[Openswan Users] Users Digest, Vol 85, Issue 31

Dave H thegenrlftw at gmail.com
Thu Dec 16 01:01:11 EST 2010


Sorry, disregard my previous email.  I have researched this some more and
found this does not affect openswan.  Still, good info to know for the
future.
-dave



On Thu, Dec 16, 2010 at 12:47 AM, Dave H <thegenrlftw at gmail.com> wrote:

> I recently came across this and I'm certainly not a developer, but was
> still concerned with this info.
>
> http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
>
> Does anybody know if this affects openswan or strongswan?  I'll cc this on
> the IRC channel for IRC users' convenience.
>
> -dave
>
>
>
>
> On Wed, Dec 15, 2010 at 7:30 PM, <users-request at openswan.org> wrote:
>
>>
>> Today's Topics:
>>
>>   1. Re: openswan + certificates + xl2tpd + no suitable connection
>>      error (Paul Wouters)
>>   2. Re: OpenSwan on ubuntu (Michael H. Warfield)
>>   3. Please help to resolve the issue with xl2tpd (Rustam)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Wed, 15 Dec 2010 14:56:25 -0500 (EST)
>> From: Paul Wouters <paul at xelerance.com>
>> Subject: Re: [Openswan Users] openswan + certificates + xl2tpd + no
>>        suitable connection error
>> To: Adam Sienkiewicz <adamsienkiewicz78 at gmail.com>
>> Cc: users at openswan.org
>> Message-ID: <alpine.LFD.1.10.1012151453020.28717 at newtla.xelerance.com>
>> Content-Type: TEXT/PLAIN; charset=ISO-8859-1; format=flowed
>>
>> On Wed, 15 Dec 2010, Adam Sienkiewicz wrote:
>>
>> > Subject: Re: [Openswan Users] openswan + certificates + xl2tpd + no suitable connection error
>>
>> > 000 Dec 08 18:59:19 2010, 1024 RSA Key AwEAAc+Lo (no private key), until Nov 22 07:59:02 2020 ok
>> > 000        ID_DER_ASN1_DN 'C=PL, ST=cos, O=name1, OU=it, CN=vpntest, E=myname at wp.pl'
>> > 000        Issuer 'C=PL, ST=cos, L=Cieszyn, O=name1, OU=it, CN=myCA, E=myname at wp.pl'
>>
>> Have you tried matching up the RDNs better? I see L= is used in the
>> CA cert, but not in the host cert.
>>
>> It seems you're going wrong in the matching of the cert.
>>
>> Paul
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Wed, 15 Dec 2010 17:53:11 -0500
>> From: "Michael H. Warfield" <mhw at WittsEnd.com>
>> Subject: Re: [Openswan Users] OpenSwan on ubuntu
>> To: Hammad <raohammad at gmail.com>
>> Cc: mhw at WittsEnd.com, "users at openswan.org" <users at openswan.org>
>> Message-ID: <1292453591.5194.343.camel at canyon.wittsend.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> On Sun, 2010-12-05 at 13:46 +0500, Hammad wrote:
>> > Hi All,
>> >
>> > Just for the sake of completion of this thread: IPSec is not supported
>> > by VPS vendors who are based on OpenVZ, as explained below.
>> > I shifted my server to Amazon EC2 and their custom packages solved all
>> > problems in the first go.
>>
>> Just for completeness too and for the record, while I know this does not
>> help out the OP with that original hosting outfit who is probably stuck
>> on RHEL5 w/ a 2.6.18 kernel and OpenVZ, it does now appear that Pavel
>> has enabled IPSec in an OpenVZ container under 2.6.32.  I see a check-in
>> to that effect, 7 days ago, but it has not reached a release, and no
>> sign of it ever appearing in a 2.6.18 kernel, the branch of which is
>> labeled "frozen".
>>
>> http://git.openvz.org/?p=linux-2.6.32-openvz;a=summary
>>
>> So there's hope there for the future.
>>
>> Regards,
>> Mike
>>
>> > [root at xxxxx~]# ipsec verify
>> > Checking your system to see if IPsec got installed and started
>> > correctly:
>> > Version check and ipsec on-path                                 [OK]
>> > Linux Openswan U2.6.27/K2.6.34.7-56.40.amzn1.i686 (netkey)
>> > Checking for IPsec support in kernel                            [OK]
>> > NETKEY detected, testing for disabled ICMP send_redirects       [OK]
>> > NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
>> > Checking that pluto is running                                  [OK]
>> > Pluto listening for IKE on udp 500                              [OK]
>> > Pluto listening for NAT-T on udp 4500                           [OK]
>> > Checking for 'ip' command                                       [OK]
>> > Checking for 'iptables' command                                 [OK]
>> > Opportunistic Encryption Support                                [DISABLED]
>> >
>> > Thank you all for your help and fruitful discussion.
>> >
>> > Regards,
>> >
>> >
>> > On Sat, Dec 4, 2010 at 9:07 PM, Michael H. Warfield
>> > <mhw at wittsend.com>wrote:
>> >
>> > > On Sat, 2010-12-04 at 20:09 +0500, Hammad wrote:
>> > > > Hi Laurent,
>> > > > You are right, packages come from my hosting company...
>> > > > Does it make a difference?
>> > >
>> > > So this VPS is a virtual machine hosted by them, correct?  In that case,
>> > > you are probably screwed.  Contact them about VPN service.  You probably
>> > > can not do kernel level IPSec, not with an OpenVZ VM at least.  To the
>> > > best of my knowledge, OpenVZ / Virtuozzo does not support IPsec in a
>> > > container and everything I'm reading on the net even up to last July
>> > > backs that up.  I thought I saw Kir post something to the OpenVZ list
>> > > more recently but I haven't been able to find it.
>> > >
>> > > There's a little more about this in Wikipedia:
>> > >
>> > > http://en.wikipedia.org/wiki/OpenVZ
>> > >
>> > > Look under "Limitations".
>> > >
>> > > A little more discussion is present in this thread from the OpenVZ
>> > > mailing list...
>> > >
>> > > http://www.mail-archive.com/users@openvz.org/msg03250.html
>> > >
>> > > I believe that OpenVPN would work for you, however, as that's a user
>> > > space routed VPN solution that doesn't require any kernel modules.  If
>> > > you are trying to connect to an established IPsec gateway, you may want
>> > > to look into VPNC, which is IPSec purely in user space but it's designed
>> > > to interface to Cisco ASAs and similar XAUTH / Aggressive mode devices.
>> > >
>> > > This article certainly indicates you could use OpenVPN or VPNC:
>> > >
>> > > http://wiki.openvz.org/VPN_via_the_TUN/TAP_device
>> > >
>> > > Both of them operate based on the TUN / TAP interfaces.  But you may
>> > > still need support from the hosting provider to get access to the
>> > > tun/tap modules.
>> > >
>> > > > Regards,
>> > > > Hammad
>> > >
>> > > Regards,
>> > > Mike
>> > >
>> > > > On 12/4/10, Laurent Caron <lcaron at unix-scripts.info> wrote:
>> > > > > Hi
>> > > > >
>> > > > > Are you sure the kernel package comes from Red Hat and not your
>> > > > > virtual server hosting company?
>> > > > >
>> > > > >
>> > > > > On 4 Dec. 2010 at 14:30, Hammad <raohammad at gmail.com> wrote:
>> > > > >
>> > > > >> Hi,
>> > > > >>
>> > > > >> Now that's a bit disturbing... I have now CentOS but still the same
>> > > > >> /lib/modules/.... is missing. It's a fresh installation
>> > > > >>
>> > > > >> Mike: How did you cater for this situation? Any ideas?
>> > > > >>
>> > > > >> [root at vps ~]# service ipsec start
>> > > > >> ipsec_setup: FATAL: Could not load /lib/modules/2.6.18-028stab068.9/modules.dep: No such file or directory
>> > > > >> ipsec_setup: Starting Openswan IPsec 2.6.21...
>> > > > >> ipsec_setup: multiple ip addresses, using  127.0.0.1 on venet0
>> > > > >>
>> > > > >> [root at vps ~]# uname -a
>> > > > >> Linux vps.flexilogix.com 2.6.18-028stab068.9 #1 SMP Tue Mar 30 17:22:31 MSD 2010 i686 athlon i386 GNU/Linux
>> > > > >>
>> > > > >>
>> > > > >> [root at vps ~]# ipsec verify
>> > > > >> Checking your system to see if IPsec got installed and started correctly:
>> > > > >> Version check and ipsec on-path                                 [OK]
>> > > > >> Linux Openswan U2.6.21/K(no kernel code presently loaded)
>> > > > >> Checking for IPsec support in kernel                            [FAILED]
>> > > > >> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
>> > > > >> Checking that pluto is running                                  [FAILED]
>> > > > >>   whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>> > > > >> Checking for 'ip' command                                       [OK]
>> > > > >> Checking for 'iptables' command                                 [OK]
>> > > > >>
>> > > > >> Opportunistic Encryption DNS checks:
>> > > > >>    Looking for TXT in forward dns zone: vps.flexilogix.com      [MISSING]
>> > > > >>    Does the machine have at least one non-private address?      [OK]
>> > > > >>    Looking for TXT in reverse dns zone: 20.69.65.216.in-addr.arpa.   [MISSING]
>> > > > >>
>> > > > >> Regards,
>> > > > >> Hammad
>> > > > >>
>> > > > >> On Sat, Dec 4, 2010 at 9:51 AM, Hammad <raohammad at gmail.com> wrote:
>> > > > >> Hi Paul,
>> > > > >> No, it's not custom compiled (by me); in fact I bought a VPS and this is
>> > > > >> the ubuntu version I got (jaunty 9.0.4).
>> > > > >>
>> > > > >> Hi Mike,
>> > > > >>
>> > > > >>
>> > > > >> > WARNING: Couldn't open directory /lib/modules/2.6.18-028stab068.9: No
>> > > > >> > such file or directory
>> > > > >>
>> > > > >> I overcame this problem. I had the 2.6.18-028stab059.6 directory in
>> > > > >> place but not the one mentioned in the error; I created a soft-link with
>> > > > >> the same name pointing to the actual dir and the installation succeeded ;)
>> > > > >>
>> > > > >>
>> > > > >> So our problem is again back to the original: ipsec is not supported by
>> > > > >> the kernel...
>> > > > >>
>> > > > >>
>> > > > >> > Are you currently actively running an OpenVZ kernel on that machine?
>> > > > >>
>> > > > >> I suppose yes, this VPS is using OpenVZ.
>> > > > >>
>> > > > >>
>> > > > >> > What version are you at?  From their site, it looks like 028stab070.14
>> > > > >> > is the latest in the RHEL/CentOS stable 2.6.18 line.
>> > > > >>
>> > > > >> # uname -a
>> > > > >> Linux vps.flexilogix.com 2.6.18-028stab068.9 #1 SMP Tue Mar 30 17:22:31 MSD 2010 i686 GNU/Linux
>> > > > >>
>> > > > >> > You must have built that Openswan 2.6.31 package yourself, the latest
>> > > > >> > RHEL/CentOS 5.x Openswan is 2.6.21.  Did you merely compile it or
>> > > > >> > actually build your own rpms?
>> > > > >>
>> > > > >> Yes, I actually compiled openswan 2.6.31 from sources
>> > > > >>
>> > > > >> I've come to know from Ubuntu Support groups that there is no ipsec
>> > > > >> package for ubuntu jaunty 9.0.4 and it's no more updated since Oct 23
>> > > > >> 2010. So I suppose it's time to switch back to CentOS, which is my
>> > > > >> actual playground...
>> > > > >>
>> > > > >> Thanks for your help all.
>> > > > >> Hammad ( aka Hammond :) )
>> > > > >>
>> > > > >>
>> > > > >> On Sat, Dec 4, 2010 at 2:32 AM, Michael H. Warfield <mhw at wittsend.com> wrote:
>> > > > >> Paul (and Hammond),
>> > > > >>
>> > > > >> On Fri, 2010-12-03 at 11:49 -0500, Paul Wouters wrote:
>> > > > >> > On Fri, 3 Dec 2010, Hammad wrote:
>> > > > >> >
>> > > > >> > > Here is the output of commands...
>> > > > >> > > root at vps:/usr/local# modprobe ipsec
>> > > > >> > > WARNING: Deprecated config file /etc/modprobe.conf, all config files
>> > > > >> > > belong into /etc/modprobe.d/.
>> > > > >> > > FATAL: Module ipsec not found.
>> > > > >> > >
>> > > > >> > > root at vps:/usr/local# modprobe af_key
>> > > > >> > > WARNING: Deprecated config file /etc/modprobe.conf, all config files
>> > > > >> > > belong into /etc/modprobe.d/.
>> > > > >> > > FATAL: Module af_key not found.
>> > > > >> > >
>> > > > >> > > root at vps:/usr/local# ipsec --version
>> > > > >> > > Linux Openswan U2.6.31/K(no kernel code presently loaded)
>> > > > >> > > See `ipsec --copyright' for copyright information.
>> > > > >>
>> > > > >> > Your kernel has no IPsec support. Perhaps you are missing the right
>> > > > >> > modules directory, or support was not compiled on that kernel. Seems
>> > > > >> > like this is a non-distribution, custom built kernel?
>> > > > >>
>> > > > >> It doesn't show up in this last message but in an earlier post I saw
>> > > > >> this...
>> > > > >>
>> > > > >> > WARNING: Couldn't open directory /lib/modules/2.6.18-028stab068.9: No
>> > > > >> > such file or directory
>> > > > >>
>> > > > >> That tells me two things.
>> > > > >>
>> > > > >> 1) He's running an OpenVZ kernel.  That's one of their revision strings
>> > > > >> and that's one of their releases for the RHEL distro.  Not too terribly
>> > > > >> old but back several clicks.
>> > > > >>
>> > > > >> 2) He was, at that time, running on a kernel which had been updated
>> > > > >> (possibly by a mainline distro kernel or possibly by a newer OpenVZ
>> > > > >> kernel) and the running kernel had been uninstalled by yum so the
>> > > > >> modules directory no longer existed.
>> > > > >>
>> > > > >> Now...  That being said...  Prior to swapping all of my OpenVZ VM's (> 3
>> > > > >> dozen) over to LXC to get back on a more current kernel with in-tree
>> > > > >> container virtualization, I was an extensive user of OpenVZ.  Those
>> > > > >> kernels certainly do have IPsec compiled in as modules.  I've used it.
>> > > > >>
>> > > > >> Hammond,
>> > > > >>
>> > > > >> Are you currently actively running an OpenVZ kernel on that machine?
>> > > > >>
>> > > > >> What version are you at?  From their site, it looks like 028stab070.14
>> > > > >> is the latest in the RHEL/CentOS stable 2.6.18 line.
>> > > > >>
>> > > > >> What are you running (uname -a) and what do you have installed?
>> > > > >>
>> > > > >> Did you install it from their site with yum or download it or build a
>> > > > >> custom build (which I often had done with newer releases)?  (One flaw
>> > > > >> with their yum repo is that it doesn't properly set up the install-only
>> > > > >> and a couple of other conditions to prevent removing the running
>> > > > >> kernel).
>> > > > >>
>> > > > >> You must have built that Openswan 2.6.31 package yourself, the latest
>> > > > >> RHEL/CentOS 5.x Openswan is 2.6.21.  Did you merely compile it or
>> > > > >> actually build your own rpms?
>> > > > >>
>> > > > >> What's in your grub.conf file and are you running on the latest kernel
>> > > > >> which was installed?
>> > > > >>
>> > > > >> > Paul
>> > > > >>
>> > > > >> Regards,
>> > > > >> Mike
>> > > > >> --
>> > > > >> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>> > > > >>   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>> > > > >>   NIC whois: MHW9          | An optimist believes we live in the best of all
>> > > > >>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>> > > > >>
>> > > > >>
>> > > > >
>> > > >
>> > >
>> > >
>> >
>> >
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Wed, 15 Dec 2010 08:14:39 +0500
>> From: Rustam <rfhamzin at gmail.com>
>> Subject: [Openswan Users] Please help to resolve the issue with xl2tpd
>> To: users at openswan.org
>> Message-ID: <87326139.20101215081439 at gmail.com>
>> Content-Type: text/plain; charset="windows-1251"
>>
>>
>>
>>  Installed and configured the xl2tpd on Slackware 13.1.
>>  Everything works fine, but I am confused by the fact that this build is
>>  not registering Call-Station (called party, the l2tp server) and CLID (caller)
>>  with L2TP client authentication.
>>
>>  What should I do? How do I fix this? Please help!
>>  I attach a screenshot with the syslog
>>
>>
>> ------------------------------
>>
>>
>
>
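Message 1 of the quoted digest turns on whether the DN openswan is told to expect for a peer lines up with the DN in the certificate, RDN by RDN (Paul points at an L= present in the CA cert but absent from the host cert). The following Python is an added example, not code from the Openswan project or from anyone in this thread: it parses two DN strings, normalises the E= / emailAddress= spelling difference between openswan and OpenSSL output, and reports which RDNs are missing, extra, different in value, or merely reordered. The DN values are constructed; the alias table is an assumption limited to the spellings listed.

```python
import re

# Attribute spellings that denote the same X.500 attribute: openswan prints
# "E=" (as in the listcerts output above) while OpenSSL prints "emailAddress=".
# Assumption: only these aliases are needed for the DNs we compare.
ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E", "S": "ST"}


def parse_dn(dn):
    """Split a comma-separated DN such as 'C=PL, ST=cos, CN=vpntest' into an
    ordered list of (attribute, value) pairs with attribute names normalised.
    Simplification: commas escaped inside values are not handled."""
    rdns = []
    for part in re.split(r"\s*,\s*", dn.strip()):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        rdns.append((ALIASES.get(attr, attr), value.strip()))
    return rdns


def compare_dn(expected, actual):
    """Compare the DN configured as an ID (expected) with the DN found in the
    certificate (actual).  'match' is True only when both the RDN set and the
    RDN order agree: order is part of a DN, so a reordered ID is a different DN.
    Note: repeated attributes (two OU=) are collapsed by dict(), last one wins."""
    exp, act = parse_dn(expected), parse_dn(actual)
    exp_d, act_d = dict(exp), dict(act)
    return {
        "match": exp == act,
        "missing": sorted(set(exp_d) - set(act_d)),   # in ID but not in cert
        "extra": sorted(set(act_d) - set(exp_d)),     # in cert but not in ID
        "differ": sorted(a for a in exp_d if a in act_d and exp_d[a] != act_d[a]),
        "order_only": exp != act and sorted(exp) == sorted(act),
    }


if __name__ == "__main__":
    # Constructed sample: an ID that carries an L= which the host certificate
    # lacks, modelled on the CA-versus-host-cert difference noted in the thread.
    configured_id = "C=PL, ST=cos, L=Cieszyn, O=name1, OU=it, CN=vpntest, emailAddress=vpn@example.org"
    cert_subject = "C=PL, ST=cos, O=name1, OU=it, CN=vpntest, E=vpn@example.org"
    print(compare_dn(configured_id, cert_subject))
    # -> 'missing': ['L'], so this ID can never match the certificate subject
```

Feed it the ID from ipsec.conf and the subject line from `ipsec auto --listcerts` (or `openssl x509 -subject`) to see at a glance which RDN is breaking the match.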