[Openswan Users] really basic peer-to-peer setup
Alan McKay
alan.mckay at gmail.com
Fri May 3 18:07:35 UTC 2013
On Fri, May 3, 2013 at 1:41 PM, Simon Deziel <simon at xelerance.com> wrote:
> This should give you a list of the man pages:
> dpkg -L openswan| grep man
Aha, that was rather stupid of me. I found only these, which were not
very helpful:
root at firewall03:/etc/shorewall# man openswan
No manual entry for openswan
root at firewall03:/etc/shorewall# man -k openswan
ipsec__copyright (8) - prints Openswan copyright
ipsec__realsetup (8) - internal routine to start Openswan.
ipsec_look (8) - get a quick summary of Openswan status
> You can enable forwarding with:
>
> sysctl net.ipv4.ip_forward=1
>
> And add it to /etc/sysctl.conf to have it setup on each reboot.
I forgot to mention that I already found this and it still reports the
same thing. And the googling I had done there were a lot of hits that
came up and said "that is nothing to worry about". Seems odd to me
that it would not be something to worry about.
root at solexa1:~# cat /proc/sys/net/ipv4/conf/*/forwarding
1
1
1
1
1
root at solexa1:~# ls !$
ls /proc/sys/net/ipv4/conf/*/forwarding
/proc/sys/net/ipv4/conf/all/forwarding
/proc/sys/net/ipv4/conf/default/forwarding
/proc/sys/net/ipv4/conf/eth0/forwarding
/proc/sys/net/ipv4/conf/eth1/forwarding
/proc/sys/net/ipv4/conf/lo/forwarding
root at solexa1:~#
I'm also wondering about this error when I restart:
root at solexa1:~# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
Warning: ignored obsolete keyword forwardcontrol
ipsec_setup: Starting Openswan IPsec 2.6.37...
ipsec_setup: No KLIPS support found while requested, desperately
falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in
/etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue
with NETKEY
ipsec_setup: Warning: ignored obsolete keyword forwardcontrol
And finally, what should I be able to ping and from where? Right now
I'm trying from the firewalls. I have this:
(imagine this all on one line)
192.168.160.0/24 --- Switch --- (192.168.160.11-LinuxBox-10.246.159.41)
----- Intranet 10.0.0.0
---- (10.242.182.88-LinuxBox-172.30.0.1) ---- Switch
Right now I don't have any nodes at the 2nd site so it ends at the
switch. Simply because I want to have my VPN running before I start
moving gear over there otherwise I can't move the gear. So I'm
trying to ping from 10.242.182.88 (firewall03) over to 192.168.160.10
which is on the other subnet on the left (behind solexa1 /
10.246.159.41)
And I am just not sure how to start debugging this since it is showing
the tunnel is up, and forwarding is on ...
root at firewall03:/etc/shorewall# ping 192.168.160.10
PING 192.168.160.10 (192.168.160.10) 56(84) bytes of data.
^C
--- 192.168.160.10 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms
root at firewall03:/etc/shorewall# ssh !$
ssh 192.168.160.10
^C
root at firewall03:/etc/shorewall#
Oh but here is the output of "look"
root at solexa1:~# ipsec look
Warning: ignored obsolete keyword forwardcontrol
solexa1 Fri May 3 14:06:37 EDT 2013
XFRM state:
src 10.242.182.88 dst 10.246.159.41
proto esp spi 0xfd714993 reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x5e82ad2189e1c0b7d457a00356386cd89a93979a 96
enc cbc(aes) 0xe821bf4be3afa8232018736e6cc75a1eed04b80eda195562535a0902b9c2b9dd
src 10.246.159.41 dst 10.242.182.88
proto esp spi 0x8d0f2aee reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xa355768e6dd7ad7383157ebd8cc0a435f96c9fef 96
enc cbc(aes) 0xe609399474365e14b1b41a867ce87c93960c9a2649530aa59c32d382878b746d
XFRM policy:
src 192.168.160.0/24 dst 172.30.0.0/24
dir out priority 2344
tmpl src 10.246.159.41 dst 10.242.182.88
proto esp reqid 16385 mode tunnel
src 172.30.0.0/24 dst 192.168.160.0/24
dir fwd priority 2344
tmpl src 10.242.182.88 dst 10.246.159.41
proto esp reqid 16385 mode tunnel
src 172.30.0.0/24 dst 192.168.160.0/24
dir in priority 2344
tmpl src 10.242.182.88 dst 10.246.159.41
proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
XFRM done
IPSEC mangle TABLES
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
NEW_IPSEC_CONN mangle TABLES
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ROUTING TABLES
default via 10.246.159.1 dev eth1 metric 100
10.246.159.0/24 dev eth1 proto kernel scope link src 10.246.159.41
fe80::/64 dev eth1 proto kernel metric 256
root at solexa1:~#
--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"
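Added example for the thread above (not part of the original post, and not Openswan's own code): a small Python script that parses the IPv4 tunnel entries of the "XFRM policy:" section exactly as `ip xfrm policy` prints them, and reports which policy, if any, a packet with a given source and destination would match in a given direction. Selector matching is what decides whether a packet enters the ESP tunnel at all, so it is the first thing to check when `ipsec look` shows the SAs up but pings get no reply. The sample input is the policy block from solexa1 copied from the message; the packet addresses fed to it and the function names are chosen for illustration.

```python
"""Check which XFRM policy (if any) a packet would match.

Added example for the Openswan thread above; not Openswan code. Parses the
text that `ip xfrm policy` prints (the "XFRM policy:" section of `ipsec look`).
"""
import ipaddress
import re

# Constructed sample input: the policy block from `ipsec look` on solexa1,
# copied from the message above (all but one of the socket policies omitted).
SAMPLE_POLICY = """\
src 192.168.160.0/24 dst 172.30.0.0/24
dir out priority 2344
tmpl src 10.246.159.41 dst 10.242.182.88
proto esp reqid 16385 mode tunnel
src 172.30.0.0/24 dst 192.168.160.0/24
dir fwd priority 2344
tmpl src 10.242.182.88 dst 10.246.159.41
proto esp reqid 16385 mode tunnel
src 172.30.0.0/24 dst 192.168.160.0/24
dir in priority 2344
tmpl src 10.242.182.88 dst 10.246.159.41
proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
"""

SRC_DST_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^dir (in|out|fwd) priority (\d+)$")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)$")


def parse_policies(text):
    """Return tunnel policies as dicts: src/dst networks, dir, priority, tmpl.

    Socket policies ("socket out priority 0") have no `dir` line and are dropped.
    """
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SRC_DST_RE.match(line)
        if m:
            current = {
                "src": ipaddress.ip_network(m.group(1)),
                "dst": ipaddress.ip_network(m.group(2)),
                "dir": None,
                "priority": None,
                "tmpl": None,
            }
            policies.append(current)
            continue
        if current is None:
            continue
        m = DIR_RE.match(line)
        if m:
            current["dir"] = m.group(1)
            current["priority"] = int(m.group(2))
            continue
        m = TMPL_RE.match(line)
        if m:
            current["tmpl"] = (m.group(1), m.group(2))
    return [p for p in policies if p["dir"] is not None]


def lookup(policies, src, dst, direction):
    """Mimic the kernel's selector match: same direction, src inside the src
    selector, dst inside the dst selector; the lowest priority value wins."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and src_ip in p["src"] and dst_ip in p["dst"]]
    if not hits:
        return None
    return min(hits, key=lambda p: p["priority"])


def tunnel_for(policies, src, dst, direction="out"):
    """Return (outer_src, outer_dst) of the ESP tunnel the packet would use,
    or None when no policy covers it (it then leaves the box unprotected)."""
    p = lookup(policies, src, dst, direction)
    return p["tmpl"] if p else None


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_POLICY)
    print(f"parsed {len(pols)} tunnel policies")
    for src, dst in [("192.168.160.10", "172.30.0.1"),   # host behind solexa1
                     ("10.246.159.41", "172.30.0.1")]:   # solexa1's own outer address
        t = tunnel_for(pols, src, dst)
        print(f"{src} -> {dst}: " + (f"ESP tunnel {t[0]} -> {t[1]}" if t
                                     else "no policy match, sent in the clear"))
```

Run with `python3 xfrm_match.py`: a packet from 192.168.160.10 to 172.30.0.1 matches the `out` policy and is wrapped in ESP towards 10.242.182.88, while one sourced from the gateway's own outer address 10.246.159.41 matches nothing and leaves in the clear. The mirror holds on the other gateway: a ping sourced from 10.242.182.88 towards 192.168.160.0/24 is not covered by a `172.30.0.0/24 -> 192.168.160.0/24` selector. A ping from a host inside the protected subnet, or `ping -I <address inside the subnet>` on the gateway (Openswan's `leftsourceip`/`rightsourceip` options exist for this), is the test that actually exercises the tunnel, and `ip -s xfrm state` showing the ESP byte counters climbing confirms packets are going through it.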