[Openswan Users] Trying to get basics down

Chris cjdl01 at brokensolstice.com
Wed May 18 17:19:24 EDT 2011


Okay,

I have been fussing with this for some time now, and I even bought the
Packt Openswan book, and read every word up to and through chapter 4 --
but this is still not working for me.

I don't know how much of my misunderstanding is due to things being
outdated, how much is due to the differences of IPsec implementation
from distro to distro, and how much of it is me just missing the
mark... but I'm no noob to Linux.

Anyway,

I made a test environment with 4 machines on my own network -- no NAT
anywhere.  The network is 10.5.5.0/24 -- acting as my test "Internet".
The left machine is connected via crossover cable to a computer,
leftcomp1.  The right machine is connected via crossover cable to a
computer, rightcomp1.
I am using Debian Squeeze.  I installed openswan.  I put this in my
sysctl.conf:

net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0

I set up my ipsec.conf as on page 82:

config setup
        protostack=netkey
        interfaces=%defaultroute

conn %default
        authby=rsasig

conn west-east
        left=10.5.5.126
        right=10.5.5.134
        type=tunnel
        leftrsasigkey=0sAwEAAcs7JqTAxnSomeLongStringTakenFromShowHostKey....
        rightrsasigkey=0sAwEAAarDoUWtx/0d7j+X6iKKNKmaeySomeLongStringTakenFromShowHostKey...
        auto=start

At this point, I'm not using KLIPS, because I couldn't find a package  
for Debian for this, and I just want to get this thing working... I  
didn't want to have to compile a custom kernel.  I don't even know if  
KLIPS is recommended anymore (though it is encouraged in the book).

So, I start up ipsec like so: /etc/init.d/ipsec start

It starts with no complaints, but when I issue: ipsec verify
I get:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [FAILED]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

I don't understand the failures here.  I'm not using NAT, so I don't
know why Pluto is looking for it.  I enabled IP forwarding, so I don't
know why that is failing either.  I cannot find any help on this
anywhere, least of all the Debian forums.  The wiki page that Paul
was nice enough to publish doesn't include this sort of information
-- even though I tried it.  I also tried the most basic setup on the
openswan wiki -- which likewise didn't work.  I think that perhaps
these failures are getting in my way.

Could someone please lend a hand? How do I get rid of these failures?

Thank you.

-Chris
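As an added example that is not part of Chris's message: settings written to sysctl.conf only become live after `sysctl -p` or a reboot, and `ipsec verify` looks at the kernel's live values, so the first thing worth confirming is whether the six settings above are actually applied. This POSIX sh check compares a sysctl.conf-style file against a /proc/sys tree; the fixture directory, its file names and the mismatched values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): compare the keys in a sysctl.conf-style
# file against the live values under a /proc/sys tree.

# check_sysctl CONF PROCSYS_DIR
# Prints one tab-separated line per mismatch: key, wanted value, live value
# (or MISSING when the kernel exposes no such knob).
check_sysctl() {
    conf="$1"; procsys="$2"
    # drop comments and whitespace, then split "key=value"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$conf" |
    while IFS='=' read -r key want; do
        path="$procsys/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf '%s\t%s\tMISSING\n' "$key" "$want"
        else
            have=$(cat "$path")
            [ "$have" = "$want" ] || printf '%s\t%s\t%s\n' "$key" "$want" "$have"
        fi
    done
}

# Number of mismatches; 0 means every listed setting is live.
count_mismatches() {
    check_sysctl "$1" "$2" | wc -l | tr -d ' '
}

# Constructed fixture: the six settings from the post, plus a fake /proc/sys
# tree in which ip_forward was never applied and rp_filter is still 1.
make_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/sysctl.conf" <<'EOF'
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
EOF
    mkdir -p "$dir/proc/net/ipv4/conf/default" "$dir/proc/net/ipv4/conf/all"
    for k in send_redirects accept_redirects; do
        echo 0 > "$dir/proc/net/ipv4/conf/default/$k"
        echo 0 > "$dir/proc/net/ipv4/conf/all/$k"
    done
    echo 0 > "$dir/proc/net/ipv4/ip_forward"            # file says 1, kernel says 0
    echo 1 > "$dir/proc/net/ipv4/conf/default/rp_filter"
    printf '%s\n' "$dir"
}

FIX=$(make_fixture)
check_sysctl "$FIX/sysctl.conf" "$FIX/proc"
# Against the real kernel: check_sysctl /etc/sysctl.conf /proc/sys
```

On the fixture the check reports exactly two lines, ip_forward and rp_filter; on a live host, an empty report means sysctl.conf has been applied and the failures lie elsewhere.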

