[Openswan Users] Fedora with netkey and freeswan with klips

Bob Miller bob at computerisms.ca
Sun Jan 16 04:46:04 EST 2011


On Sun, 2011-01-16 at 05:54 +0000, Alex wrote:
> Hi,
> 
> > I don't use klips, so I can't say for sure, but I would expect them to
> > still be able to work...
> 
> So your inclination is that this wouldn't be a cause for why they aren't
> connecting, correct?

Correct.  But it is just an inclination.

> 
> 'ipsec verify' shows everything is okay, I believe:
> 
> root at fc14 ~]# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.6.31/K2.6.35.10-74.fc14.x86_64 (netkey)
> Checking for IPsec support in kernel                            [OK]
> SAref kernel support                                            [N/A]
> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> Checking that pluto is running                                  [OK]
> Pluto listening for IKE on udp 500                              [OK]
> Pluto listening for NAT-T on udp 4500                           [FAILED]
> Two or more interfaces found, checking IP forwarding            [FAILED]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                                [DISABLED]

I see you have subnets in your config, that probably means you need ip
forwarding.  But I doubt that is why you are not connecting...

> There are only a handful of other informational messages in the log files:
> 
> Jan 15 16:01:19 fc14 ipsec_setup: ...Openswan IPsec started
> Jan 15 16:01:19 fc14 pluto: adjusting ipsec.d to /etc/ipsec.d
> Jan 15 16:01:19 fc14 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
> Jan 15 16:01:19 fc14 ipsec__plutorun: 002 loading certificate from
> myhost.example.com 
> Jan 15 16:01:19 fc14 ipsec__plutorun: 002 loading certificate from
> myhost1.example.com 
> Jan 15 16:01:19 fc14 ipsec__plutorun: 002 added connection description
> "VPN-MYNET-REMNET"
> Jan 15 16:01:19 fc14 ipsec__plutorun: 002 loading certificate from
> myhost.example.com 
> Jan 15 16:01:19 fc14 ipsec__plutorun: 002 loading certificate from
> myhost1.example.com 
> Jan 15 16:01:20 fc14 ipsec__plutorun: 104 "VPN-MYNET-REMNET" #1: STATE_MAIN_I1:
> initiate

Are you sure your boxes are talking to each other?  iptables
blocking port 500 maybe?  

> 
> Should I just increase the logging and look for something additional, or is
> there a more procedural way to determine where the problem is?

Almost never.  If you've got something that needs more debugging, you've got
real problems...

> > encrypting/sending and decrypting/receiving in the kernel and does not
> > provide the virtual interface to work with.  My understanding is you
> > need to compile your openswan with klips support if you want to use
> > it.  
> 
> Does that affect functionality, and how the configuration should be written, or
> just how it operates internally?

Hmm.. I think there are a few netkey-only or klips-only config options,
but you would have to check the man page.  With klips you get an ipsec0
interface to write your iptables rules for; with netkey, you have to
mark your ESP packets.  There is probably more to know, but I can't help
much here.

> 
> Thanks again,
> Alex
> 
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users

Bob Miller
334-7117/660-5315
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
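The two FAILED lines in Alex's `ipsec verify` output (NAT-T on udp 4500 and IP forwarding) are the kind of thing worth pulling out automatically before digging into pluto logs. The script below is an added example, not code from the thread or from Openswan: it parses the verify output quoted above (embedded here as a constructed sample), and attaches a hint for the two failures the thread discusses, using the standard `net.ipv4.ip_forward` sysctl and Openswan's `nat_traversal` option from the `config setup` section of ipsec.conf.

```python
import re

# Constructed sample: the `ipsec verify` output quoted earlier in this thread.
SAMPLE = """\
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.31/K2.6.35.10-74.fc14.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
SAref kernel support                                            [N/A]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [FAILED]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
"""

# One check per line: description, padding, then a bracketed status such as
# [OK], [FAILED], [N/A] or [DISABLED]. Lines without a status are skipped.
LINE_RE = re.compile(r"^(?P<check>.+?)\s+\[(?P<status>[A-Z/]+)\]\s*$")

# Hints for the two checks that fail in the thread. The sysctl key is the
# standard Linux one; nat_traversal is Openswan's 'config setup' option.
HINTS = {
    "IP forwarding": "sysctl -w net.ipv4.ip_forward=1 (subnet-to-subnet needs it)",
    "NAT-T": "set nat_traversal=yes under 'config setup' in ipsec.conf, restart",
}

def parse_ipsec_verify(text):
    """Return an ordered list of (check, status) pairs from ipsec verify output."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append((m.group("check").strip(), m.group("status")))
    return results

def failed_checks(text):
    """Return the FAILED checks, each paired with a remediation hint if known."""
    out = []
    for check, status in parse_ipsec_verify(text):
        if status != "FAILED":
            continue
        hint = next((h for key, h in HINTS.items() if key in check), "no hint")
        out.append((check, hint))
    return out

if __name__ == "__main__":
    for check, hint in failed_checks(SAMPLE):
        print(f"FAILED: {check}\n    -> {hint}")
```

On a live box, replace SAMPLE with the captured output of `ipsec verify`; as Bob notes, a FAILED forwarding check explains broken subnet traffic but not a tunnel stuck in STATE_MAIN_I1, so a clean report still leaves the udp 500 filtering question open.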