Thanks for the input! I didn't see that mentioned anywhere before. After having created the directory and run depmod -a, the directory now received some content.

root@vps1703 [/]# ll /lib/modules/2.6.32-042stab090.3/
total 48
drwxr-xr-x 2 root root 4096 Jun 27 16:02 ./
drwxr-xr-x 3 root root 4096 Jun 27 01:17 ../
-rw-r--r-- 1 root root   45 Jun 27 16:02 modules.alias
-rw-r--r-- 1 root root   69 Jun 27 16:02 modules.ccwmap
-rw-r--r-- 1 root root    0 Jun 27 16:02 modules.dep
-rw-r--r-- 1 root root   73 Jun 27 16:02 modules.ieee1394map
-rw-r--r-- 1 root root  141 Jun 27 16:02 modules.inputmap
-rw-r--r-- 1 root root   81 Jun 27 16:02 modules.isapnpmap
-rw-r--r-- 1 root root   74 Jun 27 16:02 modules.ofmap
-rw-r--r-- 1 root root   99 Jun 27 16:02 modules.pcimap
-rw-r--r-- 1 root root   43 Jun 27 16:02 modules.seriomap
-rw-r--r-- 1 root root   49 Jun 27 16:02 modules.symbols
-rw-r--r-- 1 root root  189 Jun 27 16:02 modules.usbmap

Unfortunately the net result is unchanged:

root@vps1703 [/]# ipsec setup restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.32...
ipsec_setup: multiple ip addresses, using 127.0.0.1 on venet0
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
root@vps1703 [/]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                     [OK]
Linux Openswan U2.6.32/K(no kernel code presently loaded)
Checking for IPsec support in kernel                [FAILED]
SAref kernel support                                [N/A]
Checking that pluto is running                      [OK]
Pluto listening for IKE on udp 500                  [FAILED]
Pluto listening for NAT-T on udp 4500               [FAILED]
Checking for 'ip' command                           [OK]
Checking /bin/sh is not /bin/dash                   [OK]
Checking for 'iptables' command                     [OK]
Opportunistic Encryption Support                    [DISABLED]
root@vps1703 [/]#

On Fri, Jun 27, 2014 at 3:27 PM, Ian <openvz_l...@fishnet.co.uk> wrote:
> On 26/06/2014 18:52, Rene C. wrote:
>> Going through the whole thing again I fell over this fatal error
>> during the ipsec restart:
>>
>> ipsec_setup: FATAL: Could not load /lib/modules/2.6.32-042stab090.3/modules.dep: No such file or directory
>>
>> I installed both openswan xl2tpd through yum (epel repo) but neither
>> seem to add anything to /lib/modules. What am I missing?
>
> Hi,
>
> I get this error a lot between kernel upgrades when using iptables
> within containers. I found the fix is to make the directory it's
> complaining about first, then run depmod -a (all from within the container):
>
> # mkdir -p /lib/modules/2.6.32-042stab090.3/
> # depmod -a
>
> Can someone shed a light on why this error occurs?
>
> It is complaining about a previous kernel version here (Rene states that
> stab090.4 is installed below).
>
> Regards
>
> Ian
> --
>
>>
>> On Thu, Jun 26, 2014 at 2:06 PM, Rene C. <ope...@dokbua.com> wrote:
>>> I already upgraded the kernel to the latest before the last test:
>>>
>>> [root@server14 ~]# uname -a
>>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>>
>>> Sorry if I didn't make that very clear
>>>
>>> On Thu, Jun 26, 2014 at 1:38 PM, Pavel Odintsov
>>> <pavel.odint...@gmail.com> wrote:
>>>> Hello!
>>>>
>>>> I'm not sure about your problems but we have few production
>>>> installation with this configuration. But we use only up to date
>>>> kernels like 90.x series. What kernel you used for tests?
>>>>
>>>> On Thu, Jun 26, 2014 at 5:28 AM, spameden <spame...@gmail.com> wrote:
>>>>>
>>>>> 2014-06-25 22:19 GMT+04:00 Rene C. <ope...@dokbua.com>:
>>>>>
>>>>>> No, I went in the direction of l2tp as recommended. It both seems more
>>>>>> secure and more compatible with both windows and android clients than
>>>>>> openvpn.
>>>>>
>>>>> 'more secure' ?
>>>>>
>>>>> did you audit OpenVPN/OpenSSL code? How can you say so.
>>>>>
>>>>> There are clients for both android and windows for OpenVPN.
>>>>>
>>>>> Anyways, if you've decided to go with IPSec go over with it, it should
>>>>> work too.
>>>>>
>>>>>>
>>>>>> I still get the "Checking for IPsec support in kernel
>>>>>> [FAILED]" error from the check, although the latest openvz
>>>>>> kernel is now installed.
>>>>>>
>>>>>> What can we do to narrow down the cause of this?
>>>>>
>>>>> tbh, I have no idea, had no experience with IPSec setup on OpenVZ, ask the
>>>>> guy who've suggested ipsec setup.
>>>>>
>>>>>>
>>>>>> On Mon, Jun 23, 2014 at 7:56 PM, spameden <spame...@gmail.com> wrote:
>>>>>>>
>>>>>>> 2014-06-23 11:31 GMT+04:00 Rene C. <ope...@dokbua.com>:
>>>>>>>>
>>>>>>>> Sorry, still stuck:
>>>>>>>
>>>>>>> Did you try OpenVPN configuration that I've suggested?
>>>>>>>
>>>>>>> About IPSEC: not sure, check your syslog logs might give you some tips.
>>>>>>>>
>>>>>>>> [root@server14 ~]# uname -a
>>>>>>>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>>>>> [root@server14 ~]# for x in tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod | grep $x; done
>>>>>>>> xfrm4_mode_tunnel       2019  0
>>>>>>>> tun                    19157  0
>>>>>>>> ppp_async               7874  0
>>>>>>>> ppp_generic            25400  3 pppol2tp,pppox,ppp_async
>>>>>>>> crc_ccitt               1733  1 ppp_async
>>>>>>>> pppol2tp               22749  0
>>>>>>>> pppox                   2712  1 pppol2tp
>>>>>>>> ppp_generic            25400  3 pppol2tp,pppox,ppp_async
>>>>>>>> xfrm4_mode_transport    1465  0
>>>>>>>> xfrm4_mode_tunnel       2019  0
>>>>>>>> xfrm_ipcomp             4626  0
>>>>>>>> esp4                    5406  0
>>>>>>>> [root@server14 ~]# vzctl enter 1418
>>>>>>>> entered into CT 1418
>>>>>>>> [root@vps1418 /]# ipsec verify
>>>>>>>> Checking your system to see if IPsec got installed and started correctly:
>>>>>>>> Version check and ipsec on-path                     [OK]
>>>>>>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>>>>> Checking for IPsec support in kernel                [FAILED]
>>>>>>>> SAref kernel support                                [N/A]
>>>>>>>> Checking that pluto is running                      [OK]
>>>>>>>> Pluto listening for IKE on udp 500                  [FAILED]
>>>>>>>> Pluto listening for NAT-T on udp 4500               [FAILED]
>>>>>>>> Checking for 'ip' command                           [OK]
>>>>>>>> Checking /bin/sh is not /bin/dash                   [OK]
>>>>>>>> Checking for 'iptables' command                     [OK]
>>>>>>>> Opportunistic Encryption Support                    [DISABLED]
>>>>>>>>
>>>>>>>> What am I missing?
>>>>>>>>
>>>>>>>> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <ope...@dokbua.com> wrote:
>>>>>>>>> Yep, rebooted the container.
>>>>>>>>>
>>>>>>>>> Here's the modules present:
>>>>>>>>>
>>>>>>>>> [root@server18 ~]# lsmod
>>>>>>>>> Module                  Size  Used by
>>>>>>>>> esp4                    5406  0
>>>>>>>>> xfrm_ipcomp             4626  0
>>>>>>>>> xfrm4_mode_tunnel       2019  0
>>>>>>>>> pppol2tp               22749  0
>>>>>>>>> pppox                   2712  1 pppol2tp
>>>>>>>>> ppp_async               7874  0
>>>>>>>>> ppp_generic            25400  3 pppol2tp,pppox,ppp_async
>>>>>>>>> slhc                    5821  1 ppp_generic
>>>>>>>>> crc_ccitt               1733  1 ppp_async
>>>>>>>>> vzethdev                8221  0
>>>>>>>>> vznetdev               18952  10
>>>>>>>>> pio_nfs                17576  0
>>>>>>>>> pio_direct             28261  9
>>>>>>>>> pfmt_raw                3213  0
>>>>>>>>> pfmt_ploop1             6320  9
>>>>>>>>> ploop                 116096  23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
>>>>>>>>> simfs                   4448  0
>>>>>>>>> vzrst                 196693  0
>>>>>>>>> vzcpt                 148911  1 vzrst
>>>>>>>>> nfs                   442438  3 pio_nfs,vzrst,vzcpt
>>>>>>>>> lockd                  77189  2 vzrst,nfs
>>>>>>>>> fscache                55684  1 nfs
>>>>>>>>> auth_rpcgss            44949  1 nfs
>>>>>>>>> nfs_acl                 2663  1 nfs
>>>>>>>>> sunrpc                268245  6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
>>>>>>>>> vziolimit               3719  0
>>>>>>>>> vzmon                  24462  8 vznetdev,vzrst,vzcpt
>>>>>>>>> ip6table_mangle         3669  0
>>>>>>>>> nf_nat_ftp              3523  0
>>>>>>>>> nf_conntrack_ftp       12929  1 nf_nat_ftp
>>>>>>>>> iptable_nat             6302  1
>>>>>>>>> nf_nat                 23213  3 vzrst,nf_nat_ftp,iptable_nat
>>>>>>>>> xt_length               1338  0
>>>>>>>>> xt_hl                   1547  0
>>>>>>>>> xt_tcpmss               1623  0
>>>>>>>>> xt_TCPMSS               3461  1
>>>>>>>>> iptable_mangle          3493  0
>>>>>>>>> xt_multiport            2716  0
>>>>>>>>> xt_limit                2134  0
>>>>>>>>> nf_conntrack_ipv4       9946  5 iptable_nat,nf_nat
>>>>>>>>> nf_defrag_ipv4          1531  1 nf_conntrack_ipv4
>>>>>>>>> ipt_LOG                 6405  0
>>>>>>>>> xt_DSCP                 2849  0
>>>>>>>>> xt_dscp                 2073  0
>>>>>>>>> ipt_REJECT              2399  12
>>>>>>>>> tun                    19157  0
>>>>>>>>> xt_owner                2258  0
>>>>>>>>> vzdquota               55339  0 [permanent]
>>>>>>>>> vzevent                 2179  1
>>>>>>>>> vzdev                   2733  5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
>>>>>>>>> iptable_filter          2937  5
>>>>>>>>> ip_tables              18119  3 iptable_nat,iptable_mangle,iptable_filter
>>>>>>>>> ip6t_REJECT             4711  2
>>>>>>>>> nf_conntrack_ipv6       8353  2
>>>>>>>>> nf_defrag_ipv6         11188  1 nf_conntrack_ipv6
>>>>>>>>> xt_state                1508  4
>>>>>>>>> nf_conntrack           80313  9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>>>>>>>>> ip6table_filter         3033  1
>>>>>>>>> ip6_tables             18988  2 ip6table_mangle,ip6table_filter
>>>>>>>>> ipv6                  322874  1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
>>>>>>>>> iTCO_wdt                7147  0
>>>>>>>>> iTCO_vendor_support     3072  1 iTCO_wdt
>>>>>>>>> i2c_i801               11375  0
>>>>>>>>> i2c_core               31084  1 i2c_i801
>>>>>>>>> sg                     29446  0
>>>>>>>>> lpc_ich                12819  0
>>>>>>>>> mfd_core                1911  1 lpc_ich
>>>>>>>>> e1000e                267426  0
>>>>>>>>> ptp                     9614  1 e1000e
>>>>>>>>> pps_core               11490  1 ptp
>>>>>>>>> ext4                  419456  11
>>>>>>>>> jbd2                   93779  1 ext4
>>>>>>>>> mbcache                 8209  1 ext4
>>>>>>>>> sd_mod                 39005  6
>>>>>>>>> crc_t10dif              1557  1 sd_mod
>>>>>>>>> ahci                   42263  4
>>>>>>>>> video                  20978  0
>>>>>>>>> output                  2425  1 video
>>>>>>>>> dm_mirror              14432  0
>>>>>>>>> dm_region_hash         12101  1 dm_mirror
>>>>>>>>> dm_log                  9946  2 dm_mirror,dm_region_hash
>>>>>>>>> dm_mod                 84369  19 dm_mirror,dm_log
>>>>>>>>>
>>>>>>>>> On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
>>>>>>>>> <pavel.odint...@gmail.com> wrote:
>>>>>>>>>> Hello!
>>>>>>>>>>
>>>>>>>>>> IPsec should work from 84.8 kernel according to
>>>>>>>>>> https://openvz.org/IPsec but I found explicit reference about IPsec
>>>>>>>>>> only in 84.10:
>>>>>>>>>> http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>>>>>>>>>>
>>>>>>>>>> Did you restart CT after loading kernel modules for l2tp?
>>>>>>>>>>
>>>>>>>>>> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <ope...@dokbua.com> wrote:
>>>>>>>>>>> Ok I gave your suggestion a shot, using your link through Google
>>>>>>>>>>> translate and
>>>>>>>>>>> http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>>>>>>>>>>> for comparison.
>>>>>>>>>>>
>>>>>>>>>>> Everything seems to go well until the 'ipsec verify' part when it says:
>>>>>>>>>>>
>>>>>>>>>>> [root@vps1418 /]# ipsec verify
>>>>>>>>>>> Checking your system to see if IPsec got installed and started correctly:
>>>>>>>>>>> Version check and ipsec on-path                     [OK]
>>>>>>>>>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>>>>>>>> Checking for IPsec support in kernel                [FAILED]
>>>>>>>>>>> SAref kernel support                                [N/A]
>>>>>>>>>>> Checking that pluto is running                      [OK]
>>>>>>>>>>> Pluto listening for IKE on udp 500                  [FAILED]
>>>>>>>>>>> Pluto listening for NAT-T on udp 4500               [FAILED]
>>>>>>>>>>> Checking for 'ip' command                           [OK]
>>>>>>>>>>> Checking /bin/sh is not /bin/dash                   [OK]
>>>>>>>>>>> Checking for 'iptables' command                     [OK]
>>>>>>>>>>> Opportunistic Encryption Support                    [DISABLED]
>>>>>>>>>>>
>>>>>>>>>>> I think the biggest problem here is the "Checking for IPsec support in
>>>>>>>>>>> kernel"?
>>>>>>>>>>>
>>>>>>>>>>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>>>>>>>>>>> supposedly ipsec support should be in kernels after stab084?
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>>>>>>>>>>> <pavel.odint...@gmail.com> wrote:
>>>>>>>>>>>> Hello!
>>>>>>>>>>>>
>>>>>>>>>>>> In modern version of OpenVZ you can use l2tp with ipsec support
>>>>>>>>>>>> instead OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
>>>>>>>>>>>> (sorry this manual in russian language but it's very simple). It's
>>>>>>>>>>>> very useable because you do not need any special clients on Windows
>>>>>>>>>>>> hosts. Maybe you can try this?
>>>>>>>>>>>>
>>>>>>>>>>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion <zoo...@gmail.com> wrote:
>>>>>>>>>>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <ope...@dokbua.com> wrote:
>>>>>>>>>>>>>> I got the openvpn part itself down, no problem, but getting it to work
>>>>>>>>>>>>>> in a container is a lot of hassle. Many pages, but most are outdated
>>>>>>>>>>>>>> and things keep changing. Anyone know how to get it to work TODAY?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The server is an otherwise normal server with public ip addresses and
>>>>>>>>>>>>>> works with cpanel, no problem that far. The problem is getting an
>>>>>>>>>>>>>> openvpn service to work in it.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've already added the tun device, and I can connect to the server
>>>>>>>>>>>>>> with the openvpn client, just can't continue from there, so some
>>>>>>>>>>>>>> routing is missing.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've followed the general routing instructions but because openvz
>>>>>>>>>>>>>> doesn't support MASQ it doesn't work.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - which modules to insmod on the hwnode
>>>>>>>>>>>>>
>>>>>>>>>>>>> Just make sure "tun" is present in lsmod.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> - which modules to add into /etc/vz/vz.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> The same. "tun" should be part of the list of modules in vz.conf, so
>>>>>>>>>>>>> it gets loaded at vz start.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> - which modules to add into /etc/vz/<ct>.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> And the for the CTID you want to run openvpn access in:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can you provide openvpn-client debug messages?
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Benjamin Henrion <bhenrion at ffii.org>
>
> _______________________________________________
> Users mailing list
> Users@openvz.org
> https://lists.openvz.org/mailman/listinfo/users
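
An added example, not part of any message in this thread: a shell helper that checks the three things the posters inspect by hand, namely which modules from the `for x in ...` loop are absent from `lsmod`, which `ipsec verify` checks are marked [FAILED], and whether `modules.dep` is missing or empty. The function names are hypothetical and the sample input is abridged from output quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical; the module
# list is the one used in the thread's `for x in ...; do lsmod | grep $x; done` loop.
REQUIRED_MODULES="tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4"

# Read `lsmod` output on stdin; print each required module that is not loaded.
# Matching is on the exact module name, so "tun" does not also match
# "xfrm4_mode_tunnel" the way a plain `grep tun` does.
missing_modules() {
    loaded=$(awk '$1 != "Module" { print $1 }')
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$loaded" | grep -qx -- "$m" || printf '%s\n' "$m"
    done
}

# Read `ipsec verify` output on stdin; print the name of every check marked [FAILED].
failed_checks() {
    sed -n -e 's/^[[:space:]]*//' -e 's/[[:space:]]*\[FAILED\][[:space:]]*$//p'
}

# Report the state of DIR/modules.dep: "missing" is what triggers the
# "Could not load .../modules.dep" error; "empty" is the 0-byte file seen in the
# listing after mkdir + depmod -a in a directory that holds no modules.
modules_dep_state() {
    if [ ! -e "$1/modules.dep" ]; then echo missing
    elif [ ! -s "$1/modules.dep" ]; then echo empty
    else echo populated
    fi
}

# Sample input, abridged from output quoted in the thread (hardware node server18).
SAMPLE_LSMOD='Module                  Size  Used by
esp4                    5406  0
xfrm_ipcomp             4626  0
xfrm4_mode_tunnel       2019  0
pppol2tp               22749  0
ppp_async               7874  0
tun                    19157  0'
SAMPLE_VERIFY='Checking for IPsec support in kernel        [FAILED]
Checking that pluto is running              [OK]
Pluto listening for IKE on udp 500          [FAILED]
Pluto listening for NAT-T on udp 4500       [FAILED]'

printf '%s\n' "$SAMPLE_LSMOD" | missing_modules    # xfrm4_mode_transport
printf '%s\n' "$SAMPLE_VERIFY" | failed_checks
echo "modules.dep: $(modules_dep_state "/lib/modules/$(uname -r)")"
```

On the abridged server18 listing this reports xfrm4_mode_transport as not loaded; the same module does appear in the later server14 output.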