMP redirects!
>
> Again, non fatal but probably should fix. At worst, this would cause
> some unpredictable behavior under certain circumstances.
>
> Again, I don't know what distro you are running (I run mostly Fedora
> and CentOS on my production systems)... Add the following lines
> to /etc/sysctl.conf:
>
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.all.accept_redirects = 0
>
> Now run sysctl -p
>
> Now rerun the "ipsec verify" command and those "FAILED" results should
> be gone.
>
>> Checking for RSA private key (/etc/ipsec.secrets) [OK]
>> Checking that pluto is running [OK]
>> Two or more interfaces found, checking IP forwarding [OK]
>> Checking NAT and MASQUERADEing
>> Checking for 'ip' command [OK]
>> Checking for 'iptables' command [OK]
>> Opportunistic Encryption Support [DISABLED]
>
> Nothing here showed any reason for the VPN not to start. You need to
> provide some logs just for openers.
>
>> #Paul
>
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
>
>
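As an added example for the sysctl fix Michael describes in the quoted thread (this is not code from Openswan or from either poster), the script below reproduces the two NETKEY redirect checks that "ipsec verify" reported as FAILED and applies the four settings he lists. The ROOT and CONF parameters, the file name redirects.sh and the directory tree used for testing are assumptions for illustration; on the gateway the defaults point at /proc/sys and /etc/sysctl.conf and the script must run as root.

```shell
#!/bin/sh
# Added example for this thread, not code from Openswan or from the posters.
# Reproduces the NETKEY send_redirects / accept_redirects checks of
# "ipsec verify" and applies the sysctl.conf fix from the thread, extended to
# every per-interface entry.  ROOT and CONF are parameters (assumption made
# here) so the functions can be run against a constructed directory tree
# instead of the live /proc/sys and /etc/sysctl.conf.

# check_redirects [ROOT]: print every send_redirects / accept_redirects entry
# under ROOT/net/ipv4/conf that is not 0.  Returns 0 if all are 0, else 1.
# "ipsec verify" refers to exactly this glob in its FAILED message.
check_redirects() {
    root="${1:-/proc/sys}"
    rc=0
    for key in send_redirects accept_redirects; do
        for f in "$root"/net/ipv4/conf/*/"$key"; do
            [ -r "$f" ] || continue          # unmatched glob or unreadable entry
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                echo "FAILED: $f = $val"
                rc=1
            fi
        done
    done
    return $rc
}

# fix_redirects [ROOT] [CONF]: persist the four lines from the thread in CONF
# (idempotent: a line is appended only if that key is not already set) and
# write 0 into each live entry under ROOT, which is what "sysctl -w" does.
# The per-interface loop is there because setting only "all" and "default"
# does not necessarily rewrite the eth0/lo entries that the check reads.
fix_redirects() {
    root="${1:-/proc/sys}"
    conf="${2:-/etc/sysctl.conf}"
    for key in send_redirects accept_redirects; do
        for scope in default all; do
            grep -qs "^net\.ipv4\.conf\.$scope\.$key[[:space:]]*=" "$conf" ||
                echo "net.ipv4.conf.$scope.$key = 0" >> "$conf"
        done
        for f in "$root"/net/ipv4/conf/*/"$key"; do
            [ -w "$f" ] && echo 0 > "$f"
        done
    done
    return 0
}

# Usage on the gateway (as root):  sh redirects.sh check   or   sh redirects.sh fix
case "${1:-}" in
    check) check_redirects ;;
    fix)   fix_redirects && check_redirects ;;
esac
```

After "fix", rerun "ipsec verify"; the two NETKEY lines should read [OK]. Interfaces brought up later pick up the "default" entry, which is why that line is persisted alongside "all".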