Jim Walters wrote:
Hi,
Thanks for the quick response, Charles! Here are some answers to your good questions.
1) Is the ipsec service running on startup? Yes. The ipsec service seems to be running on startup, which is what I want it to do. If I try starting the service without stopping it, ipsec complains that it is already running. If I shut down the service and restart it, I get the pluto errors in the logs again.
I thought as much, but it never hurts to ask the obvious questions!
2) Try simpler authentication method? Well, I was trying to be simple and use a pre-shared key ("jwalters" on both ends), but maybe I'm not configuring it properly if it's complaining about certs. When I was following the excellent Bering installation guide IPSec section, it mentioned that the certificate creation could be skipped if only pre-shared keys were being used. When I skipped the cert creation, there were errors in the auth.log file complaining about the certificate directories being empty, so I figured that adding certificates might help. Perhaps my problem is trying to do without the certificates when I really need them.
Now that you mention it, I see the PSK in your ipsec.secrets file that you're trying to use. I was thrown by the existence of the RSA key, which I suggest you delete if you're not using it.
3) Using RSA keys without certificates? I'm not sure that I fully understand the whole certificate scenario, so I was trying to avoid that altogether. Perhaps that's not possible with Bering-uClibc. I'd be happy to use a standard Bering version, if that would make things easier. I'll try taking one of my older Bering router images and adding the appropriate lrp files. I do remember trying that route early on in the process and not being able to find the mawk.lrp or libm.lrp file that I thought I needed and abandoning the attempt. I think that is worth investigating, if you have gotten that working in a similar application. I'll try that next.
You can get mawk from my Dachstein ipsec page: http://lrp.steinkuehler.net/Packages/ipsec1.91.htm
You might also find my (undocumented) Bering-CD image helpful. I haven't had time to put together real documentation, so right now it's just an iso image and the CD-contents dumped on my website:
http://lrp.steinkuehler.net/files/diskimages/Bering-CD/
This is basically Bering 1.2 modified to be a lot more like Dachstein-CD than the Bering CD creation method listed in the Bering user's guide.
I have all LRP packages you need to run IPSec, and I can verify they work together (my IPSec VPN between a Bering-CD and Dachstein-CD router works fine).
If you decide to use the Bering-CD image (and not just raid packages from it :), troll the leaf-devel archives for documentation on the new linuxrc functionality (and the new LEAF.CFG file), or look through the new scripts (esp. the readme and changelog files), which can be found here:
http://lrp.steinkuehler.net/files/kernels/misc-stuff/linuxrc-2004-05-05.tgz
-- Charles Steinkuehler [EMAIL PROTECTED]
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html