VPN ( avanbçado)

[BZ]

Prezados,


busco ajuda, pois realmente estou desesperado.

Posasuo um fedora core 5, com openswan isntalado, fechando vpn com um cisco PIX.

O tunel fecha, porem não consigo dar nem receber os replys dos ping spor exemplo..

Meu log fica assim:

Código :

Apr 10 17:30:53 chattv01 ipsec_setup: KLIPS ipsec0 on eth0 x.x.x.x/255.255.255.240 broadcast x.x.x.x
Apr 10 17:30:53 chattv01 ipsec_setup: ...Openswan IPsec started
Apr 10 17:30:54 chattv01 ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
Apr 10 17:30:54 chattv01 ipsec__plutorun: 021 no connection named "packetdefault"
Apr 10 17:30:54 chattv01 ipsec__plutorun: ...could not route conn "packetdefault"
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.185:556): avc: denied { read } for pid=12822 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.185:557): avc: denied { read write } for pid=12822 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.185:558): avc: denied { read write } for pid=12822 comm="ip" name="[27542]" dev=sockfs ino=27542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 ipsec__plutorun: 104 "acotel-m4u" #1: STATE_MAIN_I1: initiate
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.197:559): avc: denied { read } for pid=12826 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:54 chattv01 ipsec__plutorun: ...could not start conn "acotel-m4u"
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.197:560): avc: denied { read write } for pid=12826 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.197:561): avc: denied { read write } for pid=12826 comm="ip" name="[27542]" dev=sockfs ino=27542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:562): avc: denied { read } for pid=12827 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:563): avc: denied { read write } for pid=12827 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:564): avc: denied { read write } for pid=12827 comm="ip" name="[27542]" dev=sockfs ino=27542 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:54 chattv01 kernel: audit(1144701054.201:565): avc: denied { write } for pid=12827 comm="ip" name="flush" dev=proc ino=-268435293 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
Apr 10 17:30:55 chattv01 kernel: audit(1144701055.177:566): avc: denied { read } for pid=12839 comm="ip" name="urandom" dev=tmpfs ino=1999 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Apr 10 17:30:55 chattv01 kernel: audit(1144701055.177:567): avc: denied { read write } for pid=12839 comm="ip" name="[27416]" dev=sockfs ino=27416 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
Apr 10 17:30:55 chattv01 kernel: audit(1144701055.177:568): avc: denied { write } for pid=12839 comm="ip" name="flush" dev=proc ino=-268435293 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

Muito estranho, meus arquivos de configuração estão assim:

Código :

#ipsec auto --up pix route add -net 200.184.147.0 netmask 255.255.255.0 dev ipsec0
 
# /etc/ipsec.conf - OpenSWAN IPSec configuration file
 
#The version information is needed for OpenSWAN
 
version 2.0
 
# basic configuration
config setup
     interfaces="ipsec0=eth0"
     klipsdebug=none
     plutodebug=none
 
 
 
 
# Add connections here
 
 
 
conn acotel-m4u
    type= tunnel
    right=x.x.x.x
    rightnexthop=x.x.x.xGW
    left=y.y.y.y
    leftsubnet=y.y.y.y/32
    leftnexthop=y.y.y.yGW
    esp=3des-md5-96
    pfs=yes
    disablearrivalcheck=yes
    authby= secret
    keyexchange=ike
    auto=start
# Disable Opportunistic Encryption
 
# essential for inertoperating with Cisco devices
conn block
     auto=ignore
 
conn private
    auto=ignore
 
conn private-or-clear
    auto=ignore
 
 
conn clear-or-private
    auto=ignore
 
 
 
conn clear
    auto=ignore
 
# End of config for disabling Opportunistic Encryption
"/etc/ipsec.conf" 57L, 979C

e meu ipsec.secrests está:

x.x.x.x y.y.y.y : PSK "key"


Por favor, estou desesperado.. alguem que ja teve essa experiencia poderia me ajduar?

serei muito grato.
[]´s

[irado]

que eu saiba, vc não consegue nunca resposta de um gateway VPN. Vc pode pingar os hosts que estão ATRÁS dos gateway, mas não êles mesmos.

Experimente pingar um host qualquer da LAN do "outro lado", a partir de um host qualquer "dêste lado".

[BZ]

Só para esclarecer.. o problema era a porcaria do Selinux!!
[]´s

[gatoseco]

Nao entendi ??????