[Openswan Users] VPN setup between dedicated server and CISCO firewall

Paul Young paul at arkig.com
Mon Nov 4 21:44:05 UTC 2013


Although not directly related, on a CentOS box this will help:

# http://www.couyon.net/1/post/2013/02/ipsec-on-rhel6centos6-dont-do-it.html
net.ipv4.xfrm4_gc_thresh = 65536

in /etc/sysctl.conf

Cheers


On 5 November 2013 06:16, Leto <letoams at gmail.com> wrote:

>
>
> sent from a tiny device
>
> On 2013-11-04, at 7:39, "Rishad Ali" <rishad.ali at turnkey-instruments.com>
> wrote:
>
> Hi all,
>
> I am trying to set up a VPN between my dedicated server (CentOS) and
> another company. I want to terminate the VPN on my dedicated server, which I
> access remotely, and the other company terminates their VPN on a CISCO
> firewall.
>
> (I have been given their internal IP address and external gateway IP
> address to set up on openswan.)
>
>
>
> My first problem is, I do not have a network behind my server, so what
> should be my *internal IP address* in the ipsec.config? (Should I use the
> same public IP address for both internal and external?)
>
>
> you can just leave out leftsubnet=
>
>
>
>
>
> Secondly, when I run ipsec verify, below is the output:
>
>
>
>
> It's odd that it shows ip xfrm is broken on CentOS; that is normally not a
> problem. Do you have the iproute package installed?
>
>
> Checking if IPsec got installed and started correctly:
> Version check and ipsec on-path                              [OK]
> Openswan U2.6.39/K2.6.32-358.23.2.el6.x86_64 (netkey)
> See `ipsec --copyright' for copyright information.
> Checking for IPsec support in kernel                         [OK]
> NETKEY: Testing XFRM related proc values
>          ICMP default/send_redirects                         [OK]
>          ICMP default/accept_redirects                       [OK]
>          XFRM larval drop                                    [OK]
> Hardware random device check                                 [N/A]
> Checking rp_filter                                           [ENABLED]
> /proc/sys/net/ipv4/conf/default/rp_filter                   [ENABLED]
> /proc/sys/net/ipv4/conf/lo/rp_filter                        [ENABLED]
> /proc/sys/net/ipv4/conf/eth0/rp_filter                      [ENABLED]
> Checking that pluto is running                               [OK]
> Pluto listening for IKE on udp 500                           [OK]
> Pluto listening for IKE on tcp 500                           [NOT IMPLEMENTED]
> Pluto listening for IKE/NAT-T on udp 4500                    [DISABLED]
> Pluto listening for IKE/NAT-T on tcp 4500                    [NOT IMPLEMENTED]
> Pluto listening for IKE on tcp 10000 (cisco)                 [NOT IMPLEMENTED]
> Checking NAT and MASQUERADEing                               [TEST INCOMPLETE]
> Checking 'ip' command                                        [IP XFRM BROKEN]
> Checking 'iptables' command                                  [OK]
>
>
>
> It says:
>
> Checking NAT and MASQUERADEing                               [TEST INCOMPLETE]
> Checking 'ip' command                                        [IP XFRM BROKEN]
>
> How do I fix this?
>
>
>
> Thanks.
>
>
>
>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
>
>
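The rp_filter and xfrm4_gc_thresh settings discussed in this thread, as an added POSIX shell checker that is not part of the original posts: it reads a `sysctl -a` style dump (a constructed sample here, or the running kernel when called with `live`) and prints the lines that would need to go into /etc/sysctl.conf. The function names `audit_sysctl` and `sysctl_value` and the sample values are my own assumptions.

```shell
#!/bin/sh
# Audit the sysctl values that `ipsec verify` flags on a CentOS 6 / NETKEY
# host, plus the xfrm4_gc_thresh setting recommended in the reply above.
# Runs against a captured `sysctl -a` dump so it works offline; pass "live"
# as the first argument to read the running kernel instead.

# Constructed sample dump matching the state shown in the thread:
# rp_filter enabled everywhere, gc threshold still at a low value.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.xfrm4_gc_thresh = 1024'

# sysctl_value DUMP KEY -> prints the value of KEY from the dump (empty if absent)
sysctl_value() {
  printf '%s\n' "$1" | awk -F' = ' -v k="$2" '$1 == k { print $2 }'
}

# audit_sysctl DUMP -> prints one "FIX: key = wanted" line per problem found
audit_sysctl() {
  dump=$1
  # rp_filter must be 0 on every interface: a strict reverse-path check can
  # drop packets NETKEY has just decrypted, which is why ipsec verify
  # reports every enabled entry.
  for key in $(printf '%s\n' "$dump" | awk -F' = ' '$1 ~ /\.rp_filter$/ && $2 != 0 { print $1 }'); do
    echo "FIX: $key = 0"
  done
  # ICMP redirects should stay off; ipsec verify checks both directions.
  for key in net.ipv4.conf.all.send_redirects net.ipv4.conf.all.accept_redirects; do
    [ "$(sysctl_value "$dump" "$key")" = "0" ] || echo "FIX: $key = 0"
  done
  # The xfrm4 garbage-collection threshold from the reply (not directly
  # related to the verify output, but recommended for RHEL6/CentOS 6).
  gc=$(sysctl_value "$dump" net.ipv4.xfrm4_gc_thresh)
  [ "${gc:-0}" -ge 65536 ] || echo "FIX: net.ipv4.xfrm4_gc_thresh = 65536"
  return 0
}

# Run against the live kernel or the constructed sample.
if [ "${1:-}" = "live" ]; then
  audit_sysctl "$(sysctl -a 2>/dev/null)"
else
  audit_sysctl "$SAMPLE_SYSCTL"
fi
```

The FIX lines double as a sysctl.conf fragment: `audit_sysctl "$(sysctl -a)" | sed 's/^FIX: //'` prints them ready to append, after which `sysctl -p` loads the file.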

