[Swan] (no subject)

Paul Wouters pwouters at redhat.com
Sun Feb 17 22:32:31 EET 2013


On Sun, 17 Feb 2013, Alex wrote:

> I have an fc18 install with the default openswan that I'm trying to
> get running. I've had little success with other resources to get this
> working, and I understand the project has been migrated to libreswan?
>
> The config for my fc18 server was migrated from a working fc14
> openswan install, but I can't get the same config working on fc18. I
> believe at the time I had to compile it without NSS support, but I
> don't remember specifically. I'm hoping someone is familiar with the
> differences between fc14 and fc18 openswan, and can guide me here.
> Should I be using the latest libreswan instead?

If you were using certificates and used a non-NSS version, you need
to migrate the certificates into the nss database.

You can do that using:

certutil -N -d /etc/ipsec.d
<hit return twice>
pk12util -i yourpkcs.p12 -d /etc/ipsec.d

If you don't have the .p12 file but have separate cacert, cert and key,
the easiest might be to create a .p12 file using openssl:

openssl pkcs12 -export -out yourpkcs.p12 -inkey privateKey.key -in \
certificate.crt -certfile CACert.crt

> Openswan U2.6.38/K3.7.6-201.fc18.x86_64 (netkey)
> See `ipsec --copyright' for copyright information.
> Checking for IPsec support in kernel                    [OK]
> NETKEY: Testing XFRM related proc values
>         ICMP default/send_redirects                    [NOT DISABLED]
>  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will
> cause act on or cause sending of bogus ICMP redirects!
>         ICMP default/accept_redirects                  [NOT DISABLED]
>  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will
> cause act on or cause sending of bogus ICMP redirects!

You probably want to add to /etc/sysctl.conf:

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

> conn VPN-HQ-XO
>        auto=start
>        right=XXX.YYY.193.42
>        rightnexthop=XXX.YYY.193.41
>        rightsubnet=192.168.1.0/24
>        rightid="@C=US, ST=New Jersey, L=My Town, O=My Company Inc,
> CN=cyclops.example.com"
>        rightcert=remotecerts/cyclops.crt

Change that to rightcert=cyclops (assuming your "friendly name" in the
pkcs12 export is set to "cyclops").

>        left=NNN.MMM.72.6
>        leftnexthop=NNN.MMM.72.5
>        leftsubnet=AAA.BBB.16.0/27
>        leftid="@C=US, ST=New Jersey, L=My Town, O=My Company Inc,
> CN=orion.example.com"
>        leftcert=remotecerts/orion.crt

Same for this one.

> conn VPN-HQ-XO-2
>        auto=start
>        right=XXX.YYY.193.42
>        rightnexthop=XXX.YYY.193.41
>        rightsubnet=192.168.1.0/24
>        rightid="@C=US, ST=New Jersey, L=My Town, O=My Company Inc,
> CN=cyclops.example.com"
>        rightcert=remotecerts/cyclops.crt
>        left=NNN.MMM.72.6
>        leftnexthop=NNN.MMM.72.5
>        leftsubnet=BBB.CCC.218.96/28
>        leftid="@C=US, ST=New Jersey, L=My Town, O=My Company Inc,
> CN=orion.example.com"
>        leftcert=remotecerts/orion.crt

And this one.

The instructions apply to the openswan in fedora as well as for
libreswan.

Paul
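The steps in Paul's reply collected into a POSIX shell script, as an added example that is not part of the original message and not code from the openswan or libreswan projects. It imports key, certificate and CA into the NSS database through a PKCS#12 file whose friendly name becomes the leftcert=/rightcert= nickname, rewrites the conn entries from file paths to those nicknames, and writes and re-checks the redirect sysctls (covering accept_redirects as well, since the `ipsec verify` output quoted above warned about both). The tools certutil, pk12util and openssl and the /etc/ipsec.d directory are from the post; the function names, the non-interactive flags (`--empty-password`, `-name`, `-passout`, `-W`), the `certutil -A` route for a peer certificate without a private key, and the directory argument to the check function are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from openswan/libreswan.
# Migration steps for a non-NSS openswan config on Fedora 18:
#   1. import key + cert + CA into the NSS db via a PKCS#12 file
#   2. rewrite leftcert=/rightcert= file paths to NSS nicknames
#   3. write and check the sysctl settings that `ipsec verify` complained about
# Assumptions (mine): certutil/pk12util/openssl on PATH, NSS db in /etc/ipsec.d,
# and the non-interactive flags --empty-password, -name, -passout and -W.
set -eu

NSSDIR=${NSSDIR:-/etc/ipsec.d}

# 1. Build a .p12 from separate files and import it. The friendly name given
#    with -name is the nickname that leftcert=/rightcert= must reference.
#    $1=private key  $2=certificate  $3=CA certificate  $4=nickname
import_cert_to_nss() {
    key=$1 crt=$2 ca=$3 name=$4
    p12=$(mktemp)
    openssl pkcs12 -export -out "$p12" -inkey "$key" -in "$crt" \
        -certfile "$ca" -name "$name" -passout pass:
    # initialise the database once with an empty password (the "hit return
    # twice" step in the post), then import
    if [ ! -f "$NSSDIR/cert8.db" ] && [ ! -f "$NSSDIR/cert9.db" ]; then
        certutil -N -d "$NSSDIR" --empty-password
    fi
    pk12util -i "$p12" -d "$NSSDIR" -W ''
    rm -f "$p12"
    # confirm the nickname is now visible under that name
    certutil -L -d "$NSSDIR" -n "$name" >/dev/null
}

# 1b. (my addition; the post only covers the .p12 route) A peer certificate
#     for which you hold no private key can go in as a plain cert:
#     $1=certificate file  $2=nickname
import_peer_cert() {
    certutil -A -d "$NSSDIR" -n "$2" -t ',,' -i "$1"
}

# 2. Filter for ipsec.conf (stdin -> stdout): turn
#      rightcert=remotecerts/cyclops.crt   into   rightcert=cyclops
#    The basename without extension must equal the nickname used above.
rewrite_cert_refs() {
    sed -E 's#^([[:space:]]*(left|right)cert=)([^[:space:]]*/)?([^/[:space:]]+)\.(crt|pem|der)[[:space:]]*$#\1\4#'
}

# 3a. sysctl fragment: `ipsec verify` warned about both send_redirects and
#     accept_redirects and checks the default/ values, so set all and default.
redirect_sysctl_fragment() {
    cat <<'EOF'
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
}

# 3b. Re-check the live tree (or any directory laid out like it): returns 1
#     and names each file whose value is not 0. Interfaces created after boot
#     inherit from default/, which is why default/ matters as much as all/.
redirects_enabled() {
    root=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    for f in "$root"/*/send_redirects "$root"/*/accept_redirects; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" != 0 ]; then
            echo "still enabled: $f"
            rc=1
        fi
    done
    return $rc
}

# Example run (hypothetical file names):
#   import_cert_to_nss orion.key orion.crt CACert.crt orion
#   import_peer_cert remotecerts/cyclops.crt cyclops
#   rewrite_cert_refs < ipsec.conf > ipsec.conf.nss
#   redirect_sysctl_fragment >> /etc/sysctl.conf && sysctl -p
#   redirects_enabled || echo "fix redirects before starting ipsec"
```

Run the import functions as root once per host; the filter and the check are safe to run anywhere, and the check can be pointed at a copy of the sysctl tree for testing.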

