[Openswan Users] Users Digest, Vol 85, Issue 31
Dave H
thegenrlftw at gmail.com
Thu Dec 16 00:47:26 EST 2010
i recently came across this and i'm certainly not a developer, but was still
concerned with this info.
http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
does anybody know if this effects openswan or strongswan? ill cc this on
the IRC channel for IRC users convience.
-dave
On Wed, Dec 15, 2010 at 7:30 PM, <users-request at openswan.org> wrote:
> Send Users mailing list submissions to
> users at openswan.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.openswan.org/mailman/listinfo/users
> or, via email, send a message with subject or body 'help' to
> users-request at openswan.org
>
> You can reach the person managing the list at
> users-owner at openswan.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Users digest..."
>
>
> Today's Topics:
>
> 1. Re: openswan + certificates + xl2tpd + no suitable connection
> error (Paul Wouters)
> 2. Re: OpenSwan on ubuntu (Michael H. Warfield)
> 3. Please help to resolve the issue with xl2tpd (Rustam)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 15 Dec 2010 14:56:25 -0500 (EST)
> From: Paul Wouters <paul at xelerance.com>
> Subject: Re: [Openswan Users] openswan + certificates + xl2tpd + no
> suitable connection error
> To: Adam Sienkiewicz <adamsienkiewicz78 at gmail.com>
> Cc: users at openswan.org
> Message-ID: <alpine.LFD.1.10.1012151453020.28717 at newtla.xelerance.com>
> Content-Type: TEXT/PLAIN; charset=ISO-8859-1; format=flowed
>
> On Wed, 15 Dec 2010, Adam Sienkiewicz wrote:
>
> > Subject: Re: [Openswan Users] openswan + certificates + xl2tpd + no
> suitable
> > connection error
>
> > 000 Dec 08 18:59:19 2010, 1024 RSA Key AwEAAc+Lo (no private key), until
> Nov 22 07:59:02 2020 ok
> > 000??????? ID_DER_ASN1_DN 'C=PL, ST=cos, O=name1, OU=it, CN=vpntest, E=
> myname at wp.pl'
> > 000??????? Issuer 'C=PL, ST=cos, L=Cieszyn, O=name1, OU=it, CN=myCA, E=
> myname at wp.pl'
>
> Have you tried matching up the RDN's better? I see L= is used in the
> CAcert, but not in
> the host cert.
>
> It seems you're going wrong in the matching of the cert.
>
> Paul
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 15 Dec 2010 17:53:11 -0500
> From: "Michael H. Warfield" <mhw at WittsEnd.com>
> Subject: Re: [Openswan Users] OpenSwan on ubuntu
> To: Hammad <raohammad at gmail.com>
> Cc: mhw at WittsEnd.com, "users at openswan.org" <users at openswan.org>
> Message-ID: <1292453591.5194.343.camel at canyon.wittsend.com>
> Content-Type: text/plain; charset="utf-8"
>
> On Sun, 2010-12-05 at 13:46 +0500, Hammad wrote:
> > Hi All,
> >
> > Just for the sake of completion of this thread. IPSec is not supported
> > by
> > VPS vendors who are based on openVZ as explained below.
> > I shifted my server to Amazon EC2 and their custom packages solved all
> > problems in first go..
>
> Just for completeness too and for the record, while I know this does not
> help out the OP with that original hosting outfit who is probably stuck
> on RHEL5 w/ a 2.6.18 kernel and OpenVZ, it does now appear that Pavel
> has enabled IPSec in an OpenVZ container under 2.6.32. I see a check-in
> to that effect, 7 days ago, but it has not reached a release, and no
> sign of it ever appearing in a 2.6.18 kernel, the branch of which is
> labeled "frozen".
>
> http://git.openvz.org/?p=linux-2.6.32-openvz;a=summary
>
> So there's hope there for the future.
>
> Regards,
> Mike
>
> > [root at xxxxx~]# ipsec verify
> > Checking your system to see if IPsec got installed and started
> > correctly:
> > Version check and ipsec on-path [OK]
> > Linux Openswan U2.6.27/K2.6.34.7-56.40.amzn1.i686 (netkey)
> > Checking for IPsec support in kernel [OK]
> > NETKEY detected, testing for disabled ICMP send_redirects [OK]
> > NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> > Checking that pluto is running [OK]
> > Pluto listening for IKE on udp 500 [OK]
> > Pluto listening for NAT-T on udp 4500 [OK]
> > Checking for 'ip' command [OK]
> > Checking for 'iptables' command [OK]
> > Opportunistic Encryption Support
> > [DISABLED]
> >
> > Thank you all for your help and fruitful discussion.
