I still can't get my machines to connect :(
I'm finishing up, restarting, and finally running ipsec verify, and it shows me the following.

*shell# /etc/init.d/openvpn restart*
Apagando openvpn: [ OK ]
Iniciando openvpn: [ OK ]

*shell# /etc/init.d/xl2tpd restart*
Stopping xl2tpd: [ OK ]
Starting xl2tpd: [ OK ]

*shell# /etc/init.d/ipsec restart*
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-573.7.1.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

*shell# ipsec verify*
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-573.7.1.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
*Checking that pluto is running [FAILED]*
* whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")*
*Two or more interfaces found, checking IP forwarding [FAILED]*
* whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")*
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

Here is my whole configuration:

eth0 --> public IP from the ISP
eth1 --> ip: 10.1.0.1, segment: 10.1.0.0/24
tun0 --> ip: 10.8.0.1, p-t-p: 10.8.0.2, segment: 10.8.0.0/24

*shell# ls -l /etc/openvpn/*
keys/ server.conf ipp.txt easy-rsa/

*shell# cat /etc/openvpn/server.conf*
; local 10.1.0.1
port 1194
proto tcp
dev tun0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.1.0.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3

*shell# cat /etc/ipsec.conf*
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    dumpdir=/var/run/pluto/
    klipsdebug=none
    plutodebug="control"
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.8.0.0/24
    oe=off
    nhelpers=0
include /etc/ipsec.d/*.conf

*shell# /etc/ipsec.d/l2tp_psk.conf*
conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    forceencaps=yes
    right=%any
    rightsubnet=vhost:%any,%priv
    rightprotoport=17/0
    left=%defaultroute
    leftprotoport=17/1701
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    ike=aes256-sha1;modp1024!
    phase2alg=aes256-sha1;modp1024

*shell# catwc /etc/ipsec.d/ipsec.secrets*
: RSA {
    Modulus: 0xcc....
    PublicExponent: 0x03
    PrivateExponent: 0x4c...
    Prime1: 0x4c...
    Prime2: 0x4c...
    Exponent1: 0x4c...
    Exponent2: 0x4c...
    Coefficient: 0x4c...
    CKAIDNSS: 0x4c...
}
10.8.0.1 %any: PSK "miclave"

*shell# cat /etc/xl2tpd/xl2tpd.conf*
[global]
listen-addr = 10.8.0.1
force userspace = yes
[lns default]
ip range = 10.8.0.50-10.8.0.100
local ip = 10.8.0.2
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

*shell# cat /etc/ppp/options.xl2tpd*
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.1.0.1
ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/ppp.log

*shell# catwc /etc/ppp/chap-secrets*
usuario1 * "clave1" 10.8.0.5
usuario2 * "clave2" 10.8.0.6

Regards!

On 3 November 2015 at 13:25, Ricardo <harisel...@gmail.com> wrote:

> thanks! now we have all the info
>
> Sent from my iPhone
>
>
> On 3 Nov 2015, at 17:34, angel jauregui <darkdiabl...@gmail.com> wrote:
>
> > I have the rules in my iptables for: forwarding between the 10.8.0.0/24 segment (the VPN) and my 10.1.0.0/24 network segment.
> >
> > I also have the NAT rule (POSTROUTING) where everything coming from the VPN segment towards the outside is masqueraded, what goes from the VPN segment to my network is masqueraded, and vice versa.
> >
> > I have 2 network cards in the server:
> >
> > eth0 --> to the ISP
> > eth1 --> to the switch (local network).
> >
> > shell# cat /etc/init.d/firewall
> > INET= eth0
> > RED=eth1
> > VPN=tun0
> > iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 10.1.0.0/24 -o $RED -j MASQUERADE
> > iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $INET -j MASQUERADE
> > iptables -t nat -A POSTROUTING -d 10.8.0.0/24 -o $VPN -j MASQUERADE
> > iptables -t nat -A POSTROUTING -d 10.1.0.0/24 -o $RED -j MASQUERADE
> > iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o $INET -j MASQUERADE
> >
> > Regards!
> >
> > On 3 November 2015 at 10:14, Ricardo Martinez <harisel...@gmail.com> wrote:
> >
> >> Sorry for being so brief before, I was on the mobile.
> >>
> >> I said UDP because it is the default protocol.
> >>
> >> I see you have changed the protocol to TCP.
> >>
> >> Have you mapped your router so that it accepts that kind of connection (port forwarding)? If not, the request from "outside" reaches the router behind which your openvpn server sits, but the router doesn't know what to do with it, nor which machine to hand it to.
> >>
> >> From what you describe, I think you haven't mapped the router.
> >>
> >> Regards! ;)
> >>
> >> On 3 November 2015 at 16:31, angel jauregui <darkdiabl...@gmail.com> wrote:
> >>
> >>> router?? udp??...
> >>>
> >>> I'm using TCP, my friend... and what do you mean by mapping it? Isn't the line *push "route 10.1.0.1 255.255.255.0"* supposed to be enough??
> >>>
> >>> Regards!
> >>>
> >>> 2015-11-03 9:01 GMT-06:00 Ricardo <harisel...@gmail.com>:
> >>>
> >>>> and the router mapping with the UDP port?
> >>>>
> >>>> I forget that a lot ;)
> >>>>
> >>>> Sent from my iPhone
> >>>>
> >>>> On 3 Nov 2015, at 15:46, angel jauregui <darkdiabl...@gmail.com> wrote:
> >>>>>
> >>>>> Good day, list...
> >>>>>
> >>>>> A few weeks ago I brought up the OpenVPN service. I configured it in a simple way, but when I try to connect my machines from outside I can't manage it...
> >>>>>
> >>>>> *shell# cat /etc/openvpn/server.conf*
> >>>>> port 1194
> >>>>> proto tcp
> >>>>> dev tun0
> >>>>> ca ca.crt
> >>>>> cert server.crt
> >>>>> key server.key # This file should be kept secret
> >>>>> dh dh2048.pem
> >>>>> server 10.8.0.0 255.255.255.0
> >>>>> ifconfig-pool-persist ipp.txt
> >>>>> push "route 10.1.0.1 255.255.255.0"
> >>>>> keepalive 10 120
> >>>>> comp-lzo
> >>>>> persist-key
> >>>>> persist-tun
> >>>>> status openvpn-status.log
> >>>>> log openvpn.log
> >>>>> log-append openvpn.log
> >>>>> verb 3
> >>>>>
> >>>>> When I try to connect a machine from outside it logs the following:
> >>>>>
> >>>>> 189.157.177.190 --> is my dynamic IP outside the office.
> >>>>> 10.1.0.1 --> is my server
> >>>>>
> >>>>> *shell# tail -f /etc/openvpn/openvpn.log*
> >>>>> Mon Nov 2 16:57:21 2015 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
> >>>>> Mon Nov 2 16:57:21 2015 IFCONFIG POOL LIST
> >>>>> Mon Nov 2 16:57:21 2015 MULTI: TCP INIT maxclients=1024 maxevents=1028
> >>>>> Mon Nov 2 16:57:21 2015 Initialization Sequence Completed
> >>>>> Tue Nov 3 08:36:25 2015 TCP connection established with [AF_INET]10.1.0.1:52189
> >>>>> Tue Nov 3 08:36:25 2015 10.1.0.1:52189 Connection reset, restarting [-1]
> >>>>> Tue Nov 3 08:36:25 2015 10.1.0.1:52189 SIGUSR1[soft,connection-reset] received, client-instance restarting
> >>>>> Tue Nov 3 08:36:37 2015 TCP connection established with [AF_INET]189.157.177.190:23572
> >>>>> Tue Nov 3 08:36:37 2015 189.157.177.190:23572 Connection reset, restarting [-1]
> >>>>> Tue Nov 3 08:36:37 2015 189.157.177.190:23572 SIGUSR1[soft,connection-reset] received, client-instance restarting
> >>>>>
> >>>>> The 10.8.0.0/24 segment is supposed to be for the VPN and the 10.1.0.0/24 segment for my local network. In my *DHCP Server* I only have the configuration to hand out ranges from the 10.1.0.0/24 segment.
> >>>>>
> >>>>> Regards!
> >>>>>
> >>>>> --
> >>>>> M.S.I. Angel Haniel Cantu Jauregui.
> >>>>>
> >>>>> Mobile: (011-52-1)-899-871-17-22
> >>>>> E-Mail: angel.ca...@sie-group.net
> >>>>> Web: http://www.sie-group.net/
> >>>>> Cd. Reynosa Tamaulipas.
> >>>>> _______________________________________________
> >>>>> CentOS-es mailing list
> >>>>> CentOS-es@centos.org
> >>>>> https://lists.centos.org/mailman/listinfo/centos-es
> >>
> >> --
> >> Ricardo
> >> _______________________________________________
> >> IT Architect
> >> website: http://www.pulsarinara.com
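Added example (not from the thread or from OpenVPN itself): a small Python triage script for the verb 3 OpenVPN log format quoted above. It groups, per client IP, the TCP sessions that were established and then reset before any "Peer Connection Initiated" line, which is the pattern in the log in this thread. The sample lines are constructed from the thread's log plus one constructed successful client (203.0.113.7, "laptop1"); the "Peer Connection Initiated" line layout is assumed from standard OpenVPN output.

```python
import re
from collections import defaultdict

# Timestamp prefix as OpenVPN writes it at verb 3, e.g. "Tue Nov  3 08:36:25 2015 ".
TS = r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} "
ESTABLISHED = re.compile(TS + r"TCP connection established with \[AF_INET\]\s*(\S+:\d+)")
RESET = re.compile(TS + r"(\S+:\d+) Connection reset, restarting \[-1\]")
# Assumed layout of a successful handshake line: "<ip:port> [<cn>] Peer Connection Initiated with ..."
INITIATED = re.compile(TS + r"(\S+:\d+) \[[^\]]*\] Peer Connection Initiated with")

def triage(lines):
    """Count, per client IP, how many TCP sessions were established, how many
    were reset, and how many got as far as a completed TLS handshake."""
    stats = defaultdict(lambda: {"established": 0, "reset": 0, "initiated": 0})
    for line in lines:
        for key, rx in (("established", ESTABLISHED), ("reset", RESET), ("initiated", INITIATED)):
            m = rx.match(line)
            if m:
                ip = m.group(1).rpartition(":")[0]   # drop the ephemeral source port
                stats[ip][key] += 1
                break
    return dict(stats)

def never_completed(stats):
    """Clients that reached the listening socket but never completed a handshake:
    every session was torn down before "Peer Connection Initiated", so the problem
    is between the TCP connect and TLS, not in routing or the pushed options."""
    return sorted(ip for ip, s in stats.items()
                  if s["established"] > 0 and s["initiated"] == 0)

# Constructed sample: the lines quoted in the thread plus one constructed success line.
SAMPLE_LOG = """\
Mon Nov  2 16:57:21 2015 Initialization Sequence Completed
Tue Nov  3 08:36:25 2015 TCP connection established with [AF_INET]10.1.0.1:52189
Tue Nov  3 08:36:25 2015 10.1.0.1:52189 Connection reset, restarting [-1]
Tue Nov  3 08:36:25 2015 10.1.0.1:52189 SIGUSR1[soft,connection-reset] received, client-instance restarting
Tue Nov  3 08:36:37 2015 TCP connection established with [AF_INET]189.157.177.190:23572
Tue Nov  3 08:36:37 2015 189.157.177.190:23572 Connection reset, restarting [-1]
Tue Nov  3 08:36:37 2015 189.157.177.190:23572 SIGUSR1[soft,connection-reset] received, client-instance restarting
Tue Nov  3 09:00:02 2015 TCP connection established with [AF_INET]203.0.113.7:40001
Tue Nov  3 09:00:03 2015 203.0.113.7:40001 [laptop1] Peer Connection Initiated with [AF_INET]203.0.113.7:40001
""".splitlines()

if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for ip, counts in sorted(s.items()):
        print(ip, counts)
    print("never completed TLS:", never_completed(s))
```

Run it against a real file with `triage(open("/var/log/openvpn/openvpn.log"))` to see which clients reach the socket but never get past the handshake.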