[Openswan Users] OpenSwan on ubuntu

Michael H. Warfield mhw at WittsEnd.com
Sat Dec 4 11:07:38 EST 2010 

On Sat, 2010-12-04 at 20:09 +0500, Hammad wrote: 
> Hi Laurent,
> You are right, packages come from my hosting company...
> Does it make a difference?

So this VPS is a virtual machine hosted by them, correct?  In that case,
you are probably screwed.  Contact them about VPN service.  You probably
can not do kernel level IPSec, not with an OpenVZ VM at least.  To the
best of my knowledge, OpenVZ / Virtuoso does not support IPsec in a
container and everything I'm reading on the net even up to last July
backs that up.  I though I saw Kir post something to the OpenVZ list
more recently but I haven't been able to find it.

There's a little more about this in Wikipedia:

http://en.wikipedia.org/wiki/OpenVZ

Look under "Limitations".

A little more discussion is present in this thread from the OpenVZ
mailing list...

http://www.mail-archive.com/users@openvz.org/msg03250.html

I believe that OpenVPN would work for you, however, as that's a user
space routed VPN solution that doesn't require any kernel modules.  If
you are trying to connect to an established IPsec gateway, you may want
to look into VPNC, which is IPSec purely in user space but it's designed
to interface to Cisco ASAs and similar XAUTH / Aggressive mode devices.

This article certainly indicates you could use OpenVPN or VPNC:

http://wiki.openvz.org/VPN_via_the_TUN/TAP_device

Both of them operation based on the TUN / TAP interfaces.  But you may
still need support from the hosting provider to get access to the
tun/tap modules.

