Posted 29 June 2009

Hello,

I have a problem: I can't really make sense of the IPsec/Openswan mix. I don't understand why the SA is not being established. Does anyone have an idea?

I have set up a small network:

openswanA <---> router <---> openswanB

dirk@ubuvmsrv04:/tmp$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan 2.6.22 (klips)
Checking for IPsec support in kernel                        [OK]
KLIPS detected, checking for NAT Traversal support          [OK]
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
Two or more interfaces found, checking IP forwarding        [FAILED]
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]

Config openswanA:

version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    oe=off
    protostack=klips
# Add connections here
conn %default
    keyingtries=0
    authby=secret
conn lan
    leftid=10.0.0.1
    left=10.0.0.1
    leftsubnet=172.16.0.0/22
    leftnexthop=10.0.0.2
    right=10.0.1.1
    rightid=10.1.1
    rightsubnet=172.16.4.0/22
    auto=start
    type=tunnel

Config openswanB:

version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    # Do not set debug options to debug configuration issues!
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=klips
# Add connections here
conn %default
    keyingtries=0
    authby=secret
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
conn lan
    leftid=10.0.1.1
    left=10.0.1.1
    leftsubnet=172.16.4.0/22
    leftnexthop=10.0.1.2
    rightid=10.0.0.1
    right=10.0.0.1
    rightsubnet=172.16.0.0/22
    auto=start
    type=tunnel

Output of ipsec auto status on openswanA:

000 using kernel interface: klips
000 interface ipsec0/eth1 10.0.0.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= was not specified, or there was a syntax
000 error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "lan": 172.16.0.0/22===10.0.0.1<10.0.0.1>[+S=C]---10.0.0.2...10.0.1.1<10.0.1.1>[10.1.1.0,+S=C]===172.16.4.0/22; prospective ero
000 "lan": myip=unset; hisip=unset;
000 "lan": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lan": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 22,22; interface: eth1;
000 "lan": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "lan":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: pending Phase 2 for "lan" replacing #0
000

Output from openswanB:

000 using kernel interface: klips
000 interface ipsec0/eth1 10.0.1.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= was not specified, or there was a syntax
000 error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "lan": 172.16.4.0/22===10.0.1.1<10.0.1.1>[+S=C]---10.0.1.2...10.0.0.1<10.0.0.1>[+S=C]===172.16.0.0/22; prospective erouted; eroute owner: #0
000 "lan": myip=unset; hisip=unset;
000 "lan": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lan": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 22,22; interface: eth1;
000 "lan": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "lan":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 0s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "lan" replacing #0
000 #1: pending Phase 2 for "lan" replacing #0
000
29 June 2009

> Two or more interfaces found, checking IP forwarding [FAILED]

Depending on which host is supposed to handle the VPN or IPsec, IP forwarding must be enabled on that host.

How to enable IP Forwarding in Linux | MDLog:/sysadmin

> I can't really make sense of the IPsec/Openswan mix

Quick HOWTO : Ch35 : Configuring Linux VPNs - Linux Home Networking

s'Amstel
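A cross-check of the two posted conn sections, added here as an example and not part of the thread: it parses both ipsec.conf files (embedded as posted, without comments), flags any left/right value that is not a valid IP address, and reports values that do not mirror between the peers. On the posted files it reports openswanA's rightid=10.1.1 against openswanB's leftid=10.0.1.1; the failed IP forwarding check from ipsec verify is a separate issue that the reply above covers.

```python
import ipaddress
# conn sections of both peers as posted in the thread (comments dropped)
CONF_A = """
conn lan
    leftid=10.0.0.1
    left=10.0.0.1
    leftsubnet=172.16.0.0/22
    right=10.0.1.1
    rightid=10.1.1
    rightsubnet=172.16.4.0/22
"""
CONF_B = """
conn lan
    leftid=10.0.1.1
    left=10.0.1.1
    leftsubnet=172.16.4.0/22
    rightid=10.0.0.1
    right=10.0.0.1
    rightsubnet=172.16.0.0/22
"""

def parse_ipsec_conf(text):
    # sections ("conn lan") start at column 0; parameters are indented key=value
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if line and not raw[0].isspace():     # section header, e.g. "conn lan"
            current = sections.setdefault(line, {})
        elif line and current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

MIRROR = {"left": "right", "leftid": "rightid", "leftsubnet": "rightsubnet"}  # left* on one peer == right* on the other
def check_peers(conf_a, conf_b, conn="lan"):
    # returns findings; an empty list means both sides agree
    a = parse_ipsec_conf(conf_a).get(f"conn {conn}", {})
    b = parse_ipsec_conf(conf_b).get(f"conn {conn}", {})
    problems = []
    for side, cfg in (("A", a), ("B", b)):
        for key in ("left", "right", "leftid", "rightid"):
            try:
                ipaddress.ip_address(cfg.get(key, ""))
            except ValueError:
                problems.append(f"{side}: {key}={cfg.get(key)!r} is not an IP address")
    for l, r in MIRROR.items():
        for x, y in ((l, r), (r, l)):
            if a.get(x) != b.get(y):
                problems.append(f"A {x}={a.get(x)} vs B {y}={b.get(y)}")
    return problems
```

Running check_peers(CONF_A, CONF_B) lists two findings, both pointing at rightid on openswanA; correcting that one value makes the list empty.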