Gentoo Forums
[VPN] - Ipsec, Racoon, Openswan with checkpoint firewall
jacques_h
n00b
Joined: 16 May 2005
Posts: 71

PostPosted: Mon Dec 10, 2007 9:42 pm    Post subject: [VPN] - Ipsec, Racoon, Openswan with checkpoint firewall

Hello,

I am trying to establish my VPN connection from home to the office.

At the office we have a Checkpoint access.
At home I have my Gentoo box ;) with a lot of VPN tools and IPsec utilities.

Perhaps somebody has already configured a similar configuration.

First I tried using the Gnome NetworkManager (VPN) but had no success... it's too easy to work ;)
Next I tried vpnc and openswan; I read a lot of documentation about this... but no result.

Below is some information about my configuration files and log file.

== my conf files ==
Code:

# cat /etc/ipsec/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $

# This file:  /usr/share/doc/openswan-2.4.9/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none

conn checkpoint
        keyexchange=ike
        aggrmode=no
        auth=esp
        ike=3des-md5
        esp=3des-md5
        pfs=no
        compress=no
        left=192.168.0.1
        right=XXXXXXXX
        authby=secret
        auto=start


# Add connections here

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf


Code:
# cat /etc/ipsec/ipsec.secrets
192.168.0.1 XXX.XXX.XXX.XXX: PSK "mypassword"


Code:
/var/log/messages

Dec 10 22:29:37 dali ipsec_setup: ...Openswan IPsec stopped
Dec 10 22:29:37 dali ipsec_setup: Starting Openswan IPsec U2.4.9/K2.6.23-gentoo-r3...
Dec 10 22:29:37 dali ipsec_setup: NETKEY on eth1 192.168.0.1/255.255.255.0 broadcast 192.168.0.255
Dec 10 22:29:37 dali ipsec__plutorun: Unknown default RSA hostkey scheme, not generating a default hostkey
Dec 10 22:29:37 dali ipsec_setup: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Dec 10 22:29:37 dali ipsec__plutorun: Starting Pluto subsystem...
Dec 10 22:29:37 dali pluto[23039]: Starting Pluto (Openswan Version 2.4.9 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE_]{vKgCoOI)
Dec 10 22:29:37 dali pluto[23039]: Setting NAT-Traversal port-4500 floating to off
Dec 10 22:29:37 dali pluto[23039]:    port floating activation criteria nat_t=0/port_fload=1
Dec 10 22:29:37 dali pluto[23039]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: starting up 1 cryptographic helpers
Dec 10 22:29:37 dali pluto[23039]: started helper pid=23040 (fd:6)
Dec 10 22:29:37 dali pluto[23039]: Using NETKEY IPsec interface code on 2.6.23-gentoo-r3
Dec 10 22:29:37 dali ipsec_setup: ...Openswan IPsec started
Dec 10 22:29:37 dali pluto[23039]: FATAL ERROR: Failed to bind bcast socket in init_netlink() - Perhaps kernel has no CONFIG_XFRM_USER support. Errno 2: No such file or directory
Dec 10 22:29:37 dali ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Dec 10 22:29:37 dali ipsec__plutorun: ...could not add conn "checkpoint"
Dec 10 22:29:37 dali ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Dec 10 22:29:37 dali ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Dec 10 22:29:37 dali ipsec__plutorun: ...could not route conn "checkpoint"
Dec 10 22:29:37 dali ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Dec 10 22:29:37 dali ipsec__plutorun: ...could not start conn "checkpoint"
Dec 10 22:29:47 dali rc-scripts: ERROR: wrong args ( _autorestart ) error status 1
Dec 10 22:29:47 dali rc-scripts: Usage: ipsec { start|stop|restart }
Dec 10 22:29:47 dali rc-scripts:        ipsec without arguments for full help


== part kernel config ==
Code:
# zcat /proc/config.gz | grep -i net | grep -v \#
CONFIG_NET=y
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_NET_IPIP=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=y
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_NETFILTER=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NET_SCH_FIFO=y
CONFIG_SCSI_NETLINK=y
CONFIG_NETDEVICES=y
CONFIG_NET_ETHERNET=y
CONFIG_NETDEV_1000=y
CONFIG_NETDEV_10000=y
CONFIG_NETXEN_NIC=m
CONFIG_USB_USBNET_MII=m
CONFIG_USB_USBNET=m
CONFIG_USB_NET_AX8817X=m
CONFIG_USB_NET_CDCETHER=m
CONFIG_USB_NET_GL620A=m
CONFIG_USB_NET_NET1080=m
CONFIG_USB_NET_PLUSB=m
CONFIG_USB_NET_ZAURUS=m
CONFIG_USB_SERIAL_OMNINET=m
CONFIG_USB_GADGET_NET2280=y
CONFIG_USB_NET2280=m
CONFIG_NET_DMA=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y


THANKS for your help
Wormo
Retired Dev
Joined: 29 Nov 2004
Posts: 526
Location: SB County California

PostPosted: Sun Dec 23, 2007 5:45 am    Post subject:

Probably you have figured this out by now, but you are missing a couple of kernel options:
CONFIG_XFRM
CONFIG_XFRM_USER
jacques_h
n00b
Joined: 16 May 2005
Posts: 71

PostPosted: Mon Dec 24, 2007 11:51 am    Post subject:

No, I've already set this option.

# zcat /proc/config.gz | grep CONFIG_XFRM
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set

...
Wormo
Retired Dev
Joined: 29 Nov 2004
Posts: 526
Location: SB County California

PostPosted: Mon Dec 24, 2007 11:53 pm    Post subject:

I notice xfrm_user is a module; is it getting automatically loaded?

I remember having to modprobe some modules in an ipsec startup on one system (not gentoo, but still...)
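Added diagnostic for the failure the thread circles around (not code from any poster): Pluto's init_netlink() needs the NETLINK_XFRM family, so CONFIG_XFRM_USER must be built in or the xfrm_user module must already be loaded when ipsec starts. The script below classifies CONFIG_XFRM_USER from kernel config text and checks an lsmod listing for xfrm_user; the demo input is constructed to mirror jacques_h's CONFIG_XFRM_USER=m case, and on a live box you would feed it zcat /proc/config.gz and lsmod instead.

```shell
#!/bin/sh
# Hypothetical helper: decide whether Pluto's netlink XFRM socket can bind.
# Errno 2 (ENOENT) on that bind is what you get when the kernel has no
# NETLINK_XFRM family, i.e. CONFIG_XFRM_USER is absent or still unloaded.

# classify_xfrm_user: kernel config text on stdin -> builtin|module|missing
classify_xfrm_user() {
    awk '
        /^CONFIG_XFRM_USER=y$/ { print "builtin"; found = 1; exit }
        /^CONFIG_XFRM_USER=m$/ { print "module";  found = 1; exit }
        END { if (!found) print "missing" }
    '
}

# module_loaded NAME: lsmod output on stdin; exit 0 if NAME is listed
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# netlink_xfrm_ready CONFIG_FILE LSMOD_FILE
#   0 = ready, 1 = built as module but not loaded (modprobe xfrm_user),
#   2 = not in the kernel at all (enable CONFIG_XFRM_USER and rebuild)
netlink_xfrm_ready() {
    case "$(classify_xfrm_user < "$1")" in
        builtin) return 0 ;;
        module)  module_loaded xfrm_user < "$2" && return 0; return 1 ;;
        *)       return 2 ;;
    esac
}

# Demo on constructed input: CONFIG_XFRM_USER=m (as in the thread) and an
# lsmod listing in which xfrm_user has not been loaded.
demo_cfg=$(mktemp); demo_lsmod=$(mktemp)
printf 'CONFIG_XFRM=y\nCONFIG_XFRM_USER=m\n# CONFIG_XFRM_SUB_POLICY is not set\n' > "$demo_cfg"
printf 'Module Size Used by\nesp4 12345 0\nnf_conntrack 23456 1\n' > "$demo_lsmod"
rc=0; netlink_xfrm_ready "$demo_cfg" "$demo_lsmod" || rc=$?
case $rc in
    0) echo "NETLINK_XFRM available; Pluto should start" ;;
    1) echo "xfrm_user is a module but not loaded: modprobe xfrm_user before starting ipsec" ;;
    2) echo "kernel lacks CONFIG_XFRM_USER: enable it and rebuild" ;;
esac
rm -f "$demo_cfg" "$demo_lsmod"
```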