Re: [leaf-user] ipsec setup
On Monday, 10 November 2014, 22:56:28, Erich Titl wrote:
> Hi Adam
>
> at 19.07.2007 00:57, Adam Niedzwiedzki wrote:
>> Hi guys,
>>
>> insmod /lib/modules/ipsec.o has no issues (no errors) but I can't find
>> af_key.o anywhere in the modules download.
>>
>> Any help appreciated
>
> Paul Wouters left the OpenSwan Project and it appears to be a dead duck
> now. AFAIK efforts have been made to port StrongSwan to LEAF and some
> progress was made but I am not sure about the current status.
>
> Anyway, 2.4.7 is _very_ old and I guess it will not work with the
> current kernel release.
>
> I don't have an environment to test ipsec anymore, so I am a bit
> offline. KP has done the port and may know more about the current status.

What exactly was the question?

The af_key module has been added with 5.12-beta1.

And yes I've built a setup for strongswan, but it needs to be tested before it will be committed. If anyone is willing to help, pls write me off-list and I'll send a package for 5.1.2-beta1/-rc1.

kp

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
Re: [leaf-user] ipsec setup
Hi Adam

at 19.07.2007 00:57, Adam Niedzwiedzki wrote:
> Hi guys,
>
> insmod /lib/modules/ipsec.o has no issues (no errors) but I can't find
> af_key.o anywhere in the modules download.
>
> Any help appreciated

Paul Wouters left the OpenSwan Project and it appears to be a dead duck now. AFAIK efforts have been made to port StrongSwan to LEAF and some progress was made but I am not sure about the current status.

Anyway, 2.4.7 is _very_ old and I guess it will not work with the current kernel release.

I don't have an environment to test ipsec anymore, so I am a bit offline. KP has done the port and may know more about the current status.

cheers
Erich
Re: [leaf-user] ipsec setup (not an ELF file) SOLVED
SOLVED this myself.

Don't try and restart /etc/init.d/ipsec from WITHIN the /etc/init.d/ directory, i.e. don't do

./ipsec --restart

Change to / then go full path:

/etc/init.d/ipsec --restart

I'm guessing it's a bug somewhere, I'll leave the powers that be (the guys that KNOW what they're doing) to fix this one.

Cheers
Ad

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Niedzwiedzki
Sent: Thursday, 19 July 2007 9:57 AM
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] ipsec setup
[leaf-user] ipsec setup
Hi guys,

This has been fun dragging my old leaf boxes up to the new builds. I was running openvpn, and figured I'd upgrade to openswan (ipsec) for my vpns.

The guide on the site, "Configuring openswan(ipsec)", talks about openswan.lrp (but can't find it) so I'm guessing it's now ipsec.lrp. The guide talks about copying ipsec.o to modules (too easy), but starting ipsec up on my machine I get the following:

ipsec_setup: Starting Openswan IPsec 2.4.7...
ipsec_setup: insmod: not an ELF file
ipsec_setup: insmod: Could not load the module: Success
ipsec_setup: insmod: af_key.o: no module by that name found
ipsec_setup: ERROR: Failed to load or detect KLIPS and NETKEY
ipsec_setup: Using ipsec
ipsec_setup: insmod: not an ELF file
ipsec_setup: insmod: Could not load the module: Success
ipsec_setup: kernel appears to lack IPsec support (neither CONFIG_KLIPS or CONFIG_NET_KEY are set)

insmod /lib/modules/ipsec.o has no issues (no errors) but I can't find af_key.o anywhere in the modules download.

Any help appreciated

Cheers
Ad
[leaf-user] Ipsec Setup with Bering LEAF
Hi

We are considering using a Bering firewall to connect two networks via the internet. Both these networks will have a windows 2000 server which will need to communicate with each other.

I have got to grips with installing Bering and Shorewall, but I am struggling with ipsec.

I have several questions associated with the setup:

1) Do I need ipsec or ipsec509 for use with windows 2000 servers located on each network.

2) If I do need ipsec509, then I note that the current release of Bering seems to have broken links to the ipsec509.lrp file.

3) Is there any further documentation on the setup of ipsec for a network to network setup, particularly with setup of certificates.

I started to go through the Bering documentation (LEAF Bering user's guide), and attempted to use the openssl, which is installed on my spare Mandrake 9.0 box, but errors are generated when I try to run the following to setup a certificate authority.

# mkdir -p demoCA/private; mkdir -p demoCA/newcerts;
# touch demoCA/index.txt; echo 01 > demoCA/serial; chmod -R 700 demoCA
# openssl req -x509 -days 3650 -newkey rsa:2048 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem

The above runs ok, but when I run the following

# openssl ca -gencrl -out crl.pem

I get "no such file or directory" trying to load CA private key.

Any help would be greatly appreciated.

Regards,
Simon Chalk.

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Ipsec Setup with Bering LEAF
Simon Chalk wrote:
> Hi
>
> We are considering using a Bering firewall to connect two networks via
> the internet. Both these networks will have a windows 2000 server which
> will need to communicate with each other.
>
> I have got to grips with installing Bering and Shorewall, but I am
> struggling with ipsec.
>
> I have several questions associated with the setup:
>
> 1) Do I need ipsec or ipsec509 for use with windows 2000 servers located
> on each network.

The fact that you're using windows 2000 servers doesn't matter if the two bering boxes are the VPN gateways. I'd suggest using plain RSA keys (i.e. ipsec.lrp) unless you need to interoperate with something that requires the use of certificates.

> 2) If I do need ipsec509, then I note that the current release of Bering
> seems to have broken links to the ipsec509.lrp file.

Can't help with this one.

> 3) Is there any further documentation on the setup of ipsec for a network
> to network setup, particularly with setup of certificates.
>
> I started to go through the Bering documentation (LEAF Bering user's
> guide), and attempted to use the openssl, which is installed on my spare
> Mandrake 9.0 box, but errors are generated when I try to run the
> following to setup a certificate authority.
>
> # mkdir -p demoCA/private; mkdir -p demoCA/newcerts;
> # touch demoCA/index.txt; echo 01 > demoCA/serial; chmod -R 700 demoCA
> # openssl req -x509 -days 3650 -newkey rsa:2048 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
>
> The above runs ok, but when I run the following
>
> # openssl ca -gencrl -out crl.pem
>
> I get "no such file or directory" trying to load CA private key.

The main documentation for ipsec is the FreeS/WAN site, which includes *LOTS* of information:

http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/index.html
http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/config.html

Note that X.509 support is in the form of a patch, with documentation available at a different location:

http://www.strongsec.com/freeswan/
http://www.strongsec.com/freeswan/install.htm

--
Charles Steinkuehler
[EMAIL PROTECTED]
RE: [leaf-user] Ipsec Setup with Bering LEAF
While I am not 100% sure, I think that Jacques has included the ipsec509 patches in the latest ipsec.lrp package. This means you no longer need to have a separate ipsec509.lrp.

All, please correct me if I am wrong :)

-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 27, 2003 1:01 PM
To: Simon Chalk
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Ipsec Setup with Bering LEAF
Re: [leaf-user] Ipsec Setup with Bering LEAF
On Thursday 27 March 2003 04:10 am, Simon Chalk wrote:
> 1) Do I need ipsec or ipsec509 for use with windows 2000 servers located
> on each network.

As CS noted, this doesn't matter as long as both are gateways. x509 certs are much more difficult than RSA-keys IMHO.

> 2) If I do need ipsec509, then I note that the current release of Bering
> seems to have broken links to the ipsec509.lrp file.

There are not separate packages in the Bering-1.1 ipsec package. ipsec.lrp has all patches including x509 and NAT-traversal applied to it in /latest.

> 3) Is there any further documentation on the setup of ipsec for a network
> to network setup, particularly with setup of certificates.
>
> I started to go through the Bering documentation (LEAF Bering user's
> guide), and attempted to use the openssl, which is installed on my spare
> Mandrake 9.0 box, but errors are generated when I try to run the
> following to setup a certificate authority.

The command to make a cert with OpenSSL is deprecated now IIRC. There was a post in the leaf-user archives that described the new command(s)/method for creating a cert, but I haven't used it personally. Current documentation for FreeS/WAN and OpenSSL will likely include instructions for creating certs as well.

I agree with CS in that you will likely find it easier to use the Bering boxes as ipsec-gateways and authenticate with RSA keys.

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
RE: [leaf-user] Ipsec Setup with Bering LEAF
Hi Charles,

Are you saying that windows 2000 is quite happy with RSA keys, and will still offer a secure path connecting two networks.

I am a little confused about the whole concept of which method to use, and the relevance of X509. I had assumed that since it gets mentioned everywhere that it was necessary.

Regards,
Simon.

-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]
Sent: 27 March 2003 13:01
To: Simon Chalk
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Ipsec Setup with Bering LEAF
Re: [leaf-user] Ipsec Setup with Bering LEAF
Simon Chalk wrote:
> Hi Charles,
>
> Are you saying that windows 2000 is quite happy with RSA keys, and will
> still offer a secure path connecting two networks.
>
> I am a little confused about the whole concept of which method to use,
> and the relevance of X509. I had assumed that since it gets mentioned
> everywhere that it was necessary.

You haven't mentioned what your VPN network architecture looks like. There are three basic options:

1) The Bering boxes are the VPN gateways. If you set up your network this way, the two windows boxes simply think they are separated by a simple router, and require no special configuration or knowledge due to the fact that you're actually running a VPN (although they do need special configuration to be able to talk to each other, since the broadcast packets typically used for network discovery/browsing will not cross a router). You can use either pre-shared-keys (PSK), RSA keys, or x.509 keys for authentication.

2) You use the built-in windows IPSec client on both ends. To do this, you will have to configure your firewall to pass-through the IPSec traffic, and you will obviously have to configure VPN tunnels on the windows boxes. This will likely require you generate certificates or use pre-shared-keys.

3) You use the built-in windows IPSec client on one end, and the Bering firewall on the other end for the VPN gateway. This seems like extra work to me, but you might want to do this for some reason. In this case, you would likely be forced into using x.509 certs on the Bering firewall, as I don't think windows can use RSA keys that are not wrapped inside a certificate.

I assumed you were looking at implementing option 1, since you were asking questions about ipsec509 on bering. With this setup, Windows doesn't know anything about the VPN, so it doesn't have to be happy with RSA keys...only the VPN gateways (the two Bering boxes) need to know anything about the VPN.

--
Charles Steinkuehler
[EMAIL PROTECTED]
RE: [leaf-user] Ipsec Setup with Bering LEAF
Hi Charles,

Thanks for your information.

I essentially need what you describe in option 1, but assumed that I had also to do option 2 to achieve the required result.

To confirm my requirement:

I essentially have two private networks permanently connected to the internet, each to be protected by a Bering Firewall running both Shorewall and Ipsec.

WINSRV A -- Bering A -- Router A -- Internet -- Router B -- Bering B -- WINSRV B

Both the private networks also need to communicate with each other, in that a windows 2000 server on one site needs to be able to see the other one. Not for file sharing but for connecting an IIS web server to a remote sql server; traffic is to pass in both directions.

So my desired solution is for the Bering firewall to appear as a router that offers a secure path to the other private network, allowing data to be passed for ports 80 (www) and 1433 (sql).

Regards,
Simon.

-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]
Sent: 27 March 2003 13:27
To: Simon Chalk
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Ipsec Setup with Bering LEAF
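
Option 1 from Charles's reply, laid out for the topology Simon describes, as an added example that is not part of the thread or of the LEAF documentation: a FreeS/WAN 1.9x style ipsec.conf for a gateway-to-gateway tunnel authenticated with plain RSA keys. Every address, subnet, ID and key value below is a constructed placeholder.

```conf
# /etc/ipsec.conf (added example; all values are placeholders)
# The same file can be installed on Bering A and Bering B: pluto decides
# whether it is "left" or "right" by matching its own interface addresses.

config setup
        # Run IPsec on the interface that carries the default route
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        # Load and start every conn that has an auto= line
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn site-a-to-site-b
        # Plain RSA signature keys, no X.509 certificates involved
        authby=rsasig
        # Site A: Bering A external address, Router A as next hop,
        # and the private LAN that holds WINSRV A
        left=192.0.2.10
        leftnexthop=192.0.2.1
        leftsubnet=192.168.1.0/24
        leftid=@bering-a.example
        # Public half of Bering A's host key; "ipsec showhostkey --left"
        # run on Bering A prints this line ready to paste
        leftrsasigkey=<Bering A public key>
        # Site B: Bering B external address, Router B as next hop,
        # and the private LAN that holds WINSRV B
        right=198.51.100.20
        rightnexthop=198.51.100.1
        rightsubnet=192.168.2.0/24
        rightid=@bering-b.example
        # From "ipsec showhostkey --right" run on Bering B
        rightrsasigkey=<Bering B public key>
        # Bring the tunnel up when IPsec starts
        auto=start
```

Only the public keys are exchanged between the gateways; each private key stays in that gateway's /etc/ipsec.secrets. Restricting the tunnel to ports 80 and 1433 is a matter for the firewall rules, since this file only defines which subnets are tunnelled.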