OK; so I think I'm making progress ... Anyway, when ipsec starts, I get:
# svi ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: Using /lib/modules/ipsec.o
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = , should be 0)
However, I have changed /etc/network/options, and changed spoofprotect to
no. Doesn't that turn off route filtering?
Also, Shorewall complains that the gw zone is empty. The zones file looks
like:
gw ipsec0 IPSec
with a tunnels file of:
# TYPE ZONE GATEWAY GATEWAY ZONE
#
ipsec net 146.145.122.19 gw
That's the public IP of my office's PIX firewall.
Did I miss something?
My /var/log/auth.log:
Feb 9 23:53:18 ellcrys ipsec__plutorun: Starting Pluto subsystem...
Feb 9 23:53:18 ellcrys pluto[29637]: Starting Pluto (FreeS/WAN Version 1.99)
Feb 9 23:53:18 ellcrys pluto[29637]: including X.509 patch (Version 0.9.15)
Feb 9 23:53:18 ellcrys pluto[29637]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 9 23:53:18 ellcrys pluto[29637]: loaded cacert file 'cacert.pem' (1623 bytes)
Feb 9 23:53:18 ellcrys pluto[29637]: Changing to directory '/etc/ipsec.d/crls'
Feb 9 23:53:18 ellcrys pluto[29637]: loaded crl file 'crl.pem' (686 bytes)
Feb 9 23:53:18 ellcrys pluto[29637]: loaded my default X.509 cert file '/etc/x509cert.der' (1203 bytes)
Feb 9 23:54:13 ellcrys pluto[29637]: listening for IKE messages
Feb 9 23:54:13 ellcrys pluto[29637]: adding interface ipsec0/eth0 216.158.26.254
Feb 9 23:54:13 ellcrys pluto[29637]: loading secrets from "/etc/ipsec.secrets"
Feb 9 23:54:13 ellcrys pluto[29637]: loaded private key file '/etc/ipsec.d/private/IPSecServerKey.pem' (1751 bytes)
It seems that I'm waiting for incoming IPSec connections. Which is cool, and
which I will eventually want. But right now, I want to establish the IPSec
tunnel from me (216.158.26.254) to my Pix (146.145.122.19), using preshared
keys.
ipsec.secrets:
%any 146.145.122.19: PSK "-my-preshared-key"
: RSA IPSecServerKey.pem -my-passphrase-
ipsec.conf:
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
---
I have no idea what else to put into this file; I've seen so many
differently configured samples, that I'm just lost at this point. :-)
Clues appreciated.
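The rp_filter check that ipsec_setup's warning refers to, as an added example that is not from the original post: a POSIX shell audit of every interface's rp_filter file under a sysctl conf tree, plus a helper that clears them the way spoofprotect=no in /etc/network/options is meant to. The directory is taken as an argument so the functions can be pointed at a constructed copy; with no argument they use the live /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Added example (not FreeS/WAN's own script): audit rp_filter per interface.
# Prints "<iface> <value>" for each directory under the conf tree; "missing"
# means the rp_filter file could not be read, which is worth distinguishing
# from a real value when the warning shows no value at all.
rp_filter_report() {
    dir="${1:-/proc/sys/net/ipv4/conf}"
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        if [ -r "$d/rp_filter" ]; then
            printf '%s %s\n' "$iface" "$(cat "$d/rp_filter")"
        else
            printf '%s missing\n' "$iface"
        fi
    done
}

# Number of interfaces whose rp_filter is not 0 (including unreadable ones);
# KLIPS warns about each of these.
rp_filter_violations() {
    rp_filter_report "$1" | awk '$2 != "0" { n++ } END { print n + 0 }'
}

# Write 0 into every rp_filter file, including the "all" and "default" entries
# that spoofprotect also touches. Needs root on the live tree.
rp_filter_disable() {
    dir="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$dir"/*/rp_filter; do
        [ -w "$f" ] && echo 0 > "$f"
    done
    return 0
}
```

Run `rp_filter_report` with no argument after changing /etc/network/options to confirm the setting actually reached eth0 (and "all"), rather than trusting the options file alone.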
