Openswan site-to-site configuration

1. Openswan site-to-site configuration

Anonymou
snak-hat

(uses CentOS)

Posted on 16/02/2015 - 15:46h

Hello, good afternoon.
Folks, I'm setting up a VPN with Openswan on CentOS 6.4, following this link
http://www.netadm.com.br/?p=711
but I can't get it to work.
I've been researching a lot, but I still haven't solved my problem.
Take a look at my configuration to see if I'm doing something wrong.
[root@linux2 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:30:DA:C2
          inet addr:10.30.30.50  Bcast:10.30.30.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe30:dac2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3892 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2634 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1312555 (1.2 MiB)  TX bytes:454582 (443.9 KiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:B6:B4:B0
          inet addr:99.99.99.99  Bcast:99.99.99.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:feb6:b4b0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:720 (720.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@linux2 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
99.99.99.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
200.200.200.0   10.30.30.1      255.255.255.0   UG    0      0        0 eth0
10.30.30.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
0.0.0.0         10.30.30.1      0.0.0.0         UG    0      0        0 eth0

[root@linux2 ~]# vim /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf
#

conn tunnel
    left=10.30.30.50
    leftsubnet=99.99.99.0/24
    leftnexthop=10.30.30.1
    right=10.10.10.60
    rightsubnet=200.200.200.0/24
    rightnexthop=10.10.10.1
    pfs=yes
    type=tunnel
    authby=secret
    auto=start

[root@linux2 ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.i686 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Testing against enforced SElinux mode [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Cannot execute command "lsof -i UDP:500": No such file or directory
Pluto listening for NAT-T on udp 4500 [FAILED]
Cannot execute command "lsof -i UDP:4500": No such file or directory
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
[root@linux2 ~]#


[root@linux2 ~]# vim /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
10.10.10.60 10.30.30.50: PSK "teste"


2. I was checking and lsof was missing; CentOS didn't have it installed.

Anonymou
snak-hat

(uses CentOS)

Posted on 16/02/2015 - 17:12h

In the log files it is returning this to me.
Is this right?
[root@linux-1 ~]# tailf /var/log/messages
Feb 16 17:11:13 linux-1 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Feb 16 17:11:13 linux-1 ipsec_setup: ...Openswan IPsec started
Feb 16 17:11:13 linux-1 pluto: adjusting ipsec.d to /etc/ipsec.d
Feb 16 17:11:13 linux-1 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Feb 16 17:11:13 linux-1 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Feb 16 17:11:13 linux-1 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Feb 16 17:11:13 linux-1 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Feb 16 17:11:13 linux-1 ipsec__plutorun: 002 added connection description "tunnel"
Feb 16 17:11:13 linux-1 ipsec__plutorun: 003 no secrets filename matched "/etc/ipsec.d/*.secrets"
Feb 16 17:11:13 linux-1 ipsec__plutorun: 104 "tunnel" #1: STATE_MAIN_I1: initiate
[root@linux2 ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.i686 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Testing against enforced SElinux mode [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]



3. Re: Openswan site-to-site configuration

Estefanio Brunhara
stefaniobrunhara

(uses CentOS)

Posted on 17/09/2015 - 18:29h

I did the same configuration, but I thought it wasn't working because I couldn't ping the other side, as I always do when I install OpenVPN; in the case of IPsec you can only ping with ping -I 192.168.15.253 192.168.0.254. And how is your firewall?

Have you tried a ping -I <machine_IP> <destination_IP>?

Here are all the links where I posted my questions

https://lists.openswan.org/pipermail/users/2015-September/023416.html
http://www.mandrivabrasil.org/forum/index.php?topic=14161.msg95015#new
http://centosbr.org/modules/newbb/viewtopic.php?topic_id=4292&forum=26&post_id=18383#forumpo...
https://www.centos.org/forums/viewtopic.php?f=16&t=53895
http://www.vivaolinux.com.br/topico/servidores-VPN/Centos-63-ipsec-site-to-site-aguardando-fase-2-ph...
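Added example, not from this thread and not Openswan's own code: a small Python checker that parses the ipsec.conf conn and the ipsec.secrets line posted in post 1 (embedded below as a constructed sample with the thread's addresses) and answers the two questions the thread turns on. First, whether the PSK line actually covers the conn's left/right identities (the `003 no secrets filename matched "/etc/ipsec.d/*.secrets"` line in post 2 refers to the `include` glob matching no file, not to the PSK line itself). Second, which source/destination pairs match the tunnel's traffic selectors, which is why post 3 has to ping with `-I` and an address inside leftsubnet. The secret-matching rule is a simplification of pluto's best-match lookup; the selector rule is the standard policy-based IPsec behaviour of the NETKEY stack.

```python
"""Added example (not from the thread, not Openswan code): check the posted
ipsec.conf/ipsec.secrets and show which packets the tunnel would carry.
PSK matching is a simplification of pluto's best-match secret lookup."""
import ipaddress
import re

# Constructed sample: the thread's conn and PSK line, with the indentation
# that ipsec.conf requires for parameter lines.
SAMPLE_CONF = """\
version 2.0
conn tunnel
    left=10.30.30.50
    leftsubnet=99.99.99.0/24
    leftnexthop=10.30.30.1
    right=10.10.10.60
    rightsubnet=200.200.200.0/24
    rightnexthop=10.10.10.1
    pfs=yes
    type=tunnel
    authby=secret
    auto=start
"""
SAMPLE_SECRETS = """\
include /etc/ipsec.d/*.secrets
10.10.10.60 10.30.30.50: PSK "teste"
"""

def parse_ipsec_conf(text):
    """{('conn', name) or ('config', 'setup'): {param: value}}. An unindented
    line starts a section (or is a directive such as version/include);
    indented key=value lines belong to the current section."""
    sections, current = {}, None
    for raw in text.splitlines():
        body = raw.split('#', 1)[0].rstrip()      # drop comments
        if not body.strip():
            continue
        if not body[0].isspace():
            parts = body.split()
            current = None
            if parts[0] in ('conn', 'config') and len(parts) == 2:
                current = (parts[0], parts[1])
                sections[current] = {}
        elif current is not None:
            key, _, value = body.strip().partition('=')
            sections[current][key.strip()] = value.strip()
    return sections

def parse_secrets(text):
    """[(set of IDs, psk)] per PSK line; an empty ID list means %any."""
    entries = []
    for raw in text.splitlines():
        m = re.match(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"\s*$', raw.split('#', 1)[0].strip())
        if m:
            entries.append((set(m.group(1).split()) or {'%any'}, m.group(2)))
    return entries

def conn_ids(conn):
    """IKE identities; without leftid/rightid Openswan uses the IP address."""
    return conn.get('leftid', conn['left']), conn.get('rightid', conn['right'])

def find_psk(conn, secrets):
    """First PSK whose ID list names both peers (or is %any), else None."""
    left, right = conn_ids(conn)
    for ids, psk in secrets:
        if '%any' in ids or {left, right} <= ids:
            return psk
    return None

def conn_selectors(conn):
    """(local, remote) subnets installed as IPsec policy; default is the
    endpoint itself (/32) when leftsubnet/rightsubnet are absent."""
    return (ipaddress.ip_network(conn.get('leftsubnet', conn['left'] + '/32'), strict=False),
            ipaddress.ip_network(conn.get('rightsubnet', conn['right'] + '/32'), strict=False))

def is_protected(conn, src, dst):
    """True if src->dst matches the outbound policy and enters the tunnel.
    A bare `ping 200.200.200.1` on the gateway is sourced from 10.30.30.50
    (eth0, the route towards the peer), which is outside leftsubnet, so it
    leaves in cleartext; `ping -I 99.99.99.99 ...` matches (leftsourceip=
    is Openswan's parameter for exactly this case)."""
    local, remote = conn_selectors(conn)
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote

def lint_conn(conn, secrets):
    """Findings for the usual site-to-site PSK mistakes."""
    findings = []
    left, right = conn_ids(conn)
    if conn.get('authby') == 'secret':
        psk = find_psk(conn, secrets)
        if psk is None:
            findings.append('authby=secret but no PSK line covers %s and %s' % (left, right))
        elif len(psk) < 20:
            findings.append('PSK for %s<->%s is only %d characters; use a long random secret'
                            % (left, right, len(psk)))
    return findings

if __name__ == '__main__':
    conn = parse_ipsec_conf(SAMPLE_CONF)[('conn', 'tunnel')]
    secrets = parse_secrets(SAMPLE_SECRETS)
    print('findings:', lint_conn(conn, secrets))
    for src, dst in (('10.30.30.50', '200.200.200.1'), ('99.99.99.99', '200.200.200.1')):
        print(src, '->', dst, 'tunnel' if is_protected(conn, src, dst) else 'cleartext')
```

Run as a script it reports that the posted PSK line does match the conn but that `"teste"` is far too short for a production tunnel, and that a ping sourced from 10.30.30.50 stays in cleartext while one sourced from 99.99.99.99 enters the tunnel. To check the real files, replace the two constructed samples with `open('/etc/ipsec.conf').read()` and `open('/etc/ipsec.secrets').read()` on the gateway; the `include` line is skipped, so included secrets files would have to be read separately.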
