[Swan] (no subject)

Alex mysqlstudent at gmail.com
Sun Feb 17 21:03:09 EET 2013


Hi,

I have an fc18 install with the default openswan that I'm trying to
get running. I've had little success with other resources to get this
working, and I understand the project has been migrated to libreswan?

The config for my fc18 server was migrated from a working fc14
openswan install, but I can't get the same config working on fc18. I
believe at the time I had to compile it without NSS support, but I
don't remember specifically. I'm hoping someone is familiar with the
differences between fc14 and fc18 openswan, and can guide me here.
Should I be using the latest libreswan instead?

When running ipsec verify on the fc18 host, I receive the following:

# ipsec verify
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                         [OK]
Openswan U2.6.38/K3.7.6-201.fc18.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [NOT DISABLED]
  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will
cause act on or cause sending of bogus ICMP redirects!
         ICMP default/accept_redirects                  [NOT DISABLED]
  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will
cause act on or cause sending of bogus ICMP redirects!
         XFRM larval drop                               [OK]
Hardware random device check                            [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [FAILED]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]

ipsec verify: encountered errors

The ipsec process is running, but pluto is not. I don't recall having
to start that manually. There appear to be so many problems with the
config, I'm really not sure where to go from here. Paul has been very
helpful in the past, so I'm hoping he's around to help?

Here is the config I'm using for this net-to-net vpn:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=all
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        nat_traversal=no
        interfaces=%defaultroute
        uniqueids=yes
        protostack=netkey
        #virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/"
#include /etc/ipsec.d/*.conf

conn %default
        auto=add
        keyingtries=0
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        type=tunnel
        authby=rsasig
        esp=aes
        ike=aes

conn VPN-HQ-XO
        auto=start
        right=XXX.YYY.193.42
        rightnexthop=XXX.YYY.193.41
        rightsubnet=192.168.1.0/24
        rightid="@C=US, ST=New Jersey, L=My Town, O=My Company Inc, CN=cyclops.example.com"
        rightcert=remotecerts/cyclops.crt
        left=NNN.MMM.72.6
        leftnexthop=NNN.MMM.72.5
        leftsubnet=AAA.BBB.16.0/27
        leftid="@C=US, ST=New Jersey, L=My Town, O=My Company Inc, CN=orion.example.com"
        leftcert=remotecerts/orion.crt

conn VPN-HQ-XO-2
        auto=start
        right=XXX.YYY.193.42
        rightnexthop=XXX.YYY.193.41
        rightsubnet=192.168.1.0/24
        rightid="@C=US, ST=New Jersey, L=My Town, O=My Company Inc, CN=cyclops.example.com"
        rightcert=remotecerts/cyclops.crt
        left=NNN.MMM.72.6
        leftnexthop=NNN.MMM.72.5
        leftsubnet=BBB.CCC.218.96/28
        leftid="@C=US, ST=New Jersey, L=My Town, O=My Company Inc, CN=orion.example.com"
        leftcert=remotecerts/orion.crt

# Disable Opportunistic Encryption
# include /etc/ipsec.d/no_oe.conf

Thanks,
Alex
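The `ipsec verify` output above flags send_redirects and accept_redirects as NOT DISABLED on the NETKEY host. The script below is an added example, not part of Alex's message or of the Openswan/libreswan tools: it re-implements that one check so the remaining enabled entries can be listed and the matching sysctl.conf lines generated. It assumes the sysctl tree lives under /proc/sys/net/ipv4/conf; a different base directory can be passed to run it against a constructed tree.

```shell
#!/bin/sh
# Audit ICMP redirect sysctls the way `ipsec verify` does for NETKEY.
# Assumption: default base is /proc/sys/net/ipv4/conf; "$1" overrides it.

# Print "<path>=<value>" for every interface whose send_redirects or
# accept_redirects is still non-zero (i.e. not disabled).
list_enabled_redirects() {
    base="${1:-/proc/sys/net/ipv4/conf}"
    for dir in "$base"/*; do
        [ -d "$dir" ] || continue
        for key in send_redirects accept_redirects; do
            f="$dir/$key"
            [ -r "$f" ] || continue
            val=$(cat "$f")
            [ "$val" = "0" ] || printf '%s=%s\n' "$f" "$val"
        done
    done
    return 0
}

# Print the number of still-enabled entries; 0 is what verify reports as [OK].
count_enabled_redirects() {
    list_enabled_redirects "$1" | wc -l | tr -d ' '
}

# Print sysctl.conf lines that disable both redirect knobs for every
# interface directory found (the "all" and "default" entries cover
# current and future interfaces respectively).
sysctl_fix_lines() {
    base="${1:-/proc/sys/net/ipv4/conf}"
    for dir in "$base"/*; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        printf 'net.ipv4.conf.%s.send_redirects = 0\n' "$iface"
        printf 'net.ipv4.conf.%s.accept_redirects = 0\n' "$iface"
    done
    return 0
}

# Running the script directly reports the live host's remaining entries.
list_enabled_redirects
```

After writing the generated lines to /etc/sysctl.conf and applying them with `sysctl -p`, rerunning `ipsec verify` should show both ICMP checks as disabled.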