> >
> > Regards,
> >
> >
> > On Sat, Dec 4, 2010 at 9:07 PM, Michael H. Warfield
> > <mhw at wittsend.com>wrote:
> >
> > > On Sat, 2010-12-04 at 20:09 +0500, Hammad wrote:
> > > > Hi Laurent,
> > > > You are right, packages come from my hosting company...
> > > > Does it make a difference?
> > >
> > > So this VPS is a virtual machine hosted by them, correct? In that
> > case,
> > > you are probably screwed. Contact them about VPN service. You
> > probably
> > > can not do kernel level IPSec, not with an OpenVZ VM at least. To
> > the
> > > best of my knowledge, OpenVZ / Virtuoso does not support IPsec in a
> > > container and everything I'm reading on the net even up to last July
> > > backs that up. I though I saw Kir post something to the OpenVZ list
> > > more recently but I haven't been able to find it.
> > >
> > > There's a little more about this in Wikipedia:
> > >
> > > http://en.wikipedia.org/wiki/OpenVZ
> > >
> > > Look under "Limitations".
> > >
> > > A little more discussion is present in this thread from the OpenVZ
> > > mailing list...
> > >
> > > http://www.mail-archive.com/users@openvz.org/msg03250.html
> > >
> > > I believe that OpenVPN would work for you, however, as that's a user
> > > space routed VPN solution that doesn't require any kernel modules.
> > If
> > > you are trying to connect to an established IPsec gateway, you may
> > want
> > > to look into VPNC, which is IPSec purely in user space but it's
> > designed
> > > to interface to Cisco ASAs and similar XAUTH / Aggressive mode
> > devices.
> > >
> > > This article certainly indicates you could use OpenVPN or VPNC:
> > >
> > > http://wiki.openvz.org/VPN_via_the_TUN/TAP_device
> > >
> > > Both of them operation based on the TUN / TAP interfaces. But you
> > may
> > > still need support from the hosting provider to get access to the
> > > tun/tap modules.
> > >
> > > > Regards,
> > > > Hammad
> > >
> > > Regards,
> > > Mike
> > >
> > > > On 12/4/10, Laurent Caron <lcaron at unix-scripts.info> wrote:
> > > > > Hi
> > > > >
> > > > > Are u Sure The kernel package comes from redhat and not your
> > virtual
> > > server
> > > > > hosting company?
> > > > >
> > > > >
> > > > >
> > > > > Le 4 d?c. 2010 ? 14:30, Hammad <raohammad at gmail.com> a ?crit :
> > > > >
> > > > >> Hi,
> > > > >>
> > > > >> Now thats a bit disturbing... I have now CentOS but still the
> > same
> > > > >> /lib/modules/.... is missing. Its a fresh installation
> > > > >>
> > > > >> Mike: How did you cater this situation? Any ideas?
> > > > >>
> > > > >> [root at vps ~]# service ipsec start
> > > > >> ipsec_setup: FATAL: Could not load
> > > > >> /lib/modules/2.6.18-028stab068.9/modules.dep: No such file or
> > > directory
> > > > >> ipsec_setup: Starting Openswan IPsec 2.6.21...
> > > > >> ipsec_setup: multiple ip addresses, using 127.0.0.1 on venet0
> > > > >>
> > > > >> [root at vps ~]# uname -a
> > > > >> Linux vps.flexilogix.com 2.6.18-028stab068.9 #1 SMP Tue Mar 30
> > > 17:22:31
> > > > >> MSD 2010 i686 athlon i386 GNU/Linux
> > > > >>
> > > > >>
> > > > >> [root at vps ~]# ipsec verify
> > > > >> Checking your system to see if IPsec got installed and started
> > > correctly:
> > > > >> Version check and ipsec on-path
> > [OK]
> > > > >> Linux Openswan U2.6.21/K(no kernel code presently loaded)
> > > > >> Checking for IPsec support in kernel
> > > [FAILED]
> > > > >> Checking for RSA private key (/etc/ipsec.secrets)
> > [OK]
> > > > >> Checking that pluto is running
> > > [FAILED]
> > > > >> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
> > > > >> Checking for 'ip' command
> > [OK]
> > > > >> Checking for 'iptables' command
> > [OK]
> > > > >>
> > > > >> Opportunistic Encryption DNS checks:
> > > > >> Looking for TXT in forward dns zone: vps.flexilogix.com
> > > [MISSING]
> > > > >> Does the machine have at least one non-private address?
> > [OK]
> > > > >> Looking for TXT in reverse dns zone:
> > 20.69.65.216.in-addr.arpa.
