[Openswan Users] OpenSwan on ubuntu

Hammad raohammad at gmail.com
Sun Dec 5 03:46:10 EST 2010


Hi All,

Just for the sake of completing this thread: IPSec is not supported by
VPS vendors who are based on OpenVZ, as explained below.
I shifted my server to Amazon EC2 and their custom packages solved all
problems in the first go.

[root at xxxxx~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.27/K2.6.34.7-56.40.amzn1.i686 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Thank you all for your help and fruitful discussion.

Regards,


On Sat, Dec 4, 2010 at 9:07 PM, Michael H. Warfield <mhw at wittsend.com> wrote:

> On Sat, 2010-12-04 at 20:09 +0500, Hammad wrote:
> > Hi Laurent,
> > You are right, packages come from my hosting company...
> > Does it make a difference?
>
> So this VPS is a virtual machine hosted by them, correct?  In that case,
> you are probably screwed.  Contact them about VPN service.  You probably
> can not do kernel level IPSec, not with an OpenVZ VM at least.  To the
> best of my knowledge, OpenVZ / Virtuozzo does not support IPsec in a
> container and everything I'm reading on the net even up to last July
> backs that up.  I thought I saw Kir post something to the OpenVZ list
> more recently but I haven't been able to find it.
>
> There's a little more about this in Wikipedia:
>
> http://en.wikipedia.org/wiki/OpenVZ
>
> Look under "Limitations".
>
> A little more discussion is present in this thread from the OpenVZ
> mailing list...
>
> http://www.mail-archive.com/users@openvz.org/msg03250.html
>
> I believe that OpenVPN would work for you, however, as that's a user
> space routed VPN solution that doesn't require any kernel modules.  If
> you are trying to connect to an established IPsec gateway, you may want
> to look into VPNC, which is IPSec purely in user space but it's designed
> to interface to Cisco ASAs and similar XAUTH / Aggressive mode devices.
>
> This article certainly indicates you could use OpenVPN or VPNC:
>
> http://wiki.openvz.org/VPN_via_the_TUN/TAP_device
>
> Both of them operate based on the TUN / TAP interfaces.  But you may
> still need support from the hosting provider to get access to the
> tun/tap modules.
>
> > Regards,
> > Hammad
>
> Regards,
> Mike
>
> > On 12/4/10, Laurent Caron <lcaron at unix-scripts.info> wrote:
> > > Hi
> > >
> > > Are you sure the kernel package comes from Red Hat and not your virtual server
> > > hosting company?
> > >
> > >
> > >
> > > On 4 Dec 2010 at 14:30, Hammad <raohammad at gmail.com> wrote:
> > >
> > >> Hi,
> > >>
> > > >> Now that's a bit disturbing... I have now CentOS but still the same
> > > >> /lib/modules/.... is missing. It's a fresh installation
> > >>
> > >> Mike: How did you cater this situation? Any ideas?
> > >>
> > > >> [root at vps ~]# service ipsec start
> > > >> ipsec_setup: FATAL: Could not load /lib/modules/2.6.18-028stab068.9/modules.dep: No such file or directory
> > > >> ipsec_setup: Starting Openswan IPsec 2.6.21...
> > > >> ipsec_setup: multiple ip addresses, using  127.0.0.1 on venet0
> > > >>
> > > >> [root at vps ~]# uname -a
> > > >> Linux vps.flexilogix.com 2.6.18-028stab068.9 #1 SMP Tue Mar 30 17:22:31 MSD 2010 i686 athlon i386 GNU/Linux
> > > >>
> > > >>
> > > >> [root at vps ~]# ipsec verify
> > > >> Checking your system to see if IPsec got installed and started correctly:
> > > >> Version check and ipsec on-path                                 [OK]
> > > >> Linux Openswan U2.6.21/K(no kernel code presently loaded)
> > > >> Checking for IPsec support in kernel                            [FAILED]
> > > >> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> > > >> Checking that pluto is running                                  [FAILED]
> > > >>   whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
> > > >> Checking for 'ip' command                                       [OK]
> > > >> Checking for 'iptables' command                                 [OK]
> > > >>
> > > >> Opportunistic Encryption DNS checks:
> > > >>    Looking for TXT in forward dns zone: vps.flexilogix.com      [MISSING]
> > > >>    Does the machine have at least one non-private address?      [OK]
> > > >>    Looking for TXT in reverse dns zone: 20.69.65.216.in-addr.arpa. [MISSING]
> > >>
> > >> Regards,
> > >> Hammad
> > >>
> > >> On Sat, Dec 4, 2010 at 9:51 AM, Hammad <raohammad at gmail.com> wrote:
> > >> Hi Paul,
> > > >> No, it's not custom compiled (by me); in fact I bought a VPS and this is the
> > > >> Ubuntu version I got (jaunty 9.0.4).
> > >>
> > >> Hi Mike,
> > >>
> > >>
> > > >> > WARNING: Couldn't open directory /lib/modules/2.6.18-028stab068.9: No
> > > >> > such file or directory
> > > >>
> > > >> I overcame this problem. I had the 2.6.18-028stab059.6 directory in place
> > > >> but not the one mentioned in the error; I created a soft link with the same name
> > > >> pointing to the actual dir and installation succeeded well ;)
> > >>
> > >>
> > >> So our problem is again back to original, ipsec is not supported by
> > >> kernel...
> > >>
> > >>
> > > >> > Are you currently actively running an OpenVZ kernel on that machine?
> > > >>
> > > >> I suppose yes, this VPS is using OpenVZ.
> > > >>
> > > >>
> > > >> > What version are you at?  From their site, it looks like 028stab070.14
> > > >> > is the latest in the RHEL/CentOS stable 2.6.18 line.
> > > >>
> > > >> # uname -a
> > > >> Linux vps.flexilogix.com 2.6.18-028stab068.9 #1 SMP Tue Mar 30 17:22:31 MSD 2010 i686 GNU/Linux
> > > >>
> > > >> > You must have built that Openswan 2.6.31 package yourself, the latest
> > > >> > RHEL/CentOS 5.x Openswan is 2.6.21.  Did you merely compile it or
> > > >> > actually build your own rpms?
> > > >>
> > > >> Yes, I actually compiled Openswan 2.6.31 from sources
> > > >>
> > > >> I've come to know from Ubuntu Support groups that there is no ipsec
> > > >> package for Ubuntu jaunty 9.0.4 and it's no more updated since Oct 23 2010.
> > > >> So I suppose it's the time to switch back to CentOS that is my actual
> > > >> playground...
> > >>
> > >> Thanks for your help all.
> > >> Hammad ( aka Hammond :) )
> > >>
> > >>
> > > >> On Sat, Dec 4, 2010 at 2:32 AM, Michael H. Warfield <mhw at wittsend.com> wrote:
> > >> Paul (and Hammond),
> > >>
> > >> On Fri, 2010-12-03 at 11:49 -0500, Paul Wouters wrote:
> > >> > On Fri, 3 Dec 2010, Hammad wrote:
> > >> >
> > >> > > Here is the output of commands...
> > >> > > root at vps:/usr/local# modprobe ipsec
> > > >> > > WARNING: Deprecated config file /etc/modprobe.conf, all config files
> > > >> > > belong into /etc/modprobe.d/.
> > > >> > > FATAL: Module ipsec not found.
> > > >> > >
> > > >> > > root at vps:/usr/local# modprobe af_key
> > > >> > > WARNING: Deprecated config file /etc/modprobe.conf, all config files
> > > >> > > belong into /etc/modprobe.d/.
> > > >> > > FATAL: Module af_key not found.
> > > >> > >
> > > >> > > root at vps:/usr/local# ipsec --version
> > > >> > > Linux Openswan U2.6.31/K(no kernel code presently loaded)
> > > >> > > See `ipsec --copyright' for copyright information.
> > > >>
> > > >> > Your kernel has no IPsec support. Perhaps you are missing the right
> > > >> > modules directory, or support was not compiled on that kernel.
> > > >> > Seems like this is a non-distribution, custom built kernel?
> > >>
> > >> It doesn't show up in this last message but in an earlier post I saw
> > >> this...
> > >>
> > > >> > WARNING: Couldn't open directory /lib/modules/2.6.18-028stab068.9: No
> > > >> > such file or directory
> > > >>
> > > >> That tells me two things.
> > > >>
> > > >> 1) He's running an OpenVZ kernel.  That's one of their revision strings
> > > >> and that's one of their releases for the RHEL distro.  Not too terribly
> > > >> old but back several clicks.
> > > >>
> > > >> 2) He was, at that time, running on a kernel which had been updated
> > > >> (possibly by a mainline distro kernel or possibly by a newer OpenVZ
> > > >> kernel) and the running kernel had been uninstalled by yum so the
> > > >> modules directory no longer existed.
> > > >>
> > > >> Now...  That being said...  Prior to swapping all of my OpenVZ VM's (> 3
> > > >> dozen) over to LXC to get back on a more current kernel with in-tree
> > > >> container virtualization, I was an extensive user of OpenVZ.  Those
> > > >> kernels certainly do have IPsec compiled in as modules.  I've used it.
> > >>
> > >> Hammond,
> > >>
> > > >> Are you currently actively running an OpenVZ kernel on that machine?
> > > >>
> > > >> What version are you at?  From their site, it looks like 028stab070.14
> > > >> is the latest in the RHEL/CentOS stable 2.6.18 line.
> > > >>
> > > >> What are you running (uname -a) and what do you have installed?
> > > >>
> > > >> Did you install it from their site with yum or download it or build a
> > > >> custom build (which I often had done with newer releases)?  (One flaw
> > > >> with their yum repo is that it doesn't properly setup the install only
> > > >> and a couple of other conditions to prevent removing the running
> > > >> kernel).
> > > >>
> > > >> You must have built that Openswan 2.6.31 package yourself, the latest
> > > >> RHEL/CentOS 5.x Openswan is 2.6.21.  Did you merely compile it or
> > > >> actually build your own rpms?
> > > >>
> > > >> What's in your grub.conf file and are you running on the latest kernel
> > > >> which was installed?
> > >>
> > >> > Paul
> > >>
> > >> Regards,
> > >> Mike
> > >> --
> > >> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
> > > >>   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> > > >>   NIC whois: MHW9          | An optimist believes we live in the best of all
> > > >>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > >>
> > >>
> > >
> >
>
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>   NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>
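
A diagnostic for the failure chain discussed in this thread, as an added example that is not part of any poster's message or of Openswan: it reports whether the machine is an OpenVZ container, whether a module tree exists for the running kernel, whether NETKEY's /proc/net/pfkey is present, and whether /dev/net/tun is available for a user-space VPN. The function names and the root-prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Added example. The optional root-prefix argument is an assumption of this
# sketch so the checks can run against a constructed directory tree.

# OpenVZ exposes /proc/vz everywhere; /proc/bc exists only on the hardware node.
openvz_role() {
    if [ -d "${1:-}/proc/vz" ] && [ ! -d "${1:-}/proc/bc" ]; then echo container
    elif [ -d "${1:-}/proc/vz" ]; then echo host
    else echo none
    fi
}

# modprobe needs /lib/modules/<running release>/modules.dep (the FATAL in the thread).
modules_state() {   # $1 = root prefix, $2 = kernel release
    if [ -f "$1/lib/modules/$2/modules.dep" ]; then echo present
    elif [ -d "$1/lib/modules/$2" ]; then echo no-modules.dep
    else echo missing
    fi
}

# NETKEY is usable once af_key has registered /proc/net/pfkey.
netkey_state() { if [ -e "${1:-}/proc/net/pfkey" ]; then echo loaded; else echo absent; fi; }

# OpenVPN and vpnc need the TUN/TAP device node instead of kernel IPsec.
tun_state() { if [ -e "${1:-}/dev/net/tun" ]; then echo present; else echo absent; fi; }

diagnose() {        # $1 = root prefix (default /), $2 = release (default uname -r)
    root=${1:-}; rel=${2:-$(uname -r)}
    role=$(openvz_role "$root"); mods=$(modules_state "$root" "$rel")
    nk=$(netkey_state "$root"); tun=$(tun_state "$root")
    if [ "$nk" = loaded ]; then
        verdict="kernel IPsec (NETKEY) is available"
    elif [ "$role" = container ]; then
        verdict="OpenVZ container: kernel belongs to the provider, ask them or use a TUN/TAP VPN"
    elif [ "$mods" != present ]; then
        verdict="no usable module tree for $rel: install or boot a matching kernel"
    else
        verdict="module tree present: try 'modprobe af_key'"
    fi
    echo "openvz=$role modules=$mods netkey=$nk tun=$tun verdict: $verdict"
}

diagnose "${ROOT:-}"
```

Run it as root on the VPS before installing Openswan; inside an OpenVZ container, symlinking a different release's module directory changes the `modules` field but not the `netkey` one.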