Good afternoon.
I have Ubuntu 12.04 x64. I am trying to set up openswan; everything seems to start up, but for some reason the connection never comes up. Running ipsec verify prints the following:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-35-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [FAILED]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
When I try to give it an explicit interface with interfaces="ipsec0=eth1", it fails on restart with:
ipsec_setup: interface `ipsec0=eth1' not understood
And, as far as I can tell, it also complains about the key in auth.log:
Dec 28 15:50:20 gateway-server pluto[5365]: loading secrets from "/etc/ipsec.secrets"
Dec 28 15:50:20 gateway-server pluto[5365]: "/etc/ipsec.secrets" line 11: unterminated string
Here is ipsec.secrets:
aa.aa.aa.aa bb.bb.bb.bb :PSK "key"
and here is auth.log at startup:
Dec 28 15:50:20 gateway-server ipsec__plutorun: Starting Pluto subsystem...
Dec 28 15:50:20 gateway-server sudo: pam_unix(sudo:session): session closed for user root
Dec 28 15:50:20 gateway-server pluto[5365]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:5365
Dec 28 15:50:20 gateway-server pluto[5365]: LEAK_DETECTIVE support [disabled]
Dec 28 15:50:20 gateway-server pluto[5365]: OCF support for IKE [disabled]
Dec 28 15:50:20 gateway-server pluto[5365]: SAref support [disabled]: Protocol not available
Dec 28 15:50:20 gateway-server pluto[5365]: SAbind support [disabled]: Protocol not available
Dec 28 15:50:20 gateway-server pluto[5365]: NSS support [disabled]
Dec 28 15:50:20 gateway-server pluto[5365]: HAVE_STATSD notification support not compiled in
Dec 28 15:50:20 gateway-server pluto[5365]: Setting NAT-Traversal port-4500 floating to off
Dec 28 15:50:20 gateway-server pluto[5365]: port floating activation criteria nat_t=0/port_float=1
Dec 28 15:50:20 gateway-server pluto[5365]: NAT-Traversal support [disabled]
Dec 28 15:50:20 gateway-server pluto[5365]: using /dev/urandom as source of random entropy
Dec 28 15:50:20 gateway-server pluto[5365]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 28 15:50:20 gateway-server pluto[5365]: no helpers will be started, all cryptographic operations will be done inline
Dec 28 15:50:20 gateway-server pluto[5365]: Using Linux 2.6 IPsec interface code on 3.2.0-35-generic (experimental code)
Dec 28 15:50:20 gateway-server pluto[5365]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Dec 28 15:50:20 gateway-server pluto[5365]: ike_alg_add(): ERROR: Algorithm already exists
Dec 28 15:50:20 gateway-server pluto[5365]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Dec 28 15:50:20 gateway-server pluto[5365]: ike_alg_add(): ERROR: Algorithm already exists
Dec 28 15:50:20 gateway-server pluto[5365]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Dec 28 15:50:20 gateway-server pluto[5365]: ike_alg_add(): ERROR: Algorithm already exists
Dec 28 15:50:20 gateway-server pluto[5365]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Dec 28 15:50:20 gateway-server pluto[5365]: ike_alg_add(): ERROR: Algorithm already exists
Dec 28 15:50:20 gateway-server pluto[5365]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Dec 28 15:50:20 gateway-server pluto[5365]: ike_alg_add(): ERROR: Algorithm already exists
Dec 28 15:50:20 gateway-server pluto[5365]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec 28 15:50:20 gateway-server pluto[5365]: Changed path to directory '/etc/ipsec.d/cacerts'
Dec 28 15:50:20 gateway-server pluto[5365]: Changed path to directory '/etc/ipsec.d/aacerts'
Dec 28 15:50:20 gateway-server pluto[5365]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Dec 28 15:50:20 gateway-server pluto[5365]: Changing to directory '/etc/ipsec.d/crls'
Dec 28 15:50:20 gateway-server pluto[5365]: Warning: empty directory
Dec 28 15:50:20 gateway-server pluto[5365]: added connection description "myconn"
Dec 28 15:50:20 gateway-server pluto[5365]: listening for IKE messages
Dec 28 15:50:20 gateway-server pluto[5365]: adding interface eth1/eth1 192.168.0.240:500
Dec 28 15:50:20 gateway-server pluto[5365]: adding interface eth0/eth0 192.168.10.1:500
Dec 28 15:50:20 gateway-server pluto[5365]: adding interface lo/lo 127.0.0.1:500
Dec 28 15:50:20 gateway-server pluto[5365]: adding interface lo/lo ::1:500
Dec 28 15:50:20 gateway-server pluto[5365]: loading secrets from "/etc/ipsec.secrets"
Dec 28 15:50:20 gateway-server pluto[5365]: "/etc/ipsec.secrets" line 11: unterminated string
Dec 28 15:50:20 gateway-server pluto[5365]: "myconn" #1: initiating Main Mode
and after that it just prints the following every 2 minutes:
pending Quick Mode with bb.bb.bb.bb "myconn" took too long -- replacing phase 1
Dec 28 15:28:50 gateway-server pluto[4703]: "myconn" #2: initiating Main Mode to replace #1
Dec 28 15:30:50 gateway-server pluto[4703]: pending Quick Mode with bb.bb.bb.bb "myconn" took too long -- replacing phase 1
Dec 28 15:30:50 gateway-server pluto[4703]: "myconn" #3: initiating Main Mode to replace #2
Dec 28 15:32:50 gateway-server pluto[4703]: pending Quick Mode with bb.bb.bb.bb "myconn" took too long -- replacing phase 1
Dec 28 15:32:50 gateway-server pluto[4703]: "myconn" #4: initiating Main Mode to replace #3
Here is my ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification

config setup
        plutodebug=none
        klipsdebug=none
        strictcrlpolicy=no
        interfaces=%defaultroute
        protostack=netkey
        nat_traversal=no
        nhelpers=0
        uniqueids=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no
        leftrsasigkey=%dns
        rightrsasigkey=%dns

conn myconn
        type=tunnel
        left=192.168.0.240
        leftsubnet=192.168.10.0/24
        leftnexthop=192.168.0.1
        right=bb.bb.bb.bb
        rightsubnet=192.168.2.0/24
        rightnexthop=%defaultroute
        keylife=3600s
        keyexchange=ike
        ike=3des-md5-modp1024
        ikelifetime=28800s
        esp=3des-md5
        pfs=yes
        authby=secret
        auto=start
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
What could the problem be? I have been struggling with this for 3 days now.
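As an added example (not code from the original post or from Openswan), the Python script below reproduces the check behind the "unterminated string" message that pluto logs when it loads ipsec.secrets, so the offending line can be located without restarting pluto. It covers only PSK entries of the form `[selectors] : PSK "secret"`, treats '#' as a comment outside quotes, skips RSA blocks and include lines, and does not handle IPv6 selectors (they contain colons). The sample file, the RFC 5737 addresses and the 20-character PSK threshold are constructed assumptions; the threshold is a local policy choice, not an Openswan rule.

```python
"""Linter for Openswan-style ipsec.secrets files.

Added example, not code from the original post or from Openswan. It
reproduces the check behind pluto's message

    "/etc/ipsec.secrets" line N: unterminated string

for PSK entries of the form

    [<selector> ...] : PSK "secret"    # optional comment

where a selector is an IPv4 address, an @fqdn identity or %any, '#'
starts a comment outside quotes, and a quoted string must close on the
same line. RSA blocks ({ ... }) and 'include' lines are skipped, and
IPv6 selectors are not handled (they contain ':' themselves).
"""
import re

# Assumption: accepted selector forms (IPv4 dotted quad, @fqdn, %any).
SELECTOR_RE = re.compile(r"^(%any|@[\w.\-]+|\d{1,3}(\.\d{1,3}){3})$")
# Assumption: local threshold for flagging weak PSKs, not an Openswan rule.
MIN_PSK_LEN = 20


def _scan(line):
    """Split one line into (unquoted_text, quoted_strings, unterminated)."""
    unquoted, quoted, buf = [], [], None
    for ch in line:
        if buf is None:                 # outside quotes
            if ch == "#":
                break                   # rest of the line is a comment
            if ch == '"':
                buf = []                # opening quote
            else:
                unquoted.append(ch)
        elif ch == '"':                 # closing quote
            quoted.append("".join(buf))
            buf = None
        else:
            buf.append(ch)
    return "".join(unquoted), quoted, buf is not None


def lint_secrets(text):
    """Return findings as (line_number, severity, message) tuples."""
    findings, depth = [], 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("include"):
            continue
        unquoted, quoted, unterminated = _scan(line)
        if "{" in unquoted or "}" in unquoted:   # enter/leave an RSA block
            depth += unquoted.count("{") - unquoted.count("}")
            continue
        if depth > 0:                   # inside an RSA block: not checked here
            continue
        if unterminated:
            findings.append((lineno, "error", "unterminated string"))
            continue
        selectors, colon, rest = unquoted.partition(":")
        if not colon or rest.split() != ["PSK"]:
            findings.append((lineno, "error", 'expected : PSK "..." after the selectors'))
            continue
        if len(quoted) != 1:
            findings.append((lineno, "error", "PSK must be exactly one double-quoted string"))
            continue
        bad = [s for s in selectors.split() if not SELECTOR_RE.match(s)]
        if bad:
            findings.append((lineno, "error", "invalid selector(s): " + ", ".join(bad)))
        if len(quoted[0]) < MIN_PSK_LEN:
            findings.append((lineno, "warning", "PSK shorter than %d characters" % MIN_PSK_LEN))
    return findings


# Constructed sample file (not the poster's real secrets); line 11 has the
# missing closing quote that produces the error quoted in the post.
SAMPLE = """\
# constructed sample ipsec.secrets, RFC 5737 addresses
# gateway-to-gateway tunnel
198.51.100.10 203.0.113.20 : PSK "u6RL1Xc9yKQ2m8pZtD4fWb7nHs3vJg0e"
%any 198.51.100.10 : PSK "Rk5Hv2ZcT9qW1xLmB8nYfP3jD7sG4aE0"   # trailing comment
@branch.example.com 198.51.100.10 : PSK "short"
include /etc/ipsec.d/*.secrets

: RSA {
    # host key would go here; this linter skips the block
}
198.51.100.10 192.0.2.30 : PSK "missing closing quote
"""

if __name__ == "__main__":
    for lineno, severity, message in lint_secrets(SAMPLE):
        print("line %d: %s: %s" % (lineno, severity, message))
```

Run against a real file with lint_secrets(open("/etc/ipsec.secrets").read()). Because pluto reports the line number of the unterminated string, a file whose visible PSK line is fine but whose line 11 is flagged usually means there is more content in the file than was shown (an earlier entry with a stray or missing quote, or a quote character inside the secret itself).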