[Openswan Users] Trying to get basics down
Vincent Tamet
vincent.tamet at ilimit.net
Thu May 19 12:38:56 EDT 2011
Maybe like what?
sysctl -p /etc/ipsec.d/examples/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
And if that does not work, an eth0 and eth1 example:
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
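As an added illustration of the point in both mails (the values in sysctl.conf only matter once they are live in /proc, which is what `ipsec verify` actually reads), here is a small POSIX shell audit that checks the same knobs the eth0/eth1 example sets. It is not Openswan's code; the SYSCTL_ROOT variable is an assumption added so the check can be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Audit the live kernel values that `ipsec verify` complains about:
# ip_forward must be 1, and accept_redirects/send_redirects must be 0
# on every interface (including the all/ and default/ pseudo-entries).
# SYSCTL_ROOT is an assumption: it defaults to the real /proc tree but
# can be overridden with a constructed tree for offline testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4}"

# read_knob <path relative to SYSCTL_ROOT>: print the value, or "missing".
read_knob() {
    if [ -r "$SYSCTL_ROOT/$1" ]; then
        tr -d '[:space:]' < "$SYSCTL_ROOT/$1"
    else
        printf 'missing'
    fi
}

# check_ipsec_sysctl: print one line per knob that differs from what a
# NETKEY gateway needs; return 0 when all are correct, 1 otherwise.
check_ipsec_sysctl() {
    rc=0
    v=$(read_knob ip_forward)
    if [ "$v" != "1" ]; then
        printf 'ip_forward=%s (want 1)\n' "$v"; rc=1
    fi
    # Walk every interface entry, so a freshly created eth1 is not missed.
    for d in "$SYSCTL_ROOT"/conf/*; do
        [ -d "$d" ] || continue
        i=$(basename "$d")
        for k in accept_redirects send_redirects; do
            v=$(read_knob "conf/$i/$k")
            if [ "$v" != "0" ]; then
                printf 'conf/%s/%s=%s (want 0)\n' "$i" "$k" "$v"; rc=1
            fi
        done
    done
    return $rc
}

# Usage: sh ipsec-sysctl-check.sh run   (file name is an assumption)
if [ "${1:-}" = "run" ]; then
    check_ipsec_sysctl && echo "all ipsec sysctl knobs OK"
fi
```

If any line is printed, apply the file with `sysctl -p` (or the echo commands above) and rerun `ipsec verify`.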
----- Original Message -----
From: "Chris Ditri" <grooveman at brokensolstice.com>
To: users at openswan.org
Sent: Thursday 19 May 2011 15:33:12
Subject: Re: [Openswan Users] Trying to get basics down
Okay... according to tcpdump, the tunnel has been established:
tcpdump -n -i eth0 |grep -i esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:26:34.689663 IP 10.5.5.126 > 10.5.5.134: ESP(spi=0x7e2eb1cb,seq=0x24), length 148
09:26:34.697211 IP 10.5.5.134 > 10.5.59.126: ESP(spi=0x0209e228,seq=0x17), length 148
09:26:34.697530 IP 10.5.5.126 > 10.5.5.134: ESP(spi=0x7e2eb1cb,seq=0x25), length 100
... but I'm still not sure why I'm getting this when I try to verify:
Pluto listening for NAT-T on udp 4500 [FAILED]
Two or more interfaces found, checking IP forwarding [FAILED]
Like I said, there is no nat on my simple network, and IP forwarding
has been enabled on both boxes: net.ipv4.ip_forward = 1 (from
sysctl.conf)
I know this may be rudimentary stuff, but I have looked, and I cannot
find an answer... (though I have seen people with the same problem).
I appreciate the help.
-Chris
Quoting Chris <cjdl01 at brokensolstice.com>:
> Okay,
>
> I have been fussing with this for some time now, and I even bought the
> Packt Openswan book, and read every word up to and through chapter 4 --
> but this is still not working for me.
>
> I don't know how much of my misunderstanding is due to things being
> outdated, how much is due to the differences of IPsec implementation
> from distro to distro, and how much of it is me just missing the
> mark... but I'm no noob to Linux.
>
> Anyway,
>
> I made a test environment with 4 machines on my own network -- no nat
> anywhere. The network is 10.5.5.0/24 -- acting as my test "Internet".
> The left machine is connected via crossover cable to a computer,
> leftcomp1. The right machine is connected via crossover cable to a
> computer, rightcomp1.
> I am using Debian Squeeze. I installed openswan. I put this in my
> sysctl.conf:
>
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
>
> I setup my ipsec.conf as on page 82:
> config setup
>     protostack=netkey
>     interfaces=%defaultroute
>
> conn %default
>     authby=rsasig
>
> conn west-east
>     left=10.5.5.126
>     right=10.5.5.134
>     type=tunnel
>
>     leftrsasigkey=0sAwEAAcs7JqTAxnSomeLongStringTakenFromShowHostKey....
>     rightrsasigkey=0sAwEAAarDoUWtx/0d7j+X6iKKNKmaeySomeLongStringTakenFromShowHostKey...
>     auto=start
>
> At this point, I'm not using KLIPS, because I couldn't find a package
> for Debian for this, and I just want to get this thing working... I
> didn't want to have to compile a custom kernel. I don't even know if
> KLIPS is recommended anymore (though it is encouraged in the book).
>
> So, I start up ipsec like so: /etc/init.d/ipsec start
>
> It starts with no complaints, but when I issue: ipsec verify
> I get:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for NAT-T on udp 4500 [FAILED]
> Two or more interfaces found, checking IP forwarding [FAILED]
> Checking NAT and MASQUERADEing [N/A]
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
> I don't understand the failures here. I'm not using NAT, so I don't
> know why Pluto is looking for it. I enabled IP forwarding, so I don't
> know why that is failing either. I cannot find any help on this
> anywhere, least of all the Debian forums. The wiki page that Paul
> was nice enough to publish doesn't include this sort of information
> -- even though I tried it. I also tried the most basic setup on the
> openswan wiki -- which likewise didn't work. I think that perhaps
> these failures are getting in my way.
>
> Could someone please lend a hand? How do I get rid of these failures?
>
> Thank you.
>
> -Chris
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>