[Openswan Users] Installing Openswan on CentOs

Kevin Keane subscription at kkeane.com
Tue Aug 23 21:30:51 EDT 2011


For the NETKEY errors, you need to edit /etc/sysctl.conf, and then reboot.

You need to change the following line:

net.ipv4.ip_forward = 1

(the default is 0; ipsec needs 1).

You need to add the following lines at the end.

# for ipsec, configure some additional settings
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Ignore the DNS errors. That is only relevant if you want to use OE.
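As an added illustration (not part of this thread or of Openswan itself), the following POSIX shell script audits a sysctl.conf-style file for exactly the five settings listed above, reporting any key that is missing or has the wrong value, and then compares the same keys against the running kernel via /proc/sys where that tree is present. It embeds two constructed sample files (a stock-looking configuration before the edit and the same file after it); the helper names `effective_value`, `audit_sysctl_file` and `audit_running_kernel` are this example's own.

```shell
#!/bin/sh
# Added example: audit /etc/sysctl.conf for the NETKEY/Openswan settings
# recommended above, before rebooting (or running "sysctl -p").

# Required key=value pairs, exactly as given in the thread.
REQUIRED='net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0'

# effective_value FILE KEY: print the last uncommented value assigned to KEY
# in FILE (later lines win, as with "sysctl -p"); print nothing if absent.
effective_value() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots are literal, not regex
    sed -n -e 's/[[:space:]]*#.*$//' \
           -e "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" \
        | tail -n 1
}

# audit_sysctl_file FILE: print one line per deviation from REQUIRED.
# Returns 0 when the file already carries every required setting, 1 otherwise.
audit_sysctl_file() {
    bad=$(echo "$REQUIRED" | while IFS='=' read -r key want; do
        have=$(effective_value "$1" "$key")
        [ "$have" = "$want" ] || echo "$key expected=$want actual=${have:-unset}"
    done)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
    return 0
}

# audit_running_kernel: same comparison against the live values in /proc/sys
# (what "ipsec verify" is effectively checking). Skips when /proc/sys is absent.
audit_running_kernel() {
    [ -d /proc/sys/net/ipv4 ] || { echo "no /proc/sys/net/ipv4 on this host, skipping"; return 0; }
    bad=$(echo "$REQUIRED" | while IFS='=' read -r key want; do
        path=/proc/sys/$(printf '%s' "$key" | tr . /)
        have=$(cat "$path" 2>/dev/null)
        [ "$have" = "$want" ] || echo "$key expected=$want running=${have:-unreadable}"
    done)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
    return 0
}

# Constructed sample: a stock-looking sysctl.conf before the edit.
BEFORE=$(mktemp)
cat > "$BEFORE" <<'EOF'
# Kernel sysctl configuration file for Red Hat Linux
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0
EOF

# Constructed sample: the same file after applying the edits from the thread.
AFTER=$(mktemp)
cat > "$AFTER" <<'EOF'
# Kernel sysctl configuration file for Red Hat Linux
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0

# for ipsec, configure some additional settings
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
trap 'rm -f "$BEFORE" "$AFTER"' EXIT

echo "== before the edit"
audit_sysctl_file "$BEFORE" || echo "fix the file before rebooting"
echo "== after the edit"
audit_sysctl_file "$AFTER" && echo "sysctl.conf is ready; reboot or run: sysctl -p"
echo "== running kernel"
audit_running_kernel || echo "running kernel still differs from the file"
```

Point `audit_sysctl_file` at the real /etc/sysctl.conf to check a host; `audit_running_kernel` needs no privileges because it only reads /proc/sys, so it can be run after the reboot to confirm the values actually took effect.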

From: Vigyan Kaushik [mailto:vkaushikdll at gmail.com]
Sent: Tuesday, August 23, 2011 3:44 PM
To: Kevin Keane
Cc: users at openswan.org
Subject: Re: [Openswan Users] Installing Openswan on CentOs

Yes.. I can see it now.. I am using trixbox (freepbx) bundled centos.

So now how do I set up the keys etc.. below is the latest output.

[trixbox1.localdomain ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.21/K2.6.18-164.11.1.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: trixbox1.localdomain    [MISSING]
   Does the machine have at least one non-private address?      [FAILED]

[trixbox1.localdomain ~]# uname -a
Linux trixbox1.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04 EST 2010 i686 i686 i386 GNU/Linux


On Tue, Aug 23, 2011 at 3:05 PM, Kevin Keane <subscription at kkeane.com> wrote:
Try "service ipsec start". That will start the ipsec daemon (pluto), and may also load some kernel modules.

If that doesn't help: Which version of CentOS and what kernel are you running? Use the command "uname -a".

I just set up openswan on two CentOS 5.6 servers. I didn't need any special configuration for the kernel. One instance used the stock CentOS kernel, the other used a Rackspace kernel.

Everything else in your output looks good; you can ignore the remaining items. The DNS entries are only needed for opportunistic encryption.

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Vigyan Kaushik
Sent: Tuesday, August 23, 2011 11:54 AM
To: users at openswan.org
Subject: [Openswan Users] Installing Openswan on CentOs

Hi All,

I am installing Openswan for an IPsec VPN connection from my iPhone and iPad. I cannot find good detailed documentation on the Openswan install, so I tried using yum to install the package on my CentOS 5.


After installing, if I run ipsec verify, I am not seeing the status of the majority of things as OK, which means I may have to set up/configure it further... One of the checks is about the kernel support. Can you please see the output below and suggest something?


[trixbox1.localdomain ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.21/K(no kernel code presently loaded)
Checking for IPsec support in kernel                            [FAILED]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding            [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: trixbox1.localdomain    [MISSING]
   Does the machine have at least one non-private address?      [FAILED]

Thanks,
VK
