Configuração do Openswan site-to-site

1. Configuração do Openswan site-to-site

snak-hat
(usa CentOS)

Enviado em 16/02/2015 - 15:46h

Olá, boa tade.
Pessoal estou configurando uma vpn com openswan no CentOS 6.4, estou seguindo esse link
http://www.netadm.com.br/?p=711
só que eu não estou conseguindo.
Estou pesquisando bastante, mas anda não resolvi meu problema.
vejam a minha configuração para ver se estou errando algo.

 [root@linux2 ~]# ifconfig 

eth0      Link encap:Ethernet  Endereço de HW 08:00:27:30:DA:C2  

          inet end.: 10.30.30.50  Bcast:10.30.30.255  Masc:255.255.255.0

          endereço inet6: fe80::a00:27ff:fe30:dac2/64 Escopo:Link

          UP BROADCASTRUNNING MULTICAST  MTU:1500  Métrica:1

          RX packets:3892 errors:0 dropped:0 overruns:0 frame:0

          TX packets:2634 errors:0 dropped:0 overruns:0 carrier:0

          colisões:0 txqueuelen:1000 

          RX bytes:1312555 (1.2 MiB)  TX bytes:454582 (443.9 KiB)



eth1      Link encap:Ethernet  Endereço de HW 08:00:27:B6:B4:B0  

          inet end.: 99.99.99.99  Bcast:99.99.99.255  Masc:255.255.255.0

          endereço inet6: fe80::a00:27ff:feb6:b4b0/64 Escopo:Link

          UP BROADCASTRUNNING MULTICAST  MTU:1500  Métrica:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0

          colisões:0 txqueuelen:1000 

          RX bytes:0 (0.0 b)  TX bytes:720 (720.0 b)



lo        Link encap:Loopback Local  

          inet end.: 127.0.0.1  Masc:255.0.0.0

          endereço inet6: ::1/128 Escopo:Máquina

          UP LOOPBACKRUNNING  MTU:16436  Métrica:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          colisões:0 txqueuelen:0 

          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@linux2 ~]# route -n

Tabela de Roteamento IP do Kernel

Destino         Roteador        MáscaraGen.    Opções Métrica Ref   Uso Iface

99.99.99.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1

200.200.200.0   10.30.30.1      255.255.255.0   UG    0      0        0 eth0

10.30.30.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0

169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0

169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1

0.0.0.0         10.30.30.1      0.0.0.0         UG    0      0        0 eth0

[root@linux2 ~]# vim /etc/ipsec.conf 

# /etc/ipsec.conf - Openswan IPsec configuration file

#

# Manual:     ipsec.conf.5

#

# Please place your own config files in /etc/ipsec.d/ ending in .conf



version 2.0     # conforms to second version of ipsec.conf specification



# basic configuration

config setup

        # Debug-logging controls:  "none" for (almost) none, "all" for lots.

        # klipsdebug=none

        # plutodebug="control parsing"

        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey

        protostack=netkey

        nat_traversal=yes

        virtual_private=

        oe=off

        # Enable this if you see "failed to find any available worker"

        # nhelpers=0



#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.

#include /etc/ipsec.d/*.conf

#



conn tunnel

   left=10.30.30.50

   leftsubnet=99.99.99.0/24

   leftnexthop=10.30.30.1

   right=10.10.10.60

   rightsubnet=200.200.200.0/24

   rightnexthop=10.10.10.1

   pfs=yes

   type=tunnel

   authby=secret

   auto=start

[root@linux2 ~]# ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path                                 [OK]

Linux Openswan U2.6.32/K2.6.32-358.el6.i686 (netkey)

Checking for IPsec support in kernel                            [OK]

 SAref kernel support                                           [N/A]

 NETKEY:  Testing for disabled ICMP send_redirects              [OK]

NETKEY detected, testing for disabled ICMP accept_redirects     [OK]

Testing against enforced SElinux mode                           [OK]

Checking that pluto is running                                  [OK]

 Pluto listening for IKE on udp 500                             [FAILED]

  Cannot execute command "lsof -i UDP:500": Arquivo ou diretório não encontrado

 Pluto listening for NAT-T on udp 4500                          [FAILED]

  Cannot execute command "lsof -i UDP:4500": Arquivo ou diretório não encontrado

Two or more interfaces found, checking IP forwarding            [OK]

Checking NAT and MASQUERADEing                                  [OK]

Checking for 'ip' command                                       [OK]

Checking /bin/sh is not /bin/dash                               [OK]

Checking for 'iptables' command                                 [OK]

Opportunistic Encryption Support                                [DISABLED]

[root@linux2 ~]#



[root@linux2 ~]# vim /etc/ipsec.secrets 

include /etc/ipsec.d/*.secrets

10.10.10.60 10.30.30.50: PSK "teste"

0 0

Quote

2. Estou verificando e faltava o lsof que o centOS não tinha instalado.

snak-hat
(usa CentOS)

Enviado em 16/02/2015 - 17:12h

Nos aqrauivos de log ele esta me retornando isso.

será que esta Certo ?

[root@linux-1 ~]# tailf /var/log/messages 

Feb 16 17:11:13 linux-1 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

Feb 16 17:11:13 linux-1 ipsec_setup: ...Openswan IPsec started

Feb 16 17:11:13 linux-1 pluto: adjusting ipsec.d to /etc/ipsec.d

Feb 16 17:11:13 linux-1 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d

Feb 16 17:11:13 linux-1 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

Feb 16 17:11:13 linux-1 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

Feb 16 17:11:13 linux-1 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

Feb 16 17:11:13 linux-1 ipsec__plutorun: 002 added connection description "tunnel"

Feb 16 17:11:13 linux-1 ipsec__plutorun: 003 no secrets filename matched "/etc/ipsec.d/*.secrets"

Feb 16 17:11:13 linux-1 ipsec__plutorun: 104 "tunnel" #1: STATE_MAIN_I1: initiate

[root@linux2 ~]# ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path                                 [OK]

Linux Openswan U2.6.32/K2.6.32-358.el6.i686 (netkey)

Checking for IPsec support in kernel                            [OK]

 SAref kernel support                                           [N/A]

 NETKEY:  Testing for disabled ICMP send_redirects              [OK]

NETKEY detected, testing for disabled ICMP accept_redirects     [OK]

Testing against enforced SElinux mode                           [OK]

Checking that pluto is running                                  [OK]

 Pluto listening for IKE on udp 500                             [OK]

 Pluto listening for NAT-T on udp 4500                          [OK]

Two or more interfaces found, checking IP forwarding            [OK]

Checking NAT and MASQUERADEing                                  [OK]

Checking for 'ip' command                                       [OK]

Checking /bin/sh is not /bin/dash                               [OK]

Checking for 'iptables' command                                 [OK]

Opportunistic Encryption Support                                [DISABLED]