Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I installed Openswan on my RHEL 6 box as the testee and FreeBSD as the tester.
My ipsec.conf is:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        crlcheckinterval="180"
        strictcrlpolicy=no
        interfaces=%defaultroute
        protostack=netkey
        plutostderrlog=/var/log/pluto.log
        plutodebug=all
        pluto=no
        nat_traversal=yes
        # virtual_private=
conn %default
        ikelifetime="60m"
        keylife="20m"
        rekeymargin="3m"
        keyingtries=1
        phase2=esp
        ike=aes128-sha-modp1024
        esp=aes128-sha1
        phase2alg=3des-sha1-96
        authby=secret
        ikev2=yes
        rekey=yes
        keyexchange=ike

conn host-host
        connaddrfamily=ipv6
        right=2001:0db8:0001:0001::1234
        rightnexthop=%defaultroute
        rightid=2001:0db8:0001:0001::1234
        left=2001:0db8:000f:0001::1
        leftnexthop=%defaultroute
        leftid=2001:0db8:000f:0001::1
        type=transport
        compress=no
But when I execute the command "ipsec verify", it says:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.24/K2.6.32-66.el6.i686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for NAT-T on udp 4500 [FAILED]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'curl' command for CRL fetching [OK]
Opportunistic Encryption Support [DISABLED]
When I execute the command "ipsec auto --add host-host", it says:
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
023 address family inconsistency in this connection=10 host=10/nexthop=2
037 attempt to load incomplete connection
Can anyone help me? I am a newcomer to IPsec.
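The 023 line in the post above can be reproduced offline with a small checker. This is an added example, not Openswan's code: it parses the host-host conn from the post (embedded below as a constructed sample) and compares the address family of left/right with that of their nexthop, using the Linux AF_INET (2) and AF_INET6 (10) values that the message prints. %defaultroute cannot be resolved without a routing table, so the caller supplies the family of the default route; the assumption that connaddrfamily defaults to ipv4 and all helper names (parse_conn, family_of, check_conn, describe) are mine.

```python
"""Address-family consistency check for an Openswan-style ipsec.conf conn.

Added example, not Openswan code. whack error 023 reports three numbers:
the connection family (connaddrfamily), the host family (left/right) and
the nexthop family. On Linux AF_INET is 2 and AF_INET6 is 10, so
"connection=10 host=10/nexthop=2" means IPv6 endpoints with an IPv4 nexthop.
"""
import ipaddress

AF_INET, AF_INET6 = 2, 10  # Linux socket family numbers, as printed by the 023 message

# Constructed sample: the host-host conn from the post, parameters indented as
# ipsec.conf(5) requires. %defaultroute is left unresolved on purpose.
SAMPLE_CONF = """\
conn host-host
        connaddrfamily=ipv6
        right=2001:0db8:0001:0001::1234
        rightnexthop=%defaultroute
        rightid=2001:0db8:0001:0001::1234
        left=2001:0db8:000f:0001::1
        leftnexthop=%defaultroute
        leftid=2001:0db8:000f:0001::1
        type=transport
        compress=no
"""


def parse_conn(text, name):
    """Minimal ipsec.conf reader: return {key: value} for the conn called `name`.

    An unindented line starts a new section; indented key=value lines belong
    to the section opened most recently. Comments and quotes are stripped.
    """
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            continue
        if current == name and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key.strip()] = value.strip().strip('"')
    return params


def family_of(value, default_route_family):
    """Map a left/right/nexthop value to AF_INET/AF_INET6, or None if unknown.

    %defaultroute cannot be resolved without the routing table, so the caller
    says which family the default route has. Other %-keywords are skipped.
    """
    if value == "%defaultroute":
        return default_route_family
    if value.startswith("%"):
        return None
    return AF_INET6 if ipaddress.ip_address(value).version == 6 else AF_INET


def check_conn(params, default_route_family):
    """Return [(side, conn_family, host_family, nexthop_family)] for each side
    whose host or nexthop family disagrees with connaddrfamily.

    Assumption: connaddrfamily defaults to ipv4 when absent.
    """
    conn_family = {"ipv4": AF_INET, "ipv6": AF_INET6}[
        params.get("connaddrfamily", "ipv4")]
    problems = []
    for side in ("left", "right"):
        host = family_of(params[side], default_route_family)
        nexthop_value = params.get(side + "nexthop")
        nexthop = family_of(nexthop_value, default_route_family) if nexthop_value else None
        if host != conn_family or (nexthop is not None and nexthop != conn_family):
            problems.append((side, conn_family, host, nexthop))
    return problems


def describe(problem):
    """Render a problem in the same shape as Openswan's 023 message."""
    side, conn, host, nexthop = problem
    return (f"{side}: address family inconsistency in this "
            f"connection={conn} host={host}/nexthop={nexthop}")


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONF, "host-host")
    # An IPv4 default route (the usual case) reproduces the post's error once
    # per side; an IPv6 nexthop, explicit or via an IPv6 default route, clears it.
    for problem in check_conn(conn, default_route_family=AF_INET):
        print(describe(problem))
```

With an IPv4 default route the checker reports both sides exactly as the post's whack output does; giving each side an explicit IPv6 nexthop, or resolving %defaultroute against an IPv6 default route, makes the check pass.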
Running CentOS 5.5 x64
I found this forum helpful whenever I'm stumped. Well, I got stumped and could not find any meaningful help configuring Openswan for IPsec to connect a client with our network.
After installing openswan-2.6.31, I spent many hours trying to resolve the error below when attempting to establish an IPsec tunnel. I found that installing openswan-2.6.30 fixed this error.
Error "030 message from whack contains bad string"
Below are the steps used to set up Openswan on CentOS 5.5 x64.
Download openswan-2.6.30.tar.gz from the Openswan website (forum rules prohibit entering the download URL as of this posting).
# tar -xzf openswan-2.6.30.tar.gz
# cd openswan-2.6.30
# make programs
# make install
KLIPS install for 2.0, 2.2, 2.4 or 2.6 kernels (2.6.18-194.3.1.el5-x86_64)
# export KERNELSRC=/usr/src/kernels/2.6.18-194.3.1.el5-x86_64/
# make module
# make module_install
# depmod -a
# modprobe ipsec
# service ipsec start
# chkconfig ipsec on
# ipsec verify
Other Errors/Fixes
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
Run
# sudo sysctl -a | grep 'ipv4.conf.*redirect'
This should list the variables you need to set (note: set them all to 0) in /etc/sysctl.conf.
Copy them into /etc/sysctl.conf and set all variables to 0:
# vi /etc/sysctl.conf
To apply the changes:
# sysctl -p
# ipsec restart
iptables Rules
# **********************************
#
# Simple IPsec rules. The first step is to allow IPsec packets (IKE on UDP port 500 plus ESP, protocol 50)
# in and out of your gateway; allow IPsec IKE negotiations.
# This also makes sure the UDP 500 and 4500 and TCP 4500 ports are all open.
#
# **********************************
-A RH-Firewall-1-OUTPUT -p udp --dport 500 --sport 500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
# **********************************
#
# ESP encryption and authentication
#
# **********************************
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-OUTPUT -p 50 -j ACCEPT
# **********************************
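The sysctl step in the post above, written out as a script. This is an added example, not from the post or from Openswan: it takes constructed `sysctl -a` output, emits the lines to paste into /etc/sysctl.conf with every net.ipv4.conf.*.*_redirects key set to 0 (the post's "set them all to 0"), and also sets net.ipv4.ip_forward to 1, which is what the "checking IP forwarding" line of `ipsec verify` tests for and which the first post's verify run failed (my reading of the verify checks, not text from the page). A mock of the three NETKEY-related verify lines shows the before/after result without touching a live system. The sample output and the helper names (parse_sysctl, wanted_changes, render_sysctl_conf, netkey_checks) are mine.

```python
"""Generate the /etc/sysctl.conf lines that the NETKEY checks in `ipsec verify`
expect, from `sysctl -a` output.

Added example, not part of the post or of Openswan. The sample output is
constructed. Two rules are applied: every net.ipv4.conf.<if>.*_redirects key
goes to 0 (the post's "set them all to 0"), and net.ipv4.ip_forward goes to 1,
which is what the "checking IP forwarding" line of ipsec verify tests for.
"""
import re

# Constructed `sysctl -a | grep 'ipv4.conf.*redirect'` output plus ip_forward,
# as it would look on a box that has not been configured yet.
SAMPLE_SYSCTL_A = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.lo.accept_redirects = 1
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
"""

REDIRECT_KEY = re.compile(r"^net\.ipv4\.conf\.[^.]+\.(accept|secure|send)_redirects$")
IP_FORWARD = "net.ipv4.ip_forward"


def parse_sysctl(text):
    """Turn `key = value` lines into a dict; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def wanted_changes(current):
    """Return {key: value} for every setting that must change."""
    wanted = {key: "0" for key, value in current.items()
              if REDIRECT_KEY.match(key) and value != "0"}
    if current.get(IP_FORWARD) != "1":
        wanted[IP_FORWARD] = "1"
    return wanted


def render_sysctl_conf(changes):
    """Format changes as lines ready to append to /etc/sysctl.conf."""
    return "".join(f"{key} = {value}\n" for key, value in sorted(changes.items()))


def netkey_checks(settings):
    """Mock of the three NETKEY-related `ipsec verify` lines: name -> OK/FAILED."""
    def all_zero(kind):
        keys = [k for k in settings if REDIRECT_KEY.match(k) and k.endswith(kind)]
        return bool(keys) and all(settings[k] == "0" for k in keys)
    return {
        "send_redirects": "OK" if all_zero("send_redirects") else "FAILED",
        "accept_redirects": "OK" if all_zero("accept_redirects") else "FAILED",
        "ip_forward": "OK" if settings.get(IP_FORWARD) == "1" else "FAILED",
    }


if __name__ == "__main__":
    current = parse_sysctl(SAMPLE_SYSCTL_A)
    changes = wanted_changes(current)
    print(render_sysctl_conf(changes), end="")     # paste into /etc/sysctl.conf, then sysctl -p
    print(netkey_checks(current))                  # before: all three FAILED
    print(netkey_checks({**current, **changes}))   # after: all three OK
```

On a real box, feed it the output of `sysctl -a` instead of the constructed sample, append the rendered lines to /etc/sysctl.conf, run `sysctl -p`, and then re-run `ipsec verify` to confirm the three lines now read [OK]; the mock check is only there to show what the change achieves.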