LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 09-09-2010, 04:19 AM   #1
woshizhuzi
LQ Newbie
 
Registered: Sep 2010
Posts: 3

Rep: Reputation: 0
ipsec configration problem


i install openswan in my rhel6 as a testee and freebsd as a tester
my ipsec.conf is
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
crlcheckinterval="180"
strictcrlpolicy=no
interfaces=%defaultroute
protostack=netkey
plutostderrlog=/var/log/pluto.log
plutodebug=all
pluto=no
nat_traversal=yes
# virtual_private=
"/etc/ipsec.conf" 55L, 1487C
conn %default
ikelifetime="60m"
keylife="20m"
rekeymargin="3m"
keyingtries=1
phase2=esp
ike=aes128-sha-modp1024
esp=aes128-sha1
phase2alg=3des-sha1-96
authby=secret
ikev2=yes
rekey=yes
keyexchange=ike
conn host-host
connaddrfamily=ipv6
right=2001:0db8:0001:0001::1234
rightnexthop=%defaultroute
rightid=2001:0db8:0001:0001::1234
left=2001:0db8:000f:0001::1
leftnexthop=%defaultroute
leftid=2001:0db8:000f:0001::1
type=transport
compress=no

but when i execute the command "ipsec verify "
it say:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.24/K2.6.32-66.el6.i686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for NAT-T on udp 4500 [FAILED]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'curl' command for CRL fetching [OK]
Opportunistic Encryption Support [DISABLED]

when i execute the command " ipsec auto --add host-host"
it say:
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
023 address family inconsistency in this connection=10 host=10/nexthop=2
037 attempt to load incomplete connection



does anyone can help me , i am a newcomer to ipsec;

thank you in advance;
 
Old 09-16-2010, 01:25 PM   #2
julienr78
LQ Newbie
 
Registered: Sep 2010
Posts: 9

Rep: Reputation: 1
First, I would check to make sure port 500 and 4500 are open...

and also make sure that there is at least one empty line before (carriage return)

"conn host-host"

and indent everything under "conn host-host" by one tab...

connaddrfamily=ipv6
right=2001:0db8:0001:0001::1234
rightnexthop=%defaultroute
rightid=2001:0db8:0001:0001::1234
left=2001:0db8:000f:0001::1
leftnexthop=%defaultroute
leftid=2001:0db8:000f:0001::1
type=transport
compress=no
 
Old 09-16-2010, 01:31 PM   #3
julienr78
LQ Newbie
 
Registered: Sep 2010
Posts: 9

Rep: Reputation: 1
Also, your userland and kernel modules are not the same version....
Linux Openswan U2.6.24/K2.6.32-66.el6.i686 (netkey)..

Not sure what 2.6.32-66.el6.i686 is, the latest is 2.6.28
 
Old 11-16-2010, 06:30 PM   #4
ctcconnections
LQ Newbie
 
Registered: Nov 2010
Posts: 1

Rep: Reputation: 0
Runing Centos 5.5 x64
I found this forum helpful whenever I'm stumped. Well I got stumped and could not find any meaningful help configuring openswan for IPSec to connect a client with our network.

After installing openswan-2.6.31. I spent many hours trying to resolve the error below when attempting to establish an IPSec tunnel. I found installing openswan-2.6.30 fixed this error.

Error "030 messge from whack contains bad string"

Below find the steps used to setup openswan on centos 5.5 x64

Download openswan-2.6.30.tar.gz from openswan website --- forum rules prohibit entering the download url as of this posting.

# tar -xzf openswan-2.6.30.tar.gz
# cd openswan-2.6.30
# make programs
# make install

KLIPS install for 2.0, 2.2, 2.4 or 2.6 kernels (2.6.18-194.3.1.el5-x86_64)

# export KERNELSRC=/usr/src/kernels/2.6.18-194.3.1.el5-x86_64/
# make module
# make module_install
# depmod -a
# modprobe ipsec
# service ipsec start
# chkconfig ipsec on
# ipsec verify

Other Errors/Fixes

NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

Run
# sudo sysctl -a | grep 'ipv4.conf.*redirect'

Should list the variables you need to set. (Note: set them all to 0). in /etc/sysctl.conf

Copy the errors onto /etc/sysctl.conf and set all variables to 0
# vi /etc/sysctl.conf

To process changes
# sysctl -p

# ipsec restart


IPtables Rules

# **********************************
#
# Simples IPSec Rules The first step is to allow IPsec packets (IKE on UDP port 500 plus ESP, protocol 50)
# in and out of your gateway Allow IPsec IKE negotiations.
# Also this makes sure the UDP 500 and 4500 and TCP 4500 ports are all open.
#
# **********************************
-A RH-Firewall-1-OUTPUT -p udp --dport 500 --sport 500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
# **********************************
#
# ESP encryption and authentication
#
# **********************************
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-OUTPUT -p 50 -j ACCEPT
# **********************************

Good luck
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
vpn-ipsec : Failed to parse config setup portion of ipsec.conf hari85 Linux - Newbie 1 07-17-2010 08:12 PM
problem in configration telnet sma88 Linux - Server 10 05-17-2010 05:58 AM
Sound configration problem(Creative Sound Blaster® 5.1). truereda Mandriva 6 09-14-2009 05:12 PM
MRTG configration problem Dogar Linux - Software 6 06-03-2008 09:26 AM
problem with SSI configration on apache 2.0 garfield Linux - Newbie 0 10-12-2002 05:32 AM


All times are GMT -5. The time now is 04:51 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration