[Durham] openswan ipsec issue
andrewglass3 at gmail.com
Thu Nov 10 00:37:50 UTC 2011
Evening/morning all :)
Ive got a little problem with my openswan ipsec vpn that I run out in france.
Sometimes I get the following messages, if I tail the syslog regarding my openswan startup
root at zen:/var/log# tail -f syslog
Nov 10 01:19:22 zen ipsec_setup: Starting Openswan IPsec U2.6.28/K18.104.22.168-grsec-xxxx-grs-ipv6-32...
Nov 10 01:19:22 zen ipsec_setup: Using NETKEY(XFRM) stack
Nov 10 01:19:22 zen ipsec_setup: ...Openswan IPsec started
Nov 10 01:19:22 zen ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Nov 10 01:19:22 zen pluto: adjusting ipsec.d to /etc/ipsec.d
Nov 10 01:19:22 zen kernel: init: plymouth-stop pre-start process (3476) terminated with status 1
Nov 10 01:19:22 zen ipsec__plutorun: 002 added connection description "vpnserver"
Nov 10 01:19:22 zen ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Nov 10 01:19:22 zen ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Nov 10 01:19:22 zen ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
Nov 10 01:20:17 zen kernel: init: ssh main process (2739) terminated with status 255
Nov 10 01:20:32 zen ntpdate: step time server 22.214.171.124 offset -2.310234 sec
Nov 10 01:20:32 zen kernel: grsec: time set by /usr/sbin/ntpdate[ntpdate:3540] uid/euid:0/0 gid/egid:0/0, parent /etc/network/if-up.d/ntpdate[ntpdate:3532] uid/euid:0/0 gid/egid:0/0
This can intermittently prevent me from connecting from home. So I issue this command
root at zen:/var/log# /etc/init.d/ipsec stop
ipsec_setup: Stopping Openswan IPsec...
Then restart it:
root at zen:/var/log# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.28/K126.96.36.199-grsec-xxxx-grs-ipv6-32...
root at zen:/var/log#
I can then connect no problem - Im wondering if it the nat command I've used in my iptables may be to blame??
After opening the various ports for services I have used the following commands:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -j DROP
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Have I missed something that u can see?? Ive also noticed from the first day of renting this server, that ssh takes a little while to respond to my request to login. I am using a none standard port for ssh connections but Ive never had such a slow response to ssh'ing on a none standard port before???? Sometimes takes up to 20 secs to respond ??? Any ideas??
Cheers in advance if you can help peeps! :) Hopefully see some of you at the meeting this coming week too :)
More information about the Durham