[Openswan Users] Fedora with netkey and freeswan with klips

Alex mysqlstudent at gmail.com
Sun Jan 16 00:54:18 EST 2011


Hi,

> I don't use klips, so I can't say for sure, but I would expect them to
> still be able to work...

So your inclination is that this wouldn't be a cause for why they aren't
connecting, correct?

> > There don't appear to be any error messages in the logs on either side; the
> > systems just don't connect.
> 
> This is probably a poor generalization, but if there are no errors, I
> would expect that to mean the software is behaving exactly as it is
> configured to do.  

There is logging information, just nothing that appears to indicate an error
with connecting, except for the netkey/klips messages.

'ipsec verify' shows everything is okay, I believe:

[root@fc14 ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.31/K2.6.35.10-74.fc14.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
SAref kernel support                                            [N/A]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [FAILED]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

I have oe and NAT-T intentionally disabled.

In hopes my ipsec.conf will help, I've included it below. In this version,
protostack is commented out, but I've tried with it uncommented as well.

config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=all
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        nat_traversal=no
        interfaces=%defaultroute
        uniqueids=yes
        #protostack=netkey
        #virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

conn %default
        auto=add
        keyingtries=0
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        type=tunnel
        authby=rsasig
        esp=aes
        ike=aes

conn VPN-MYNET-REMNET
        auto=start
        left=68.XXX.YYY.42
        leftnexthop=68.XXX.YYY.41
        leftsubnet=192.168.1.0/24
        leftid="@C=US, ST=XXX, L=MMMM, O=Acme Inc, CN=myhost.example.com"
        leftcert="myhost.example.com"
        right=65.XXX.YYY.6
        rightnexthop=65.XXX.YYY.5
        rightsubnet=64.XX.YY.0/27
        rightid="@C=US, ST=XXX, L=MMMM, O=Acme Inc, CN=myhost1.example.com"
        rightcert="myhost1.example.com"

> Generally a connection from openswan makes a small handful of lines in
> your auth.log (or maybe security.log or some such on RH systems?).  You

Yes, I do see some logging information, but just nothing that indicates where it
gave up trying to connect, or why. There is a line about fips having a problem,
but I don't believe that's really an error?

Jan 15 16:01:19 fc14 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set
in /proc/sys/crypto/fips_enabled

There are only a handful of other informational messages in the log files:

Jan 15 16:01:19 fc14 ipsec_setup: ...Openswan IPsec started
Jan 15 16:01:19 fc14 pluto: adjusting ipsec.d to /etc/ipsec.d
Jan 15 16:01:19 fc14 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jan 15 16:01:19 fc14 ipsec__plutorun: 002 loading certificate from
myhost.example.com 
Jan 15 16:01:19 fc14 ipsec__plutorun: 002 loading certificate from
myhost1.example.com 
Jan 15 16:01:19 fc14 ipsec__plutorun: 002 added connection description
"VPN-MYNET-REMNET"
Jan 15 16:01:19 fc14 ipsec__plutorun: 002 loading certificate from
myhost.example.com 
Jan 15 16:01:19 fc14 ipsec__plutorun: 002 loading certificate from
myhost1.example.com 
Jan 15 16:01:20 fc14 ipsec__plutorun: 104 "VPN-MYNET-REMNET" #1: STATE_MAIN_I1:
initiate

Should I just increase the logging and look for something additional, or is
there a more procedural way to determine where the problem is?

> encrypting/sending and decrypting/receiving in the kernel and does not
> provide the virtual interface to work with.  My understanding is you
> need to compile your openswan with klips support if you want to use
> it.  

Does that affect functionality, and how the configuration should be written, or
just how it operates internally?

Thanks again,
Alex
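A small triage helper that parses the two artifacts shown in this message, the 'ipsec verify' checklist and the pluto log lines, and reports which checks failed and how far IKE Main Mode got. This is an added example, not code from the original post or from Openswan; the sample inputs are constructed from the output above, and the state descriptions follow Openswan's IKEv1 initiator state names.

```python
"""Triage an Openswan initiator that never connects (added example)."""
import re

# Meaning of each initiator-side state. A connection whose last logged
# state is STATE_MAIN_I1 sent the first Main Mode message and never got a
# reply, which points at reachability of the peer on UDP 500 rather than
# at certificates or proposals (those are negotiated in later states).
IKE_STATES = {
    "STATE_MAIN_I1": "sent MI1 (SA proposal); no MR1 received from peer",
    "STATE_MAIN_I2": "sent MI2 (key exchange); waiting for MR2",
    "STATE_MAIN_I3": "sent MI3 (ID/auth); waiting for MR3",
    "STATE_MAIN_I4": "ISAKMP SA established",
    "STATE_QUICK_I1": "sent QI1; waiting for QR1",
    "STATE_QUICK_I2": "IPsec SA established",
}
_VERIFY_RE = re.compile(r"^(?P<check>.+?)\s{2,}\[(?P<result>[A-Z/]+)\]\s*$")
_STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_\w+)')

# Constructed samples, trimmed from the output in the post above.
VERIFY_SAMPLE = """\
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [FAILED]
Two or more interfaces found, checking IP forwarding            [FAILED]
Opportunistic Encryption Support                                [DISABLED]
"""
LOG_SAMPLE = [
    'Jan 15 16:01:19 fc14 ipsec__plutorun: 002 added connection description "VPN-MYNET-REMNET"',
    'Jan 15 16:01:20 fc14 ipsec__plutorun: 104 "VPN-MYNET-REMNET" #1: STATE_MAIN_I1: initiate',
]

def failed_checks(verify_output):
    """Return the names of 'ipsec verify' checks that reported [FAILED]."""
    failed = []
    for line in verify_output.splitlines():
        m = _VERIFY_RE.match(line)
        if m and m.group("result") == "FAILED":
            failed.append(m.group("check").strip())
    return failed

def last_ike_state(log_lines):
    """Map each connection name to the last IKE state pluto logged for it."""
    last = {}
    for line in log_lines:
        m = _STATE_RE.search(line)
        if m:
            last[m.group("conn")] = m.group("state")
    return last

def diagnose(log_lines):
    """Explain, per connection, what the last logged state implies."""
    return {conn: f"{st}: {IKE_STATES.get(st, 'unknown state')}"
            for conn, st in last_ike_state(log_lines).items()}

if __name__ == "__main__":
    print("failed verify checks:", failed_checks(VERIFY_SAMPLE))
    print(diagnose(LOG_SAMPLE))
```

On the log in this thread the connection stops at STATE_MAIN_I1, so the next thing to confirm is that the peer actually receives and answers on UDP 500, with a packet capture on both ends, before raising plutodebug.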
