Problem Z Uruchomieniem Ipsec..

[piotrino]

Witam, skonfigurowałem na fedorze ipseca przy próbie startu dostaję taki komunikat:

[root@server /]# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
Warning: ignored obsolete keyword (null)
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Starting Openswan IPsec 2.6.25...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
ipsec_setup: Warning: ignored obsolete keyword (null)
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@server /]#

I tu mam pytanie dotyczące -

psec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

Poszperałem trochę w necie i rozwiązaniem było dopisać do pliku /etc/sysctl.conf-

# Controls IP packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0

więc je dopisałem i zapisałem to....Ale pomimo tego mam dalej ten sam błąd przy wywołaniu startu ipseca...

Poniżej podaję to:

[root@server etc]# sysctl -a | grep 'ipv4.conf.*redirect'

net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.lo.accept_redirects = 1
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.wlan0.accept_redirects = 1
net.ipv4.conf.wlan0.secure_redirects = 1
net.ipv4.conf.wlan0.send_redirects = 1
net.ipv4.conf.vboxnet0.accept_redirects = 1
net.ipv4.conf.vboxnet0.secure_redirects = 1
net.ipv4.conf.vboxnet0.send_redirects = 1
net.ipv4.conf.tun0.accept_redirects = 1
net.ipv4.conf.tun0.secure_redirects = 1
net.ipv4.conf.tun0.send_redirects = 1
[root@server etc]# 

W jaki sposób moge rozwiązać ten problem???

Tu podaję poniżej weryfikację ipseca:

[root@server etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.6.25/K2.6.33.6-147.2.4.fc13.i686.PAE (netkey)
Checking for IPsec support in kernel                        	[OK]
NETKEY detected, testing for disabled ICMP send_redirects   	[FAILED]

 Please disable /proc/sys/net/ipv4/conf/*/send_redirects
 or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects 	[FAILED]

 Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
 or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)           	[OK]
Checking that pluto is running                              	[OK]
Pluto listening for IKE on udp 500                          	[OK]
Pluto listening for NAT-T on udp 4500                       	[OK]
Two or more interfaces found, checking IP forwarding        	[FAILED]
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]

Opportunistic Encryption DNS checks:
  Looking for TXT in forward dns zone: server              	[MISSING]
  Does the machine have at least one non-private address?  	[FAILED]
[root@server etc]# 

 

[hello_world]

Rozumiem, że uzywasz openswana

Czy mógłbyś pokazać pliki:

/etc/ipsec.conf

Jeżeli nie ma uzasadnienia forwardowania to go wylącz

Czy zapora przepuszcza port 500 do wymiany kluczy

Czy wymieniales generowales kllucze dla serwera i klienta (nie mowie tu o certyfikatach)

 

[piotrino]

Rozumiem, że uzywasz openswana

Tak

Czy mógłbyś pokazać pliki:

/etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration

config setup
interfaces=%defaultroute
plutodebug=none
forwardcontrol=no
nat_traversal=yes

 virtual_private=%v4:192.168.10.0/24,%v4:172.16.8.0/24,%v4:10.0.0.0/8
conn roadwarrior-l2tp
leftprotoport=17/1701
rightprotoport=17/1701
also=roadwarrior
conn roadwarrior
auth=esp
authby=secret
compress=yes
keyexchange=ike
keyingtries=3
pfs=no
rekey=yes
left=%defaultroute
right=%any
rightsubnet=vhost:%no,%priv
auto=add

 #Disable Opportunistic Encryption
#include /etc/ipsec.d/examples/no_oe.conf

include /etc/ipsec.d/*.conf

 

Jeżeli nie ma uzasadnienia forwardowania to go wylącz

wyłaczyłem

Czy zapora przepuszcza port 500 do wymiany kluczy

przepuszcza

Czy wymieniales generowales kllucze dla serwera i klienta (nie mowie tu o certyfikatach)

Uwierzytelniam użytkowników na razie za pomocą klucza współdzielonego (a pózniej dołacze certyfikaty)

Podaję nową weryfikacje ipseca:

[root@server etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.6.25/K2.6.33.6-147.2.4.fc13.i686.PAE (netkey)
Checking for IPsec support in kernel                        	[OK]
NETKEY detected, testing for disabled ICMP send_redirects   	[OK]
NETKEY detected, testing for disabled ICMP accept_redirects 	[OK]
Checking for RSA private key (/etc/ipsec.secrets)           	[OK]
Checking that pluto is running                              	[OK]
Pluto listening for IKE on udp 500                          	[OK]
Pluto listening for NAT-T on udp 4500                       	[OK]
Two or more interfaces found, checking IP forwarding        	[FAILED]
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]

Opportunistic Encryption DNS checks:
  Looking for TXT in forward dns zone: server              	[MISSING]
  Does the machine have at least one non-private address?  	[FAILED]
[root@server etc]# 

Jeśli chodzi o adres publiczny to nie używam adresów publicznych, tylko prywatne (ma to jakieś znaczenie?)

Chodzi mi o skonfigurowanie servera ipseca na fedorze i poprawne uruchomienie go. W windowsie mam wbudowanego klienta ipseca i już go skonfiguowałem poprawnie....