# Openswan (roadwarrior)

## stream

Hi,

the network looks like this:

```
---------------------
| Server  10.0.1.1  |
---------------------
          || (eth1)
          ||  (wired network)
     -------------------
     | AP 10.0.1.2     |
     -------------------
          :: (wireless)
          ::
Clients (10.0.1.0/24)
```

The certificates have been created.

Configs on the server:

ipsec.conf

```
version 2.0

config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none

conn %default
        authby=rsasig
        leftrsasigkey=%cert
        left=10.0.1.1
        leftcert=/ca/server.pem
        leftid="/C=DE/ST=www/L=www/O=wlan/OU=wlan/CN=root/emailAddress=root@localhost"
        right=%any
        keyingtries=1

conn wlan
        auto=add

conn wlannet
        leftsubnet=10.0.1.0/24
        auto=add
```

ipsec.secrets

```
: RSA server.pem "kennwort"
```

Starting ipsec

```
ipsec setup start
 * Starting IPSEC ......
ipsec_setup: Starting Openswan IPsec U2.1.1/K2.6.4...
ipsec_setup: WARNING: setkey not found.                     [ ok ]
```

The ipsec interface does not show up in the output of ifconfig.

Logs

```
ipsec_setup: Starting Openswan IPsec U2.1.1/K2.6.4...
ipsec_setup: WARNING: setkey not found.
ipsec_setup: KLIPS ipsec0 on eth1 10.0.1.1/255.255.255.0 broadcast 10.0.1.255
ipsec__plutorun: Starting Pluto subsystem...
pluto[5720]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
pluto[5720]:   including NAT-Traversal patch (Version 0.6c) [disabled]
pluto[5720]: Using Linux 2.6 IPsec interface code
ipsec_setup: ...Openswan IPsec started
pluto[5720]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
pluto[5720]:   loaded cacert file 'server.pem' (3479 bytes)
pluto[5720]: Changing to directory '/etc/ipsec/ipsec.d/crls'
pluto[5720]:   loaded crl file 'crl.pem' (483 bytes)
ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
ipsec__plutorun: ipsec_auto: fatal error in "wlannet": ID "%any" cannot have RSA key
ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
ipsec__plutorun: ipsec_auto: fatal error in "wlan": ID "%any" cannot have RSA key
ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 1:  5720 Segmentation fault      /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --debug-none --uniqueids
ipsec__plutorun: whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
ipsec__plutorun: ...could not route conn "packetdefault"
ipsec__plutorun: whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
ipsec__plutorun: ...could not route conn "block"
ipsec__plutorun: whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
ipsec__plutorun: ...could not route conn "clear-or-private"
ipsec__plutorun: whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
ipsec__plutorun: ...could not route conn "clear"
ipsec__plutorun: whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
ipsec__plutorun: ...could not route conn "private-or-clear"
ipsec__plutorun: whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
ipsec__plutorun: ...could not route conn "private"
ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
ipsec__plutorun: restarting IPsec after pause...
```

Stopping ipsec

```
ipsec setup stop
 * Stopping IPSEC ......
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Removing orphaned /var/run/pluto.pid:          [ ok ]
```
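Added example, not part of the original post and not Openswan's own code: a small Python triage script that parses the ipsec.conf shown above into sections, applies the inheritance Openswan uses (every conn picks up the values of `conn %default` unless it overrides them), and then correlates the `_plutorun` log lines with the conns it finds. It makes two things visible that are easy to miss when reading the raw log: several of the conns named in the fatal errors (packetdefault, block, clear, private, ...) are not defined in this ipsec.conf at all, and the final "exited with error status 139 (signal 11)" is a Pluto crash, not a configuration rejection, which is why every later `whack` call is refused. The sample config and log lines are copied (trimmed) from the post; the regexes, the function names and the report layout are assumptions of this example.

```python
"""Triage helper for a failed Openswan start: resolve effective conn settings
from ipsec.conf (with 'conn %default' inheritance) and correlate the
ipsec_setup / _plutorun log lines with those conns.
Example code written for this thread; not part of Openswan or the post."""
import re
from typing import Dict, List, Optional

# Sample input: the poster's ipsec.conf, reproduced for this example.
IPSEC_CONF = """\
version 2.0
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
conn %default
        authby=rsasig
        leftrsasigkey=%cert
        left=10.0.1.1
        leftcert=/ca/server.pem
        leftid="/C=DE/ST=www/L=www/O=wlan/OU=wlan/CN=root/emailAddress=root@localhost"
        right=%any
        keyingtries=1
conn wlan
        auto=add
conn wlannet
        leftsubnet=10.0.1.0/24
        auto=add
"""

# Sample input: log lines quoted from the post (trimmed excerpt).
LOG_LINES = [
    'ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known',
    'ipsec__plutorun: ipsec_auto: fatal error in "wlannet": ID "%any" cannot have RSA key',
    'ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known',
    'ipsec__plutorun: ipsec_auto: fatal error in "wlan": ID "%any" cannot have RSA key',
    'ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 1:  5720 Segmentation fault      /usr/libexec/ipsec/pluto --nofork',
    'ipsec__plutorun: whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)',
    'ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)',
]

SECTION_RE = re.compile(r'^(conn|config)\s+(\S+)\s*$')      # "conn wlan", "config setup"
KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$')  # "  key=value"
FATAL_RE = re.compile(r'fatal error in "([^"]+)": (.*)$')
EXIT_RE = re.compile(r'exited with error status (\d+) \(signal (\d+)\)')


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}. Conn sections are keyed by their name
    ('%default' included); 'config setup' is keyed as 'setup'. Each key=value
    line belongs to the most recent section header; this parser does not
    require indentation and strips surrounding double quotes from values."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith('#') or line.startswith('version'):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2)
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip('"')
    return sections


def effective_conn(sections: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """Settings of one conn with the 'conn %default' values filled in
    underneath, the way Openswan applies them."""
    merged = dict(sections.get('%default', {}))
    merged.update(sections[name])
    return merged


def triage_log(lines: List[str], sections: Dict[str, Dict[str, str]]) -> dict:
    """Collect the fatal error per conn, list conns the log names that the
    config never defines, and pick up a Pluto exit status if one is logged."""
    fatal: Dict[str, str] = {}
    crash = None
    for line in lines:
        m = FATAL_RE.search(line)
        if m:
            fatal[m.group(1)] = m.group(2)
        m = EXIT_RE.search(line)
        if m:
            crash = {'status': int(m.group(1)), 'signal': int(m.group(2))}
    defined = {n for n in sections if n not in ('setup', '%default')}
    undefined = sorted(n for n in fatal if n not in defined)
    whack_refused = any('Connection refused' in ln for ln in lines)
    return {'fatal': fatal, 'undefined_conns': undefined,
            'crash': crash, 'whack_refused': whack_refused}


if __name__ == '__main__':
    conf = parse_ipsec_conf(IPSEC_CONF)
    for conn in ('wlan', 'wlannet'):
        print(conn, effective_conn(conf, conn))
    print(triage_log(LOG_LINES, conf))
```

Running the script against the full log from the post adds the remaining OE conn names (clear, clear-or-private, private, private-or-clear) to `undefined_conns`; the script only reports what the log and the config say and does not attempt to repair the configuration.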

----------

## slick

Here are two good links on the topic. They are about FreeS/WAN, but it should be analogous.

http://www.heise.de/ct/02/05/220/default.shtml

http://www.heise.de/ct/02/05/216/default.shtml

----------

## stream

Thanks for the links.

I have now run ipsec verify.

```
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux FreeS/WAN U2.1.1/K2.6.4 (native) (native)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets)                 [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running                                          [FAILED]
whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
Two or more interfaces found, checking IP forwarding                    [FAILED]
whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [FAILED]
which: no iptables in (/sbin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/sbin:/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin)
Checking for 'setkey' command for native IPsec stack support            [FAILED]
which: no setkey in (/sbin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/sbin:/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin)
Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: server                          [MISSING]
Cannot execute command "host -t txt sandra": No such file or directory
   Does the machine have at least one non-private address?              [FAILED]
```

RSA private key (/etc/ipsec/ipsec.secrets)                 [FAILED]

Of course I have searched with google and in the forum, but unfortunately found nothing helpful.

Does anybody know what I could have done wrong?

----------

## stream

The RSA key works now.

But I still have the problem with pluto:

```
Checking for RSA private key (/etc/ipsec/ipsec.secrets)                 [OK]
Checking that pluto is running                                          [FAILED]
whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
Two or more interfaces found, checking IP forwarding                    [FAILED]
whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
```

----------

## ruth

hi,

personally I'd advise you to say goodbye to freeswan and co...  :Wink: 

Reasons:

1) cr***y to set up (as you're experiencing right now...)

2) obsolete technology - use the native ipsec stack + kame tools...

3) KLIPS is *supposed* to be, according to some developers, a "heap of crap cast in software" (at least that's what I read somewhere)

conclusion:

use either native ipsec + KAME or openvpn.

with either solution you'll reach your goal faster, more easily and with a better result.

>> that's just my personal opinion, others have other opinions...

so long

rootshell

----------

## stream

Hello rootshell,

thanks for the hint  :Wink: 

I have now decided on ipsec + KAME.

It isn't entirely free of problems either (I'll open a separate thread for that).

----------