> > > > >> [MISSING]
> > > > >>
> > > > >> Regards,
> > > > >> Hammad
> > > > >>
> > > > >> On Sat, Dec 4, 2010 at 9:51 AM, Hammad <raohammad at gmail.com>
> > wrote:
> > > > >> Hi Paul,
> > > > >> No its not a custom compiled (by me) in fact I bought VPS and
> > this is
> > > the
> > > > >> ubuntu version I got (jaunty 9.0.4).
> > > > >>
> > > > >> Hi Mike,
> > > > >>
> > > > >>
> > > > >> > WARNING: Couldn't open directory /lib/modules/2.6.18-
> > > > >> 028stab068.9: No
> > > > >> > such file or directory
> > > > >>
> > > > >> I overcame this problem. I 'd 2.6.18-028stab059.6
> > directory in
> > > place
> > > > >> but not the one mentioned in error; I created a soft-link with
> > same
> > > name
> > > > >> pointing to actual dir and installation succeeded well ;)
> > > > >>
> > > > >>
> > > > >> So our problem is again back to original, ipsec is not
> > supported by
> > > > >> kernel...
> > > > >>
> > > > >>
> > > > >> > Are you currently actively running and OpenVZ kernel on that
> > > machine?
> > > > >>
> > > > >> I suppose yes this VPS is using OpenVZ.
> > > > >>
> > > > >>
> > > > >> > What version are you at? From there site, it looks like
> > > 028stab070.14
> > > > >> > is the latest in the RHEL/CentOS stable 2.6.18 line.
> > > > >>
> > > > >> # uname -a
> > > > >> Linux vps.flexilogix.com 2.6.18-028stab068.9 #1 SMP Tue Mar 30
> > > 17:22:31
> > > > >> MSD 2010 i686 GNU/Linux
> > > > >>
> > > > >> > You must have built that Openswan 2.6.31 package yourself,
> > the
> > > latest
> > > > >> > RHEL/CentOS 5.x Openswan is 2.6.21. Did you merely compile
> > it or
> > > > >> > actually build your own rpms?
> > > > >>
> > > > >> Yes, I actually compiled openswan 2,6,31 from sources
> > > > >>
> > > > >> I've come to know from Ubuntu Support groups that there is no
> > ipsec
> > > > >> package for ubuntu jaunty 9.0.4 and its no more updated since
> > Oct 23
> > > 2010.
> > > > >> So I suppose its the time to switch back to CentOS that is my
> > actual
> > > > >> playground...
> > > > >>
> > > > >> Thanks for your help all.
> > > > >> Hammad ( aka Hammond :) )
> > > > >>
> > > > >>
> > > > >> On Sat, Dec 4, 2010 at 2:32 AM, Michael H. Warfield
> > <mhw at wittsend.com
> > > >
> > > > >> wrote:
> > > > >> Paul (and Hammond),
> > > > >>
> > > > >> On Fri, 2010-12-03 at 11:49 -0500, Paul Wouters wrote:
> > > > >> > On Fri, 3 Dec 2010, Hammad wrote:
> > > > >> >
> > > > >> > > Here is the output of commands...
> > > > >> > > root at vps:/usr/local# modprobe ipsec
> > > > >> > > WARNING: Deprecated config file /etc/modprobe.conf, all
> > config
> > > files
> > > > >> > > belong into /etc/modprobe.d/.
> > > > >> > > FATAL: Module ipsec not found.
> > > > >> > >
> > > > >> > > root at vps:/usr/local# modprobe af_key
> > > > >> > > WARNING: Deprecated config file /etc/modprobe.conf, all
> > config
> > > files
> > > > >> > > belong into /etc/modprobe.d/.
> > > > >> > > FATAL: Module af_key not found.
> > > > >> > >
> > > > >> > > root at vps:/usr/local# ipsec --version
> > > > >> > > Linux Openswan U2.6.31/K(no kernel code presently loaded)
> > > > >> > > See `ipsec --copyright' for copyright information.
> > > > >>
> > > > >> > Your kernel has no IPsec support. Perhaps you are missing the
> > right
> > > > >> > modules directory, or support
> > > > >> > was not compiled on that kernel. Seems like this is a
> > > non-distribution,
> > > > >> > custom built kernel?
> > > > >>
> > > > >> It doesn't show up in this last message but in an earlier post
> > I saw
> > > > >> this...
> > > > >>
> > > > >> > WARNING: Couldn't open
> > directory /lib/modules/2.6.18-028stab068.9:
> > > No
> > > > >> > such file or directory
> > > > >>
> > > > >> That tells me two things.
> > > > >>
> > > > >> 1) He's running an OpenVZ kernel. That's one of their revision
> > > strings
> > > > >> and that's one of their releases for the RHEL distro. Not too
> > > terribly
> > > > >> old but back several clicks.
