martin2002
28.07.07, 21:04
Hi.
I downloaded the latest Openswan version (source code)... compiled and installed it. All of that went without errors:
vpngate:~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.11.4-21.17-default (netkey)
Checking for IPsec support in kernel [OK]
Hardware RNG detected, testing if used properly [FAILED]
Hardware RNG is present but 'rngd' is not running.
No harware random used!
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Then I set up the following ipsec configuration:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
klipsdebug=none
plutodebug=all
uniqueids=yes
forwardcontrol=yes
nat_traversal=no
nhelpers=0
# Add connections here
# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
conn l2tp-cert-orgWIN2KXP
#
# Configuration for one user with the non-updated Windows 2000/XP.
#
#
# Use a certificate. Disable Perfect Forward Secrecy.
#
authby=rsasig
pfs=no
auto=add
# we cannot rekey for %any, let client rekey
rekey=no
# Do not enable the line below. It is implicitely used, and
# specifying it will currently break when using nat-t.
# type=transport. See http://bugs.xelerance.com/view.php?id=466
#
left=192.168.10.253
# or you can use: left=YourIPAddress
leftrsasigkey=%cert
leftcert=vpngate.potsdam.krellmann.net.pem
# Work-around for original (non-updated) Windows 2000/XP clients,
# to support all clients, use leftprotoport=17/%any
leftprotoport=17/%any
#
# The remote user.
#
right=192.168.10.11
rightca=%same
rightrsasigkey=%cert
rightcert=vpngate.trusetal.krellmann.net.pem
rightprotoport=17/1701
# rightsubnet=vhost:%priv,%no
To try it out, I installed the (right) certificate on my own machine (XP x64 SP1) and want to establish a connection LOCALLY (via IPsec/L2TP).
Something is going wrong there, though. Pluto simply crashes and restarts:
Jul 29 00:31:47 vpngate ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 237: 12276 Aborted /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-all --use-auto --uniqueids --nhelpers 0
Jul 29 00:31:47 vpngate ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6)
Jul 29 00:31:47 vpngate ipsec__plutorun: restarting IPsec after pause...
Jul 29 00:31:47 vpngate pluto[12276]: "l2tp-cert-orgWIN2KXP" #2: ASSERTION FAILED at kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
Can anyone make sense of this? I found this listed as a bug on the Openswan site, but for versions < 2.4.1, and it was apparently fixed there. So I assume it is correct in 2.4.9...
The complete log from the IPsec start, with the debug-all option for Pluto, is attached again as a ZIP file.
Thanks.
Martin
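As an added example (not from the original post), a small POSIX shell script that audits and remedies the two NETKEY redirect warnings shown in the `ipsec verify` output above. The ROOT parameter is an assumption made so the functions can be exercised against a constructed directory tree without root privileges; on a real host it defaults to /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits and fixes the
# send_redirects / accept_redirects findings of `ipsec verify` on NETKEY.
# ROOT (assumption) defaults to /proc/sys/net/ipv4/conf; it is a parameter
# only so the functions can be run against a constructed test tree.

# check_redirects [ROOT]
# Prints "<iface>/<setting>=<value>" for every interface where a redirect
# setting is still enabled; returns 1 if anything was found, 0 otherwise.
check_redirects() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    found=0
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        for key in send_redirects accept_redirects; do
            [ -r "$dir/$key" ] || continue
            val=$(cat "$dir/$key")
            if [ "$val" != "0" ]; then
                echo "$(basename "$dir")/$key=$val"
                found=1
            fi
        done
    done
    return $found
}

# disable_redirects [ROOT]
# Writes 0 to every redirect setting under ROOT. On a real system this needs
# root and does not survive a reboot; use make_sysctl_conf for persistence.
disable_redirects() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        for key in send_redirects accept_redirects; do
            [ -w "$dir/$key" ] && echo 0 > "$dir/$key"
        done
    done
    return 0
}

# make_sysctl_conf [ROOT]
# Turns each finding into a /etc/sysctl.conf line. Interface names that
# contain a dot (e.g. VLAN devices) must be written with "/" for sysctl.
make_sysctl_conf() {
    check_redirects "$1" | sed 's#^\([^/]*\)/\([^=]*\)=.*#net.ipv4.conf.\1.\2 = 0#'
}

case "${1:-}" in
    audit) check_redirects ;;
    fix)   disable_redirects && check_redirects ;;
    conf)  make_sysctl_conf ;;
esac
```

Run with `audit` to list offending interfaces, `conf` to print the persistent sysctl lines, or `fix` (as root) to apply the change immediately.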