[Swan] (no subject)
Paul Wouters
pwouters at redhat.com
Sun Feb 17 22:32:31 EET 2013
On Sun, 17 Feb 2013, Alex wrote:
> I have an fc18 install with the default openswan that I'm trying to
> get running. I've had little success with other resources to get this
> working, and I understand the project has been migrated to libreswan?
>
> The config for my fc18 server was migrated from a working fc14
> openswan install, but I can't get the same config working on fc18. I
> believe at the time I had to compile it without NSS support, but I
> don't remember specifically. I'm hoping someone is familiar with the
> differences between fc14 and fc18 openswan, and can guide me here.
> Should I be using the latest libreswan instead?
If you were using certificates and used a non-NSS version, you need
to migrate the certificates into the nss database.
You can do that using:
certutil -N -d /etc/ipsec.d
<hit return twice>
pk12util -i yourpkcs.p12 -d /etc/ipsec.d
If you don't have the .p12 file but have separate cacert, cert and key,
the easiest might be to create a .p12 file using openssl:
openssl pkcs12 -export -out yourpkcs.p12 -inkey privateKey.key -in \
certificate.crt -certfile CACert.crt
> Openswan U2.6.38/K3.7.6-201.fc18.x86_64 (netkey)
> See `ipsec --copyright' for copyright information.
> Checking for IPsec support in kernel [OK]
> NETKEY: Testing XFRM related proc values
> ICMP default/send_redirects [NOT DISABLED]
> Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will
> cause act on or cause sending of bogus ICMP redirects!
> ICMP default/accept_redirects [NOT DISABLED]
> Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will
> cause act on or cause sending of bogus ICMP redirects!
You probably want to add to /etc/sysctl.conf:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
> conn VPN-HQ-XO
> auto=start
> right=XXX.YYY.193.42
> rightnexthop=XXX.YYY.193.41
> rightsubnet=192.168.1.0/24
> rightid="@C=US, ST=New Jersey, L=My Town, O=My Company Inc,
> CN=cyclops.example.com"
> rightcert=remotecerts/cyclops.crt
Change that to rightcert=cyclops (assuming your "friendly name" in the
pkcs12 export is set to "cyclops").
> left=NNN.MMM.72.6
> leftnexthop=NNN.MMM.72.5
> leftsubnet=AAA.BBB.16.0/27
> leftid="@C=US, ST=New Jersey, L=My Town, O=My Company Inc,
> CN=orion.example.com"
> leftcert=remotecerts/orion.crt
Same for this one.
> conn VPN-HQ-XO-2
> auto=start
> right=XXX.YYY.193.42
> rightnexthop=XXX.YYY.193.41
> rightsubnet=192.168.1.0/24
> rightid="@C=US, ST=New Jersey, L=My Town, O=My Company Inc,
> CN=cyclops.example.com"
> rightcert=remotecerts/cyclops.crt
> left=NNN.MMM.72.6
> leftnexthop=NNN.MMM.72.5
> leftsubnet=BBB.CCC.218.96/28
> leftid="@C=US, ST=New Jersey, L=My Town, O=My Company Inc,
> CN=orion.example.com"
> leftcert=remotecerts/orion.crt
And this one.
The instructions apply to the openswan in fedora as well as for
libreswan.
Paul
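An added example, not part of the list message above: it builds a throwaway certificate, exports it to a .p12 with the friendly name "cyclops", and reads that name back out of the file so you can confirm what rightcert= has to be set to before importing with pk12util. All names, paths and passwords are constructed; the NSS import step only runs if certutil and pk12util are installed.

```shell
#!/bin/sh
# Constructed demo (not from the original post): export a cert to PKCS#12
# with a friendly name, then read the name back so it can be matched
# against rightcert=. Assumes openssl; the NSS import part is optional.
set -eu

TMP="$(mktemp -d)"
P12PASS="demo-export-pass"   # constructed export password

# Print the friendlyName stored in the certificate bag of a .p12 file.
# Usage: p12_friendly_name FILE PASSWORD
p12_friendly_name() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -info -nokeys -nomacver 2>/dev/null \
        | sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p' | head -n 1
}

# Build a self-signed test cert and export it with -name; that name is
# the nickname NSS uses after pk12util imports the file.
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/ST=New Jersey/O=My Company Inc/CN=cyclops.example.com" \
        -keyout "$TMP/cyclops.key" -out "$TMP/cyclops.crt" 2>/dev/null
    openssl pkcs12 -export -name cyclops \
        -inkey "$TMP/cyclops.key" -in "$TMP/cyclops.crt" \
        -passout "pass:$P12PASS" -out "$TMP/cyclops.p12"
}

make_demo_p12
NICK="$(p12_friendly_name "$TMP/cyclops.p12" "$P12PASS")"
echo "friendlyName in .p12: $NICK  (so use rightcert=$NICK)"

# Optional: import into a fresh NSS database with an empty password (the
# 'hit return twice' step) and list the nicknames certutil now knows.
if command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1; then
    mkdir -p "$TMP/nssdb"
    certutil -N -d "$TMP/nssdb" --empty-password
    pk12util -i "$TMP/cyclops.p12" -d "$TMP/nssdb" -W "$P12PASS" -K ''
    certutil -L -d "$TMP/nssdb"
fi
```

If the name printed does not match what you put in rightcert=, re-export the .p12 with the -name you want rather than editing ipsec.conf to guess the nickname.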