lonely wolf wrote:
On 04/23/2006 11:51 PM, nelu wrote:

Good day (or rather, good evening :) ),

I can't get a tunnel up between two machines with openswan, or rather I don't know what I'm doing wrong or not doing right... I used slackware 10.2 (with the distribution's default kernel, 2.4.31) and openswan 2.4.4; it installed without any problem following the instructions in the INSTALL file from the "kit" (make programs install and make KERNELSRC=/usr/src/linux-2.4.31 module minstall)

#ipsec verify:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.4 (klips)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support [DISABLED]


the configuration files:
#cat /etc/ipsec.conf
config setup
       interfaces=%defaultroute

conn test-test
               left=86.104.96.xxx
               leftsubnet=10.0.0.0/24
               leftnexthop=%defaultroute
               right=82.76.32.yyy
               rightsubnet=192.168.0.0/24
               rightnexthop=%defaultroute
               authby=secret
               auto=start
include /etc/ipsec.d/examples/no_oe.conf

#cat /etc/ipsec.secrets
86.104.96.xxx 82.76.32.yyy : PSK "my_key_xxxxxxxxxxxxxxxxxxxxxxx"

ipsec.conf and ipsec.secrets are identical on both machines

# ipsec look seems OK on both machines...
fireant Sun Apr 23 23:34:17 EEST 2006
10.0.0.0/24        -> 192.168.0.0/24     => %trap (0)
ipsec0->eth0 mtu=16260(1500)->1500
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         86.104.96.xx3   0.0.0.0         UG    0   0      0    eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0   0      0    eth0
192.168.0.0     86.104.96.xx3   255.255.255.0   UG    0   0      0    ipsec0
86.104.96.xx2   0.0.0.0         255.255.255.192 U     0   0      0    eth0
86.104.96.xx2   0.0.0.0         255.255.255.192 U     0   0      0    ipsec0

# ipsec setup status says the same thing on both machines...
IPsec running  - pluto pid: 15749
pluto pid 15749
1 tunnels up

although it seems to be working, I can't ping through the tunnel...
there is no firewall of any kind on the two machines

Does anyone know what I'm doing wrong? Do I need to apply some patch or configure something else?

Thanks for your time,

Everything you described seems OK.
1. how are you testing?
I tried to see whether I could ping (e.g. from the machine on the 10.0.0.0 network I pinged an IP in the 192.168.0.0 network); I didn't know how else to do it... and I understood that the tunnel only gets brought up once traffic starts flowing through it, so I figured ping would take care of both the testing and the traffic needed to bring the tunnel up
2. have you allowed ESP packets through the firewall?
I don't have any firewall at all; they are 2 test machines, not in production yet
3. What does /var/log/secure say? You should have something like
pluto[2748]: "test-test" #8754: STATE_QUICK_R2: IPsec SA established {ESP=>0x6453257a <0x07ae2d4d xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
if you do, then almost certainly either you are testing wrong or you have a firewall along the way.
I think this is where the problem is; I have nothing like that in the logs

if I run ipsec auto --down test-test and then try restarting it manually I get:

[EMAIL PROTECTED]:/var/log# ipsec auto --up test-test
104 "test-test" #6: STATE_MAIN_I1: initiate
010 "test-test" #6: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "test-test" #6: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "test-test" #6: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "test-test" #6: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "test-test" #6: STATE_MAIN_I1: retransmission; will wait 40s for response
... and so on

[EMAIL PROTECTED]:/var/log# cat var/log/secure
Apr 24 10:44:17 fireant pluto[5856]: "test-test": terminating SAs using this connection
Apr 24 10:44:17 fireant pluto[5856]: "test-test" #15: deleting state (STATE_MAIN_R1)
Apr 24 10:44:17 fireant pluto[5856]: "test-test" #6: deleting state (STATE_MAIN_I1)
Apr 24 10:44:17 fireant pluto[5856]: "test-test" #14: deleting state (STATE_MAIN_R1)
Apr 24 10:44:21 fireant pluto[5856]: "test-test" #16: initiating Main Mode
Apr 24 10:44:50 fireant pluto[5856]: packet from 82.76.32.yyy:500: received Vendor ID payload [Openswan (this version) 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Apr 24 10:44:50 fireant pluto[5856]: packet from 82.76.32.yyy:500: received Vendor ID payload [Dead Peer Detection]
Apr 24 10:44:50 fireant pluto[5856]: "test-test" #17: responding to Main Mode
Apr 24 10:44:50 fireant pluto[5856]: "test-test" #17: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 24 10:44:50 fireant pluto[5856]: "test-test" #17: STATE_MAIN_R1: sent MR1, expecting MI2
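The thread's diagnosis hinges on which IKE Main Mode messages pluto logs and which it never sees, so here is an added example (not from the thread or from Openswan) that reads /var/log/secure lines in the format quoted above and flags ISAKMP states stuck as initiator (MI1 sent, no MR1) or as responder (MR1 sent, no MI2). The log format, the verdict names and the sample lines are assumptions modelled on the post; the sample is constructed, with the peer address left out.

```python
import re
from collections import defaultdict

# Assumed shape of the quoted pluto lines: Mon DD hh:mm:ss host pluto[pid]: "conn" #N: message
LINE_RE = re.compile(r'^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+pluto\[\d+\]:\s+'
                     r'"(?P<conn>[^"]+)"\s+#(?P<sn>\d+):\s+(?P<msg>.*)$')

def parse_pluto(lines):
    """Group messages by (connection, ISAKMP state number); lines without a state are skipped."""
    states = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            states[(m["conn"], int(m["sn"]))].append(m["msg"])
    return states

def diagnose(lines):
    # Verdict per state: established / initiator_no_reply / responder_no_mi2 / ok
    verdicts = {}
    for key, msgs in parse_pluto(lines).items():
        joined = " | ".join(msgs)
        if "IPsec SA established" in joined:
            verdicts[key] = "established"
        elif ("initiating Main Mode" in joined or "STATE_MAIN_I1" in joined) and "STATE_MAIN_I2" not in joined:
            verdicts[key] = "initiator_no_reply"      # we sent MI1, MR1 never arrived
        elif "STATE_MAIN_R1" in joined and "STATE_MAIN_R2" not in joined:
            verdicts[key] = "responder_no_mi2"        # we sent MR1, MI2 never arrived
        else:
            verdicts[key] = "ok"
    return verdicts

def summarize(verdicts):
    """One-line hint for the troubleshooter, derived from the stalled states."""
    kinds = set(verdicts.values())
    if "initiator_no_reply" in kinds and "responder_no_mi2" in kinds:
        return "stalled both ways: peer's MI1 arrives, but neither our MI1 nor our MR1 gets an answer (check the UDP/500 path, NAT and which interface pluto sends from)"
    if "initiator_no_reply" in kinds:
        return "our MI1 gets no MR1: peer not reachable on UDP/500 or not listening"
    if "responder_no_mi2" in kinds:
        return "we sent MR1 but never got MI2: our reply is not reaching the peer"
    return "no stalled Main Mode exchanges"

# Constructed sample modelled on the lines quoted in the post (peer address omitted).
SAMPLE = """\
Apr 24 10:44:17 fireant pluto[5856]: "test-test" #6: deleting state (STATE_MAIN_I1)
Apr 24 10:44:21 fireant pluto[5856]: "test-test" #16: initiating Main Mode
Apr 24 10:44:50 fireant pluto[5856]: "test-test" #17: responding to Main Mode
Apr 24 10:44:50 fireant pluto[5856]: "test-test" #17: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 24 10:51:02 fireant pluto[5856]: "other" #20: STATE_QUICK_R2: IPsec SA established {ESP=>0x6453257a <0x07ae2d4d xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
""".splitlines()
```

Run `summarize(diagnose(SAMPLE))` against the constructed lines, or feed it the real /var/log/secure, to get the one-line hint; the "both ways" verdict is what the quoted log shows.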

_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug