[Openswan Users] CentOS 5.3 and klips
Maverick
maverick.pt at gmail.com
Fri Sep 11 12:00:33 EDT 2009
Hi,
I'm now trying with Fedora 11 x86, which has a newer kernel compared to
CentOS, and I also moved to openswan-2.6.23, but still no luck :(
Has anyone been successful at using klips on Red Hat based systems?
This is what I get when I start the service:
/etc/init.d/ipsec start
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Starting Openswan IPsec 2.6.23...
ipsec_setup: /usr/libexec/ipsec/tncfg: exactly one of
ipsec_setup: '--attach', '--detach', '--create', '--delete' or '--clear'
ipsec_setup: options must be specified.
ipsec_setup: SIOCSIFFLAGS: No such device
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
The only messages I got in dmesg after it are:
padlock: VIA PadLock not detected.
padlock: VIA PadLock Hash Engine not detected.
padlock: VIA PadLock not detected.
My kernel is:
2.6.30.5-43.fc11.i686.PAE #1 SMP Thu Aug 27 21:34:36 EDT 2009 i686 i686 i386 GNU/Linux
My /etc/ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    klipsdebug="verbose"
    #protostack=netkey
    protostack=klips
    nat_traversal=yes
    #virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
My tunnel config file /etc/ipsec.d/ptin.conf:
conn vi-to-ptin
    type=tunnel
    authby=secret
    left=192.168.2.69
    leftsubnet=192.168.2.0/24
    leftid=xxx.xxx.xxx.xxx
    right=xxx.xxx.xxx.xxx
    rightsubnets={10.112.15.3/32, 10.112.15.123/32, 10.112.15.171/32, 10.112.32.94/32, 10.112.64.0/24}
    rightid=xxx.xxx.xxx.xxx
    keyexchange=ike
    ike=aes256-sha1-modp1024
    #ike=aes256-sha1-modp1536
    esp=aes256-sha1
    pfs=yes
    auto=add
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Saturday, 29 August 2009 4:24
To: Maverick
Cc: users at openswan.org
Subject: Re: [Openswan Users] CentOS 5.3 and klips
On Sat, 29 Aug 2009, Maverick wrote:
> # /etc/init.d/ipsec start
> /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
> ipsec_setup: Starting Openswan IPsec 2.6.22...
> ipsec_setup: /usr/libexec/ipsec/_startklips: line 138: 22010 Segmentation fault ipsec tncfg --attach --virtual $virt --physical $phys
> ipsec_setup: SIOCSIFFLAGS: No such device
> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
wow. tncfg segfaults?
Add dumpdir=/var/run/pluto/ to config setup and make it crash, then run
gdb to see what's up?
Another wild guess, is selinux enabled? Anything in dmesg?
what does ipsec --version say? did klips actually load?
Paul
>
> Any idea?
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Wednesday, 26 August 2009 21:46
> To: Maverick
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] CentOS 5.3 and klips
>
> On Wed, 26 Aug 2009, Maverick wrote:
>
>> Then I tried with openswan-2.6.22 and I get this:
>>
>> CC [M] /root/openswan-2.6.22/modobj26/ipsec_xmit.o
>> /root/openswan-2.6.22/modobj26/ipsec_xmit.c: In function 'ipsec_xmit_send':
>> /root/openswan-2.6.22/modobj26/ipsec_xmit.c:2071: error: 'NF_INET_LOCAL_OUT'
>> undeclared (first use in this function)
>
> Change it to NF_IP_LOCAL_OUT.
>
> Paul
>
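
The checks behind the "did klips actually load?" question in the thread above, as an added example that is not part of the original messages and is not Openswan code. It assumes the KLIPS module is named "ipsec" and its first virtual interface is ipsec0; the function names are hypothetical, and the snapshot files in demo() are constructed.

```shell
#!/bin/sh
# Added example, not Openswan code. Inputs are file paths so the checks
# run on saved snapshots as well as on the live /proc files.

# Succeeds if the KLIPS module (assumed name "ipsec") is in a /proc/modules listing.
klips_module_loaded() {
    awk '$1 == "ipsec" { found = 1 } END { exit !found }' "$1"
}

# Succeeds if interface $2 (default ipsec0) is in a /proc/net/dev listing.
klips_iface_present() {
    awk -F: -v want="${2:-ipsec0}" '
        { name = $1; gsub(/[ \t]/, "", name) }
        name == want { found = 1 }
        END { exit !found }' "$1"
}

# Names the first failure seen in captured "ipsec_setup:" start-up output.
classify_start_log() {
    if grep -q 'Segmentation' "$1"; then echo tncfg-segfault
    elif grep -q 'options must be specified' "$1"; then echo tncfg-usage
    elif grep -q 'SIOCSIFFLAGS: No such device' "$1"; then echo no-device
    else echo clean
    fi
}

# triage MODULES NETDEV STARTLOG: one line summarising the three checks.
triage() {
    mod=no; ifc=no
    klips_module_loaded "$1" && mod=yes
    klips_iface_present "$2" && ifc=yes
    echo "module=$mod ipsec0=$ifc start=$(classify_start_log "$3")"
}

# Demo on constructed snapshots; the log lines are copied from the thread.
demo() {
    d=$(mktemp -d) || return 1
    printf 'aes_generic 27484 0 - Live 0xf8a1c000\n' > "$d/modules"
    printf 'Inter-|   Receive\n face |bytes\n    lo: 0 0\n  eth0: 0 0\n' > "$d/netdev"
    printf '%s\n' 'ipsec_setup: /usr/libexec/ipsec/tncfg: exactly one of' \
        'ipsec_setup: options must be specified.' \
        'ipsec_setup: SIOCSIFFLAGS: No such device' > "$d/start.log"
    triage "$d/modules" "$d/netdev" "$d/start.log"
    rm -rf "$d"
}
demo
```

On a live host the same summary comes from `triage /proc/modules /proc/net/dev start.log`, where start.log is the saved output of the init script.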