[Openswan Users] VPN setup between dedicated server and CISCO firewall

Rishad Ali rishad.ali at turnkey-instruments.com
Tue Nov 5 09:02:59 UTC 2013


Hi Leto,

Thanks for your reply. When I leave leftsubnet blank it gives me an error:

# service ipsec start

failed to start openswan IKE daemon - the following error occured:

cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:20: syntax error, unexpected STRING, expecting EOL [network]

And when I use the same public IP for both (left and leftsubnet) it gives me the following message (warning):

# service ipsec start

ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.x86_64...

ipsec_setup: multiple ip addresses, using  88.208.229.225 on eth0

ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

Yes, I do have the iproute package installed, i.e. iproute-2.6.32-23.el6.x86_64

I am still getting the below output for 'ipsec verify':

# ipsec verify

Checking if IPsec got installed and started correctly:
Version check and ipsec on-path                   [OK]
Openswan U2.6.39/K2.6.32-358.23.2.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel              [OK]
NETKEY: Testing XFRM related proc values
        ICMP default/send_redirects               [OK]
        ICMP default/accept_redirects             [OK]
        XFRM larval drop                          [OK]
Hardware random device check                      [N/A]
Checking rp_filter                                [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter         [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter              [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter            [ENABLED]
Checking that pluto is running                    [OK]
Pluto listening for IKE on udp 500                [OK]
Pluto listening for IKE on tcp 500                [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500         [DISABLED]
Pluto listening for IKE/NAT-T on tcp 4500         [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco)      [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                    [TEST INCOMPLETE]
Checking 'ip' command                             [IP XFRM BROKEN]
Checking 'iptables' command                       [OK]

ipsec verify: encountered errors

Thanks for your help

From: Leto [mailto:letoams at gmail.com] 
Sent: 04 November 2013 19:16
To: Rishad Ali
Cc: <users at lists.openswan.org>
Subject: Re: [Openswan Users] VPN setup between dedicated server and CISCO firewall

sent from a tiny device

On 2013-11-04, at 7:39, "Rishad Ali" <rishad.ali at turnkey-instruments.com> wrote:

	Hi all,

	I am trying to set up a VPN between my dedicated server (CentOS) and another company. I want to terminate the VPN on my dedicated server, which I access remotely, and the other company terminates their VPN on a CISCO firewall.

	(I have been given their internal IP address and external gateway IP address to set up on openswan.)

	My first problem is, I do not have a network behind my server, so what should be my internal IP address in the ipsec.conf (should I use the same public IP address for both internal and external)?

you can just leave out leftsubnet=

Secondly, when I run ipsec verify, below is the output:

It's odd that it shows ip xfrm is broken on CentOS. That is normally not a problem. Do you have the iproute package installed?

Checking if IPsec got installed and started correctly:
Version check and ipsec on-path                   [OK]
Openswan U2.6.39/K2.6.32-358.23.2.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel              [OK]
NETKEY: Testing XFRM related proc values
        ICMP default/send_redirects               [OK]
        ICMP default/accept_redirects             [OK]
        XFRM larval drop                          [OK]
Hardware random device check                      [N/A]
Checking rp_filter                                [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter         [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter              [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter            [ENABLED]
Checking that pluto is running                    [OK]
Pluto listening for IKE on udp 500                [OK]
Pluto listening for IKE on tcp 500                [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500         [DISABLED]
Pluto listening for IKE/NAT-T on tcp 4500         [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco)      [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                    [TEST INCOMPLETE]
Checking 'ip' command                             [IP XFRM BROKEN]
Checking 'iptables' command                       [OK]

It says,

Checking NAT and MASQUERADEing                    [TEST INCOMPLETE]
Checking 'ip' command                             [IP XFRM BROKEN]

How to fix this?

Thanks.

	_______________________________________________
	Users at lists.openswan.org
	https://lists.openswan.org/mailman/listinfo/users
	Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
	Building and Integrating Virtual Private Networks with Openswan:
	http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
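The host-to-subnet setup discussed in this thread, written out as an added example that is not from the thread or from the Openswan project: a small POSIX shell script that renders an Openswan 2.6 ipsec.conf with no leftsubnet= (Openswan then uses the left address itself, a /32, as the local end of the tunnel), renders the matching /etc/ipsec.secrets line, and checks the rp_filter values that ipsec verify flagged above. The local address, the remote gateway, the remote internal subnet and the PSK are placeholders passed in as arguments (the peer addresses below are RFC 5737 documentation ranges), and the ike=/phase2alg= proposals are assumptions: they have to match the policy configured on the Cisco side or phase 1/2 will not complete. Openswan's parser error in the thread names the line and the unexpected token, so a syntax error like the one reported means a stray word on that line of the file, which rendering the file from one place avoids.

```shell
#!/bin/sh
# Added example, not from the thread or from Openswan. Renders a
# host-to-subnet ipsec.conf for the case where nothing sits behind the
# local host, and checks the rp_filter settings that 'ipsec verify' warns about.

# Render the connection for Openswan 2.6.x. No leftsubnet= is given: Openswan
# then treats the left address itself (a /32) as the local end of the tunnel.
# ASSUMPTION: the ike=/phase2alg= proposals are placeholders and must match
# the IKE/IPsec policy configured on the Cisco side.
# nat_traversal=yes makes pluto also listen on UDP 4500; it is only needed if
# one end is behind NAT, but it is what turns the [DISABLED] line into [OK].
render_ipsec_conf() {
    left=$1 right=$2 rightsubnet=$3
    cat <<EOF
config setup
    protostack=netkey
    nat_traversal=yes
    oe=off

conn to-cisco
    type=tunnel
    authby=secret
    keyexchange=ike
    ike=aes128-sha1;modp1024
    phase2=esp
    phase2alg=aes128-sha1
    pfs=no
    left=$left
    right=$right
    rightsubnet=$rightsubnet
    auto=start
EOF
}

# Render the matching /etc/ipsec.secrets line. The file must be mode 0600 and
# the PSK should be long and random (for example from 'openssl rand -base64 32').
render_ipsec_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Check rp_filter under a /proc/sys/net/ipv4/conf-style directory (the real
# one by default; a constructed one in the test). 1 = strict reverse-path
# filtering, which can drop packets that NETKEY decapsulates with a source in
# the remote subnet; 0 (off) and 2 (loose) pass. Returns 1 if any is strict.
check_rp_filter() {
    root=${1:-/proc/sys/net/ipv4/conf}
    bad=0
    for f in "$root"/*/rp_filter; do
        [ -r "$f" ] || continue
        v=$(cat "$f")
        if [ "$v" = "1" ]; then
            echo "$f = $v (strict)"
            bad=1
        fi
    done
    return "$bad"
}

# Sysctl lines that turn strict rp_filter off persistently (/etc/sysctl.conf,
# then 'sysctl -p'); ASSUMPTION: the outside interface is eth0 as in the thread.
render_sysctl_fix() {
    cat <<'EOF'
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
EOF
}

# Demo run with constructed values: ./setup.sh demo
if [ "${1:-}" = "demo" ]; then
    render_ipsec_conf 88.208.229.225 203.0.113.1 192.0.2.0/24
    render_ipsec_secrets 88.208.229.225 203.0.113.1 'replace-with-a-random-psk'
    check_rp_filter || render_sysctl_fix
fi
```

After writing the rendered files to /etc/ipsec.conf and /etc/ipsec.secrets, restart with `service ipsec restart` and re-run `ipsec verify`; the rp_filter lines should read [DISABLED] once the sysctl values are applied. The host firewall also has to accept UDP 500, UDP 4500 and ESP (IP protocol 50) from the peer's gateway address, or phase 1 never starts.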
