[Openswan Users] OpenSwan on ubuntu
Michael H. Warfield
mhw at WittsEnd.com
Wed Dec 15 17:53:11 EST 2010
On Sun, 2010-12-05 at 13:46 +0500, Hammad wrote:
> Hi All,
>
> Just for the sake of completion of this thread. IPSec is not supported
> by
> VPS vendors who are based on openVZ as explained below.
> I shifted my server to Amazon EC2 and their custom packages solved all
> problems in first go..
Just for completeness too and for the record, while I know this does not
help out the OP with that original hosting outfit who is probably stuck
on RHEL5 w/ a 2.6.18 kernel and OpenVZ, it does now appear that Pavel
has enabled IPSec in an OpenVZ container under 2.6.32. I see a check-in
to that effect, 7 days ago, but it has not reached a release, and no
sign of it ever appearing in a 2.6.18 kernel, the branch of which is
labeled "frozen".
http://git.openvz.org/?p=linux-2.6.32-openvz;a=summary
So there's hope there for the future.
Regards,
Mike
> [root at xxxxx~]# ipsec verify
> Checking your system to see if IPsec got installed and started
> correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.27/K2.6.34.7-56.40.amzn1.i686 (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for NAT-T on udp 4500 [OK]
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support
> [DISABLED]
>
> Thank you all for your help and fruitful discussion.
>
> Regards,
>
>
> On Sat, Dec 4, 2010 at 9:07 PM, Michael H. Warfield
> <mhw at wittsend.com>wrote:
>
> > On Sat, 2010-12-04 at 20:09 +0500, Hammad wrote:
> > > Hi Laurent,
> > > You are right, packages come from my hosting company...
> > > Does it make a difference?
> >
> > So this VPS is a virtual machine hosted by them, correct? In that
> case,
> > you are probably screwed. Contact them about VPN service. You
> probably
> > can not do kernel level IPSec, not with an OpenVZ VM at least. To
> the
> > best of my knowledge, OpenVZ / Virtuoso does not support IPsec in a
> > container and everything I'm reading on the net even up to last July
> > backs that up. I though I saw Kir post something to the OpenVZ list
> > more recently but I haven't been able to find it.
> >
> > There's a little more about this in Wikipedia:
> >
> > http://en.wikipedia.org/wiki/OpenVZ
> >
> > Look under "Limitations".
> >
> > A little more discussion is present in this thread from the OpenVZ
> > mailing list...
> >
> > http://www.mail-archive.com/users@openvz.org/msg03250.html
> >
> > I believe that OpenVPN would work for you, however, as that's a user
> > space routed VPN solution that doesn't require any kernel modules.
> If
> > you are trying to connect to an established IPsec gateway, you may
> want
> > to look into VPNC, which is IPSec purely in user space but it's
> designed
> > to interface to Cisco ASAs and similar XAUTH / Aggressive mode
> devices.
> >
> > This article certainly indicates you could use OpenVPN or VPNC:
> >
> > http://wiki.openvz.org/VPN_via_the_TUN/TAP_device
> >
> > Both of them operation based on the TUN / TAP interfaces. But you
> may
> > still need support from the hosting provider to get access to the
> > tun/tap modules.
> >
> > > Regards,
> > > Hammad
> >
> > Regards,
> > Mike
> >
> > > On 12/4/10, Laurent Caron <lcaron at unix-scripts.info> wrote:
> > > > Hi
> > > >
> > > > Are u Sure The kernel package comes from redhat and not your
> virtual
> > server
> > > > hosting company?
> > > >
> > > >
> > > >
> > > > Le 4 déc. 2010 à 14:30, Hammad <raohammad at gmail.com> a écrit :
> > > >
> > > >> Hi,
> > > >>
> > > >> Now thats a bit disturbing... I have now CentOS but still the
> same
> > > >> /lib/modules/.... is missing. Its a fresh installation
> > > >>
> > > >> Mike: How did you cater this situation? Any ideas?
> > > >>
> > > >> [root at vps ~]# service ipsec start
> > > >> ipsec_setup: FATAL: Could not load
> > > >> /lib/modules/2.6.18-028stab068.9/modules.dep: No such file or
> > directory
> > > >> ipsec_setup: Starting Openswan IPsec 2.6.21...
