[Openswan Users] Installing Openswan on CentOs
Vigyan Kaushik
vkaushikdll at gmail.com
Wed Aug 24 12:18:09 EDT 2011
Thanks Kevin.. I will make these changes. Now how do I create they Keys or
User that will connect to my VPN server?
Also do I need any routing changes as well.. I have used openvpn and there I
had to make some change in Ip Tables to route request from VPN server to the
server in the local network. Something similar here?
On Tue, Aug 23, 2011 at 9:30 PM, Kevin Keane <subscription at kkeane.com>wrote:
> For the NETKEY errors, you need to edit /etc/sysctl.conf, and then reboot.
> ****
>
> ** **
>
> You need to change the following line:****
>
> ** **
>
> net.ipv4.ip_forward = 1****
>
> ** **
>
> (the default is 0; ipsec needs 1).****
>
> ** **
>
> You need to add the following lines at the end.****
>
> ** **
>
> # for ipsec, configure some additional settings****
>
> net.ipv4.conf.all.accept_redirects = 0****
>
> net.ipv4.conf.all.send_redirects = 0****
>
> net.ipv4.conf.default.accept_redirects = 0****
>
> net.ipv4.conf.default.send_redirects = 0****
>
> ** **
>
> Ignore the DNS errors. That is only relevant if you want to use OE.****
>
> ** **
>
> *From:* Vigyan Kaushik [mailto:vkaushikdll at gmail.com]
> *Sent:* Tuesday, August 23, 2011 3:44 PM
> *To:* Kevin Keane
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] Installing Openswan on CentOs****
>
> ** **
>
> Yes.. I can see it now.. I am using trixbox (freepbx) bundled centos.
>
> So now how do I setup the keys etc.. below is the latest output.
>
> [trixbox1.localdomain ~]# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.21/K2.6.18-164.11.1.el5 (netkey)
> Checking for IPsec support in kernel [OK]
> *NETKEY detected, testing for disabled ICMP send_redirects [FAILED]*
>
> Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> or NETKEY will cause the sending of bogus ICMP redirects!
> *
> NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]*
>
> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
> or NETKEY will accept bogus ICMP redirects!
>
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
>
> Opportunistic Encryption DNS checks:
> * Looking for TXT in forward dns zone: trixbox1.localdomain [MISSING]
> *
> * Does the machine have at least one non-private address? [FAILED]*
>
> [trixbox1.localdomain ~]# uname -a
> Linux trixbox1.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04
> EST 2010 i686 i686 i386 GNU/Linux
>
>
> ****
>
> On Tue, Aug 23, 2011 at 3:05 PM, Kevin Keane <subscription at kkeane.com>
> wrote:****
>
> Try “service ipsec start”. That will start the ipsec daemon (pluto), and
> may also load some kernel modules.****
>
> ****
>
> If that doesn’t help: Which version of CentOS and what kernel are you
> running? Use the command “uname –a”.****
>
> ****
>
> I just set up openswan on two CentOS 5.6 servers. I didn’t need any special
> configuration for the kernel. One instance used the stock CentOS kernel, the
> other used a Rackspace kernel.****
>
> ****
>
> Everything else in your output looks good; you can ignore the remaining
> items. The DNS entries are only needed for opportunistic encryption.****
>
> ****
>
> *From:* users-bounces at openswan.org [mailto:users-bounces at openswan.org] *On
> Behalf Of *Vigyan Kaushik
> *Sent:* Tuesday, August 23, 2011 11:54 AM
> *To:* users at openswan.org
> *Subject:* [Openswan Users] Installing Openswan on CentOs****
>
> ****
>
> Hi All,
>
> I am installing Openswan for IPSec VPN connection from my iphone and ipad.
> I can not find a good detailed documentation on the openswan install so I
> tried using Yum to install the package in my Centos 5.
>
>
> After installing if I run ipsec verify, I am not seeing the status of
> majorty things OK which means, I may have to setup/configure it further...
> One of the check is about the Kernel support. Can you please see the output
> below and suggest something?
>
>
> [trixbox1.localdomain ~]# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.21/K(no kernel code presently loaded)
> Checking for IPsec support in kernel [FAILED]
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [FAILED]
> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
> Two or more interfaces found, checking IP forwarding [FAILED]
> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
> Checking NAT and MASQUERADEing
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
>
> Opportunistic Encryption DNS checks:
> Looking for TXT in forward dns zone: trixbox1.localdomain [MISSING]
> Does the machine have at least one non-private address? [FAILED]
>
> Thanks,
> VK****
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155**
> **
>
> ** **
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110824/1d3f3d22/attachment.html
More information about the Users
mailing list