[Openswan Users] Openswan Xl2tpd error when connecting VPN

Mateen Fugawala mateen.fugawala at hotmail.com
Fri Jan 21 14:03:08 EST 2011


Can someone please help me verify whether my ipsec.conf is correct? Here is
what I am trying to do.

I am running Fedora 14 on a VM. My host is a Win 7 machine with an ADSL
connection in the IP range 192.168.1.x. I want to configure Openswan so that
I can connect to and communicate with my host machine and access the file
share and local LAN. I have got all the necessary settings done, but still
there are no tunnels up. I am using PSK. My auth directory is
/etc/ppp/chap-secrets, and the PSK is in /etc/ipsec.d/ipsec.secrets. When I
connect to the VPN from Windows 7 (the host) to Openswan I use 192.168.1.11,
which is my Fedora 14 IP, with connection method L2TP, and I am not able to
get the connection.


config setup
        # the Windows client sits behind the ADSL NAT
        nat_traversal=yes
        nhelpers=0
        protostack=netkey
        # private ranges a road-warrior client may claim as its inner address
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12
        oe=off

#include /etc/ipsec/ipsec.d/examples/no_oe.conf

# NATed clients: accept any private address on the remote side, otherwise
# identical to the non-NAT conn below
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        # PSK is read from /etc/ipsec.d/ipsec.secrets
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        # L2TP/IPsec uses transport mode, L2TP itself runs over UDP/1701
        type=transport
        left=192.168.1.11
        leftprotoport=17/1701
        # client side may use any UDP source port
        rightprotoport=17/0
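
As an added example (not code from this post or from Openswan), here is a small linter that parses an ipsec.conf like the one above and flags the usual L2TP/IPsec-over-PSK mistakes: wrong mode or ports, missing nat_traversal, and a virtual_private that covers the server's own LAN without the "!" exclusion Openswan's L2TP setup guidance calls for. The sample config is a trimmed, constructed copy of the posted one; treating a missing right=%any as a finding is this script's own assumption.

```python
"""Lint an Openswan ipsec.conf for common L2TP/IPsec-over-PSK mistakes.

Added example, not code from the post; SAMPLE_CONF is a trimmed, constructed copy
of the posted config.  Rules follow Openswan's L2TP setup guidance; requiring an
explicit right=%any is this script's own assumption."""
import ipaddress

SAMPLE_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
        authby=secret
        type=transport
        left=192.168.1.11
        leftprotoport=17/1701
        rightprotoport=17/0
"""

def parse_ipsec_conf(text):
    """Return {name: {key: value}}; 'config setup' is stored under 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                  # 'conn NAME' or 'config setup'
            kind, _, name = line.strip().partition(" ")
            current = name.strip() if kind in ("conn", "config") else None
            if current:
                sections.setdefault(current, {})
        elif current and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def resolve_conn(sections, name):
    """Flatten also= includes; keys set directly in a conn win over included ones."""
    own = dict(sections[name])
    for inc in filter(None, own.pop("also", "").split(",")):
        for key, value in resolve_conn(sections, inc.strip()).items():
            own.setdefault(key, value)
    return own

def lint_l2tp_conn(sections, name):
    """Return human-readable findings for the named L2TP conn (empty = looks right)."""
    setup, conn, findings = sections.get("setup", {}), resolve_conn(sections, name), []
    want = {"type": "transport", "authby": "secret", "leftprotoport": "17/1701"}
    for key, value in want.items():
        if conn.get(key) != value:
            findings.append(f"{key}={value} expected, got {conn.get(key)!r}")
    if setup.get("nat_traversal") != "yes":
        findings.append("nat_traversal=yes is needed for a Windows client behind NAT")
    if "right" not in conn:
        findings.append("right= is unset; a road-warrior responder should say right=%any")
    if conn.get("left", "%").startswith("%"):      # %defaultroute etc.: LAN unknown here
        return findings
    host = ipaddress.ip_address(conn["left"])
    vp = [n.strip()[4:] for n in setup.get("virtual_private", "").split(",") if "%v4:" in n]
    inside = any(host in ipaddress.ip_network(n) for n in vp if not n.startswith("!"))
    excluded = any(host in ipaddress.ip_network(n[1:]) for n in vp if n.startswith("!"))
    if inside and not excluded:
        findings.append(f"virtual_private covers the LAN of left={host} but does not "
                        "exclude it; add %v4:!<that LAN> as Openswan's L2TP guidance says")
    return findings
```

Run against the posted config it reports the missing LAN exclusion and the unset right=; with `%v4:!192.168.1.0/24` appended and `right=%any` added it reports nothing.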


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of users-request at openswan.org
Sent: Friday, January 21, 2011 10:28 PM
To: users at openswan.org
Subject: Users Digest, Vol 86, Issue 41

Send Users mailing list submissions to
	users at openswan.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.openswan.org/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
	users-request at openswan.org

You can reach the person managing the list at
	users-owner at openswan.org

When replying, please edit your Subject line so it is more specific than
"Re: Contents of Users digest..."


Today's Topics:

   1. Re: ipsec newhostkey --configdir broken ??? (Michael H. Warfield)
   2.  Openswan Xl2tpd error when connecting VPN on (Mateen Fugawala)
   3. About SPD, SADB database. (Le Ngoc Son)


----------------------------------------------------------------------

Message: 1
Date: Fri, 21 Jan 2011 09:50:54 -0500
From: "Michael H. Warfield" <mhw at WittsEnd.com>
Subject: Re: [Openswan Users] ipsec newhostkey --configdir broken ???
To: Greg Scott <GregScott at Infrasupport.com>
Cc: mhw at WittsEnd.com, users at openswan.org
Message-ID: <1295621454.5875.31.camel at canyon.wittsend.com>
Content-Type: text/plain; charset="utf-8"

On Fri, 2011-01-21 at 09:40 -0500, Michael H. Warfield wrote: 
> On Wed, 2011-01-19 at 16:20 -0600, Greg Scott wrote:
> > I ended up working around the problem by installing a Fedora RPM. 
> > That system is running Fedora 12, and Red Hat has a 2.6.29-1 RPM for 
> > Fedora 12. So that's what I ended up with. But first, I removed 
> > 2.6.32 and installed 2.6.31 from source. ipsec newhostkey with 
> > --configdir switch did not fail with 2.6.31, but it also finished 
> > immediately and didn't generate anything. So I removed 2.6.31 and 
> > installed the Fedora RPM and all worked as expected.
> 
> 1) Fedora 12 is EOL and you should be using something more up to date.
> 
> 2) You can get the 2.6.31 rpm from the F14 repos.
> 
> 3) If you want to rebuild from source but want it to match the Fedora 
> configuration, download the source RPM and install that and then 
> install the newer source in the rpmbuild/SOURCES directory and update 
> the rpmbuild/SPECS/openswan.spec file for the new version and rebuild 
> it that way.  I do that routinely.  Once in a while it will get bitchy 
> about one patch or another but that generally just means it's a fix 
> that got incorporated so I just disable the patch and go again.  I 
> don't think I ran into that at all from 2.6.31 to 2.6.32 though.  I 
> think that will rebuild cleanly.

Sorry, I should have added that, if you want the F14 srpm and you really
don't want to upgrade to F13 or F14, I would recommend just pulling it with
yumdownloader...

yumdownloader --releasever=14 --source openswan

Then rebuild it on your system with...

"rpmbuild --rebuild openswan-2.6.31-1.fc14.src.rpm"

If you have all the other pieces you need (you should if you were able to
compile it from source before) that should succeed and you'll have
2.6.31 rpms for F12.  In that case, go ahead and install the .srpm and then
the 2.6.32 sources and rebuild as described above.  Should go smoothly.

> > Go figure.  

> > This was how I built from source:
> 
> > cp openswan-2.6.32.tar.gz /usr/local/src cd /usr/local/src tar zxvf 
> > openswan-2.6.32.tar.gz cd openswan-2.6.32 make USE_LIBNSS=true 
> > programs install
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> That's probably where you are getting some mismatches between things.
> Look in the source rpm spec file and how they configure and build it.
> This will end up putting things in /usr/local and look for things in 
> the wrong directories compared to the Fedora locations.
> 
> > I have a hunch when I built from source, I didn't get in whatever I 
> > needed for that NSS database and that was the root of my troubles.
> 
> > Is there any documentation for how to use this new NSS database? I 
> > still don't know how to import and export keys to/from 
> > hostkey.secrets and this complicates firewall replacements and made 
> > my life more stressful today.
> 
> Yeah, this pretty much sucks royally.  NSS is such a PITA that I 
> typically just rebuild the RPM and disable NSS and FIPS checking since 
> I need neither of them.  I understand the motivation behind Fedora and 
> RH moving to this (unified crypto and key management, FIPS compliance, 
> etc, etc, etc) but someone should have given some serious thought to 
> smooth migration of existing sites.  At one point (and I hope like 
> hell it's not still true) you could not "import" existing private keys 
> into the NSS database.  At least I never got it to work and there are 
> articles (old at this point) that claim it was broken scattered on the
net.
> Yeah, that move was poorly thought out.  Regenerating stacks and 
> stacks of certificates on dozens of machines just because I couldn't 
> import their existing private key was NOT AN OPTION for me.  Maybe 
> they've fixed that and maybe it works smoother now.  I would love to 
> be corrected on this, PLEASE.  I know, what I should do is go back and 
> retest now with the latest nss tools.  Maybe I'll do that today myself.
> 
> Have you read the document README.nss?
> 
> /usr/share/doc/openswan-doc-2.6.32/README.nss
> 
> You'll find lots of good information in there.  Certainly, from the 
> sounds of the section on "Migrating Certificates" it would sound like 
> you can simply export the key and cert to a .p12 pkcs12 file and then 
> import it into the database, but I wasn't able to get that to work, at 
> least not early on.  It may actually work now.
> 
> > thanks
> 
> > - Greg Scott
> 
> Regards,
> Mike
> 
> ________________________________
> > 
> > From: users-bounces at openswan.org on behalf of Greg Scott
> > Sent: Wed 1/19/2011 2:37 PM
> > To: users at openswan.org
> > Subject: [Openswan Users] ipsec newhostkey --configdir broken ???
> > 
> > 
> > 
> > I'm in a world of hurt.  I am trying to setup openswan 2.6.32 on a live
system that died.  This is an install from source.  I build a new empty nss
database in /etc/ipsec.d like this:
> > 
> > certutil -N -d /etc/ipsec.d
> > 
> > and then try to generate a new hostkey, like this:
> > 
> > ipsec newhostkey --configdir /etc/ipsec.d \  --output 
> > /etc/ipsec.d/hostkey.secrets \  --verbose \  --hostname xxx-fw
> > 
> > This fails with:
> > 
> > /usr/local/libexec/ipsec/rsasigkey: unrecognized option '--configdir'
> > 
> > So I do ipsec newhostkey without any --configdir parameter.  This runs
to completion and generates a good hostkey.secrets file.  But I have a hunch
it never populates any of the .db files in any nss database.
> > 
> > Later on when I start everything up, I see this in /ver/log/secure:
> > 
> > Jan 19 13:37:00 localhost pluto[13939]: "colo-hqmirror" #2: unable 
> > to locate my private key for RSA Signatur
> > 
> > And I'll bet that's because it's trying to read the key from that nss
database, which doesn't get populated because that --configdir parameter
seems to be broken.  This worked for at least 18 months and several
installations with different versions.  But now it breaks with 2.6.32.  Or
what am I doing wrong?
> > 
> > thanks
> > 
> > - Greg Scott
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

--
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!

------------------------------

Message: 2
Date: Fri, 21 Jan 2011 21:11:35 +0530
From: Mateen Fugawala <mateen.fugawala at hotmail.com>
Subject: [Openswan Users]  Openswan Xl2tpd error when connecting VPN
	on
To: <users at openswan.org>
Message-ID: <SNT116-DS79C4577277063D03DA1A0F9F80 at phx.gbl>
Content-Type: text/plain; charset="us-ascii"

William,

I have configured Openswan to connect from my Windows client over L2TP in PSK
mode. However, when I try to connect I am unable to get the connection.
When I do service ipsec status, I get no tunnels up. Could you please guide
me as to what the issue could be?

Mateen.

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of users-request at openswan.org
Sent: Friday, January 21, 2011 8:11 PM
To: users at openswan.org
Subject: Users Digest, Vol 86, Issue 40



Today's Topics:

   1. Openswan Xl2tpd error when connecting VPN on fedora 14.
      (Mateen Fugawala)
   2. Re: Openswan Xl2tpd error when connecting VPN on fedora 14.
      (Willie Gillespie)
   3. Re: IPsec on Ubuntu Linux Server 8.04 (Hardy) (Kaushal Shriyan)
   4. Re: ipsec newhostkey --configdir broken ??? (Michael H. Warfield)


----------------------------------------------------------------------

Message: 1
Date: Fri, 21 Jan 2011 11:34:14 +0530
From: Mateen Fugawala <mateen.fugawala at hotmail.com>
Subject: [Openswan Users] Openswan Xl2tpd error when connecting VPN on
	fedora 14.
To: <users at openswan.org>
Message-ID: <SNT116-DS130286D7288B562D953052F9F80 at phx.gbl>
Content-Type: text/plain; charset="us-ascii"

I am facing an issue while configuring Open VPN on my Fedora 14 box. It is
on a VM running VMware Workstation. I am attaching the details of my and
also ipsec verify.

/etc/ipsec.conf

/etc/xl2tpd/xl2tpd.conf

/etc/ppp/chap-secrets.

Thanks & Regards,

Mateen Fugawala


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec.conf.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20110121/452bf340/attachment-0004.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec verify status.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20110121/452bf340/attachment-0005.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: XL2TPD.conf.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20110121/452bf340/attachment-0006.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Chap-secrests.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20110121/452bf340/attachment-0007.txt

------------------------------

Message: 2
Date: Thu, 20 Jan 2011 23:55:57 -0700
From: Willie Gillespie <wgillespie+openswan at es2eng.com>
Subject: Re: [Openswan Users] Openswan Xl2tpd error when connecting
	VPN on fedora 14.
To: users at openswan.org
Message-ID: <4D392DFD.4060404 at es2eng.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 01/20/2011 11:04 PM, Mateen Fugawala wrote:
> I am facing an issue while configuring Open VPN on my Fedora 14 box. 
> It is on a VM running VMware Workstation. I am attaching the details 
> of my and also ipsec verify.

What's the issue?


------------------------------

Message: 3
Date: Fri, 21 Jan 2011 15:55:15 +0530
From: Kaushal Shriyan <kaushalshriyan at gmail.com>
Subject: Re: [Openswan Users] IPsec on Ubuntu Linux Server 8.04
	(Hardy)
To: Paul Wouters <paul at xelerance.com>
Cc: users at openswan.org
Message-ID:
	<AANLkTik-6OiOACTV9obw0z8_sZ19PHbQRKgTq1hKSieS at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On Tue, Jan 18, 2011 at 8:36 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Tue, 18 Jan 2011, Kaushal Shriyan wrote:
>
>  Hi Paul
>>
>> Please have a look at http://paste.ubuntu.com/555411/
>>
>
> initiate on demand from 10.0.0.119:8 to 172.17.6.175:0 proto=1 state:
> fos_start because: acquire
>
> You did not add oe=no in your "config setup" or you removed it? please 
> put it back there.
>
> "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 
> group=modp1024}
>
> phase1 is up.
>
> "sonicwall" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel 
> mode
> {ESP=>0x4287be14 <0xc60d8692 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none 
> DPD=enabled}
>
> phase2 is up.
>
> but meanwhile you also race with another connection which ends in:
>
> "sonicwall" #4: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, 
> OAKLEY_GROUP_MODP1024] refused due to strict flag
>
> So it seems the sonic wall might want esp=3des-sha1;modp1024
>
>
> Paul
>

Hi,

Please suggest a good tutorial to understand IPsec and Openswan; I am
missing the concepts.

Thanks

Kaushal

------------------------------

Message: 4
Date: Fri, 21 Jan 2011 09:40:49 -0500
From: "Michael H. Warfield" <mhw at WittsEnd.com>
Subject: Re: [Openswan Users] ipsec newhostkey --configdir broken ???
To: Greg Scott <GregScott at Infrasupport.com>
Cc: mhw at WittsEnd.com, users at openswan.org
Message-ID: <1295620849.5875.26.camel at canyon.wittsend.com>
Content-Type: text/plain; charset="utf-8"

On Wed, 2011-01-19 at 16:20 -0600, Greg Scott wrote:
> I ended up working around the problem by installing a Fedora RPM. That 
> system is running Fedora 12, and Red Hat has a 2.6.29-1 RPM for Fedora 
> 12. So that's what I ended up with. But first, I removed 2.6.32 and 
> installed 2.6.31 from source. ipsec newhostkey with --configdir switch 
> did not fail with 2.6.31, but it also finished immediately and didn't 
> generate anything. So I removed 2.6.31 and installed the Fedora RPM 
> and all worked as expected.

1) Fedora 12 is EOL and you should be using something more up to date.

2) You can get the 2.6.31 rpm from the F14 repos.

3) If you want to rebuild from source but want it to match the Fedora
configuration, download the source RPM and install that and then install the
newer source in the rpmbuild/SOURCES directory and update the
rpmbuild/SPECS/openswan.spec file for the new version and rebuild it that
way.  I do that routinely.  Once in a while it will get bitchy about one
patch or another but that generally just means it's a fix that got
incorporated so I just disable the patch and go again.  I don't think I ran
into that at all from 2.6.31 to 2.6.32 though.  I think that will rebuild
cleanly.

> Go figure.  

> This was how I built from source:

> cp openswan-2.6.32.tar.gz /usr/local/src cd /usr/local/src tar zxvf 
> openswan-2.6.32.tar.gz cd openswan-2.6.32 make USE_LIBNSS=true 
> programs install
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

That's probably where you are getting some mismatches between things.
Look in the source rpm spec file and how they configure and build it.
This will end up putting things in /usr/local and look for things in the
wrong directories compared to the Fedora locations. 

> I have a hunch when I built from source, I didn't get in whatever I 
> needed for that NSS database and that was the root of my troubles.

> Is there any documentation for how to use this new NSS database? I 
> still don't know how to import and export keys to/from hostkey.secrets 
> and this complicates firewall replacements and made my life more 
> stressful today.

Yeah, this pretty much sucks royally.  NSS is such a PITA that I typically
just rebuild the RPM and disable NSS and FIPS checking since I need neither
of them.  I understand the motivation behind Fedora and RH moving to this
(unified crypto and key management, FIPS compliance, etc, etc, etc) but
someone should have given some serious thought to smooth migration of
existing sites.  At one point (and I hope like hell it's not still true) you
could not "import" existing private keys into the NSS database.  At least I
never got it to work and there are articles (old at this point) that claim
it was broken scattered on the net.
Yeah, that move was poorly thought out.  Regenerating stacks and stacks of
certificates on dozens of machines just because I couldn't import their
existing private key was NOT AN OPTION for me.  Maybe they've fixed that and
maybe it works smoother now.  I would love to be corrected on this, PLEASE.
I know, what I should do is go back and retest now with the latest nss
tools.  Maybe I'll do that today myself.

Have you read the document README.nss?

/usr/share/doc/openswan-doc-2.6.32/README.nss

You'll find lots of good information in there.  Certainly, from the sounds
of the section on "Migrating Certificates" it would sound like you can
simply export the key and cert to a .p12 pkcs12 file and then import it into
the database, but I wasn't able to get that to work, at least not early on.
It may actually work now.

> thanks

> - Greg Scott

Regards,
Mike

________________________________
> 
> From: users-bounces at openswan.org on behalf of Greg Scott
> Sent: Wed 1/19/2011 2:37 PM
> To: users at openswan.org
> Subject: [Openswan Users] ipsec newhostkey --configdir broken ???
> 
> 
> 
> I'm in a world of hurt.  I am trying to setup openswan 2.6.32 on a 
> live
system that died.  This is an install from source.  I build a new empty nss
database in /etc/ipsec.d like this:
> 
> certutil -N -d /etc/ipsec.d
> 
> and then try to generate a new hostkey, like this:
> 
> ipsec newhostkey --configdir /etc/ipsec.d \  --output 
> /etc/ipsec.d/hostkey.secrets \  --verbose \  --hostname xxx-fw
> 
> This fails with:
> 
> /usr/local/libexec/ipsec/rsasigkey: unrecognized option '--configdir'
> 
> So I do ipsec newhostkey without any --configdir parameter.  This runs 
> to
completion and generates a good hostkey.secrets file.  But I have a hunch it
never populates any of the .db files in any nss database.
> 
> Later on when I start everything up, I see this in /ver/log/secure:
> 
> Jan 19 13:37:00 localhost pluto[13939]: "colo-hqmirror" #2: unable to 
> locate my private key for RSA Signatur
> 
> And I'll bet that's because it's trying to read the key from that nss
database, which doesn't get populated because that --configdir parameter
seems to be broken.  This worked for at least 18 months and several
installations with different versions.  But now it breaks with 2.6.32.  Or
what am I doing wrong?
> 
> thanks
> 
> - Greg Scott

--
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!

------------------------------

_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users


End of Users Digest, Vol 86, Issue 40
*************************************



------------------------------

Message: 3
Date: Fri, 14 Jan 2011 17:19:10 +0700
From: Le Ngoc Son <lnson at fit.hcmuns.edu.vn>
Subject: [Openswan Users] About SPD, SADB database.
To: users at openswan.org
Message-ID:
	<AANLkTinugRMN2wzpLxmBp6hMPi3kR1ioy80QD50ONUA2 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi all,

I have a question about the entries of the SPD and SA databases.

In my understanding, when Openswan starts, it reads ipsec.conf to find the
IPsec interesting traffic and records it in the SPD database. Besides that,
it also records the two VPN endpoints in the SA database (SADB) after the
VPN establishment finishes.

So, if one of the two endpoints above is shut down, do the SA entries of
this VPN connection in the SADB still exist, or will they be deleted?

LNSon.


================================================
Le Ngoc Son,
Computer Network and Telecommunication Department, Faculty of Information
Technology, Natural Sciences University, National University of HCM City,
Vietnam.
Email: lnson at fit.hcmuns.edu.vn , lnsonvn at gmail.com

------------------------------

_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users


End of Users Digest, Vol 86, Issue 41
*************************************
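
As an added example (not code from this thread or from Openswan), a parser for the pluto lines Paul quoted in the "IPsec on Ubuntu Linux Server 8.04" reply above: it turns the established phase-1 parameters and the transform "refused due to strict flag" into ipsec.conf proposal strings so the two can be compared side by side against the ike=/esp= lines of a config. The log lines are constructed from the quoted output; the name tables cover only the transform names pluto prints for 3DES/AES with MD5/SHA1, anything else is reported verbatim.

```python
"""Turn pluto's negotiation log lines into ipsec.conf proposal strings.

Added example, not code from the thread.  LOG_LINES are constructed from the
pluto output quoted in Paul Wouters' reply; the OAKLEY_* names are what pluto
prints, and the output uses ipsec.conf's "alg-hash;group" proposal syntax.
"""
import re

LOG_LINES = [
    '"sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY '
    'cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}',
    '"sonicwall" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode '
    '{ESP=>0x4287be14 <0xc60d8692 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}',
    '"sonicwall" #4: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, '
    'OAKLEY_GROUP_MODP1024] refused due to strict flag',
]

# pluto's transform names -> ipsec.conf tokens (only 3DES/AES and MD5/SHA1 are
# mapped here; unknown names are passed through verbatim)
ENC = {"OAKLEY_3DES_CBC": "3des", "OAKLEY_AES_CBC": "aes"}
HASH = {"OAKLEY_MD5": "md5", "OAKLEY_SHA1": "sha1"}

ESTABLISHED = re.compile(r'"(?P<conn>[^"]+)" #\d+: STATE_MAIN_I4: .*cipher=oakley_'
                         r'(?P<enc>3des|aes)_cbc_(?P<bits>\d+) prf=oakley_(?P<hash>\w+) '
                         r'group=(?P<group>modp\d+)')
REFUSED = re.compile(r'"(?P<conn>[^"]+)" #\d+: Oakley Transform \[(?P<enc>OAKLEY_\w+?) '
                     r'\((?P<bits>\d+)\), (?P<hash>OAKLEY_\w+), OAKLEY_GROUP_(?P<group>\w+)\]'
                     r' refused due to strict flag')

def proposal(enc, bits, hash_, group):
    """Build a '3des-sha1;modp1024' style string; AES carries its key size."""
    alg = enc if enc == "3des" else f"{enc}{bits}"
    return f"{alg}-{hash_};{group.lower()}"

def summarize(lines):
    """Per conn: the phase-1 proposal that was established and those refused by '!'."""
    report = {}
    for line in lines:
        m = ESTABLISHED.search(line)
        if m:
            entry = report.setdefault(m["conn"], {"established": None, "refused": []})
            entry["established"] = proposal(m["enc"], m["bits"], m["hash"], m["group"])
            continue
        m = REFUSED.search(line)
        if m:
            entry = report.setdefault(m["conn"], {"established": None, "refused": []})
            entry["refused"].append(proposal(ENC.get(m["enc"], m["enc"]), m["bits"],
                                             HASH.get(m["hash"], m["hash"]), m["group"]))
    return report

def proposals(report, conn):
    """Distinct proposal strings seen for a conn, established first, ready to be
    compared with (or listed comma-separated in) the ike=/esp= lines of ipsec.conf."""
    entry = report[conn]
    return list(dict.fromkeys(p for p in [entry["established"], *entry["refused"]] if p))
```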


