Eu tenho problema com o IPsec no centOS. Ao adicionar uma conexão usando
ipsec auto --add cx
Isso dá
multiple ip addresses, using 127.0.0.1 on venet0
Ao usar
ipsec auto --up cx
Recebo Não podemos nos identificar com nenhum dos dois lados dessa conexão.
saída ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/void
inet 127.0.0.1/32 scope host venet0
inet <here goes ip>/32 brd <here goes ip> scope global venet0:0
ipsec.conf
## general configuration parameters ##
config setup
plutodebug=none
plutostderrlog=/var/log/pluto.log
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
## disable opportunistic encryption in Red Hat ##
oe=off
## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf
## connection definition in Red Hat ##
conn mazeed
authby=secret
auto=start
ike=aes256-sha
auth=esp
## phase 1 ##
keyexchange=ike
## phase 2 ##
#phase2=esp
#phase2alg=aes256-sha
compress=no
pfs=yes
type=tunnel
left=<ip goes here from above>
leftsubnet=192.168.30.10/24
leftnexthop=%defaultroute
right=<remote ip>
rightsubnet=172.16.198.29/24
EDITAR: Ipsec Verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan U3.12/K(no kernel code presently loaded) on 2.6.32-46-pve
Checking for IPsec support in kernel [FAILED]
The ipsec service should be started before running 'ipsec verify'
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help
No entanto, todas as portas estão abertas no firewall