IPSEC NETLINK errors

Harald Hoyer harald at redhat.com
Tue May 11 15:42:14 UTC 2004


You can also have a look in:
/etc/sysconfig/network-scripts/ifup-ipsec
and trace it with:
# sh -x /etc/sysconfig/network-scripts/ifup-ipsec [....]

Nathanael Noblet wrote:
> Hello,
>     I'm a little unsure of where to post this problem, but Google turned 
> up some results relating to it on this list, so I figured I might at least 
> get a pointer of where to go.
> 
>     I am attempting to set up an IPSEC VPN in a net-to-net configuration. 
> I've done it with freeswan/openswan and openvpn, so I do know a bit about 
> the stuff going on. I recently learned that the RH supplied kernels 
> contain the 2.6 IPSEC stack backported, and the package ipsec-tools can 
> be used to set up these tunnels. I started to learn setkey to 
> manually set one up. As I did that I found out that 
> redhat-config-network contains a tab for IPSEC stuff. Made me happy. 
> Unfortunately I can't get it to work. The command ifup ipsec0 returns 
> with NETLINK answers: Network is unreachable.
> Here is my ifcfg-ipsec0 file:
> 
> # COMP A ifcfg-ipsec0
> DSTGW=192.168.0.1
> SRCGW=10.0.0.1
> DSTNET=192.168.0.0/24
> SRCNET=10.0.0.0/24
> DST=24.72.x.x
> TYPE=IPSEC
> ONBOOT=no
> 
>               --------------                                 ---------------
> 10.0.0.0/24---| COMP A | 24.68.x.x --- internet --- 24.72.x.x | COMP B |--- 192.168.0.0/24
>               --------------                                 ---------------
> 
> I've tried 2 different configuration setups with COMP A's 
> ifcfg-ipsec0 file.
> This is the other one:
> # COMP A ifcfg-ipsec0
> 
> DSTGW=24.72.x.x
> SRCGW=24.68.x.x
> DSTNET=192.168.0.0/24
> SRCNET=10.0.0.0/24
> DST=24.72.x.x
> TYPE=IPSEC
> ONBOOT=no
> 
> My iptables rules on both sides contain...
> 
> # IKE (ISAKMP) negotiation runs over UDP port 500
> iptables -A INPUT -p udp --dport 500 -j ACCEPT
> # IP protocol 50 is ESP (the encrypted tunnel traffic)
> iptables -A INPUT -p 50 -j ACCEPT
> # IP protocol 51 is AH (authentication header)
> iptables -A INPUT -p 51 -j ACCEPT
> 
> 
> So my two questions are:
> 1) What am I doing wrong?
>     1a) How can I get greater debug info if that is what is needed?
> 2) If this isn't a good place to ask the above question, where do I go?
> 
> 
> Thanks for any help you can provide.
> 
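A small lint for an ifcfg-ipsec file, added here as an editor's example (it is not code from the thread, from Harald, or from initscripts). It parses the KEY=VALUE format shown above, checks the fields the two quoted configs use, and flags any gateway that is not on a directly connected network: without the onlink flag the kernel refuses to install a route "via" a next hop it has no route to, which is the "Network is unreachable" netlink error the post reports, so this is one cause worth ruling out. The sample file and the list of connected networks are constructed, with the masked public addresses replaced by documentation-range addresses.

```python
"""Lint an ifcfg-ipsec file (KEY=VALUE, as sourced by ifup-ipsec).

Added example, not part of the thread.  The key names are the ones used in
the quoted ifcfg-ipsec0 files; the checks, the sample values and the list of
directly connected networks are this example's own assumptions.
"""
import ipaddress
import re

REQUIRED = ("TYPE", "DST", "SRCNET", "DSTNET", "SRCGW", "DSTGW")

# Constructed sample modelled on the first ifcfg-ipsec0 in the thread; the
# masked public address 24.72.x.x is replaced by a documentation address.
SAMPLE = """\
# COMP A ifcfg-ipsec0
DSTGW=192.168.0.1
SRCGW=10.0.0.1
DSTNET=192.168.0.0/24
SRCNET=10.0.0.0/24
DST=203.0.113.7
TYPE=IPSEC
ONBOOT=no
"""

# Assumed networks COMP A is directly attached to: its LAN and the subnet of
# its public interface (24.68.x.x in the thread, here 198.51.100.0/24).
CONNECTED = ("10.0.0.0/24", "198.51.100.0/24")

# KEY=value or KEY="value", with an optional trailing '#' comment.
_KV = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=("?)([^"#]*)\2\s*(#.*)?$')


def parse_ifcfg(text):
    """Return the KEY=VALUE pairs; blank lines and '#' comments are skipped."""
    cfg = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not KEY=VALUE: {line!r}")
        cfg[m.group(1)] = m.group(3).strip()
    return cfg


def lint_ipsec(cfg):
    """Return a list of hard configuration errors (empty when the file is sane)."""
    errors = [f"missing {k}" for k in REQUIRED if k not in cfg]
    if errors:
        return errors
    if cfg["TYPE"] != "IPSEC":
        errors.append(f"TYPE={cfg['TYPE']!r}, expected IPSEC")
    nets = {}
    for key in ("SRCNET", "DSTNET"):
        try:
            # strict=True rejects 10.0.0.5/24 (host bits set), a common typo
            nets[key] = ipaddress.ip_network(cfg[key], strict=True)
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
    if len(nets) == 2 and nets["SRCNET"].overlaps(nets["DSTNET"]):
        errors.append("SRCNET and DSTNET overlap; net-to-net needs disjoint subnets")
    for key in ("DST", "SRCGW", "DSTGW"):
        try:
            ipaddress.ip_address(cfg[key])
        except ValueError:
            errors.append(f"{key}={cfg[key]!r} is not an IP address")
    return errors


def offlink_gateways(cfg, connected=CONNECTED):
    """Return the gateway keys whose address lies on none of the connected
    networks.  Linux only installs a route 'via' a next hop it can reach
    on-link (unless the route carries the onlink flag), so a gateway outside
    every connected subnet is a candidate cause of 'Network is unreachable'."""
    nets = [ipaddress.ip_network(n) for n in connected]
    offlink = []
    for key in ("SRCGW", "DSTGW"):
        addr = ipaddress.ip_address(cfg[key])
        if not any(addr in n for n in nets):
            offlink.append(key)
    return offlink


if __name__ == "__main__":
    cfg = parse_ifcfg(SAMPLE)
    for err in lint_ipsec(cfg):
        print("error:", err)
    for key in offlink_gateways(cfg):
        print(f"warning: {key}={cfg[key]} is not on a directly connected network")
```

Run against the constructed sample it reports no hard errors but warns that DSTGW=192.168.0.1 is not on any network COMP A is attached to; substitute the real ifcfg-ipsec0 and the host's actual connected subnets (from `ip route`) to check a live box. Pair it with Harald's `sh -x` trace to see which ip/setkey command the script is executing when the netlink error appears.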