I'm attempting to get OpenSwan up and running. Post-install documentation says to look for hostkeys, or if you have none, create them. When searching the right and left keys both get the same result:
# ipsec showhostkey --left
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
ipsec showhostkey "/etc/ipsec.secrets" line 2: Modulus keyword not found where expected in RSA key No keys found
Connecting two networks with ipsec on this manual [URL] The two networks are connected, everything works, the question is as follows: For a gateway to multiple subnets, I have access to only one subnet is listed in / etc/sysconfig/network-scripts/ifcfg-ipsec0 DSTNET = 192.168.2.0/24. How do I get access to all the subnets?
View 2 Replies View RelatedI am using latest updated Fedora 13 (presently kernel-2.6.34.7-56.fc13.i686).
kernel imklog error messages fills my hard disk again and again, /var/log/messages file becomes more than 5Gb daily.
the /var/log/messages file contains following entries:
Sep 27 10:35:09 arun kernel: imklog 4.4.2, log source = /proc/kmsg started.
Sep 27 10:35:09 arun rsyslogd: [origin software="rsyslogd" swVersion="4.4.2" x-pid="1083" x-info="http://www.rsyslog.com"] (re)start
Sep 27 10:35:09 arun atd[19007]: File a0000b0145c567 is in wrong format - aborting
[Code]....
I think, I can stop kernel logging from /etc/rsyslog.conf, but I wanted to know the real problem.
I have been having trouble with installing ATI drivers on my box. I have tried the repository way and that fails due to checksum differences. I want to try the command line way but. every time I run the installer it acts like it worked, then when I close it by clicking Okay I get a message that says the compile has failed.
I am wondering if there is a kernel setting that needs to be changed? The output error log has the following output:
tmp/ati.hXMXES Package build failed [Error] Generate Package - error generating package : SuSE/SUSE112-AMD64
I've upgraded to 11.04 and now Evolution doesn't work right. It shows there are unread messages in my inbox, but when I click on it, it says "Error Generating Message List" at the bottom, with an exclamation mark in a red circle. When I click on that, it says "database disk image is malformed". I've uninstalled and reinstalled Evolution, but get the same message.
View 4 Replies View RelatedI am planning on setting up a 4x1TB RAID5 with mdadm under Ubuntu 9.10. I tried installing mdadm using "sudo apt-get install mdadm", all worked fine except for the following error: Code: Generating array device nodes... /var/lib/dpkg/info/mdadm.postinst: 170: /dev/MAKEDEV: not found failed. The end result is the /dev/md0 device has not been created, as can be seen here:
Code: windsok@beer:~$ mdadm --detail /dev/md0 mdadm: cannot open /dev/md0: No such file or directory After googling, I found the following bug which describes the issue: [URL] However it was reported way back in April 2009, and it does not look like it will be fixed any time soon, so I was wondering if anyone knows a workaround for this bug, to get me up and running?
I have an IPsec VPN between 2 Ubuntu 10.04.1 Boxes which is working perfectly. However I cannot get any traffic to route down the VPN link.Interestingly, when checking the routing table, there isn't even a route list for the remote network. This is the same on both sides. Also there isn't an ipsec0 interface listed either.However, when a the command "sudo service ipsec status" is ran, it definately shows the tunnel is up and connected.
View 1 Replies View RelatedI install openswan on rhel6 and when i execute the command "service ipsec start "
it say:
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Openswan IPsec apparently already active, start aborted
[Code].....
I want to setup firewall protection with iptables to support IPSec tunnels. That is, the firewall will drop anything from any host if it is not from an established IPSec tunnel. And it will accept anything (any protocols) if it's from an IPSec tunnel.
That is, I need also to open up ping to make ping work. But if I open up icmp, I cannot prevent pings from hosts that's outside my IPSec tunnels. This defeats my purpose.So if my purpose is to allow "anything" within the tunnel and disallow/drop anything outside the IPSec tunnels, how should I setup the iptables rules?
I've set up two security associations(in and out) on two hosts, and then set up two policies per host that should filter traffic to those SA's. Yet when I try to ping one host from the other I get no response, meaning that the filters on one side work and drop unprotected packets, but both hosts are configured to communicate using ipsec. Can anyone point me in the right direction?
Code:
ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)"
[code]...
I am getting this error when I try to bring up IPSec Tunnel.Starting connection with command /usr/sbin/ipsec auto --up 'paycode-to-vivacom' ..
104 "paycode-to-vivacom" #7: STATE_MAIN_I1: initiate
003 "paycode-to-vivacom" #7: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "paycode-to-vivacom" #7: ignoring Vendor ID payload [FRAGMENTATION c0000000]
[code]....
I'm trying to perform a VPN lan to lan IPSEC connection. By my side, I have a server with 2 IP's, i.j.k.l (destined to act as a VPN gateway) and i.j.k.m (the server). I am a newbie. I don't know if this configuration is normal, but it's forced by our partner.
