First things first. I'm an experienced MSoft guy which means I'm a Linux newbie. I've set up a few Mitel 5.6 and 6.0 servers. I like them. A lot.
The one thing that has never been consistent on my e-smith servers has been VPN. Sometimes I can connect and other times not. No one has ever given a good reason why I can't vpn in all the time.
This is the one thing that causes me fear about deploying e-smith as a solution. Now I have a client that wants a VPN and I'm not sure e-smith is up to it.
So everyone says freeswan. Well I loaded it. I'm going through the configs, but when I do a service ipsec start I get no IP traffic at all going through my e-smith gateway. The text is all here - can someone tell me what I'm doing wrong?
Also, I want to be able to have Microsoft clients come into my box using L2TP instead of PPTP - can I actually do that with Freeswan?
login as: root
Sent username "root"
[root@e-smith root]# cd freeswan2.04-2.4.2.0-18-7/
[root@e-smith freeswan2.04-2.4.2.0-18-7]# ls
freeswan-module-2.04_x509_1.4.8_2.4.20_18.7-0.i386.rpm
freeswan-userland-2.04_x509_1.4.8_2.4.20_18.7-0.i386.rpm
[root@e-smith freeswan2.04-2.4.2.0-18-7]# rpm -Uvh freeswan-module-2.04_x509_1.4.8_2.4.20_18.7-0.i386.rpm
Preparing... ########################################### [100%]
1:freeswan-module ########################################### [100%]
do not forget to install the userland utilities
[root@e-smith freeswan2.04-2.4.2.0-18-7]# rpm -Uvh --nodeps freeswan-userland-2.04_x509_1.4.8_2.4.20_18.7-0.i386.rpm
Preparing... ########################################### [100%]
1:freeswan-userland ########################################### [100%]
invoke "service ipsec start" or reboot to begin
[root@e-smith freeswan2.04-2.4.2.0-18-7]# service ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 2.04...
ipsec_setup: insmod: ipsec: no module by that name found
ipsec_setup: modprobe: Can't locate module af_key
ipsec_setup: insmod failed, but found matching template module 3ca2c21c.
ipsec_setup: Copying /lib/modules/2.4.20-18.7/kernel/net/ipsec/3ca2c21c to /lib/modules/2.4.20-18.7/kernel/net/ipsec/ipsec.o.
ipsec_setup: /sbin/insmod /lib/modules/2.4.20-18.7/kernel/net/ipsec/ipsec.o
ipsec_setup: Using /lib/modules/2.4.20-18.7/kernel/net/ipsec/ipsec.o
ipsec_setup: Symbol version prefix ''
ipsec_setup: WARNING: changing route filtering on eth1 (changing /proc/sys/net/ipv4/conf/eth1/rp_filter from 1 to 0)
[root@e-smith freeswan2.04-2.4.2.0-18-7]# service ipsec stop
ipsec_setup: Stopping FreeS/WAN IPsec...
[root@e-smith freeswan2.04-2.4.2.0-18-7]# ipsec newhostkey --output /etc/ipsec.secrets --hostname e-smith.pc-man.com
[root@e-smith freeswan2.04-2.4.2.0-18-7]# service ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 2.04...
ipsec_setup: Using /lib/modules/2.4.20-18.7/kernel/net/ipsec/ipsec.o
[root@e-smith freeswan2.04-2.4.2.0-18-7]# service ipsec stop
ipsec_setup: Stopping FreeS/WAN IPsec...
[root@e-smith freeswan2.04-2.4.2.0-18-7]# service ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 2.04...
ipsec_setup: Using /lib/modules/2.4.20-18.7/kernel/net/ipsec/ipsec.o
[root@e-smith freeswan2.04-2.4.2.0-18-7]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN 2.04
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Opportunistic Encryption DNS checks:
Looking for TXT in forward map: e-smith [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse map: 51.164.34.68.in-addr.arpa. [MISSING]
[root@e-smith freeswan2.04-2.4.2.0-18-7]# ping www.usip.edu
ping: unknown host www.usip.edu
[root@e-smith freeswan2.04-2.4.2.0-18-7]# service ipsec stop
ipsec_setup: Stopping FreeS/WAN IPsec...
[root@e-smith freeswan2.04-2.4.2.0-18-7]# ipsec auto --status
whack: Pluto is not running (no "/var/run/pluto.ctl")
[root@e-smith freeswan2.04-2.4.2.0-18-7]# service ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 2.04...
ipsec_setup: Using /lib/modules/2.4.20-18.7/kernel/net/ipsec/ipsec.o
[root@e-smith freeswan2.04-2.4.2.0-18-7]# ipsec auto --status
000 interface ipsec0/eth1 68.34.164.51
000 %myid = (none)
000 debug none
000
000 "block": 68.34.164.51[%myid]---68.34.160.1...%group; unrouted; eroute owner: #0
000 "block": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "block": policy: TUNNEL+PFS+GROUP+GROUTED+REJECT+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth1;
000 "block": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear": 68.34.164.51[%myid]---68.34.160.1...%group; unrouted; eroute owner: #0
000 "clear": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear": policy: TUNNEL+PFS+GROUP+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth1;
000 "clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear-or-private": 68.34.164.51[%myid]---68.34.160.1...%opportunisticgroup; unrouted; eroute owner: #0
000 "clear-or-private": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "clear-or-private": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+PASS+failurePASS+lKOD+rKOD; prio: 32,0; interface: eth1;
000 "clear-or-private": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "packetdefault": 0.0.0.0/0===68.34.164.51[%myid]---68.34.160.1...%opportunistic; prospective erouted; eroute owner: #0
000 "packetdefault": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "packetdefault": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failurePASS+lKOD+rKOD; prio: 0,0; interface: eth1;
000 "packetdefault": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private": 68.34.164.51[%myid]---68.34.160.1...%opportunisticgroup; unrouted; eroute owner: #0
000 "private": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+failureDROP+lKOD+rKOD; prio: 32,0; interface: eth1;
000 "private": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear": 68.34.164.51[%myid]---68.34.160.1...%opportunisticgroup; unrouted; eroute owner: #0
000 "private-or-clear": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private-or-clear": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+failurePASS+lKOD+rKOD; prio: 32,0; interface: eth1;
000 "private-or-clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#0.0.0.0/0": 68.34.164.51[%myid]---68.34.160.1...%opportunistic; unrouted; eroute owner: #0
000 "private-or-clear#0.0.0.0/0": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private-or-clear#0.0.0.0/0": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failurePASS+lKOD+rKOD; prio: 32,0; interface: eth1;
000 "private-or-clear#0.0.0.0/0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
[root@e-smith freeswan2.04-2.4.2.0-18-7]#