Pluto not finding interface on an IPsec VPN
The answer to this one in the end was that OpenVZ VPS providers have to have a kernel that supports IPsec and must enable the IPsec modules on the host machine. Some of our providers would not do this as it's a big change for the host machine. Instead we found all our providers supported the OpenVPN protocol, and we enabled 'tun' on all our OpenVZ VPSes with our providers.
RCG
Updated on September 18, 2022

Comments

RCG, almost 2 years ago:
I'm trying to set up IPsec; however, pluto appears not to bind to a public IP, and the IPsec kernel support requires updating.

This is what I've come up with so far:

- ipsec verify states my kernel does not support IPsec.
- I've had the VPS provider enable IPsec in the OpenVZ environment on the host machine; however, they state I have to rebuild the kernel and provided me a link to the Linux kernel archive site for generic Linux kernels.
- I've tried building the kernel and installing it, but I cannot seem to get it to install properly. The last step I do is 'mkinitramfs -o initrd.img-3.16.3 3.16.3'.
- Tutorials state to do stuff with grub; however, I am on a VPS and don't think grub is even on my VPS image. One tutorial I followed: http://www.cyberciti.biz/tips/compiling-linux-kernel-26.html
- I tried some grub commands and nothing seems to be there. How do you write a kernel to a VPS container from within the container?
- I had given up on building from source and found *.deb kernel packages and tried installing them. They seemed to unpack and no errors came from it, but when I rebooted it was still the old kernel. Is there a special command you use with dpkg-buildpackage to make it install? Is it having issues installing due to no boot loader since it's a VPS (assuming a container doesn't hold a boot loader)?

Here is my ipsec output, but I think part of the issue is the kernel:
    Sep 18 04:36:45 shiftmy ipsec_setup: Starting Openswan IPsec 2.6.41...
    Sep 18 04:36:45 shiftmy ipsec_setup: Using NETKEY(XFRM) stack
    Sep 18 04:36:45 shiftmy ipsec_setup: multiple ip addresses, using 127.0.0.2 on venet0
    Sep 18 04:36:45 shiftmy ipsec_setup: ...Openswan IPsec started
    Sep 18 04:36:45 shiftmy ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
    Sep 18 04:36:45 shiftmy pluto: adjusting ipsec.d to /etc/ipsec.d
    Sep 18 04:36:45 shiftmy ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
    Sep 18 04:36:45 shiftmy ipsec__plutorun: 003 no public interfaces found
Here is my interfaces file. I read somewhere that IPsec binds to the default interface that is first in the interface list; in this case that is venet0 with 127.0.0.2, while the public IP is on venet0:0 as 107.161.xx.xx (not sure if this is the issue). My VPS provider's interfaces file is locked so I cannot modify that part; I believe all traffic goes from 107.161.xx.xx through 127.0.0.2, which connects to the OpenVZ host machine, aka the gateway.
    root@shiftmy:/etc/network# cat /etc/network/interfaces
    # This configuration file is auto-generated.
    #
    # WARNING: Do not edit this file, your changes will be lost.
    # Please create/edit /etc/network/interfaces.head and
    # /etc/network/interfaces.tail instead, their contents will be
    # inserted at the beginning and at the end of this file, respectively.
    #
    # NOTE: it is NOT guaranteed that the contents of /etc/network/interfaces.tail
    # will be at the very end of this file.
    #

    # Auto generated lo interface
    auto lo
    iface lo inet loopback

    # Auto generated venet0 interface
    auto venet0
    iface venet0 inet manual
        up ifconfig venet0 up
        up ifconfig venet0 127.0.0.2
        up route add default dev venet0
        down route del default dev venet0
        down ifconfig venet0 down

    iface venet0 inet6 manual
        up route -A inet6 add default dev venet0
        down route -A inet6 del default dev venet0

    auto venet0:0
    iface venet0:0 inet static
        address 107.161.xx.xx
        netmask 255.255.255.255
I have been searching the net for "ipsec__plutorun: 003 no public interfaces found" issues and can't find much help. Not sure if this is even the real problem, as I believe I set up the interfaces correctly.
ipsec verify also fails:
    Version check and ipsec on-path                                 [OK]
    Openswan U2.6.41/K(no kernel code presently loaded)
    See `ipsec --copyright' for copyright information.
    Checking for IPsec support in kernel                            [FAILED]
    The ipsec service should be started before running 'ipsec verify'
    Hardware random device check                                    [N/A]
    Two or more interfaces found, checking IP forwarding            [OK]
    Checking rp_filter                                              [ENABLED]
     /proc/sys/net/ipv4/conf/all/rp_filter                          [ENABLED]
    Checking that pluto is running                                  [OK]
     Pluto listening for IKE on udp 500                             [FAILED]
     Pluto listening for IKE on tcp 500                             [NOT IMPLEMENTED]
     Pluto listening for IKE/NAT-T on udp 4500                      [DISABLED]
     Pluto listening for IKE/NAT-T on tcp 4500                      [NOT IMPLEMENTED]
     Pluto listening for IKE on tcp 10000 (cisco)                   [NOT IMPLEMENTED]
    Checking NAT and MASQUERADEing                                  [TEST INCOMPLETE]
    Checking 'ip' command                                           [OK]
    Checking 'iptables' command                                     [OK]
    ipsec verify: encountered errors

I've read it can fail if IPsec isn't started correctly and show false failures in some sections of the checklist. IPsec seems to be 'running'; I'm not sure if kernel support is truly not there or if that's a false failure. Also not sure how to fix the pluto failure.
I have followed various guides and cannot seem to get over this issue.
ipsec config:
    root@shiftmy:/etc/network# cat /etc/ipsec.conf
    version 2.0     # conforms to second version of ipsec.conf specification

    config setup
        interfaces=%defaultroute
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=auto
        protostack=netkey
        force_keepalive=yes
        keep_alive=60

    conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        ikelifetime=8h
        keylife=1h
        ike=aes256-sha1;modp1024!
        phase2alg=aes256-sha1;modp1024
        type=transport
        left=107.161.xx.xx
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        dpddelay=10
        dpdtimeout=20
        dpdaction=clear
ipsec secrets:
    root@shiftmy:/etc/network# cat /etc/ipsec.secrets
    107.161.xx.xx %any: PSK "<key here>"
    #include /var/lib/openswan/ipsec.secrets.inc
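The two things this thread turns on are whether the container's kernel actually exposes an IPsec (NETKEY/XFRM) stack at all, and what address `interfaces=%defaultroute` resolves to when the default route sits on venet0 with 127.0.0.2 rather than on the venet0:0 alias holding the public IP. The following POSIX sh script is an added example, not code from the original post: it runs those checks (plus the tun device the accepted workaround relies on and the rp_filter setting that ipsec verify flags) and parses an /etc/network/interfaces file to predict which address pluto would pick. It assumes that /proc/net/xfrm_stat is present whenever the XFRM stack is available, that the interfaces file uses the same `up ifconfig` / `address` / `route add default dev` forms as the one in the question, and that the sample interfaces file embedded below (with the question's 107.161.xx.xx placeholder) is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): readiness checks for an
# OpenVZ-style container before relying on Openswan/pluto or OpenVPN.
# Every check takes an optional root prefix so it can be run against a
# copied or constructed /proc and /dev tree; with no argument it inspects
# the live system.

# Kernel IPsec (NETKEY/XFRM) support. Inside a container this only exists
# when the host kernel has the xfrm modules loaded and exposes them.
# Assumption: /proc/net/xfrm_stat exists whenever the XFRM stack is usable.
ipsec_kernel_ok() {
    [ -e "${1:-}/proc/net/xfrm_stat" ]
}

# OpenVPN needs the tun device node, which the provider enables per container.
tun_ok() {
    [ -e "${1:-}/dev/net/tun" ]
}

# Reverse-path filtering should be off for an L2TP/IPsec transport setup;
# ipsec verify reports it as [ENABLED] otherwise.
rp_filter_off() {
    f="${1:-}/proc/sys/net/ipv4/conf/all/rp_filter"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# Print the IPv4 address that interfaces=%defaultroute would make pluto use:
# the address configured on whichever interface carries "route add default
# dev X" in the interfaces file given as $1. Prints "none" if that interface
# has no address of its own (an alias like venet0:0 does not count).
default_route_addr() {
    awk '
        /route add default dev/ { for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1) }
        $1 == "iface" { cur = $2 }
        $1 == "address" { addr[cur] = $2 }
        $1 == "up" && $2 == "ifconfig" && $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { addr[$3] = $4 }
        END { if (dev in addr) print addr[dev]; else print "none" }
    ' "$1"
}

# Loopback, RFC 1918 and link-local addresses are not "public interfaces" to
# pluto, which is why a default route on 127.0.0.2 ends in
# "003 no public interfaces found".
is_public_ipv4() {
    case "$1" in
        127.*|10.*|192.168.*|169.254.*|0.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample: the venet0 / venet0:0 layout from the question.
sample_interfaces() {
    cat <<'EOF'
auto venet0
iface venet0 inet manual
    up ifconfig venet0 up
    up ifconfig venet0 127.0.0.2
    up route add default dev venet0
    down route del default dev venet0
auto venet0:0
iface venet0:0 inet static
    address 107.161.xx.xx
    netmask 255.255.255.255
EOF
}

# One-line verdict for a root prefix ($1) and an interfaces file ($2).
report() {
    a=$(default_route_addr "$2")
    if [ "$a" != "none" ] && is_public_ipv4 "$a"; then
        bind="pluto will bind to $a"
    else
        bind="pluto will find no public interface (default route on $a)"
    fi
    if ipsec_kernel_ok "$1"; then k="xfrm present"; else k="no kernel IPsec stack"; fi
    if tun_ok "$1"; then t="tun present"; else t="no tun device"; fi
    echo "$k; $t; $bind"
}

# Stand-alone run: live /proc and /dev, constructed interfaces file.
tmp=$(mktemp)
sample_interfaces > "$tmp"
report "" "$tmp"
rm -f "$tmp"
```

Run it as root inside the container; if it reports "no kernel IPsec stack", no amount of ipsec.conf tuning will help and the host-side module question from the answer has to be settled first. If the stack is there but the default route sits on a loopback-range address, `interfaces=%defaultroute` is the wrong setting for that venet layout and the interface carrying the public address has to be named explicitly instead.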