Get the Status of the Openswan Installation

Immediately after installing Openswan, run the ipsec verify command. It should report an [OK] status for most of its checks ([N/A] means the check does not apply to this host):

    [root@vpn2 tmp]# ipsec verify
    Checking your system to see if IPsec got installed and started
    correctly
    Version check and ipsec on-path                              [OK]
    Linux Openswan U2.2.0/K2.6.8-1.521 (native)
    Checking for IPsec support in kernel                         [OK]
    Checking for RSA private key (/etc/ipsec.secrets)            [OK]
    Checking that pluto is running                               [OK]
    Two or more interfaces found, checking IP forwarding         [OK]
    Checking NAT and MASQUERADEing                               [N/A]
    Checking for 'ip' command                                    [OK]
    Checking for 'iptables' command                              [OK]
    Checking for 'setkey' command for native IPsec stack support [OK]
    [root@vpn2 tmp]#

How to Fix Common Status Errors

The status check may report some errors. The most common ones are related to IP forwarding and opportunistic encryption.

IP Forwarding

Each Linux VPN device needs to have IP forwarding (routing between its interfaces) enabled. To enable it, simply add an ip_forward entry to the /etc/sysctl.conf file:

    #
    # File: /etc/sysctl.conf
    #
    #---------------------------------------------------------------
    # Enable routing (IP forwarding)
    #---------------------------------------------------------------

    net/ipv4/ip_forward = 1

Now use the sysctl -p command to activate the settings:

    [root@bigboy tmp]# sysctl -p
    ...
    ...
    net.ipv4.ip_forward = 1
    [root@bigboy tmp]#

You can find more details on the /etc/sysctl.conf in Appendix I, "Miscellaneous Linux Topics."
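The two checks above can be automated. The following added example (not code from the page or from Openswan) parses a sysctl.conf fragment, normalising the slash and dot key spellings that appear in the file and in the sysctl -p output, and lists any ipsec verify lines whose status is neither [OK] nor [N/A]; the sample inputs are constructed, and the [FAILED] status string is an assumption rather than a value quoted from the page.

```python
import re

# sysctl accepts both separators (the file above uses net/ipv4/ip_forward,
# while sysctl -p echoes net.ipv4.ip_forward), so keys are normalised to
# the dotted form before comparison. A later entry overrides an earlier one.
def parse_sysctl_conf(text):
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings

def ip_forward_enabled(text):
    """True only if the effective net.ipv4.ip_forward setting is 1."""
    return parse_sysctl_conf(text).get("net.ipv4.ip_forward") == "1"

# 'ipsec verify' prints one check per line ending in a bracketed status.
VERIFY_LINE = re.compile(r"^(?P<check>.+?)\s+\[(?P<status>[^\]]+)\]\s*$")

def failed_verify_checks(output):
    """Return (check, status) pairs whose status is neither OK nor N/A."""
    failed = []
    for line in output.splitlines():
        m = VERIFY_LINE.match(line.strip())
        if m and m.group("status") not in ("OK", "N/A"):
            failed.append((m.group("check"), m.group("status")))
    return failed

# Constructed sample inputs (not captured from a real host).
SAMPLE_SYSCTL = """\
# File: /etc/sysctl.conf
net.ipv4.ip_forward = 0      # stale default earlier in the file
net/ipv4/ip_forward = 1      # the entry added by the procedure above
"""

SAMPLE_VERIFY = """\
Checking for IPsec support in kernel                         [OK]
Two or more interfaces found, checking IP forwarding         [FAILED]
Checking NAT and MASQUERADEing                               [N/A]
"""

if __name__ == "__main__":
    print("ip_forward enabled:", ip_forward_enabled(SAMPLE_SYSCTL))
    for check, status in failed_verify_checks(SAMPLE_VERIFY):
        print(f"needs attention: {check} [{status}]")
```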

Opportunistic Encryption DNS Checks

The opportunistic encryption DNS checks feature of Openswan allows gateways to encrypt their traffic even if the two gateway administrators have had no prior contact and neither system has any preset information about the other. The rationale is to have all connections to servers behind the VPN device encrypted automatically with IPsec, in the same way that HTTP traffic can be seamlessly encrypted to become HTTPS traffic.

This feature should be disabled by default in your configuration file, so the verify errors from its DNS checks can simply be ignored.