VPn con Openswan

Pablo Silva psilvao en yahoo.com
Mar Abr 4 21:25:32 CLT 2006


Hola!

  He realizado una consulta similar en esta lista,
pero sin exito.

  Te comento que openswan no funciona bien con las
distros redhat, llamese fedora y clones como whitebox
y centos.

  Te puedes contactar directamente con los
desarrolladores por irc al siguiente server

irc.freenode.net 7000 
canal #openswan

  Ellos te van a atender on-line si tienen tiempo, y
te comentaran que tipicamente el kernel para redhat no
viene con klips incluido y bla bla...

  Al menos he tenido noticias que si funciona con
debian, ya que la compilacion del kernel incluye lo
que el equipo desarrollador de openswan necesita para
que opere bien...

  Se que hay un wiki que te dice bla bla acerca de
redhat, trate de seguir los pasos pero sin exito..

  Suerte!

  Pablo

--- Vida Luz <vlal en ideay.net.ni> wrote:

> Hola a todos,
> 
> Tengo instalado el rpm de openswan para FEdora 4,
> quiero establecer el vpn 
> contraun cisco 800, sin embargo tengo todo
> configurado tal y como debe ser 
> segun el manual, pero nos e puede establecer la
> conexion, me envia el 
> siguiente mensaje:ipsec__plutorun: ...could not
> start conn
> "tunnelipsec"
> 
> Yono tengo firewall en el linux, ninguna regla de
> iptables estoy 
> corriendo, no se si necesita algun DNAT o SNAT.
> 
> Espero sus sugerencias.
> 
> Mi configuraciones son:
> 
> ipsec.conf
> =========
> 
> # /etc/ipsec.conf - Openswan IPsec configuration
> file
> 
> version 2.0
> 
> config setup
>          interfaces="ipsec0=eth0"
>          klipsdebug=none
>          plutodebug=none
>          forwardcontrol=yes
> 
> conn tunnelipsec
>          type=tunnel
>          left=165.98.224.82
>          leftsubnet= 172.16.1.0/24
>          right= 165.98.236.214
>          rightsubnet= 172.16.26.0/24
>          esp=3des-md5-96
>          keyexchange=ike
>          pfs=no
>          authby=secret
>          ikelifetime=7800
>          compress=no
>          auto=start
> 
> include /etc/ipsec.d/no_oe.conf
> 
> 
> ipsec.secrets
> 
> =========
> 
> 165.98.224.82 165.98.236.214: PSK "vp17226"
> 
> 
> 
> Configuration for the router is:
> 
> 
> 
> crypto isakmp policy 10
>   encr 3des
>   hash md5
>   authentication pre-share
> crypto isakmp key vp17226 address 165.98.224.82
> !
> !
> crypto ipsec transform-set DICE esp-3des
> esp-sha-hmac
> !
> crypto map DICE 10 ipsec-isakmp
>   set peer 165.98.224.82
>   set transform-set DICE
>   match address 100
> 
> 
> interface Ethernet1
>   description PRIVADA
>   ip address 165.98.236.214 255.255.255.252
>   duplex auto
>   crypto map DICE
> 
> 
> 
> 
> Somebody can help me? I need suggestions.
> 
> 
> 
> Thanks in Advanced.
> 
> Regards.
> 
> 
> 
> 
> Reply Forward
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>   Paul Wouters  You should have more after this.
> Either an error, or a 
> re-transmit. If you se...
>       Mar 28 (6 days ago)
> 
> 
> 
>   Vida Luz Arista  to Paul, ted, users
>    More options   Mar 28 (6 days ago)
> 
> I have the firewall in the linux, the gateway is a
> router and this router 
> don't have firewall.
> 
> I don't see re-transmit in my logs, But I see this
> error en 
> /var/log/message ipsec__plutorun: ...could not start
> conn "tunnelipsec"
> 
> executing ipsec auto --status I have the following
> messages:
> 
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 165.98.224.82
> 000 interface eth1/eth1 172.16.1.1
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES,
> ivlen=8, keysizemin=64, 
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES,
> ivlen=8, keysizemin=192, 
> keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH,
> ivlen=8, 
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL,
> ivlen=0, keysizemin=0, 
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES,
> ivlen=8, keysizemin=128, 
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT,
> ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH,
> ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1,
> name=AUTH_ALGORITHM_HMAC_MD5, 
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2,
> name=AUTH_ALGORITHM_HMAC_SHA1, 
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5,
> name=AUTH_ALGORITHM_HMAC_SHA2_256, 
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null),
> keysizemin=0, 
> keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5,
> name=OAKLEY_3DES_CBC, blocksize=8, 
> keydeflen=192
> 000 algorithm IKE encrypt: id=7,
> name=OAKLEY_AES_CBC, blocksize=16, 
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5,
> hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1,
> hashsize=20
> 000 algorithm IKE dh group: id=2,
> name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5,
> name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14,
> name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15,
> name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16,
> name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17,
> name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18,
> name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz}
> :context={0,0,0} 
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "DICE": 
>
172.16.1.0/24===165.98.224.82...165.98.236.214===172.16.26.0/24;
> 
> prospective erouted; eroute owner: #0
> 000 "DICE":     srcip=unset; dstip=unset;
> srcup=ipsec _updown; dstup=ipsec 
> _updown;
> 000 "DICE":   ike_life: 7800s; ipsec_life: 28800s;
> rekey_margin: 540s; 
> rekey_fuzz: 100%; keyingtries: 0
> 000 "DICE":   policy: PSK+ENCRYPT+TUNNEL+UP; prio:
> 24,24; interface: eth0;
> 000 "DICE":   newest ISAKMP SA: #0; newest IPsec SA:
> #0;
> 000
> 000 #3: "DICE":500 STATE_MAIN_I1 (sent MI1,
> expecting MR1); 
> EVENT_RETRANSMIT in 39s; nodpd
> 000 #3: pending Phase 2 for "DICE" replacing #0
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com 

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


Más información sobre la lista de distribución Linux