My configuration is:
OS: Fedora release 7 (Moonshine)
OpenSWAN version: Linux Openswan U2.4.7/K2.6.23.17-88.fc7 (netkey)
ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
[Code]...
I've been using IPv6 on my local network and through a Hurricane Electric IPv6 tunnel. I've heard that one of the built in features of IPv6 is encryption, both scrambling the data and authenticating where the traffic came from. I've done some searching and heard of SWAN and Racoon, but some of the stuff I found is old and I would like to know what the easiest/best way to set up IPSEC for IPv6 is.
View 3 Replies View RelatedI had configured IPSEC/L2Tp on my Centos 5.4 gateway machine .For testing i had disabled firewall and Ipsec is working fine.I am able to connect from client etc...Now i want to allow Ipsec and l2tp throught Firewall.here is my Current Working Firewall.Only Openvpn is allowed and is Redirected.
eth0=XXXSTATICIPXXX
eth1=192.168.1.81
OpenVpn IP Range = 172.24.0.16/4
Ipsec Ip Range = 192.168.1.0/24
[Code].....
i would like to establish a VPN connection which can hold either 'two' hosts..and secondly if that's done i would like to go for more number of users..Can i do it using IPSec services??if yes then how?
View 9 Replies View RelatedWhile I successfully configured an IPsec-VPN (I use a similar tho modified setup like this:[URL].. I am now stuck on the next steps. While I can connect to everything I want, I need to configure "access-groups" and/or "users".
The scenario is similar to this: Lets say Host A, B and C allow SSH-Connections and some weird non-standard UDP-Connection from Host-VPN, and are also accessible on other ports with public IP's (like http).
I now want to limit, that an admin-user has access to all of them, while trainee-admin only can access everything on Host B and C, and CEO only can connect via telnet to Host C - and all users can be roadwarriors
(I made this example up to give you an idea what i'm trying to do - hope it makes sense). Now my question is, if someone can point me towards a direction, as I'm quite clueless at the current moment as to what to try. I know that commercial IPsec-Implementations can do this, but can OpenSWAN/... give me something similar?
I have a Ubuntu 10.10 box which i've developed an IPTables Firewall script and is forwarding my ports correctly. This service also runs Openswan VPN Server with 2 VPN's, which is also working well.
I have come across a small snag with excluding the multiple VPN subnets I have from the NAT on this box.
I have the line in my configuration file:
-A POSTROUTING -o eth1 -s 10.172.1.0/24 -d ! 192.168.5.0/24 -j MASQUERADE
Which when added to IPTables does make the VPN come to life. But I can't seem to get it to add the second subnet. Unfortunately, I can't do a blanket exclusion such as 192.168.0.0/16 because the second VPN is on a Class B subnet address which I cannot change.
I had configured OpenVpn on my Server.Is it possible to Configure and run IPSEC simultaneously on the Same server?
View 2 Replies View RelatedAs part of the project I'm working on, I need to set up a server with IPSec authentication only connections to a large number of low bandwidth clients. I'm making use of the PF_KEY interface to populate the keys on the server and while prototyping things I've found that the initial setup is taking longer than I had expected. At the start of my test, entries are being added to the database at a rate of around 30/second, but as time goes on this is dropping significantly. I ran a test up to around 100k entries and by then the rate had dropped to 10/second. It's key to me that if I reboot my server that the Security Associations can be repopulated in a very short period, so I do genuinely need this to be much faster.
Two questions:
1) Does anyone have any experience of running with a large number of SAs set up, and if so what sort of setup rate did you get?
2) Are there things I can do to speed up the provisioning of these SAs? I'd really like to see a rate in the thousands per second.
We've been doing the prototyping on the 2.6 kernel.
I have been trying to setup IPSEC encryption between two linux boxes. I have a server application which runs on Linux Box A and a client application which runs on Linux Box B. The client sends the data to server. I have captured wireshark logs at both server and client end. In the wireshark logs I can see that the Box B send ESP packets to the Box A.
But the server Application running at Box A is is not able to get any packets. If I turn the policy off at Box B, Box B sends normal UDP data packets to Box A, but still the Server Application running at box A doesn't get any packets.( Expected behavior since policy at Box A enforces that all packets coming from Box B should be encrypted.)
If I turn the policy off at Box A and Box B both, the server application receives the unencrypted data which is also expected behavior. But when the policy is turned on at both the boxes the encrypted packets reach the Box A but are not delivered to the server application. If anyone has faced such issue please help me to debug this issue. I have attached the ifconfig and policy settings at Box A and Box B for your reference.
So I need to make an IPsec vpn. I've been told to use Shrew Soft. But I'm completely lost on where to begin. I've gone trough the documentation and stuff but I have no idea what to do next.
