[Openswan Users] Installing Openswan on CentOs
Kevin Keane
kkeane at 4nettech.com
Wed Aug 24 13:52:20 EDT 2011
The routing changes really have little to do with OpenVPN or with IPsec;
they are needed whenever you put your VPN on a machine that isn't your
default gateway. That is one of the reasons why it is generally best to
connect routers with a VPN, instead of putting the VPN endpoint on a machine
behind a router. That said, IPsec doesn't really establish a VPN the way
OpenVPN does; it simply encrypts the TCP/IP traffic between the two peers.
Everything else, including forwarding to a private subnet behind the other
IPsec peer, really works more like classic TCP/IP than like a more
traditional VPN.
IPsec really connects machines more than users. Machines can be identified
with a preshared key, or with a certificate. Also, you need to get the
various encryption parameters right. I would recommend that you read up on
how IPsec works; you will need to have a good understanding of the two
phases, of aggressive mode and main mode, etc. to troubleshoot. Once you
have a firm understanding of how IPsec works, read the various README.xxx
files that come with openswan to get started (you may need to install the
openswan-doc package. Then you can find it in
/usr/share/doc/packages/openswan-doc). One word of caution: I found that the
documentation isn't always perfect, especially because RedHat made
substantial changes to how certificates are managed.
There is a way to use IPsec to connect road warriors - users. You would
first get IPsec to work machine-to-machine, and then you'd set up XAUTH.
That works on top of the actual encrypted channel, though.
In the end, you are probably best off not to think of IPsec as a VPN at all,
but rather as a mechanism to encrypt TCP/IP traffic (and to route traffic
from subnets behind the machines through the encrypted connection).
From: Vigyan Kaushik [mailto:vkaushikdll at gmail.com]
Sent: Wednesday, August 24, 2011 9:18 AM
To: Kevin Keane
Cc: users at openswan.org
Subject: Re: [Openswan Users] Installing Openswan on CentOs
Thanks Kevin.. I will make these changes. Now how do I create the keys or
user that will connect to my VPN server?
Also, do I need any routing changes as well.. I have used OpenVPN and there I
had to make some changes in iptables to route requests from the VPN server to
the server in the local network. Something similar here?
On Tue, Aug 23, 2011 at 9:30 PM, Kevin Keane <subscription at kkeane.com>
wrote:
For the NETKEY errors, you need to edit /etc/sysctl.conf, and then reboot.
You need to change the following line:
net.ipv4.ip_forward = 1
(the default is 0; ipsec needs 1).
You need to add the following lines at the end.
# for ipsec, configure some additional settings
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Ignore the DNS errors. That is only relevant if you want to use OE.
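The sysctl settings above are exactly what "ipsec verify" tests on a NETKEY system. As an added example, not code from this thread or from Openswan, the following POSIX shell script reads those same kernel files and reports them the way the reply prescribes; the ROOT argument (an assumption, defaulting to /proc/sys) lets it be pointed at a constructed directory tree instead of the live kernel.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan: reproduces the
# NETKEY checks that "ipsec verify" runs (ip_forward, send_redirects,
# accept_redirects) by reading the kernel's sysctl files directly.
# ROOT (assumption) defaults to /proc/sys and lets the checks run against a
# constructed directory tree for testing.

# Print the value of one dotted sysctl key under ROOT, or "missing".
sysctl_value() {
    root="$1"; key="$2"
    f="$root/$(printf '%s' "$key" | tr . /)"
    [ -r "$f" ] && cat "$f" || echo missing
}

# Return 0 only if every net/ipv4/conf/*/SETTING file holds WANT.
check_redirects() {
    root="$1"; setting="$2"; want="$3"; rc=0; n=0
    for f in "$root"/net/ipv4/conf/*/"$setting"; do
        [ -r "$f" ] || continue
        n=$((n + 1))
        v=$(cat "$f")
        if [ "$v" != "$want" ]; then
            echo "FAILED: $f = $v (want $want)"; rc=1
        fi
    done
    # No entries at all means nothing was verified; treat that as a failure.
    [ "$n" -gt 0 ] || { echo "FAILED: no $setting entries under $root"; rc=1; }
    return $rc
}

# Forwarding must be 1; both redirect settings must be 0 on every interface,
# including the "all" and "default" entries the reply tells you to set.
netkey_verify() {
    root="${1:-/proc/sys}"; rc=0
    fwd=$(sysctl_value "$root" net.ipv4.ip_forward)
    if [ "$fwd" = "1" ]; then
        echo "IP forwarding [OK]"
    else
        echo "IP forwarding [FAILED] (net.ipv4.ip_forward = $fwd)"; rc=1
    fi
    check_redirects "$root" send_redirects 0 && echo "send_redirects [OK]" || rc=1
    check_redirects "$root" accept_redirects 0 && echo "accept_redirects [OK]" || rc=1
    return $rc
}

# Check the live kernel when run directly:  sh netkey_verify.sh --live
if [ "${1:-}" = "--live" ]; then
    netkey_verify /proc/sys
fi
```

After editing /etc/sysctl.conf, "sysctl -p" loads it without a reboot; rerunning the script (or "ipsec verify") confirms that every interface, not just "all" and "default", now reports [OK].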
From: Vigyan Kaushik [mailto:vkaushikdll at gmail.com]
Sent: Tuesday, August 23, 2011 3:44 PM
To: Kevin Keane
Cc: users at openswan.org
Subject: Re: [Openswan Users] Installing Openswan on CentOs
Yes.. I can see it now.. I am using trixbox (FreePBX) bundled CentOS.
So now how do I set up the keys etc.. below is the latest output.
[trixbox1.localdomain ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.21/K2.6.18-164.11.1.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: trixbox1.localdomain [MISSING]
Does the machine have at least one non-private address? [FAILED]
[trixbox1.localdomain ~]# uname -a
Linux trixbox1.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04
EST 2010 i686 i686 i386 GNU/Linux
On Tue, Aug 23, 2011 at 3:05 PM, Kevin Keane <subscription at kkeane.com>
wrote:
Try "service ipsec start". That will start the ipsec daemon (pluto), and may
also load some kernel modules.
If that doesn't help: Which version of CentOS and what kernel are you
running? Use the command "uname -a".
I just set up openswan on two CentOS 5.6 servers. I didn't need any special
configuration for the kernel. One instance used the stock CentOS kernel, the
other used a Rackspace kernel.
Everything else in your output looks good; you can ignore the remaining
items. The DNS entries are only needed for opportunistic encryption.
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Vigyan Kaushik
Sent: Tuesday, August 23, 2011 11:54 AM
To: users at openswan.org
Subject: [Openswan Users] Installing Openswan on CentOs
Hi All,
I am installing Openswan for an IPsec VPN connection from my iPhone and iPad. I
cannot find good detailed documentation on the Openswan install, so I
tried using yum to install the package on my CentOS 5.
After installing, if I run ipsec verify, I am not seeing the status of the
majority of things as OK, which means I may have to set up/configure it further...
One of the checks is about the kernel support. Can you please see the output
below and suggest something?
[trixbox1.localdomain ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.21/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: trixbox1.localdomain [MISSING]
Does the machine have at least one non-private address? [FAILED]
Thanks,
VK
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155