[Openswan Users] Installing Openswan on CentOs

Vigyan Kaushik vkaushikdll at gmail.com
Thu Aug 25 13:38:30 EDT 2011


Thanks Kevin.. this is very helpful.

On Wed, Aug 24, 2011 at 1:52 PM, Kevin Keane <kkeane at 4nettech.com> wrote:

> The routing changes really have little to do with OpenVPN or with IPsec;
> they are needed whenever you put your VPN on a machine that isn’t your
> default gateway. That is one of the reasons why it is generally best to
> connect routers with a VPN, instead of putting the VPN endpoint on a machine
> behind a router. That said, IPsec doesn’t really establish a VPN the way
> OpenVPN does; it simply encrypts the TCP/IP traffic between the two peers.
> Everything else, including forwarding to a private subnet behind the other
> IPsec peer, really works more like classic TCP/IP than like a more
> traditional VPN.
>
> IPsec really connects machines more than users. Machines can be identified
> with a preshared key, or with a certificate. Also, you need to get the
> various encryption parameters right. I would recommend that you read up on
> how IPsec works; you will need to have a good understanding of the two
> phases, of aggressive mode and main mode, etc. to troubleshoot. Once you
> have a firm understanding of how IPsec works, read the various README.xxx
> files that come with openswan to get started (you may need to install the
> openswan-doc package. Then you can find it in
> /usr/share/doc/packages/openswan-doc). One word of caution: I found that the
> documentation isn’t always perfect, especially because RedHat made
> substantial changes to how certificates are managed.
>
> There is a way to use IPsec to connect road warriors – users. You would
> first get IPsec to work machine-to-machine, and then you’d set up XAUTH.
> That works on top of the actual encrypted channel, though.
>
> In the end, you are probably best off not to think of IPsec as a VPN at
> all, but rather as a mechanism to encrypt TCP/IP traffic (and to route
> traffic from subnets behind the machines through the encrypted connection).
>
>
> *From:* Vigyan Kaushik [mailto:vkaushikdll at gmail.com]
> *Sent:* Wednesday, August 24, 2011 9:18 AM
> *To:* Kevin Keane
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] Installing Openswan on CentOs
>
>
> Thanks Kevin.. I will make these changes. Now how do I create the keys or
> user that will connect to my VPN server?
>
> Also do I need any routing changes as well.. I have used openvpn and there
> I had to make some change in iptables to route requests from the VPN server to
> the server in the local network. Something similar here?
>
> On Tue, Aug 23, 2011 at 9:30 PM, Kevin Keane <subscription at kkeane.com>
> wrote:
>
> For the NETKEY errors, you need to edit /etc/sysctl.conf, and then reboot.
>
> You need to change the following line:
>
> net.ipv4.ip_forward = 1
>
> (the default is 0; ipsec needs 1).
>
> You need to add the following lines at the end.
>
> # for ipsec, configure some additional settings
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
>
> Ignore the DNS errors. That is only relevant if you want to use OE.
>
>
> *From:* Vigyan Kaushik [mailto:vkaushikdll at gmail.com]
> *Sent:* Tuesday, August 23, 2011 3:44 PM
> *To:* Kevin Keane
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] Installing Openswan on CentOs
>
>
> Yes.. I can see it now.. I am using trixbox (freepbx) bundled centos.
>
> So now how do I set up the keys etc.. below is the latest output.
>
> [trixbox1.localdomain ~]# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.6.21/K2.6.18-164.11.1.el5 (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]
>
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!
>
> NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]
>
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!
>
> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
>
> Opportunistic Encryption DNS checks:
>    Looking for TXT in forward dns zone: trixbox1.localdomain    [MISSING]
>    Does the machine have at least one non-private address?      [FAILED]
>
> [trixbox1.localdomain ~]# uname -a
> Linux trixbox1.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04
> EST 2010 i686 i686 i386 GNU/Linux
>
>
> On Tue, Aug 23, 2011 at 3:05 PM, Kevin Keane <subscription at kkeane.com>
> wrote:
>
> Try “service ipsec start”. That will start the ipsec daemon (pluto), and
> may also load some kernel modules.
>
> If that doesn’t help: Which version of CentOS and what kernel are you
> running? Use the command “uname -a”.
>
> I just set up openswan on two CentOS 5.6 servers. I didn’t need any special
> configuration for the kernel. One instance used the stock CentOS kernel, the
> other used a Rackspace kernel.
>
> Everything else in your output looks good; you can ignore the remaining
> items. The DNS entries are only needed for opportunistic encryption.
>
> *From:* users-bounces at openswan.org [mailto:users-bounces at openswan.org] *On
> Behalf Of *Vigyan Kaushik
> *Sent:* Tuesday, August 23, 2011 11:54 AM
> *To:* users at openswan.org
> *Subject:* [Openswan Users] Installing Openswan on CentOs
>
>
> Hi All,
>
> I am installing Openswan for an IPsec VPN connection from my iPhone and iPad.
> I cannot find good detailed documentation on the openswan install, so I
> tried using yum to install the package on my CentOS 5.
>
> After installing, if I run ipsec verify, I am not seeing the status of the
> majority of things as OK, which means I may have to set up/configure it further...
> One of the checks is about the kernel support. Can you please see the output
> below and suggest something?
>
> [trixbox1.localdomain ~]# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.6.21/K(no kernel code presently loaded)
> Checking for IPsec support in kernel                            [FAILED]
> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [FAILED]
>   whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
> Two or more interfaces found, checking IP forwarding            [FAILED]
>   whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
> Checking NAT and MASQUERADEing
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
>
> Opportunistic Encryption DNS checks:
>    Looking for TXT in forward dns zone: trixbox1.localdomain    [MISSING]
>    Does the machine have at least one non-private address?      [FAILED]
>
> Thanks,
> VK
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
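As an added example that is not part of this thread, a POSIX sh script that checks a sysctl.conf file against the five settings Kevin lists for Openswan on NETKEY (the same ones `ipsec verify` complains about) and writes a corrected copy. The file paths, the `write_sample` helper and its contents are constructed for the demonstration; on a real host the input would be /etc/sysctl.conf, followed by the reboot Kevin mentions.

```shell
# Added example, not from the thread: audit a sysctl.conf for the five settings
# Kevin lists for Openswan on NETKEY and write a corrected copy (paths and
# sample content are constructed for the demonstration).
REQUIRED="net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0"

# sysctl_value FILE KEY: effective value (last assignment wins) or "unset".
sysctl_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }    # skip comments and blank lines
        { k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v) }
        k == key { val = v; found = 1 }
        END { print (found ? val : "unset") }' "$1"
}
# audit_sysctl FILE: print each missing or wrong key; return 0 only if compliant.
audit_sysctl() {
    bad=0
    for entry in $REQUIRED; do
        key=${entry%%=*}; want=${entry#*=}
        have=$(sysctl_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: expected %s, found %s\n' "$key" "$want" "$have"
            bad=1
        fi
    done
    return "$bad"
}
# fix_sysctl IN OUT: copy IN to OUT with every required key set; existing
# assignments are rewritten in place, absent keys are appended at the end.
fix_sysctl() {
    cp "$1" "$2"
    for entry in $REQUIRED; do
        key=${entry%%=*}; want=${entry#*=}
        if [ "$(sysctl_value "$2" "$key")" = "unset" ]; then
            printf '%s = %s\n' "$key" "$want" >> "$2"
        else
            pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # match dots literally
            sed "s/^[[:space:]]*$pat[[:space:]]*=.*/$key = $want/" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
        fi
    done
}
# write_sample FILE: constructed stand-in for a stock CentOS 5 sysctl.conf.
write_sample() {
    printf '%s\n' '# Kernel sysctl configuration file' \
        'net.ipv4.ip_forward = 0' 'net.ipv4.conf.default.rp_filter = 1' > "$1"
}
```

`audit_sysctl` mirrors the NETKEY checks in the `ipsec verify` output above: it reports `ip_forward` still at 0 and the four redirect keys as unset, and `fix_sysctl` produces a file on which the audit passes without touching unrelated settings such as `rp_filter`.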