LinuxQuestions.org
Old 12-27-2004, 10:30 AM   #1
twsnnva
Member
 
Registered: Oct 2003
Location: Newport News, Va
Distribution: Debian
Posts: 246

Rep: Reputation: 30
Help configuring ipsec VPN


I'm trying to establish a VPN between two locations, and I'm having some problems. I'm calling the local location left and the remote right. The right location is running smoothwall, and smoothwall reports that everything is good on its end. Ipsec is running.

Right Setup

/etc/ipsec.conf
Code:
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        uniqueids=yes

conn %default
        keyingtries=0

conn net
        left=68.0.1.1
        leftsubnet=10.10.65.0/24
        leftnexthop=%defaultroute
        right=68.230.1.1
        rightsubnet=192.168.1.0/24
        rightnexthop=%defaultroute
        compress=no
        auto=start

/etc/ipsec.secrets
Code:
68.0.1.1 68.230.1.1 : PSK "pass"

The left location is running Debian Sarge with Openswan. This is also the router/firewall for this network. The Debian kernel already has ipsec support, so no patches should be required. Also, this setup does not like the plutowait, plutostart, and plutoload options under the config section of ipsec.conf. According to Openswan this has been removed, so that's expected. Here are the config files for the left location.

Left Setup

/etc/ipsec.conf
Code:
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes

conn %default
        keyingtries=0

conn net
        left=68.0.1.1
        leftsubnet=10.10.65.0/24
        leftnexthop=%defaultroute
        right=68.230.1.1
        rightsubnet=192.168.1.0/24
        rightnexthop=%defaultroute
        compress=no
        auto=start

/etc/ipsec.secrets
Code:
68.0.1.1 68.230.1.1 : PSK "pass"

Output of "route" with ipsec stopped:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 eth0
10.10.66.0      *               255.255.255.0   U     0      0        0 eth1
68.0.16.0       *               255.255.240.0   U     0      0        0 eth2
default         ip68-0-16-1.hr. 0.0.0.0         UG    0      0        0 eth2

To ensure that there are no firewall problems, I reset iptables with this script:
Code:
#!/bin/sh

IPTCMD="/sbin/iptables"
PUB="eth2"
PRV="eth0"
DMZ="eth1"


$IPTCMD -F
$IPTCMD -X
$IPTCMD -F -t nat
$IPTCMD -P INPUT ACCEPT
$IPTCMD -P OUTPUT ACCEPT
$IPTCMD -P FORWARD ACCEPT
$IPTCMD -t nat -A POSTROUTING -o $PUB -d ! 192.168.1.0/24 -j MASQUERADE

Here's the problem. When I start ipsec (/etc/init.d/ipsec start) I lose all network connectivity to and from this system. Now the output of "route" looks like this.

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     68.0.16.1       255.255.255.0   UG    0      0        0 eth2
10.10.66.0      *               255.255.255.0   U     0      0        0 eth1
68.0.16.0       *               255.255.240.0   U     0      0        0 eth2
default         68.0.16.1       128.0.0.0       UG    0      0        0 eth2
128.0.0.0       68.0.16.1       128.0.0.0       UG    0      0        0 eth2
default         68.0.16.1       0.0.0.0         UG    0      0        0 eth2

Syslog shows:
Code:
Dec 27 10:50:47 lightning ipsec_setup: ...Openswan IPsec stopped
Dec 27 10:50:47 lightning ipsec_setup: Stopping Openswan IPsec...
Dec 27 10:50:47 lightning ipsec_setup: KLIPS ipsec0 on eth2 68.0.1.1/255.255.240.0 broadcast 68.0.31.255
Dec 27 10:50:47 lightning ipsec_setup: ...Openswan IPsec started
Dec 27 10:50:47 lightning ipsec_setup: Starting Openswan IPsec U2.2.0/K2.4.27...
Dec 27 10:50:49 lightning ipsec__plutorun: 104 "net" #1: STATE_MAIN_I1: initiate
Dec 27 10:50:49 lightning ipsec__plutorun: ...could not start conn "net"

I have read elsewhere that changing interfaces=%defaultroute to interfaces="ipsec0=eth2" in ipsec.conf may fix some problems. When I do this, I do not lose the network connection to the system, but the VPN connection is not made and syslog reports:


Code:
Dec 27 10:45:12 lightning ipsec_setup: KLIPS ipsec0 on eth2 68.0.1.1/255.255.240.0 broadcast 68.0.31.255
Dec 27 10:45:12 lightning ipsec_setup: ...Openswan IPsec started
Dec 27 10:45:12 lightning ipsec_setup: Starting Openswan IPsec U2.2.0/K2.4.27...
Dec 27 10:45:12 lightning ipsec__plutorun: ipsec_auto: fatal error in "net": %defaultroute requested but not known
Dec 27 10:45:12 lightning ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
Dec 27 10:45:13 lightning ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
Dec 27 10:45:13 lightning ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
Dec 27 10:45:13 lightning ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
Dec 27 10:45:13 lightning ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
Dec 27 10:45:13 lightning ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
Dec 27 10:45:13 lightning ipsec__plutorun: 021 no connection named "packetdefault"
Dec 27 10:45:13 lightning ipsec__plutorun: ...could not route conn "packetdefault"
Dec 27 10:45:13 lightning ipsec__plutorun: 021 no connection named "block"
Dec 27 10:45:13 lightning ipsec__plutorun: ...could not route conn "block"
Dec 27 10:45:13 lightning ipsec__plutorun: 021 no connection named "clear-or-private"
Dec 27 10:45:13 lightning ipsec__plutorun: ...could not route conn "clear-or-private"
Dec 27 10:45:13 lightning ipsec__plutorun: 021 no connection named "clear"
Dec 27 10:45:13 lightning ipsec__plutorun: ...could not route conn "clear"
Dec 27 10:45:13 lightning ipsec__plutorun: 021 no connection named "private-or-clear"
Dec 27 10:45:13 lightning ipsec__plutorun: ...could not route conn "private-or-clear"
Dec 27 10:45:13 lightning ipsec__plutorun: 021 no connection named "private"
Dec 27 10:45:13 lightning ipsec__plutorun: ...could not route conn "private"

Output of "route":
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 eth0
10.10.66.0      *               255.255.255.0   U     0      0        0 eth1
68.0.16.0       *               255.255.240.0   U     0      0        0 eth2
default         ip68-0-16-1.hr. 0.0.0.0         UG    0      0        0 eth2

Does anyone have any thoughts as to what's going on?

Last edited by twsnnva; 12-27-2004 at 02:20 PM.
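
The two "route" listings in the post above differ by three entries once ipsec is started. As an added example (not part of the thread), the script below diffs those two tables, copied from the post, and flags new routes with a prefix shorter than /8, which win over the default route on longest-prefix match. The function names new_routes and shadow_routes are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): diff two `route` listings and flag
# new routes broad enough to override the default route.

# Route tables copied from the first post: ipsec stopped / ipsec started.
BEFORE='localnet        *               255.255.255.0   U     0      0        0 eth0
10.10.66.0      *               255.255.255.0   U     0      0        0 eth1
68.0.16.0       *               255.255.240.0   U     0      0        0 eth2
default         ip68-0-16-1.hr. 0.0.0.0         UG    0      0        0 eth2'
AFTER='localnet        *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     68.0.16.1       255.255.255.0   UG    0      0        0 eth2
10.10.66.0      *               255.255.255.0   U     0      0        0 eth1
68.0.16.0       *               255.255.240.0   U     0      0        0 eth2
default         68.0.16.1       128.0.0.0       UG    0      0        0 eth2
128.0.0.0       68.0.16.1       128.0.0.0       UG    0      0        0 eth2
default         68.0.16.1       0.0.0.0         UG    0      0        0 eth2'

# Print "destination genmask iface" for each route in $2 that is not in $1.
# The gateway column is ignored because `route` may print it as a name or an IP.
new_routes() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $1 == "---" { after = 1; next }
        $1 == "Destination" || NF != 8 { next }   # skip header and blank lines
        { key = $1 " " $3 " " $8 }
        !after { seen[key] = 1; next }
        !(key in seen) { print key }'
}

# Of the new routes, print those with a prefix length of 1 to 7 bits as
# "network/len iface". Such routes beat 0.0.0.0/0 on longest-prefix match.
shadow_routes() {
    new_routes "$1" "$2" | awk '
        function plen(mask,   o, n, i, b, len) {  # contiguous netmask -> bit count
            n = split(mask, o, "."); len = 0
            for (i = 1; i <= n; i++)
                for (b = o[i] + 0; b > 0; b = (b * 2) % 256) len++
            return len
        }
        { len = plen($2); net = ($1 == "default") ? "0.0.0.0" : $1 }
        len >= 1 && len <= 7 { print net "/" len " " $3 }'
}

shadow_routes "$BEFORE" "$AFTER"
```

On the tables from the post it reports the 0.0.0.0/1 and 128.0.0.0/1 pair on eth2; the new 192.168.1.0/24 route is listed by new_routes but not flagged.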
 
Old 12-28-2004, 03:50 PM   #2
twsnnva
Member
 
Registered: Oct 2003
Location: Newport News, Va
Distribution: Debian
Posts: 246

Original Poster
Rep: Reputation: 30
No one has any ideas?
 
Old 12-31-2004, 12:29 AM   #3
rajsmilesalways
LQ Newbie
 
Registered: Dec 2004
Distribution: fedora,mandrake,redhat,suse
Posts: 3

Rep: Reputation: 0
openswan problem

1. I've installed ipsec tools on Fedora Core 1, kernel 2.4, and after installation I've run the "ipsec verify" command. I'm getting the following error; can you help me solve it?

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: file `/etc/ipsec.secrets' does not exist
Checking that pluto is running [FAILED]
whack: Pluto is not running (no "/var/run/pluto.ctl")
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: sechat [MISSING]
Does the machine have at least one non-private address? [FAILED]

2. I also don't understand how to run the openswan .tar file. I have untarred it, but I'm unable to do the next step. I've tried going to the README files but don't understand how to install it into the kernel.
 
Old 02-05-2005, 12:50 AM   #4
Jerre Cope
Member
 
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323

Rep: Reputation: 37
IPSEC causes loss of Internet Access

Add
forwardcontrol=yes
to the config setup block, even if you already have ipforwarding turned on.
 
Old 03-05-2005, 05:09 AM   #5
nirav.jani
Member
 
Registered: Nov 2004
Location: Hyderabad, India
Distribution: Fedora Core - II, RedHat - 9
Posts: 45

Rep: Reputation: 15
Hi there,
Just add "auth= " to both ipsec.conf files; the value after = should be the algorithm you are using (I am keeping rsasig).
This may be one mistake!
I have successfully established the connection using the PSK method and the CA method.
This answers twsnnva's questions.
For rajsmilesalways, I would suggest the following commands to untar and install.
Go to the directory of openswan, suppose:
$ > tar -xzvf /home/openswan-X.X.x.tar.gz
then
$ > cd /home/openswan-X.X.X
$ > make programs
$ > make install
This should install openswan for you; even if your Linux kernel version includes openswan, you will be able to install it with these commands.
Let me know if you get stuck in between.
May be helpful to you.
nj
 
  