> > > > >>
> > > > >> 2) He was, at that time, running on a kernel which had been
> > updated
> > > > >> (possibly by a mainline distro kernel or possibly by a newer
> > OpenVZ
> > > > >> kernel) and the running kernel had been uninstalled by yum so
> > the
> > > > >> modules directory no longer existed.
> > > > >>
> > > > >> Now... That being said... Prior to swapping all of my OpenVZ
> > VM's (>
> > > 3
> > > > >> dozen) over to LXC to get back on a more current kernel with
> > in-tree
> > > > >> container virtualization, I was an extensive user of OpenVZ.
> > Those
> > > > >> kernels certainly do have IPsec compiled in as modules. I've
> > used it.
> > > > >>
> > > > >> Hammond,
> > > > >>
> > > > >> Are you currently actively running and OpenVZ kernel on that
> > machine?
> > > > >>
> > > > >> What version are you at? From there site, it looks like
> > 028stab070.14
> > > > >> is the latest in the RHEL/CentOS stable 2.6.18 line.
> > > > >>
> > > > >> What are you running (uname -a) and what do you have installed?
> > > > >>
> > > > >> Did you install it from their site with yum or downloaded it or
> > build
> > > a
> > > > >> custom build (which I often had done with newer releases)?
> > (One flaw
> > > > >> with their yum repo is that it doesn't properly setup the
> > install only
> > > > >> and a couple of other conditions to prevent removing the
> > running
> > > > >> kernel).
> > > > >>
> > > > >> You must have built that Openswan 2.6.31 package yourself, the
> > latest
> > > > >> RHEL/CentOS 5.x Openswan is 2.6.21. Did you merely compile it
> > or
> > > > >> actually build your own rpms?
> > > > >>
> > > > >> What's in your grub.conf file and are you running on the latest
> > kernel
> > > > >> which was installed?
> > > > >>
> > > > >> > Paul
> > > > >>
> > > > >> Regards,
> > > > >> Mike
> > > > >> --
> > > > >> Michael H. Warfield (AI4NB) | (770) 985-6132 |
> > mhw at WittsEnd.com
> > > > >> /\/\|=mhw=|\/\/ | (678) 463-0932 |
> > > > >> http://www.wittsend.com/mhw/
> > > > >> NIC whois: MHW9 | An optimist believes we live in
> > the best
> > > of
> > > > >> all
> > > > >> PGP Key: 0x674627FF | possible worlds. A pessimist is
> > sure of
> > > it!
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> Users at openswan.org
> > > > >> http://lists.openswan.org/mailman/listinfo/users
> > > > >> Micropayments:
> > > https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > > > >> Building and Integrating Virtual Private Networks with
> > Openswan:
> > > > >>
> > >
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> > > > >
> > > >
> > >
> > > --
> > > Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
> > > /\/\|=mhw=|\/\/ | (678) 463-0932 |
> > > http://www.wittsend.com/mhw/
> > > NIC whois: MHW9 | An optimist believes we live in the
> > best of
> > > all
> > > PGP Key: 0x674627FF | possible worlds. A pessimist is sure
> > of it!
> > >
> >
> >
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 |
> http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of
> all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 482 bytes
> Desc: This is a digitally signed message part
> Url :
> http://lists.openswan.org/pipermail/users/attachments/20101215/4550dd4f/attachment-0001.bin
>
> ------------------------------
>
> Message: 3
> Date: Wed, 15 Dec 2010 08:14:39 +0500
> From: Rustam <rfhamzin at gmail.com>
> Subject: [Openswan Users] Please help to resolve the issue with xl2tpd
> To: users at openswan.org
> Message-ID: <87326139.20101215081439 at gmail.com>
> Content-Type: text/plain; charset="windows-1251"
>
>
>
> Installed and configured the xl2tpd on Slackware 13.1.
> Everything works fine, but confused by the fact that this development
> not registering Call-Station (called party server l2tp) and CLID (caller)
> with client authentication L2TP.
>
> What should I do??How do I fix this??Please help!
> I attach a screenshot with the syslog
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: Snap_2010.12.png
> Type: image/png
> Size: 181739 bytes
> Desc: not available
> Url :
> http://lists.openswan.org/pipermail/users/attachments/20101215/7e64adac/attachment.png
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: Snap_2010.121.jpg
> Type: image/jpeg
> Size: 103904 bytes
> Desc: not available
> Url :
> http://lists.openswan.org/pipermail/users/attachments/20101215/7e64adac/attachment.jpg
>
> ------------------------------
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
>
> End of Users Digest, Vol 85, Issue 31
> *************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20101216/2bc4ccce/attachment-0001.html
More information about the Users
mailing list