[Openswan Users] Openswan doesn't open any port to listen.
Mohsen B.Sarmadi
mohsen.bsarmadi at gmail.com
Fri Nov 22 21:07:12 UTC 2013
Dear All,
I am using an EC2 Ubuntu 12.04 LTS instance in AWS. Openswan doesn't open any port to listen on.
Please help me get my server running; I can't find out what's wrong.
I used this manual: https://help.ubuntu.com/community/L2TPServer
$ cat /etc/ipsec.conf
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
    # contains the networks that are allowed as subnet= for the remote
    # client. In other words, the address ranges that may live behind a NAT
    # router through which a client connects.
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    type=transport
    # Replace IP address with your local IP (private, behind NAT IP is okay as well)
    left=127.0.0.1
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # force all to be nat'ed. because of iOS
    forceencaps=yes
$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
# this file is managed with debconf and will contain the automatically
# created RSA keys
#include /var/lib/openswan/ipsec.secrets.inc
127.0.0.1 %any: PSK "PASSWORD"
$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-54-virtual (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY: Testing XFRM related proc values                       [OK]
                                                                [OK]
                                                                [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
$ cat /etc/xl2tpd/xl2tpd.conf
[global]                                ; Global parameters:
ipsec saref = no

[lns default]                           ; Our fallthrough LNS definition
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
unix authentication = yes
$ cat /etc/ppp/options.xl2tpd
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
login
$ sudo cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server  secret    IP addresses
user1       l2tpd   PASSWORD  *
user2       l2tpd   PASSWORD  *
$ nmap localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2013-11-22 21:01 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00080s latency).
Hostname localhost resolves to 2 IPs. Only scanned 127.0.0.1
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
9000/tcp open  cslistener
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Here is the log:
Nov 22 21:03:07 ip-10-185-160-186 ipsec_setup: Stopping Openswan IPsec...
Nov 22 21:03:09 ip-10-185-160-186 kernel: [1536360.687719] NET: Unregistered protocol family 15
Nov 22 21:03:09 ip-10-185-160-186 ipsec_setup: ...Openswan IPsec stopped
Nov 22 21:03:09 ip-10-185-160-186 kernel: [1536360.737201] NET: Registered protocol family 15
Nov 22 21:03:09 ip-10-185-160-186 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-54-virtual...
Nov 22 21:03:09 ip-10-185-160-186 ipsec_setup: Using NETKEY(XFRM) stack
Nov 22 21:03:09 ip-10-185-160-186 kernel: [1536360.836489] Initializing XFRM netlink socket
Nov 22 21:03:09 ip-10-185-160-186 ipsec_setup: ...Openswan IPsec started
Nov 22 21:03:09 ip-10-185-160-186 xl2tpd[3002]: death_handler: Fatal signal 15 received
Nov 22 21:03:09 ip-10-185-160-186 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Nov 22 21:03:09 ip-10-185-160-186 pluto: adjusting ipsec.d to /etc/ipsec.d
Nov 22 21:03:09 ip-10-185-160-186 ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Nov 22 21:03:09 ip-10-185-160-186 ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Nov 22 21:03:10 ip-10-185-160-186 xl2tpd[3500]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Nov 22 21:03:10 ip-10-185-160-186 xl2tpd[3500]: setsockopt recvref[30]: Protocol not available
Nov 22 21:03:10 ip-10-185-160-186 xl2tpd[3500]: This binary does not support kernel L2TP.
Nov 22 21:03:10 ip-10-185-160-186 xl2tpd[3501]: xl2tpd version xl2tpd-1.3.1 started on ip-10-185-160-186 PID:3501
Nov 22 21:03:10 ip-10-185-160-186 xl2tpd[3501]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Nov 22 21:03:10 ip-10-185-160-186 xl2tpd[3501]: Forked by Scott Balmos and David Stipp, (C) 2001
Nov 22 21:03:10 ip-10-185-160-186 xl2tpd[3501]: Inherited by Jeff McAdams, (C) 2002
Nov 22 21:03:10 ip-10-185-160-186 xl2tpd[3501]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Nov 22 21:03:10 ip-10-185-160-186 xl2tpd[3501]: Listening on IP address 0.0.0.0, port 1701
Please give me a hint.
Thanks,
Regards,
Mohsen
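A check for the symptom in this post, added here as an example and not part of the original message or of Openswan: nmap's default scan (SYN scan as root, connect scan otherwise) covers TCP only, so a host whose VPN daemons are bound only to UDP 500, 4500 and 1701 shows nothing VPN-related in "nmap localhost". The "ipsec verify" output above already reports pluto listening on udp 500 and 4500, and the xl2tpd log line reports port 1701, so the socket table is the place to look. The script below parses the output of "ss -uln" (or "netstat -uln") and reports which of a list of expected UDP ports are not bound. The listing embedded in it is a constructed sample so that it runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): list the UDP ports bound on
# this host and report which of the expected IPsec/L2TP ports are missing.
# nmap's default scan is TCP-only, so UDP listeners never show up in
# "nmap localhost"; look at the socket table instead.

# Constructed sample of "ss -uln" output, used so the script runs offline.
# On a real host pass "$(ss -uln)" or "$(netstat -uln)" instead.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:500        0.0.0.0:*
UNCONN 0      0      0.0.0.0:4500       0.0.0.0:*
UNCONN 0      0      0.0.0.0:1701       0.0.0.0:*
UNCONN 0      0      127.0.0.1:53       0.0.0.0:*
UNCONN 0      0      [::]:500           [::]:*'

# bound_udp_ports: read ss/netstat output on stdin, print each bound local
# port once, numerically sorted. The first field that ends in ":<digits>"
# is the local address column, whichever column position the tool uses;
# the header line ("Local Address:Port") does not match and is skipped.
bound_udp_ports() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { n = split($i, a, ":"); print a[n]; break }
    }' | sort -un
}

# missing_udp_ports LISTING PORT...: print every PORT not bound according to
# LISTING; exit status 0 if all are bound, 1 otherwise.
missing_udp_ports() {
    listing=$1
    shift
    rc=0
    for p in "$@"; do
        if ! printf '%s\n' "$listing" | bound_udp_ports | grep -qx "$p"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# Ports this L2TP/IPsec setup must have bound: IKE (500), NAT-T (4500)
# and L2TP (1701).
if missing_udp_ports "$SAMPLE_SS" 500 4500 1701 >/dev/null; then
    echo "sample: all IPsec/L2TP UDP ports are bound"
fi
```

On the server itself the call is missing_udp_ports "$(ss -uln)" 500 4500 1701; an empty result with exit status 0 means the daemons are bound. To confirm from outside, nmap needs a UDP scan, nmap -sU -p 500,4500 server, and it reports a UDP port that gives no answer as open|filtered, so a firewall rule or EC2 security group that drops the packets is indistinguishable from an open port that stays silent; check the security group allows inbound UDP 500 and 4500 before concluding anything from that result. Port 1701 only needs to be reachable inside the IPsec transport-mode SA, which with forceencaps=yes travels over UDP 4500 anyway.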