[Openswan Users] really basic peer-to-peer setup
Alan McKay
alan.mckay at gmail.com
Fri May 3 17:24:50 UTC 2013
Hey folks,
I'm a first-timer here and trying to get a really basic peer-to-peer,
shared secret VPN going so that both sides can see all the nodes on
the subnets behind each. I have found lots of examples out there but
just can't get it working.
I've got 2 firewalls - iptables turned off at the moment for
debugging. 2 subnets - one behind each firewall. Want each subnet
to see the other (and each firewall to see the other subnet).
But the most basic problem of all seems to me to be: where the heck
are the OpenSWAN Docs?
I've found some very limited info here:
https://github.com/xelerance/Openswan/wiki
And a bit more in the openswan-doc package on my Ubuntu 13.04 system.
I would love very much to read the fine manual - if only I could find it!
One problem it seems to me is that there is no ipsec interface being generated :
root at solexa1:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1e:68:8e:31:b8
inet addr:192.168.160.11 Bcast:192.168.160.255 Mask:255.255.255.0
inet6 addr: fe80::21e:68ff:fe8e:31b8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3776749 errors:0 dropped:0 overruns:0 frame:0
TX packets:4395845 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:804331744 (804.3 MB) TX bytes:2851976359 (2.8 GB)
Interrupt:18 Memory:dffe0000-e0000000
eth1 Link encap:Ethernet HWaddr 00:1e:68:8e:31:b9
inet addr:10.246.159.41 Bcast:10.246.159.255 Mask:255.255.255.0
inet6 addr: fe80::21e:68ff:fe8e:31b9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4275701 errors:0 dropped:10 overruns:0 frame:0
TX packets:124407 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:428881173 (428.8 MB) TX bytes:16268514 (16.2 MB)
Interrupt:19 Memory:dffa0000-dffc0000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:952990 errors:0 dropped:0 overruns:0 frame:0
TX packets:952990 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:198635180 (198.6 MB) TX bytes:198635180 (198.6 MB)
root at solexa1:~#
When I do this check it says I'm active:
root at firewall03:/etc/shorewall# ipsec auto --up 'bioinformatics'
117 "bioinformatics" #3: STATE_QUICK_I1: initiate
004 "bioinformatics" #3: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0xd4b15434 <0x3ed5c10e
xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Verify has a FAILED and I have not been able to find any good info on
Google on what to think about that.
root at solexa1:~# ipsec auto --up 'bioinformatics'
117 "bioinformatics" #6: STATE_QUICK_I1: initiate
004 "bioinformatics" #6: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0xaab61616 <0x438b59fb
xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
root at firewall03:/etc/shorewall# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.8.0-19-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Warning: ignored obsolete keyword forwardcontrol
--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"
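An added example, not from the original post or from Openswan itself: a POSIX shell script that reproduces the two checks behind the output above on a NETKEY host, the IP forwarding setting that ipsec verify reports as FAILED, and the XFRM policy pair for the two subnets (NETKEY creates no ipsecN interface, so ifconfig shows nothing). It assumes the subnets 192.168.160.0/24 and 10.246.159.0/24 from the interface addresses in the post, and takes its inputs as arguments so it runs against constructed data.

```shell
#!/bin/sh
# Added example (not Openswan code). Two checks for a subnet-to-subnet
# tunnel on a NETKEY (XFRM) gateway:
#   1. IP forwarding: "[FAILED]" in ipsec verify means the kernel does not
#      forward between eth0 and eth1, so the SA is up but the subnets behind
#      each gateway cannot reach each other.
#   2. XFRM policies: with NETKEY the tunnel shows up in `ip xfrm policy`,
#      never as an ipsecN interface in ifconfig.

# check_forwarding FILE -> prints OK when FILE contains 1, FAILED otherwise
# (on a live host FILE is /proc/sys/net/ipv4/ip_forward).
check_forwarding() {
    if [ "$(cat "$1" 2>/dev/null)" = "1" ]; then echo OK; else echo FAILED; fi
}

# has_tunnel_policy LEFT RIGHT POLICY_TEXT -> exit 0 when POLICY_TEXT (the
# output of `ip xfrm policy`) holds an outbound policy LEFT->RIGHT and an
# inbound policy RIGHT->LEFT, exit 1 otherwise.
has_tunnel_policy() {
    printf '%s\n' "$3" | awk -v l="$1" -v r="$2" '
        $1 == "src" { s = $2; d = $4; next }   # remember the selector line
        $1 == "dir" && $2 == "out" && s == l && d == r { out = 1 }
        $1 == "dir" && $2 == "in"  && s == r && d == l { inb = 1 }
        END { if (out && inb) exit 0; exit 1 }'
}

# Constructed sample of `ip xfrm policy` output for the tunnel in the post
# (assumed subnets 192.168.160.0/24 and 10.246.159.0/24).
SAMPLE_POLICY='src 192.168.160.0/24 dst 10.246.159.0/24
    dir out priority 2344 ptype main
    tmpl src 192.168.160.11 dst 10.246.159.41
        proto esp reqid 16389 mode tunnel
src 10.246.159.0/24 dst 192.168.160.0/24
    dir in priority 2344 ptype main
    tmpl src 10.246.159.41 dst 192.168.160.11
        proto esp reqid 16389 mode tunnel'

# Stand-alone demonstration on constructed data. On a real gateway use
# /proc/sys/net/ipv4/ip_forward as the file and "$(ip xfrm policy)" as the text.
demo_forward=$(mktemp); echo 0 > "$demo_forward"
echo "IP forwarding: $(check_forwarding "$demo_forward")"   # FAILED, as in the post
rm -f "$demo_forward"
if has_tunnel_policy 192.168.160.0/24 10.246.159.0/24 "$SAMPLE_POLICY"; then
    echo "XFRM policies present in both directions"
else
    echo "tunnel policy missing: check leftsubnet/rightsubnet in ipsec.conf"
fi
```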