I installed Openswan and checked the IPsec setup.

This is the state right after installation.

# ipsec verify


Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-504.16.2.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
 SAref kernel support [N/A]
 NETKEY: Testing for disabled ICMP send_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
 or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
 or NETKEY will accept bogus ICMP redirects!

Checking that pluto is running [OK]
 Pluto listening for IKE on udp 500 [OK]
 Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

[FAILED] came up, so I followed the messages and applied the fix...

# echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
# echo "0" > /proc/sys/net/ipv4/conf/default/send_redirects
# echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
# echo "0" > /proc/sys/net/ipv4/conf/lo/send_redirects

# echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
# echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_redirects
# echo "0" > /proc/sys/net/ipv4/conf/lo/accept_redirects

# ipsec verify


Checking your system to see if IPsec got installed and started correctly:
 Version check and ipsec on-path [OK]
 Linux Openswan U2.6.32/K2.6.32-504.16.2.el6.x86_64 (netkey)
 Checking for IPsec support in kernel [OK]
 SAref kernel support [N/A]
 NETKEY: Testing for disabled ICMP send_redirects [OK]
 NETKEY detected, testing for disabled ICMP accept_redirects [OK]
 Checking that pluto is running [OK]
 Pluto listening for IKE on udp 500 [OK]
 Pluto listening for NAT-T on udp 4500 [OK]
 Two or more interfaces found, checking IP forwarding [FAILED]
 Checking for 'ip' command [OK]
 Checking /bin/sh is not /bin/dash [WARNING]
 Checking for 'iptables' command [OK]
 Opportunistic Encryption Support [DISABLED]

Can "Two or more interfaces found, checking IP forwarding" just be ignored?

Note that these settings are lost on reboot, so add the following to the file below.

 /etc/sysctl.conf
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
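The redirect checks above are done by hand for four interface entries. As an added example (not from the original post), the following POSIX shell functions audit every entry under the conf tree the way `ipsec verify` does and generate the matching `/etc/sysctl.conf` lines for whatever interfaces actually exist on the host. The `conf_root` argument is an assumption made so the functions can be run against a copy of the tree; it defaults to the real `/proc/sys/net/ipv4/conf`.

```shell
#!/bin/sh
# Added example, not part of the original post.
# check_redirects <conf_root>
#   Prints one line for every interface entry whose send_redirects or
#   accept_redirects is still enabled (value != 0).
#   Returns 0 when every entry is disabled, 1 otherwise (same verdict
#   "ipsec verify" gives for the NETKEY redirect checks).
check_redirects() {
    conf_root="${1:-/proc/sys/net/ipv4/conf}"   # assumption: tree layout as in /proc
    bad=0
    for key in send_redirects accept_redirects; do
        for f in "$conf_root"/*/"$key"; do
            [ -r "$f" ] || continue              # unmatched glob or unreadable entry
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                iface=$(basename "$(dirname "$f")")
                echo "ENABLED $iface $key=$val"
                bad=1
            fi
        done
    done
    return $bad
}

# sysctl_lines <conf_root>
#   Emits the persistent sysctl.conf lines for every interface directory
#   found (all, default, lo, eth0, ...), so nothing is missed when the host
#   has more interfaces than the four listed by hand in the post.
sysctl_lines() {
    conf_root="${1:-/proc/sys/net/ipv4/conf}"
    for d in "$conf_root"/*/; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        for key in send_redirects accept_redirects; do
            echo "net.ipv4.conf.$iface.$key = 0"
        done
    done
}

# Stand-alone usage on a real host (run as root):
#   check_redirects || sysctl_lines >> /etc/sysctl.conf && sysctl -p
```

Run `check_redirects` with no argument on the VPN host; a non-zero exit means `ipsec verify` would still report the NETKEY redirect checks as [FAILED]. Appending the output of `sysctl_lines` to `/etc/sysctl.conf` and running `sysctl -p` makes the change survive a reboot.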

■Editing the configuration files

0)Prerequisites

・Private address on the VPN server side: 192.168.1.1/24

・Global address on the VPN server side: the destination host name

・Connection name: PEER_L2TP

1)/etc/ipsec.d/ipsec.secrets

%any : PSK "共有キー"

2)/etc/ipsec.secrets

include /etc/ipsec.d/*.secrets

3)/etc/ipsec.d/connection.conf

conn PEER_L2TP
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=接続先ホスト名
    rightid=192.168.1.1
    rightprotoport=17/1701
    auto=add

4)/etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24,%v4:!192.168.0.0
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

■Start it up.

1)/etc/rc.d/init.d/ipsec start

2)# ipsec auto --up PEER_L2TP

If this line is displayed, the connection appears to have been established.

004 "PEER_L2TP" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xd176561f <0xb3b0b68f xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
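Reading that status line by eye is fine once, but a script that brings the tunnel up before starting L2TP needs to check it mechanically. The following POSIX shell functions are an added example (not from the original post or from Openswan) that pick apart exactly the pluto line shown above: whether the named connection reports an established SA, whether it is transport mode as the `type=transport` setting requires, and the negotiated ESP SPIs and transform. The sample line is the one from the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Constructed sample: the "ipsec auto --up PEER_L2TP" output quoted in the post.
SAMPLE='004 "PEER_L2TP" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xd176561f <0xb3b0b68f xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}'

# sa_established <line> <conn>
#   Returns 0 when the line reports an established IPsec SA for <conn>.
sa_established() {
    case "$1" in
        *"\"$2\""*"IPsec SA established"*) return 0 ;;
    esac
    return 1
}

# sa_mode <line>  -> transport | tunnel | unknown
sa_mode() {
    case "$1" in
        *"IPsec SA established transport mode"*) echo transport ;;
        *"IPsec SA established tunnel mode"*)    echo tunnel ;;
        *)                                       echo unknown ;;
    esac
}

# sa_field <line> <name>
#   Prints the value of name=value inside the {...} block (xfrm, NATOA, NATD, DPD).
sa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[{ ]$2=\([^ }]*\).*/\1/p"
}

# sa_spi_out <line> / sa_spi_in <line>
#   ESP=>OUT <IN : the outbound SPI follows "=>", the inbound SPI follows "<".
sa_spi_out() {
    printf '%s\n' "$1" | sed -n 's/.*ESP=>\(0x[0-9a-fA-F]*\).*/\1/p'
}
sa_spi_in() {
    printf '%s\n' "$1" | sed -n 's/.*ESP=>0x[0-9a-fA-F]* <\(0x[0-9a-fA-F]*\).*/\1/p'
}

# Stand-alone usage: feed the real output in, e.g.
#   line=$(ipsec auto --up PEER_L2TP | grep 'IPsec SA established')
# and gate the next step on: sa_established "$line" PEER_L2TP && [ "$(sa_mode "$line")" = transport ]
if sa_established "$SAMPLE" PEER_L2TP; then
    echo "PEER_L2TP up: mode=$(sa_mode "$SAMPLE") xfrm=$(sa_field "$SAMPLE" xfrm) out=$(sa_spi_out "$SAMPLE") in=$(sa_spi_in "$SAMPLE")"
fi
```

The `xfrm` field is the transform the two sides actually agreed on (here 3DES with HMAC-SHA1), and `NATD`/`NATOA` tell you whether NAT traversal kicked in; those are the values worth comparing against what you expected rather than just looking for "established".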