> > > >> ipsec_setup: multiple ip addresses, using 127.0.0.1 on venet0
> > > >>
> > > >> [root at vps ~]# uname -a
> > > >> Linux vps.flexilogix.com 2.6.18-028stab068.9 #1 SMP Tue Mar 30
> > 17:22:31
> > > >> MSD 2010 i686 athlon i386 GNU/Linux
> > > >>
> > > >>
> > > >> [root at vps ~]# ipsec verify
> > > >> Checking your system to see if IPsec got installed and started
> > correctly:
> > > >> Version check and ipsec on-path
> [OK]
> > > >> Linux Openswan U2.6.21/K(no kernel code presently loaded)
> > > >> Checking for IPsec support in kernel
> > [FAILED]
> > > >> Checking for RSA private key (/etc/ipsec.secrets)
> [OK]
> > > >> Checking that pluto is running
> > [FAILED]
> > > >> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
> > > >> Checking for 'ip' command
> [OK]
> > > >> Checking for 'iptables' command
> [OK]
> > > >>
> > > >> Opportunistic Encryption DNS checks:
> > > >> Looking for TXT in forward dns zone: vps.flexilogix.com
> > [MISSING]
> > > >> Does the machine have at least one non-private address?
> [OK]
> > > >> Looking for TXT in reverse dns zone:
> 20.69.65.216.in-addr.arpa.
> > > >> [MISSING]
> > > >>
> > > >> Regards,
> > > >> Hammad
> > > >>
> > > >> On Sat, Dec 4, 2010 at 9:51 AM, Hammad <raohammad at gmail.com>
> wrote:
> > > >> Hi Paul,
> > > >> No its not a custom compiled (by me) in fact I bought VPS and
> this is
> > the
> > > >> ubuntu version I got (jaunty 9.0.4).
> > > >>
> > > >> Hi Mike,
> > > >>
> > > >>
> > > >> > WARNING: Couldn't open directory /lib/modules/2.6.18-
> > > >> 028stab068.9: No
> > > >> > such file or directory
> > > >>
> > > >> I overcame this problem. I 'd 2.6.18-028stab059.6
> directory in
> > place
> > > >> but not the one mentioned in error; I created a soft-link with
> same
> > name
> > > >> pointing to actual dir and installation succeeded well ;)
> > > >>
> > > >>
> > > >> So our problem is again back to original, ipsec is not
> supported by
> > > >> kernel...
> > > >>
> > > >>
> > > >> > Are you currently actively running and OpenVZ kernel on that
> > machine?
> > > >>
> > > >> I suppose yes this VPS is using OpenVZ.
> > > >>
> > > >>
> > > >> > What version are you at? From there site, it looks like
> > 028stab070.14
> > > >> > is the latest in the RHEL/CentOS stable 2.6.18 line.
> > > >>
> > > >> # uname -a
> > > >> Linux vps.flexilogix.com 2.6.18-028stab068.9 #1 SMP Tue Mar 30
> > 17:22:31
> > > >> MSD 2010 i686 GNU/Linux
> > > >>
> > > >> > You must have built that Openswan 2.6.31 package yourself,
> the
> > latest
> > > >> > RHEL/CentOS 5.x Openswan is 2.6.21. Did you merely compile
> it or
> > > >> > actually build your own rpms?
> > > >>
> > > >> Yes, I actually compiled openswan 2,6,31 from sources
> > > >>
> > > >> I've come to know from Ubuntu Support groups that there is no
> ipsec
> > > >> package for ubuntu jaunty 9.0.4 and its no more updated since
> Oct 23
> > 2010.
> > > >> So I suppose its the time to switch back to CentOS that is my
> actual
> > > >> playground...
> > > >>
> > > >> Thanks for your help all.
> > > >> Hammad ( aka Hammond :) )
> > > >>
> > > >>
> > > >> On Sat, Dec 4, 2010 at 2:32 AM, Michael H. Warfield
> <mhw at wittsend.com
> > >
> > > >> wrote:
> > > >> Paul (and Hammond),
> > > >>
> > > >> On Fri, 2010-12-03 at 11:49 -0500, Paul Wouters wrote:
> > > >> > On Fri, 3 Dec 2010, Hammad wrote:
> > > >> >
> > > >> > > Here is the output of commands...
> > > >> > > root at vps:/usr/local# modprobe ipsec
> > > >> > > WARNING: Deprecated config file /etc/modprobe.conf, all
> config
> > files
> > > >> > > belong into /etc/modprobe.d/.
