FC9 and Openswan - 1st time questions

Gary Stainburn gary.stainburn at ringways.co.uk
Fri Jan 23 00:50:08 UTC 2009 

Hi folks.

I've just set up two FC9 boxes and yum installed openswan.

I've followed the instructions from the wiki for setting up the roadwarrior 
setup, including creating newhostkeys, creating /etc/ipsec.d/road.conf by 
cut/paste'ing the code from the wiki page and changing IP addresses and keys 
as appropriate.

When I then restarted the ipsec services and ran ipsec auto --up road all 
looked fine.

However, I have two questions.

1) with previous (non-openswan) VPN's I've ended up with virtual net devices 
(e.g.ppp0) representing both ends of the link which I can then use for IP 
routing. This time I don't have any new net devices. Is this right? and if 
so, how do I now do routing?

2) I saw the command ipsec verify and got the following output.  What do the 
failures mean, and how do I fix them?

[root at groucho ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.19/K2.6.27.9-73.fc9.i686 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: groucho.ringways.co.uk  [MISSING]
   Does the machine have at least one non-private address?      [FAILED]
[root at groucho ~]#     
-- 
Gary Stainburn
 
This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000

More information about the fedora-list mailing list