[Openswan Users] Installing Openswan on CentOs

Kevin Keane kkeane at 4nettech.com
Wed Aug 24 13:52:20 EDT 2011 

The routing changes really have little to do with OpenVPN or with IPsec;
they are needed whenever you put your VPN on a machine that isn't your
default gateway. That is one of the reasons why it is generally best to
connect routers with a VPN, instead of putting the VPN endpoint on a machine
behind a router. That said, IPsec doesn't really establish a VPN the way
OpenVPN does; it simply encrypts the TCP/IP traffic between the two peers.
Everything else, including forwarding to a private subnet behind the other
IPsec peer, really works more like classic TCP/IP than like a more
traditional VPN.

 

IPsec really connects machines more than users. Machines can be identified
with a preshared key, or with a certificate. Also, you need to get the
various encryption parameters right. I would recommend that you read up on
how IPsec works; you will need to have a good understanding of the two
phases, of aggressive mode and main mode, etc. to troubleshoot. Once you
have a firm understanding of how IPsec works, read the various README.xxx
files that come with openswan to get started (you may need to install the
openswan-doc package. Then you can find it in
/usr/share/doc/packages/openswan-doc). One word of caution: I found that the
documentation isn't always perfect, especially because RedHat made
substantial changes to how certificates are managed.

 

There is a way to use IPsec to connect road warriors - users. You would
first get IPsec to work machine-to-machine, and then you'd set up XAUTH.
That works on top of the actual encrypted channel, though.

 

In the end, you are probably best off not to think of IPsec as a VPN at all,
but rather as a mechanism to encrypt TCP/IP traffic (and to route traffic
from subnets behind the machines through the encrypted connection).

 

From: Vigyan Kaushik [mailto:vkaushikdll at gmail.com] 
Sent: Wednesday, August 24, 2011 9:18 AM
To: Kevin Keane
Cc: users at openswan.org
Subject: Re: [Openswan Users] Installing Openswan on CentOs

 

Thanks Kevin.. I will make these changes. Now how do I create they Keys or
User that will connect to my VPN server?

Also do I need any routing changes as well.. I have used openvpn and there I
had to make some change in Ip Tables to route request from VPN server to the
server in the local network. Something similar here?

On Tue, Aug 23, 2011 at 9:30 PM, Kevin Keane <subscription at kkeane.com>
wrote:

For the NETKEY errors, you need to edit /etc/sysctl.conf, and then reboot.

 

You need to change the following line:

 

net.ipv4.ip_forward = 1

 

(the default is 0; ipsec needs 1).

 

You need to add the following lines at the end.

 

# for ipsec, configure some additional settings

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.send_redirects = 0

 

Ignore the DNS errors. That is only relevant if you want to use OE.

 

From: Vigyan Kaushik [mailto:vkaushikdll at gmail.com] 
Sent: Tuesday, August 23, 2011 3:44 PM
To: Kevin Keane
Cc: users at openswan.org
Subject: Re: [Openswan Users] Installing Openswan on CentOs

 

Yes.. I can see it now.. I am using trixbox (freepbx) bundled centos. 

So now how do I setup the keys etc.. below is the latest output.

[trixbox1.localdomain ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.21/K2.6.18-164.11.1.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                              
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: trixbox1.localdomain    [MISSING]
   Does the machine have at least one non-private address?      [FAILED]

[trixbox1.localdomain ~]# uname -a
Linux trixbox1.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04
EST 2010 i686 i686 i386 GNU/Linux



On Tue, Aug 23, 2011 at 3:05 PM, Kevin Keane <subscription at kkeane.com>
wrote:

Try "service ipsec start". That will start the ipsec daemon (pluto), and may
also load some kernel modules.

 

If that doesn't help: Which version of CentOS and what kernel are you
running? Use the command "uname -a".

 

I just set up openswan on two CentOS 5.6 servers. I didn't need any special
configuration for the kernel. One instance used the stock CentOS kernel, the
other used a Rackspace kernel.

 

Everything else in your output looks good; you can ignore the remaining
items. The DNS entries are only needed for opportunistic encryption.

 

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Vigyan Kaushik
Sent: Tuesday, August 23, 2011 11:54 AM
To: users at openswan.org
Subject: [Openswan Users] Installing Openswan on CentOs

 

Hi All,

I am installing Openswan for IPSec VPN connection from my iphone and ipad. I
can not find a good detailed documentation on the openswan install so I
tried using Yum to install the package in my Centos 5.


After installing if I run ipsec verify, I am not seeing the status of
majorty things OK which means, I may have to setup/configure it further...
One of the check is about the Kernel support. Can you please see the output
below and suggest something?


[trixbox1.localdomain ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.21/K(no kernel code presently loaded)
Checking for IPsec support in kernel                            [FAILED]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding            [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking NAT and MASQUERADEing                              
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: trixbox1.localdomain    [MISSING]
   Does the machine have at least one non-private address?      [FAILED]

Thanks,
VK


_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

 


_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110824/3b25a1cf/attachment-0001.html

More information about the Users mailing list