Dominique Claver KOUAME | 1 Oct 2007 09:34

[Debian Etch]

dear all,
I'm trying to install and test the IPsec VPN option of Shorewall. But when I launch the installation of Racoon and ipsec-tools, I get the error messages below:

marina:/tmp# aptitude install racoon ipsec-tools
............
Paramétrage de ipsec-tools (0.6.6-3.1etch1) ...
Paramétrage de racoon (0.6.6-3.1etch1) ...
Generating /etc/default/racoon...
Loading IPSEC/crypto modules...
FATAL: Module /lib/modules/2.6.18_4_686/kernel/lib/zlib_deflate/zlib_deflate.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/aes.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/serpent.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/deflate.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/khazad.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/crc32c.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/crypto_null.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/michael_mic.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/blowfish.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/des.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/cast6.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/anubis.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/sha256.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/arc4.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/sha1.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/cast5.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/twofish.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/tea.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/tgr192.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/wp512.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/md4.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/sha512.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/net/xfrm/xfrm_user.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/net/key/af_key.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/net/ipv4/ah4.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/net/ipv4/esp4.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/net/ipv4/ipcomp.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/net/ipv6/ah6.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/net/ipv6/esp6.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/net/ipv6/ipcomp6.ko not found.
IPSEC/crypto modules loaded.
Flushing SAD and SPD...
SAD and SPD flushed.
Loading SAD and SPD...
SAD and SPD loaded.
Configuring racoon...racoon not running.
done.
Starting IKE (ISAKMP/Oakley) server: racoon.
marina:/tmp#

Please help me to succeed with this installation. I must deploy this solution next week at a company.

Many thanks for your replies and help.


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Keith Edmunds | 1 Oct 2007 09:38

Re: [Debian Etch]

On Mon, 1 Oct 2007 08:34:55 +0100, kdclaver <at> gmail.com said:

> Please help me to success this installation. I must deploy this solution
> next week in one company.

I can't see that this is a Shorewall problem. Unless you really HAVE to
use racoon, I would suggest you use OpenVPN instead, which is an order of
magnitude easier to configure than racoon. If you must use racoon, there
are documents out there that can help you, but if you haven't done it
before then I strongly suggest you set it up on a test system first and
don't worry about firewalling it until after you have it working.

Keith

-- 
Keith Edmunds

+---------------------------------------------------------------------+
|  Tiger Computing Ltd  |  Helping businesses make the most of Linux  |
|  "The Linux Company"  |       http://www.tiger-computing.co.uk      |
+---------------------------------------------------------------------+

Dominique Claver KOUAME | 1 Oct 2007 09:55

Re: [Debian Etch]

Well,
I will describe the solution I must install; I think it will give you more ideas to help me.
I have three (03) sites to interconnect via the Internet with a VPN. Below is the design:


[site A]----------------vpn1----------------[site B]
    |                                           |
  vpn2                                        vpn3
    |_________________[site C]__________________|

Each site has Internet access and a public IPv4 address, and I must configure Shorewall to deliver a proxy service, a firewall to protect the LAN, and a secure VPN via the Internet.

Many thanks for helping me find the best solution.



_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Keith Edmunds | 1 Oct 2007 10:59

Re: [Debian Etch]

On Mon, 1 Oct 2007 08:55:06 +0100, kdclaver <at> gmail.com said:

> Each site get an Internet access and Public IPv4 address and I must
> configure shorewall to deliver proxy service, firewall to protect the LAN
> and a secure VPN via Internet.

Use OpenVPN. Much, much easier than racoon. Great documentation re
OpenVPN on the OpenVPN website, and great documentation on using Shorewall
with OpenVPN on the Shorewall website.

Regards,
Keith

-- 
Keith Edmunds

+---------------------------------------------------------------------+
|  Tiger Computing Ltd  |  Helping businesses make the most of Linux  |
|  "The Linux Company"  |       http://www.tiger-computing.co.uk      |
+---------------------------------------------------------------------+

Dominique Claver KOUAME | 1 Oct 2007 11:13

Re: [Debian Etch]

Can you please send me the URLs? I can't locate them on the Shorewall website.

Many thanks

Roberto C. Sánchez | 1 Oct 2007 13:01

Re: [Debian Etch]

On Mon, Oct 01, 2007 at 08:34:55AM +0100, Dominique Claver KOUAME wrote:
> dear all,
> I'm trying to install and test IPsec VPN option of shorewall. But when I
> launch installation of Racoon and Ipsec-tools, I get error messages below:
> 
> marina:/tmp# aptitude install racoon ipsec-tools
> ............
> Paramétrage de ipsec-tools (0.6.6-3.1etch1) ...
> Paramétrage de racoon (0.6.6-3.1etch1) ...
> Generating /etc/default/racoon...
> Loading IPSEC/crypto modules...
> FATAL: Module
> /lib/modules/2.6.18_4_686/kernel/lib/zlib_deflate/zlib_deflate.ko not found.
> FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/aes.ko not found.
> FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/serpent.ko not found.

A few things:

 - Why racoon?  Why not just use OpenSwan?
 - The directory for the kernel modules is /lib/modules/2.6.18-4-686/
   (note that there are hyphens instead of underscores, a bug in racoon,
   perhaps?)
 - You are running a vulnerable kernel.  The latest packages are
   linux-2.6.18-5-$(ARCH) at version 2.6.18.dfsg.1-13etch3.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
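A small checker, added here and not part of the thread or of the racoon package, that follows Roberto's hint: it pulls the module paths out of the FATAL lines, rewrites the release directory to the real uname -r value (hyphens instead of underscores) and, because the postinst still printed "IPSEC/crypto modules loaded." after thirty FATAL lines, treats that closing message as untrustworthy. The sample output is trimmed from the post; the release string 2.6.18-4-686 and the `existing` set that stands in for the filesystem are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample: three of the FATAL lines from the racoon postinst output
# quoted in the thread (Roberto's real release directory is 2.6.18-4-686).
SAMPLE_OUTPUT = """\
Loading IPSEC/crypto modules...
FATAL: Module /lib/modules/2.6.18_4_686/kernel/crypto/aes.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/net/ipv4/esp4.ko not found.
FATAL: Module /lib/modules/2.6.18_4_686/kernel/net/key/af_key.ko not found.
IPSEC/crypto modules loaded.
"""

FATAL_RE = re.compile(r"^FATAL: Module (/lib/modules/([^/]+)/.+/([\w-]+)\.ko) not found\.$")


def parse_fatal_lines(output: str) -> List[Dict[str, str]]:
    """Pull (path, release directory, module name) out of every FATAL line."""
    hits = []
    for line in output.splitlines():
        m = FATAL_RE.match(line.strip())
        if m:
            hits.append({"path": m.group(1), "release": m.group(2), "module": m.group(3)})
    return hits


def with_release(path: str, release: str) -> str:
    """Replace the release component of /lib/modules/<release>/... with the
    real one (on a live host pass os.uname().release; assumed here)."""
    parts = path.split("/")
    if parts[1:3] != ["lib", "modules"]:
        raise ValueError("not a /lib/modules path: %s" % path)
    parts[3] = release
    return "/".join(parts)


def install_really_succeeded(output: str) -> bool:
    """The postinst prints 'IPSEC/crypto modules loaded.' even after FATAL
    lines, so the closing message proves nothing: look for FATALs instead."""
    return not parse_fatal_lines(output)


def locate_modules(output: str, release: str, existing: Set[str]) -> Dict[str, str]:
    """For each module the installer failed on, report the corrected path if
    it exists, else MISSING. `existing` is a constructed stand-in for the
    filesystem; on a real host use os.path.exists on the corrected path."""
    report = {}
    for hit in parse_fatal_lines(output):
        fixed = with_release(hit["path"], release)
        report[hit["module"]] = fixed if fixed in existing else "MISSING"
    return report
```

Whether the modules then load is a separate question (modprobe against the corrected names, or a kernel with them built in); this only tells you where to look and that the installer's "loaded" line is not evidence.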
mt | 1 Oct 2007 13:03

Can't load nf_conntrack_ipv4

Perhaps it is obvious, but I have googled a lot and couldn't find an answer. Is that error message something to worry about?

FATAL: Error inserting nf_conntrack_ipv4 (/lib/modules/2.6.13-15.16-default/kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko): Device or resource busy

I am using OpenSuse 10.0 if that matters.

Roberto C. Sánchez | 1 Oct 2007 13:05

Re: [Debian Etch]

On Mon, Oct 01, 2007 at 09:59:20AM +0100, Keith Edmunds wrote:
> On Mon, 1 Oct 2007 08:55:06 +0100, kdclaver <at> gmail.com said:
> 
> > Each site get an Internet access and Public IPv4 address and I must
> > configure shorewall to deliver proxy service, firewall to protect the LAN
> > and a secure VPN via Internet.
> 
> Use OpenVPN. Much, much easier than racoon. Great documentation re
> OpenVPN on the OpenVPN website, and great documentation on using Shorewall
> with OpenVPN on the Shorewall website.
> 
I would have to agree, especially if you are doing site-to-site and you
don't have to support road-warriors.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez | 1 Oct 2007 13:05

Re: [Debian Etch]

On Mon, Oct 01, 2007 at 10:13:52AM +0100, Dominique Claver KOUAME wrote:
> can you please send me url I can't locate them on shorewall website.
> 

http://www.google.com/search?hl=en&q=openvpn&btnG=Google+Search
http://www.google.com/search?hl=en&q=site%3Ashorewall.net+openvpn&btnG=Google+Search

Regards,

-Roberto
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Michel Di Croci | 1 Oct 2007 13:56

Question about Contivity VPN

Hello All! :)

Thanks for anyone who could help me with that one.

First, I do not see any error, or any trouble, with the default log level. I want to log in to my corporate network through a Contivity VPN. My firewall is now my Debian server (since yesterday); before, I was using a small dlink box that was doing wireless and routing, and my corporate laptop was connecting through Contivity VPN (from Nortel) and it was working flawlessly.

So now the schema is:

Internet --> Debian Box + shorewall ---> Switch --> Laptop

Pretty simple, to be honest, and it's a dlink switch that is relatively a no-brainer ;)

Everything is working except my Nortel PC Client to use with my IP phone. To gather the most logs I could, I put debug in every setting, and this is what I see when I use the IP phone:


Oct  1 07:54:16 ZoneDry kernel: Shorewall:nat:OUTPUT:IN= OUT=ppp0 SRC=67.71.188.26 DST=66.249.83.19 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5141 DF PROTO=TCP SPT=52336 DPT=80 WINDOW=5488 RES=0x00 SYN URGP=0
Oct  1 07:54:16 ZoneDry kernel: Shorewall:filter:OUTPUT:IN= OUT=ppp0 SRC=67.71.188.26 DST=66.249.83.19 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5141 DF PROTO=TCP SPT=52336 DPT=80 WINDOW=5488 RES=0x00 SYN URGP=0
Oct  1 07:54:16 ZoneDry kernel: Shorewall:mangle:POSTROUTING:IN= OUT=ppp0 SRC=67.71.188.26 DST=66.249.83.19 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5141 DF PROTO=TCP SPT=52336 DPT=80 WINDOW=5488 RES=0x00 SYN URGP=0
Oct  1 07:54:16 ZoneDry kernel: Shorewall:nat:POSTROUTING:IN= OUT=ppp0 SRC=67.71.188.26 DST=66.249.83.19 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5141 DF PROTO=TCP SPT=52336 DPT=80 WINDOW=5488 RES=0x00 SYN URGP=0
Oct  1 07:54:34 ZoneDry kernel: Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  1 07:54:34 ZoneDry kernel: Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  1 07:54:34 ZoneDry kernel: Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  1 07:54:34 ZoneDry kernel: Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  1 07:54:34 ZoneDry kernel: Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  1 07:54:34 ZoneDry kernel: Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  1 07:54:34 ZoneDry kernel: Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  1 07:54:34 ZoneDry kernel: Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0

I think that this is not showing anything, but the message on the PC Client is: "The proxy is not responding. If a VPN client is needed to access the proxy, please start it right now." But I'm connected to the corporate network right now.

I'm also pretty sure that I already resolved that issue in the past, but I don't remember how and where the settings were.

If you need more settings or conf files on my side, just ask me. I simply use ppp0 10.87.76.0/24 for my NAT, nothing else special.

Miche
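An added log-analysis snippet (mine, not from the post or from Shorewall) that parses lines in the format above, groups them per connection instead of per chain, and classifies each flow as generated by the firewall itself, addressed to it, or forwarded from the LAN. The three sample lines are copied from the post and the LAN subnet comes from Michel's masq entry; run over the full excerpt it returns no flow with a 10.87.76.0/24 source, which is the observation the debug log actually supports.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: three lines copied from the post (one HTTP SYN sent by
# the firewall itself, one inbound SYN to port 8000 logged in two chains).
SAMPLE_LOG = """\
Oct  1 07:54:16 ZoneDry kernel: Shorewall:nat:OUTPUT:IN= OUT=ppp0 SRC=67.71.188.26 DST=66.249.83.19 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5141 DF PROTO=TCP SPT=52336 DPT=80 WINDOW=5488 RES=0x00 SYN URGP=0
Oct  1 07:54:34 ZoneDry kernel: Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  1 07:54:34 ZoneDry kernel: Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"Shorewall:(?P<table>\w+):(?P<chain>\w+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return table, chain, KEY=VALUE fields and bare flags (DF, SYN, ...)
    of one Shorewall log line, or None if the line is not a Shorewall entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry: Dict[str, object] = {"table": m.group("table"), "chain": m.group("chain")}
    entry.update(FIELD_RE.findall(m.group("fields")))
    entry["flags"] = [t for t in m.group("fields").split() if "=" not in t]
    return entry


def direction(entry: Dict[str, object]) -> str:
    """Classify relative to the firewall host: no IN means the host generated
    the packet, no OUT means it is addressed to the host, both means forwarded."""
    if not entry.get("IN"):
        return "local-out"
    if not entry.get("OUT"):
        return "local-in"
    return "forward"


def summarize_flows(log: str) -> Dict[tuple, dict]:
    """Group entries by (proto, src, sport, dst, dport) and list the table:chain
    pairs each connection was logged in, collapsing a per-chain debug log."""
    flows: Dict[tuple, dict] = {}
    for line in log.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e.get("PROTO"), e.get("SRC"), e.get("SPT"), e.get("DST"), e.get("DPT"))
        flow = flows.setdefault(key, {"direction": direction(e), "chains": []})
        flow["chains"].append("%s:%s" % (e["table"], e["chain"]))
    return flows


def flows_from_lan(log: str, lan_cidr: str) -> List[tuple]:
    """Flow keys whose source is inside the LAN: if the laptop's VPN client
    were being forwarded at all, its packets would show up here."""
    net = ipaddress.ip_network(lan_cidr)
    return [k for k in summarize_flows(log)
            if k[1] and ipaddress.ip_address(k[1]) in net]
```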

