Linux User wrote:
> >I hope you also have "type=tunnel" and "authby=rsasig" somewhere
>
>
OK, I've made a few more adjustments. It still doesn't work, but it's
somewhat better:
[EMAIL PROTECTED] ~]# /etc/rc.d/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.8...
[EMAIL PROTECTED] ~]# /etc/rc.d/init.d/ipsec status
IPsec running - pluto pid: 5424
pluto pid 5424
2 tunnels up
[EMAIL PROTECTED] ~]#
Same on the nx machine, with the same message from ipsec status ...
Why 2 tunnels UP? With ifconfig I don't see any tunnel!
On a 2.6 kernel you no longer see the IPsec tunnels with ifconfig. You
need setkey for that.
In syslog on the mail machine I see:
Jun 11 16:18:26 mail kernel: NET: Registered protocol family 15
Jun 11 16:18:26 mail kernel: hw_random: RNG not detected
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 11 16:18:26 mail ipsec_setup: NETKEY on eth0 1.2.3.4/255.255.255.0broadcast 1.2.3.255 mtu 1410
Jun 11 16:18:26 mail ipsec_setup: ...Openswan IPsec started
Jun 11 16:18:26 mail ipsec_setup: Starting Openswan IPsec 2.4.8...
Jun 11 16:18:28 mail ipsec__plutorun: 104 "mail-to-nx" #2: STATE_MAIN_I1: initiate
Jun 11 16:18:28 mail ipsec__plutorun: ...could not start conn "mail-to-nx"
In syslog on the nx machine I see:
Jun 11 19:31:33 nx kernel: NET: Registered protocol family 15
Jun 11 19:31:33 nx ipsec_setup: NETKEY on eth0 5.6.7.8/255.255.255.0broadcast 5.6.7.255 mtu 1410
Jun 11 19:31:33 nx ipsec_setup: ...Openswan IPsec started
Jun 11 19:31:33 nx ipsec_setup: Starting Openswan IPsec 2.4.8...
Jun 11 19:31:35 nx ipsec__plutorun: 104 "mail-to-nx" #1: STATE_MAIN_I1: initiate
Jun 11 19:31:35 nx ipsec__plutorun: ...could not start conn "mail-to-nx"
you have an error ...
Below you also have the adjusted ipsec.conf:
[...]
overridemtu=1410
I have never needed this one
[...]
What is wrong now? Apart from "hw_random: RNG not detected" and
nat_traversal=yes, which I can switch to no (with no effect), I don't
see what else I could change.
keyexchange=ike
keylife=12h
keyingtries=0
esp=3des-md5-96
auth=esp
pfs=no
Any ideas?
Check ipsec barf and the logs. "could not start" usually rhymes with a
configuration error.
PS: note that the parser is pretty dumb and throws a fit over things like
not respecting the indentation or a "#" (comment) in a different column
than it thinks is right.
--
Quote from the Boss: "Teamwork is a lot of people doing what I say."
(Marketing executive, Citrix Corporation)
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug
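
The reply's remark about indentation and misplaced "#" comments, as an added example that is not part of the original thread and is not Openswan's own parser: a small layout check for an ipsec.conf-style file. The function name `lint`, the sample file and the layout rules it enforces (headers in column 0, indented parameters, a blank line closing a section, comments on their own indented lines) are assumptions made for illustration.

```python
import re

# Constructed sample, not the poster's ipsec.conf (the thread elides most of it).
SAMPLE = """\
config setup
    nat_traversal=yes
    overridemtu=1410

conn mail-to-nx
    type=tunnel
authby=rsasig
    keyexchange=ike   # trailing comment
# comment in column 0 inside a section
    esp=3des-md5-96

    pfs=no
"""

SECTION = re.compile(r"^(config|conn)\s+\S+\s*$")      # header in column 0
DIRECTIVE = re.compile(r"^(version|include)\s+\S+")    # top-level lines

def lint(text):
    """Return (line_number, message) pairs for layout a strict parser may reject.
    The rules are assumptions taken from the reply, not Openswan's parser."""
    findings, in_section = [], False
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        indented = line[:1] in (" ", "\t")
        if not stripped:
            in_section = False              # assumed: a blank line closes the section
        elif stripped.startswith("#"):
            if in_section and not indented:
                findings.append((no, "comment in column 0 inside a section"))
        elif SECTION.match(line):
            in_section = True
        elif DIRECTIVE.match(line):
            in_section = False
        elif "=" in stripped:
            if not indented:
                findings.append((no, "parameter not indented"))
            elif not in_section:
                findings.append((no, "parameter outside a section"))
            if "#" in stripped:
                findings.append((no, "comment after a value"))
        else:
            findings.append((no, "unrecognised line"))
    return findings

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```

Running it on both peers' files before restarting the service narrows a "could not start conn" failure to layout or to the values themselves.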