Hi
On the webui of the openvpn-n2n configuration it is described that the
server port will be used as management port by default. But if you don't
fill the field then the management doesn't work.
- Daniel
Hello,
as Core Update 61 has now been released, it is time to go on with
developments for the next one:
I have updated strongswan to version 5.0.0 which finally removes the
pluto daemon which was responsible for IKEv1 connections.
However, pluto has gotten very old and was created in the beginnings of
the IPsec for Linux developments back in freeswan times.
charon was introduced by strongswan some time ago when IKEv2 connections
got supported. It handles IKEv1 connections as well as IKEv2 connections
since strongswan version 5.0.0.
What are the benefits for IPFire?
As mentioned earlier, pluto is very old and got very hard to maintain.
There have been problems with VPNs that terminate at hosts with dynamic
IP addresses, so we needed to restart the entire IPsec subsystem in
intervals of 5 minutes.
This caused some trouble in stability terms.
charon handles those dynamic endpoints much better without the need to
restart anything. Connections may now be added and removed smoothly and
in total there should be much more connection stability.
There is also some new code for hybrid IPsec VPNs which can be used with
Android 4 and maybe Apple iOS. I have not done any investigation on this
topic, because I am not interested, but hopefully somebody else gives it
a shot.
I have now packaged the changes into a small package which wants to be
installed on your system.
http://people.ipfire.org/~ms/unsupported/core-upgrade-2.11-strongswan.ipfire
It should not require any manual interaction at all. Please install and
give me feedback about the connection stability and the interoperability
with other (proprietary) implementations.
I am looking forward to it.
Michael
P.S. If you reply to this mail make sure to keep both mailing lists.
> Hi all,
> I have tried that and after a
>
> [root@ipfire-server ~]# /etc/init.d/ipsec start
> Starting strongSwan 5.0.0 IPsec [starter]...
> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/key/af_key.ko
> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/ah4.ko
> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/esp4.ko
> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/xfrm/xfrm_ipcomp.ko
> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/ipcomp.ko
> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/tunnel4.ko
> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/xfrm4_tunnel.ko
> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/xfrm/xfrm_user.ko
>
> there was no output on httpd/error_log
>
> but my log manager warned me per email with a:
>
> OSSEC HIDS Notification.
> 2012 Aug 07 10:29:16
>
> Received From: ipfire-server->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Aug 7 10:29:16 ipfire-server charon: 00[LIB] plugin 'padlock': failed to load - padlock_plugin_create returned NULL
>
>
>
> --END OF NOTIFICATION
>
> and a look to /var/log/messages gives me the following back:
>
>
> Aug 7 10:34:28 ipfire-server charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32.45-ipfire, i686)
> Aug 7 10:34:28 ipfire-server charon: 00[LIB] Padlock not found, CPU is GenuineIntel
> Aug 7 10:34:28 ipfire-server charon: 00[LIB] plugin 'padlock': failed to load - padlock_plugin_create returned NULL
>
> Also, is there a dev list with changes on this new version especially for the WUI so the documentation can start up more quickly?
>
> Greetings
>
> Erik
>
> On 06.08.2012 at 23:11, Michael Tremer wrote:
>
>> Please try to manually stop strongswan with the helper tool:
>>
>> ipsecctrl D
>>
>> Try to start it again with:
>>
>> ipsecctrl S
>>
>> On Mon, 2012-08-06 at 21:48 +0200, Stefan Schantl wrote:
>>> Hello Michael,
>>>
>>> I've tested to stop IPSec from shell which worked without problems. But
>>> if I try to disable and stop it from the WUI, by
>>> using the checkbox the service does a restart and no shutdown.
>>>
>>> I've looked inside the error_log from the httpd, and found the following
>>> lines:
>>>
>>> [Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec
>>> enabled on orange but orange interface is invalid or not found, referer:
>>> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>>> [Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec
>>> enabled on blue but blue interface is invalid or not found, referer:
>>> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>>> [Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] Stopping
>>> strongSwan IPsec..., referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
>>> [Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] Starting
>>> strongSwan 5.0.0 IPsec [starter]..., referer:
>>> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>>> [Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] , referer:
>>> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>>>
>>> Why are there entries about an orange and blue network, I don't have one
>>> of them......
>>>
>>> Do you have any idea about that ?
>>>
>>> Stefan
>>>
>>>> On Mon, 2012-08-06 at 17:21 +0200, Stefan Schantl wrote:
>>>>> The only bad point, I've to report is, that after the update I can't
>>>>> disable IPSec over the WUI anymore - maybe other testers will report the
>>>>> same issue.
>>>> What is the exact problem? Did you get an internal server error from the
>>>> CGI script? Need a more precise error report.
>>>>
>>>> Michael
>>>>
>>>>
>>>
>>> _______________________________________________
>>> SIG-VPN mailing list
>>> SIG-VPN(a)lists.ipfire.org
>>> http://lists.ipfire.org/mailman/listinfo/sig-vpn
>>
>> _______________________________________________
>> Development mailing list
>> Development(a)lists.ipfire.org
>> http://lists.ipfire.org/mailman/listinfo/development
>
Hi all,
we have tested the --mtu-disc directive for OpenVPN with quite positive results. If someone is interested, I have opened up a thread in the IPFire forum --> http://forum.ipfire.org/index.php/topic,6673.msg45074/topicseen.html#msg450…
Might be a nice feature also for the GUI?
Greetings from
ummeegge
P.S. Thanks to Daniel for supporting the testing rounds