> Regards,
> Hammad

Regards,
Mike

> On 12/4/10, Laurent Caron <lcaron at unix-scripts.info> wrote:
> > Hi
> >
> > Are u Sure The kernel package comes from redhat and not your virtual server
> > hosting company?
> >
> >
> >
> > Le 4 déc. 2010 à 14:30, Hammad <raohammad at gmail.com> a écrit :
> >
> >> Hi,
> >>
> >> Now thats a bit disturbing... I have now CentOS but still the same
> >> /lib/modules/.... is missing. Its a fresh installation
> >>
> >> Mike: How did you cater this situation? Any ideas?
> >>
> >> [root at vps ~]# service ipsec start
> >> ipsec_setup: FATAL: Could not load
> >> /lib/modules/2.6.18-028stab068.9/modules.dep: No such file or directory
> >> ipsec_setup: Starting Openswan IPsec 2.6.21...
> >> ipsec_setup: multiple ip addresses, using  127.0.0.1 on venet0
> >>
> >> [root at vps ~]# uname -a
> >> Linux vps.flexilogix.com 2.6.18-028stab068.9 #1 SMP Tue Mar 30 17:22:31
> >> MSD 2010 i686 athlon i386 GNU/Linux
> >>
> >>
> >> [root at vps ~]# ipsec verify
> >> Checking your system to see if IPsec got installed and started correctly:
> >> Version check and ipsec on-path                                 [OK]
> >> Linux Openswan U2.6.21/K(no kernel code presently loaded)
> >> Checking for IPsec support in kernel                            [FAILED]
> >> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> >> Checking that pluto is running                                  [FAILED]
> >>   whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
> >> Checking for 'ip' command                                       [OK]
> >> Checking for 'iptables' command                                 [OK]
> >>
> >> Opportunistic Encryption DNS checks:
> >>    Looking for TXT in forward dns zone: vps.flexilogix.com      [MISSING]
> >>    Does the machine have at least one non-private address?      [OK]
> >>    Looking for TXT in reverse dns zone: 20.69.65.216.in-addr.arpa.
> >> [MISSING]
> >>
> >> Regards,
> >> Hammad
> >>
> >> On Sat, Dec 4, 2010 at 9:51 AM, Hammad <raohammad at gmail.com> wrote:
> >> Hi Paul,
> >> No its not a custom compiled (by me) in fact I bought VPS and this is the
> >> ubuntu version I got (jaunty 9.0.4).
> >>
> >> Hi Mike,
> >>
> >>
> >> > WARNING: Couldn't open directory /lib/modules/2.6.18-
> >> 028stab068.9: No
> >> > such file or directory
> >>
> >> I overcame this problem. I 'd    2.6.18-028stab059.6   directory in place
> >> but not the one mentioned in error; I created a soft-link with same name
> >> pointing to actual dir and installation succeeded well ;)
> >>
> >>
> >> So our problem is again back to original, ipsec is not supported by
> >> kernel...
> >>
> >>
> >> > Are you currently actively running and OpenVZ kernel on that machine?
> >>
> >> I suppose yes this VPS is using OpenVZ.
> >>
> >>
> >> > What version are you at?  From there site, it looks like 028stab070.14
> >> > is the latest in the RHEL/CentOS stable 2.6.18 line.
> >>
> >> # uname -a
> >> Linux vps.flexilogix.com 2.6.18-028stab068.9 #1 SMP Tue Mar 30 17:22:31
> >> MSD 2010 i686 GNU/Linux
> >>
> >> > You must have built that Openswan 2.6.31 package yourself, the latest
> >> > RHEL/CentOS 5.x Openswan is 2.6.21.  Did you merely compile it or
> >> > actually build your own rpms?
> >>
> >> Yes, I actually compiled openswan 2,6,31 from sources
> >>
> >> I've come to know from Ubuntu Support groups that there is no ipsec
> >> package for ubuntu jaunty 9.0.4 and its no more updated since Oct 23 2010.
> >> So I suppose its the time to switch back to CentOS that is my actual
> >> playground...
> >>
> >> Thanks for your help all.
> >> Hammad ( aka Hammond :) )
> >>
> >>
> >> On Sat, Dec 4, 2010 at 2:32 AM, Michael H. Warfield <mhw at wittsend.com>
> >> wrote:
> >> Paul (and Hammond),
> >>
> >> On Fri, 2010-12-03 at 11:49 -0500, Paul Wouters wrote:
> >> > On Fri, 3 Dec 2010, Hammad wrote:
> >> >
> >> > > Here is the output of commands...
> >> > > root at vps:/usr/local# modprobe ipsec
> >> > > WARNING: Deprecated config file /etc/modprobe.conf, all config files
> >> > > belong into /etc/modprobe.d/.
> >> > > FATAL: Module ipsec not found.
> >> > >
> >> > > root at vps:/usr/local# modprobe af_key
> >> > > WARNING: Deprecated config file /etc/modprobe.conf, all config files
> >> > > belong into /etc/modprobe.d/.
> >> > > FATAL: Module af_key not found.
> >> > >
> >> > > root at vps:/usr/local# ipsec --version
> >> > > Linux Openswan U2.6.31/K(no kernel code presently loaded)
> >> > > See `ipsec --copyright' for copyright information.
> >>
> >> > Your kernel has no IPsec support. Perhaps you are missing the right
> >> > modules directory, or support
> >> > was not compiled on that kernel. Seems like this is a non-distribution,
> >> > custom built kernel?
> >>
> >> It doesn't show up in this last message but in an earlier post I saw
> >> this...
> >>
> >> > WARNING: Couldn't open directory /lib/modules/2.6.18-028stab068.9: No
> >> > such file or directory
> >>
> >> That tells me two things.
> >>
> >> 1) He's running an OpenVZ kernel.  That's one of their revision strings
> >> and that's one of their releases for the RHEL distro.  Not too terribly
> >> old but back several clicks.
> >>
> >> 2) He was, at that time, running on a kernel which had been updated
> >> (possibly by a mainline distro kernel or possibly by a newer OpenVZ
> >> kernel) and the running kernel had been uninstalled by yum so the
> >> modules directory no longer existed.
> >>
> >> Now...  That being said...  Prior to swapping all of my OpenVZ VM's (> 3
> >> dozen) over to LXC to get back on a more current kernel with in-tree
> >> container virtualization, I was an extensive user of OpenVZ.  Those
> >> kernels certainly do have IPsec compiled in as modules.  I've used it.
> >>
> >> Hammond,
> >>
> >> Are you currently actively running and OpenVZ kernel on that machine?
> >>
> >> What version are you at?  From there site, it looks like 028stab070.14
> >> is the latest in the RHEL/CentOS stable 2.6.18 line.
> >>
> >> What are you running (uname -a) and what do you have installed?
> >>
> >> Did you install it from their site with yum or downloaded it or build a
> >> custom build (which I often had done with newer releases)?  (One flaw
> >> with their yum repo is that it doesn't properly setup the install only
> >> and a couple of other conditions to prevent removing the running
> >> kernel).
> >>
> >> You must have built that Openswan 2.6.31 package yourself, the latest
> >> RHEL/CentOS 5.x Openswan is 2.6.21.  Did you merely compile it or
> >> actually build your own rpms?
> >>
> >> What's in your grub.conf file and are you running on the latest kernel
> >> which was installed?
> >>
> >> > Paul
> >>
> >> Regards,
> >> Mike
> >> --
> >> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
> >>   /\/\|=mhw=|\/\/          | (678) 463-0932 |
> >> http://www.wittsend.com/mhw/
> >>   NIC whois: MHW9          | An optimist believes we live in the best of
> >> all
> >>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> >>
> >>
> >> _______________________________________________
> >> Users at openswan.org
> >> http://lists.openswan.org/mailman/listinfo/users
> >> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> >> Building and Integrating Virtual Private Networks with Openswan:
> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20101204/37577527/attachment-0001.bin

More information about the Users mailing list