engelinzivil71, posted 29 June 2009

Hello,

I have a problem: I can't really make sense of the IPsec/Openswan mixture. I don't understand why the SA is not being established. Does anyone have an idea?

I have set up a small network:

openswanA <---> router <---> openswanB

dirk@ubuvmsrv04:/tmp$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.6.22 (klips)
Checking for IPsec support in kernel [OK]
KLIPS detected, checking for NAT Traversal support [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

Config openswanA:

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    oe=off
    protostack=klips

# Add connections here
conn %default
    keyingtries=0
    authby=secret

conn lan
    leftid=10.0.0.1
    left=10.0.0.1
    leftsubnet=172.16.0.0/22
    leftnexthop=10.0.0.2
    right=10.0.1.1
    rightid=10.1.1
    rightsubnet=172.16.4.0/22
    auto=start
    type=tunnel

Config openswanB:

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    # Do not set debug options to debug configuration issues!
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=klips

# Add connections here
conn %default
    keyingtries=0
    authby=secret

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
conn lan
    leftid=10.0.1.1
    left=10.0.1.1
    leftsubnet=172.16.4.0/22
    leftnexthop=10.0.1.2
    rightid=10.0.0.1
    right=10.0.0.1
    rightsubnet=172.16.0.0/22
    auto=start
    type=tunnel

Output of "ipsec auto --status" on openswanA:

000 using kernel interface: klips
000 interface ipsec0/eth1 10.0.0.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= was not specified, or there was a syntax
000 error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "lan": 172.16.0.0/22===10.0.0.1<10.0.0.1>[+S=C]---10.0.0.2...10.0.1.1<10.0.1.1>[10.1.1.0,+S=C]===172.16.4.0/22; prospective ero
000 "lan": myip=unset; hisip=unset;
000 "lan": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lan": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 22,22; interface: eth1;
000 "lan": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "lan":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: pending Phase 2 for "lan" replacing #0

Output from openswanB:

000 using kernel interface: klips
000 interface ipsec0/eth1 10.0.1.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= was not specified, or there was a syntax
000 error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "lan": 172.16.4.0/22===10.0.1.1<10.0.1.1>[+S=C]---10.0.1.2...10.0.0.1<10.0.0.1>[+S=C]===172.16.0.0/22; prospective erouted; eroute owner: #0
000 "lan": myip=unset; hisip=unset;
000 "lan": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lan": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 22,22; interface: eth1;
000 "lan": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "lan":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 0s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "lan" replacing #0
000 #1: pending Phase 2 for "lan" replacing #0
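An added consistency check in Python (not from the thread): it parses the two "conn lan" sections quoted above, embedded as constructed input, confirms that every left*/right* value on one peer mirrors its counterpart on the other, and lists the checks that "ipsec verify" reported as FAILED. On this input it reports that rightid on openswanA (10.1.1) differs from leftid on openswanB (10.0.1.1), alongside the failed IP-forwarding check.

```python
import re

# Constructed input: the 'conn lan' sections and the 'ipsec verify' output
# quoted in the post above (comments and unrelated settings dropped).
CONF_A = """conn lan
  leftid=10.0.0.1
  left=10.0.0.1
  leftsubnet=172.16.0.0/22
  right=10.0.1.1
  rightid=10.1.1
  rightsubnet=172.16.4.0/22
"""
CONF_B = """conn lan
  leftid=10.0.1.1
  left=10.0.1.1
  leftsubnet=172.16.4.0/22
  rightid=10.0.0.1
  right=10.0.0.1
  rightsubnet=172.16.0.0/22
"""
VERIFY_A = """Checking for IPsec support in kernel [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Opportunistic Encryption Support [DISABLED]
"""

def parse_conn(text, name):
    """Return the key=value settings of the section 'conn <name>'."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if re.match(r"^(conn|config)\s", line):  # a new section starts
            inside = line == f"conn {name}"
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def cross_check(a, b):
    """Peer A's left* must equal peer B's right* and vice versa; return
    every (A key, A value, B key, B value) tuple that disagrees."""
    mismatches = []
    for base in ("", "id", "subnet"):
        for a_key, b_key in ((f"left{base}", f"right{base}"),
                             (f"right{base}", f"left{base}")):
            if a.get(a_key) != b.get(b_key):
                mismatches.append((a_key, a.get(a_key), b_key, b.get(b_key)))
    return mismatches

def failed_checks(verify_output):
    """Names of the 'ipsec verify' checks that ended in [FAILED]."""
    return [m.group(1) for m in
            re.finditer(r"^(.+?)\s+\[FAILED\]\s*$", verify_output, re.M)]
```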
Amstelchen, posted 29 June 2009

> Two or more interfaces found, checking IP forwarding [FAILED]

Depending on which host is supposed to handle the VPN or IPsec, IP forwarding must be enabled there.

How to enable IP Forwarding in Linux | MDLog:/sysadmin

> I can't really make sense of the IPsec/Openswan mixture

Quick HOWTO : Ch35 : Configuring Linux VPNs - Linux Home Networking

s'Amstel