LinuxQuestions.org
Old 04-10-2006, 03:56 PM   #1
SBZ
LQ Newbie
Registered: Apr 2006
Posts: 2

FC5+OpenSwan=HELP PLS


I'm trying to establish a connection between an FC5 Openswan box and a Cisco PIX, but I've been at it for 3 days and nothing works =((

I can bring the tunnel up, but one side doesn't ping the other.

My log is crazy.

This is what I get in the log:
Code:
Apr 10 17:30:53 chattv01 ipsec_setup: KLIPS ipsec0 on eth0 x.x.x.x/255.255.255.240 broadcast x.x.x.x
Apr 10 17:30:53 chattv01 ipsec_setup: ...Openswan IPsec started
Apr 10 17:30:54 chattv01 ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
Apr 10 17:30:54 chattv01 ipsec__plutorun: 021 no connection named "packetdefault"
Apr 10 17:30:54 chattv01 ipsec__plutorun: ...could not route conn "packetdefault"
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.185:556): avc:  denied  { read } for  pid=12822 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.185:557): avc:  denied  { read write } for  pid=12822 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.185:558): avc:  denied  { read write } for  pid=12822 comm="ip" name="[27542]" dev=sockfs ino=27542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 ipsec__plutorun: 104 "acotel-m4u" #1: STATE_MAIN_I1: initiate
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.197:559): avc:  denied  { read } for  pid=12826 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:54 chattv01 ipsec__plutorun: ...could not start conn "acotel-m4u"
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.197:560): avc:  denied  { read write } for  pid=12826 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.197:561): avc:  denied  { read write } for  pid=12826 comm="ip" name="[27542]" dev=sockfs ino=27542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:562): avc:  denied  { read } for  pid=12827 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:563): avc:  denied  { read write } for  pid=12827 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:564): avc:  denied  { read write } for  pid=12827 comm="ip" name="[27542]" dev=sockfs ino=27542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:565): avc:  denied  { write } for  pid=12827 comm="ip" name="flush" dev=proc ino=-268435293 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
Apr 10 17:30:55 chattv01 kernel: audit(1144701055.177:566): avc:  denied  { read } for  pid=12839 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:55 chattv01 kernel: audit(1144701055.177:567): avc:  denied  { read write } for  pid=12839 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:55 chattv01 kernel: audit(1144701055.177:568): avc:  denied  { write } for  pid=12839 comm="ip" name="flush" dev=proc ino=-268435293 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

I have the config OK, and I already cleared all iptables rules; I have NO FIREWALL on this machine, and I can get ICMP replies from every location except the VPN side.

I get the replies when I tcpdump my eth0, but I can't "see" the reply in the shell; the shell tells me 100% packet loss.

The other side can receive my ICMPs and reply to them.

When the other side pings me, I get the requests in tcpdump on eth0, but my machine doesn't send a reply.

My ipsec.conf is:
Code:
#ipsec auto --up pix route add -net 200.184.147.0 netmask 255.255.255.0 dev ipsec0

# /etc/ipsec.conf - OpenSWAN IPSec configuration file

# The version information is needed for OpenSWAN
version 2.0

# basic configuration
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none

# Add connections here
conn acotel-m4u
        type=tunnel
        right=x.x.x.x
        rightnexthop=x.x.x.xGW
        left=y.y.y.y
        leftsubnet=y.y.y.y/32
        leftnexthop=y.y.y.yGW
        esp=3des-md5-96
        pfs=yes
        disablearrivalcheck=yes
        authby=secret
        keyexchange=ike
        auto=start

# Disable Opportunistic Encryption
# essential for interoperating with Cisco devices
conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

# End of config for disabling Opportunistic Encryption

and my ipsec.secrets is:

Code:
x.x.x.x y.y.y.y : PSK "key"
Of course, x.x.x.x and y.y.y.y are the correct IPs.

All modules are OK.

Code:
[root@chattv01 ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.16-1.2080_FC5smp (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]

Please... I've lost all hope. Can some friend help me? =( I can repay the help with a Brazilian postcard =)

Thanks, guys.
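As an added example (mine, not from SBZ's post or from Openswan), the shell script below cross-checks the conn names pluto reports as failing in the posted log against the conn sections actually declared in the posted ipsec.conf. A failing conn that the file never declares has to come from the defaults Openswan 2.x ships for opportunistic encryption, which is what the "packetdefault" lines in the log are; the usual remedy is an explicit auto=ignore section for it next to the other OE conns the config already silences. The two sample strings are trimmed copies of the log and config from the post; the function names are the example's own.

```shell
#!/bin/sh
# Added example: find pluto failures for conns that ipsec.conf never defines.
# Such conns come from Openswan 2.x's built-in opportunistic-encryption
# defaults and are silenced with an explicit "auto=ignore" section.

# Constructed sample: the plutorun lines from the posted /var/log/messages.
PLUTO_LOG='Apr 10 17:30:54 chattv01 ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
Apr 10 17:30:54 chattv01 ipsec__plutorun: 021 no connection named "packetdefault"
Apr 10 17:30:54 chattv01 ipsec__plutorun: ...could not route conn "packetdefault"
Apr 10 17:30:54 chattv01 ipsec__plutorun: 104 "acotel-m4u" #1: STATE_MAIN_I1: initiate
Apr 10 17:30:54 chattv01 ipsec__plutorun: ...could not start conn "acotel-m4u"'

# Constructed sample: the conn sections of the posted ipsec.conf, trimmed.
IPSEC_CONF='version 2.0
config setup
        interfaces="ipsec0=eth0"
conn acotel-m4u
        type=tunnel
        authby=secret
        auto=start
conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore'

# failed_conns: conn names pluto reported as failing (stdin), unique, sorted.
failed_conns() {
    sed -En 's/.*(fatal error in|could not route conn|could not start conn) "([^"]*)".*/\2/p' \
    | sort -u
}

# defined_conns: conn names declared in an ipsec.conf (stdin), unique, sorted.
defined_conns() {
    awk '$1 == "conn" { print $2 }' | sort -u
}

# undefined_failures LOG CONF: failing conns that the config never declares.
undefined_failures() {
    failed=$(printf '%s\n' "$1" | failed_conns)
    defined=$(printf '%s\n' "$2" | defined_conns)
    printf '%s\n' "$failed" | while read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$defined" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# ignore_stanza NAME: the ipsec.conf text that silences a built-in conn.
ignore_stanza() {
    printf 'conn %s\n\tauto=ignore\n' "$1"
}

main() {
    undefined_failures "$PLUTO_LOG" "$IPSEC_CONF" | while read -r name; do
        printf '# "%s" failed but is not declared in ipsec.conf; add:\n' "$name"
        ignore_stanza "$name"
    done
}

main
```

Against real files the call is `undefined_failures "$(grep plutorun /var/log/messages)" "$(cat /etc/ipsec.conf)"`. The other failure in the log, "could not start conn acotel-m4u", is a different problem: that conn is declared, and the log shows it reaching STATE_MAIN_I1 before the start fails, so it needs IKE-level debugging (plutodebug=control here and the corresponding debug on the PIX) rather than a config stanza.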
Old 04-11-2006, 02:08 PM   #2
SBZ
LQ Newbie
Registered: Apr 2006
Posts: 2
Original Poster

So? Any idea?
Old 04-30-2008, 11:20 AM   #3
OdinnBurkni
Member
Registered: Feb 2007
Location: Iceland
Distribution: Fedora 14, CentOS, FreeNAS
Posts: 127

PIX problem

Hello.
Did you solve this problem? I ask because I'm trying a similar thing with Linux and a Cisco ASA box. Right now I'm able to ping from the Cisco side but not from the Linux side. I was wondering if you solved your problem and would be able to help me out. If not, I'll let you know how my project is going.

Regards,
Odinn Burkni
Old 04-30-2008, 12:42 PM   #4
datopdog
Member
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

It looks like SELinux is preventing lots of stuff from happening. Those audit messages are generated by SELinux policy blocking Openswan from accessing files; either turn off SELinux or use audit2allow to fix the issues.
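As an added example (mine, not from any poster in this thread), here is a small shell script that does by hand what the audit2allow suggestion above does: it reads AVC "denied" lines like the ones in the first post and turns them into the allow rules a policy module would need, so they can be reviewed before anything is loaded. The sample log lines are copied from the first post; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from Openswan: turn SELinux
# AVC "denied" lines into the allow rules a policy module would need, which
# is the same translation `audit2allow` performs. Reviewing the rules before
# building and loading a module is the point.

# Constructed sample: four of the AVC lines from the first post in this thread.
AVC_SAMPLE='Apr 10 17:30:54 chattv01 kernel: audit(1144701054.185:556): avc:  denied  { read } for  pid=12822 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.185:557): avc:  denied  { read write } for  pid=12822 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:565): avc:  denied  { write } for  pid=12827 comm="ip" name="flush" dev=proc ino=-268435293 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
Apr 10 17:30:55 chattv01 kernel: audit(1144701055.177:566): avc:  denied  { read } for  pid=12839 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file'

# avc_to_allow: read AVC lines on stdin; print one allow rule per
# (source type, target type, object class), permissions merged, first-seen order.
avc_to_allow() {
    grep 'avc: *denied' | awk '
    {
        # the permission list sits between the braces
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { src = substr($i, 10) }
            if ($i ~ /^tcontext=/) { tgt = substr($i, 10) }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # contexts are user:role:type:level; the rule needs the type
        split(src, a, ":"); split(tgt, b, ":")
        key = a[3] SUBSEP b[3] SUBSEP cls
        if (!(key in order)) { order[key] = ++n; keys[n] = key; merged[key] = "" }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)
            if (index(" " merged[key] " ", " " p[j] " ") == 0)
                merged[key] = (merged[key] == "" ? p[j] : merged[key] " " p[j])
    }
    END {
        for (k = 1; k <= n; k++) {
            split(keys[k], f, SUBSEP)
            printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], merged[keys[k]]
        }
    }'
}

# sample_rules: the rules derived from the constructed sample above.
sample_rules() {
    printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
}

sample_rules
```

On the box itself the equivalent is `grep avc /var/log/audit/audit.log | audit2allow -M openswan_local` followed by `semodule -i openswan_local.pp`. Read the rules before loading them: the `initrc_t:unix_stream_socket` one is a descriptor inherited from the init script, while the denied write to `name="flush"` under `dev=proc` with a `sysctl_net_t` target is the route-cache flush file, so that denial is worth understanding rather than blanket-allowing. A quicker way to confirm SELinux is really the cause is `setenforce 0`, re-test the tunnel, then `setenforce 1`; if the tunnel still fails in permissive mode, the problem is elsewhere.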