> > > >> > > FATAL: Module ipsec not found.
> > > >> > >
> > > >> > > root at vps:/usr/local# modprobe af_key
> > > >> > > WARNING: Deprecated config file /etc/modprobe.conf, all
> config
> > files
> > > >> > > belong into /etc/modprobe.d/.
> > > >> > > FATAL: Module af_key not found.
> > > >> > >
> > > >> > > root at vps:/usr/local# ipsec --version
> > > >> > > Linux Openswan U2.6.31/K(no kernel code presently loaded)
> > > >> > > See `ipsec --copyright' for copyright information.
> > > >>
> > > >> > Your kernel has no IPsec support. Perhaps you are missing the
> right
> > > >> > modules directory, or support
> > > >> > was not compiled on that kernel. Seems like this is a
> > non-distribution,
> > > >> > custom built kernel?
> > > >>
> > > >> It doesn't show up in this last message but in an earlier post
> I saw
> > > >> this...
> > > >>
> > > >> > WARNING: Couldn't open
> directory /lib/modules/2.6.18-028stab068.9:
> > No
> > > >> > such file or directory
> > > >>
> > > >> That tells me two things.
> > > >>
> > > >> 1) He's running an OpenVZ kernel. That's one of their revision
> > strings
> > > >> and that's one of their releases for the RHEL distro. Not too
> > terribly
> > > >> old but back several clicks.
> > > >>
> > > >> 2) He was, at that time, running on a kernel which had been
> updated
> > > >> (possibly by a mainline distro kernel or possibly by a newer
> OpenVZ
> > > >> kernel) and the running kernel had been uninstalled by yum so
> the
> > > >> modules directory no longer existed.
> > > >>
> > > >> Now... That being said... Prior to swapping all of my OpenVZ
> VM's (>
> > 3
> > > >> dozen) over to LXC to get back on a more current kernel with
> in-tree
> > > >> container virtualization, I was an extensive user of OpenVZ.
> Those
> > > >> kernels certainly do have IPsec compiled in as modules. I've
> used it.
> > > >>
> > > >> Hammond,
> > > >>
> > > >> Are you currently actively running and OpenVZ kernel on that
> machine?
> > > >>
> > > >> What version are you at? From there site, it looks like
> 028stab070.14
> > > >> is the latest in the RHEL/CentOS stable 2.6.18 line.
> > > >>
> > > >> What are you running (uname -a) and what do you have installed?
> > > >>
> > > >> Did you install it from their site with yum or downloaded it or
> build
> > a
> > > >> custom build (which I often had done with newer releases)?
> (One flaw
> > > >> with their yum repo is that it doesn't properly setup the
> install only
> > > >> and a couple of other conditions to prevent removing the
> running
> > > >> kernel).
> > > >>
> > > >> You must have built that Openswan 2.6.31 package yourself, the
> latest
> > > >> RHEL/CentOS 5.x Openswan is 2.6.21. Did you merely compile it
> or
> > > >> actually build your own rpms?
> > > >>
> > > >> What's in your grub.conf file and are you running on the latest
> kernel
> > > >> which was installed?
> > > >>
> > > >> > Paul
> > > >>
> > > >> Regards,
> > > >> Mike
> > > >> --
> > > >> Michael H. Warfield (AI4NB) | (770) 985-6132 |
> mhw at WittsEnd.com
> > > >> /\/\|=mhw=|\/\/ | (678) 463-0932 |
> > > >> http://www.wittsend.com/mhw/
> > > >> NIC whois: MHW9 | An optimist believes we live in
> the best
> > of
> > > >> all
> > > >> PGP Key: 0x674627FF | possible worlds. A pessimist is
> sure of
> > it!
> > > >>
> > > >>
> > > >> _______________________________________________
> > > >> Users at openswan.org
> > > >> http://lists.openswan.org/mailman/listinfo/users
> > > >> Micropayments:
> > https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > > >> Building and Integrating Virtual Private Networks with
> Openswan:
> > > >>
> >
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> > > >
> > >
> >
> > --
> > Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
> > /\/\|=mhw=|\/\/ | (678) 463-0932 |
> > http://www.wittsend.com/mhw/
> > NIC whois: MHW9 | An optimist believes we live in the
> best of
> > all
> > PGP Key: 0x674627FF | possible worlds. A pessimist is sure
> of it!
> >
>
>
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20101215/4550dd4f/attachment.bin
More information about the Users
mailing list