I can't find anything on the site how to install or configure the shrewsoft shizzle. The only thing I could use is something about ipsec-tools because all the rest is using a graphical interface (which ofc I'm not seeing how I'm using a server edition).
I successfully configured a VPN using IPSec(Openswan) and xl2ptd. While roughly following this guide (among countless others): [URL]
The VPN-Connection works fine, connecting to it is also a swirl, I can reach all that I want in the network, and also the gateway to the Internet works - everything being routed through that VPN.
Now my problem is actually the next steps, and I didn't succeed finding the right result on any possible search:
a) I want to limit, that the VPN-Connection is only used for distinct connections to hosts, that aren't in a "company subnet", but the IP's are publicly available. (Example: The Target-IP 8.8.8.8 allows per iptables, that only my VPN-Host 1.2.3.4 accesses it via SSH, and thus I only can access that Target-IP via SSH when I'm on the VPN). When actually browsing to the ubuntu-website, I want, that NOT the VPN-Connection is used but rather my normal connection (as a reference: i'm on a Windows-Client - not my choice, btw.)
b) I want to have several such "limitations" grouped, and give users 'access-rights' to certain hosts (Examples: Admin gets access to all on all ports Testers get access to some machines on distinct ports CEO gets access only to the mailserver via POP3 or IMAP
Is there any possibility to transport one or two VLANs through a VPN (IPSEC) link on Linux
View 2 Replies View RelatedI have a new install of an OpenSuse 11.3 server and I do not see the IPSec Support option when I use Yast to set that I up. I have the firewall setup with 2 interfaces, one external and one internal and that is all working fine. When I connect via my laptop and connect in via a Cisco IPSec VPN, I get connected, but no traffic goes through.
I did search through the forums, but I don't see any hits related to the issue I'm facing. I installed the ipsec-tools, but I am still not seeing the IPSec Support in the firewall section of Yast that I see noted on many Google Searches. Is there a package or something configuration that is needed to get IPSec Support for VPN setup?
i need to build an ipsec vpn between a linux debian server and a zyxel prestige, The debian server got 2 ethernets connection one for the internal network and the other one is public with a public ip adress.I need to know what i need for the build the tunnel, could you please let me know what i need? Let me explain i have only to configure openswan or i have to configure the iptables or somethings else too? I found this one do you think this would be work for me? [URL]..Is debian a right distro or should i try someone else?
View 2 Replies View RelatedI've no experience with IPSec. I've used many times OpenVPN (with static key or certificates x509).
Could anyone suggest me a good tutorial in order to learn IPSec vpn with Linux?
i have two laptop of ip-address --10.114.12.27 & 10.114.12.28.i have install ipsec-tools & racoon on both laptop.i m using ubuntu os. now i want to use automatic keying by racoon.for this i have put these lines in /etc/racoon/racoon.conf path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous
{
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier address;
[Code]...
and when i usint "racoon -F" and try to ping these two laptop , it is not pinging at all. and alse "racoon -F" does not show any ESP and AH.
I am currently using [URL] to send and receive faxes at work. I need the faxes to be encrypted. They offer public key encryption with PGP 9.8.2 They just need my public key to be compatible with their PGP version. I found a few statements at the GPG site, which may not be true for newer versions of gpg: PGP, Inc. refuses to accept Elgamal keys of type 20 even for encryption.They only support type 16.PGP 5.x does not accept v4 signatures for data material but OpenPGP requests generation of v4 signatures for all kind of data, that's why GnuPG defaults to them. By default, GnuPG encrypts your secret key using the Blowfish symmetric algorithm. Older PGPs will only understand 3DES, CAST5, or IDEA symmetric algorithms. PGP doesn't do Elgamal signing keys at all, so they are not usable with any version. I attempt to avoid using trial and error here, because an incompatible key may provoke loss of crucial information. It is difficult to estimate how long it would take them/me to find out that the key provided was not compatible; but probably it would entail a significant loss for the business.
View 1 Replies View RelatedI've searched through google, and all I can find are instructions on how to set up a L2TP/IPSec VPN that works with macs and iPhones. I'm NOT trying to set up an L2TP/IPSec VPN. I'm trying to set up a pure-ipsec vpn.
The iPhone IPSec client is a built-in cisco client, I believe. I'm staying away from L2TP and PPTP because I need multicast packets to go through. *edit: wow, i just noticed that the title says "8.10 LTS". Oops! I obviously mean "8.04 LTS". Gah, the lack of sleep got to me.
I just got vpnc setup to work with my VPN at work and now I am trying to figure out how to limit the traffic that is routed through the VPN while I'm connected to it. I only want traffic going to the local domain to be routed through the VPN.This is what my vpnc config file looks like:
Code:
IPSec gateway publicdomain.example.com
IPSec ID XXXX
[code]....
