I'm trying to establish a connection between an FC5 Openswan and a Cisco PIX, but I've been on it for 3 days, and nothing =((
I can close the tunnel, but one side doesn't ping the other..
My log is crazy.
I get this in the log:
Code:
Apr 10 17:30:53 chattv01 ipsec_setup: KLIPS ipsec0 on eth0 x.x.x.x/255.255.255.240 broadcast x.x.x.x
Apr 10 17:30:53 chattv01 ipsec_setup: ...Openswan IPsec started
Apr 10 17:30:54 chattv01 ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
Apr 10 17:30:54 chattv01 ipsec__plutorun: 021 no connection named "packetdefault"
Apr 10 17:30:54 chattv01 ipsec__plutorun: ...could not route conn "packetdefault"
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.185:556): avc: denied { read } for pid=12822 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.185:557): avc: denied { read write } for pid=12822 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.185:558): avc: denied { read write } for pid=12822 comm="ip" name="[27542]" dev=sockfs ino=27542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 ipsec__plutorun: 104 "acotel-m4u" #1: STATE_MAIN_I1: initiate
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.197:559): avc: denied { read } for pid=12826 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:54 chattv01 ipsec__plutorun: ...could not start conn "acotel-m4u"
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.197:560): avc: denied { read write } for pid=12826 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.197:561): avc: denied { read write } for pid=12826 comm="ip" name="[27542]" dev=sockfs ino=27542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:562): avc: denied { read } for pid=12827 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:563): avc: denied { read write } for pid=12827 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:564): avc: denied { read write } for pid=12827 comm="ip" name="[27542]" dev=sockfs ino=27542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:565): avc: denied { write } for pid=12827 comm="ip" name="flush" dev=proc ino=-268435293 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
Apr 10 17:30:55 chattv01 kernel: audit(1144701055.177:566): avc: denied { read } for pid=12839 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:55 chattv01 kernel: audit(1144701055.177:567): avc: denied { read write } for pid=12839 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:55 chattv01 kernel: audit(1144701055.177:568): avc: denied { write } for pid=12839 comm="ip" name="flush" dev=proc ino=-268435293 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
I have the config OK, and I already cleared all iptables rules; I have NO FIREWALL on this machine, and I can get an ICMP reply from every location, except the VPN side.
I get the replies when I tcpdump my eth0, but I can't "see" the reply in the shell; the shell tells me it is 100% packet loss.
The other side can receive my ICMPs and reply to them.
When the other side pings me, I get the requests in the tcpdump on eth0, but my machine doesn't send a reply.
My ipsec.conf is:
Code:
#ipsec auto --up pix route add -net 200.184.147.0 netmask 255.255.255.0 dev ipsec0
# /etc/ipsec.conf - OpenSWAN IPSec configuration file
# The version information is needed for OpenSWAN
version 2.0

# basic configuration
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none

# Add connections here
conn acotel-m4u
    type=tunnel
    right=x.x.x.x
    rightnexthop=x.x.x.xGW
    left=y.y.y.y
    leftsubnet=y.y.y.y/32
    leftnexthop=y.y.y.yGW
    esp=3des-md5-96
    pfs=yes
    disablearrivalcheck=yes
    authby=secret
    keyexchange=ike
    auto=start

# Disable Opportunistic Encryption
# essential for interoperating with Cisco devices
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
# End of config for disabling Opportunistic Encryption
and my ipsec.secrets is:
Code:
x.x.x.x y.y.y.y : PSK "key"
Of course the x.x.x.x and y.y.y.y are the correct IPs.
All modules are OK.
Code:
[root@chattv01 ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.16-1.2080_FC5smp (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]
Please.. I've lost all my hope.. can some friend help me =( I can repay the help with a Brazilian postcard =)
Thanks guys.
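The `avc: denied` lines in the log above are SELinux blocking the `ip` helper (running in the `ifconfig_t` domain) that Openswan's updown script calls. The following triage script is an added example, not code from the post or from Openswan: it parses the legacy 2.6-era audit line format shown in the log, collapses the repeated denials into unique (source type, target type, class, permissions) tuples the way audit2allow groups them, and renders the TE rule each would need. The sample input is copied from the post's log; the regex and helper names are this example's own.

```python
import re
from collections import Counter

# Legacy (2.6-era) kernel AVC denial format, as printed in the post's log.
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} for '
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"(?: name="(?P<name>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Sample input: lines copied from the log in the post; the first one is a
# non-AVC line included to show that it is skipped.
SAMPLE_LINES = [
    'Apr 10 17:30:54 chattv01 ipsec__plutorun: 104 "acotel-m4u" #1: STATE_MAIN_I1: initiate',
    'Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:562): avc: denied { read } for pid=12827 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file',
    'Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:563): avc: denied { read write } for pid=12827 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket',
    'Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:564): avc: denied { read write } for pid=12827 comm="ip" name="[27542]" dev=sockfs ino=27542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket',
    'Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:565): avc: denied { write } for pid=12827 comm="ip" name="flush" dev=proc ino=-268435293 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file',
    'Apr 10 17:30:55 chattv01 kernel: audit(1144701055.177:566): avc: denied { read } for pid=12839 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file',
]

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["perms"] = tuple(sorted(d["perms"].split()))  # e.g. ('read', 'write')
    return d

def _type(context):
    # A SELinux context is user:role:type:level; policy rules key on the type.
    return context.split(":")[2]

def summarize(lines):
    """Collapse repeated denials into (source type, target type, class, perms) -> count."""
    counts = Counter()
    for d in filter(None, map(parse_avc, lines)):
        counts[(_type(d["scontext"]), _type(d["tcontext"]), d["tclass"], d["perms"])] += 1
    return counts

def allow_rules(counts):
    """Render each unique denial as the TE rule audit2allow would propose for it."""
    return sorted("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms))
                  for (src, tgt, cls, perms) in counts)

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print("%3d x %s" % (n, key))
    print("\n".join(allow_rules(summarize(SAMPLE_LINES))))
```

The `sysctl_net_t` denial on `name="flush"` is the one to look at first: it is `ip` being refused a write to the kernel's route-cache flush file, so route changes the updown script makes may not take effect even though the tunnel negotiates.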