2014-06-23 11:31 GMT+04:00 Rene C. <ope...@dokbua.com>:
> Sorry, still stuck:
>

Did you try the OpenVPN configuration that I've suggested? About IPSEC: not sure; checking your syslog logs might give you some tips.

>
> [root@server14 ~]# uname -a
> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
> [root@server14 ~]# for x in tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod | grep $x; done
> xfrm4_mode_tunnel 2019 0
> tun 19157 0
> ppp_async 7874 0
> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
> crc_ccitt 1733 1 ppp_async
> pppol2tp 22749 0
> pppox 2712 1 pppol2tp
> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
> xfrm4_mode_transport 1465 0
> xfrm4_mode_tunnel 2019 0
> xfrm_ipcomp 4626 0
> esp4 5406 0
> [root@server14 ~]# vzctl enter 1418
> entered into CT 1418
> [root@vps1418 /]# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.32/K(no kernel code presently loaded)
> Checking for IPsec support in kernel [FAILED]
> SAref kernel support [N/A]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [FAILED]
> Pluto listening for NAT-T on udp 4500 [FAILED]
> Checking for 'ip' command [OK]
> Checking /bin/sh is not /bin/dash [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
> What am I missing?
>
> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <ope...@dokbua.com> wrote:
> > Yep, rebooted the container.
> >
> > Here's the modules present:
> >
> > [root@server18 ~]# lsmod
> > Module Size Used by
> > esp4 5406 0
> > xfrm_ipcomp 4626 0
> > xfrm4_mode_tunnel 2019 0
> > pppol2tp 22749 0
> > pppox 2712 1 pppol2tp
> > ppp_async 7874 0
> > ppp_generic 25400 3 pppol2tp,pppox,ppp_async
> > slhc 5821 1 ppp_generic
> > crc_ccitt 1733 1 ppp_async
> > vzethdev 8221 0
> > vznetdev 18952 10
> > pio_nfs 17576 0
> > pio_direct 28261 9
> > pfmt_raw 3213 0
> > pfmt_ploop1 6320 9
> > ploop 116096 23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
> > simfs 4448 0
> > vzrst 196693 0
> > vzcpt 148911 1 vzrst
> > nfs 442438 3 pio_nfs,vzrst,vzcpt
> > lockd 77189 2 vzrst,nfs
> > fscache 55684 1 nfs
> > auth_rpcgss 44949 1 nfs
> > nfs_acl 2663 1 nfs
> > sunrpc 268245 6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
> > vziolimit 3719 0
> > vzmon 24462 8 vznetdev,vzrst,vzcpt
> > ip6table_mangle 3669 0
> > nf_nat_ftp 3523 0
> > nf_conntrack_ftp 12929 1 nf_nat_ftp
> > iptable_nat 6302 1
> > nf_nat 23213 3 vzrst,nf_nat_ftp,iptable_nat
> > xt_length 1338 0
> > xt_hl 1547 0
> > xt_tcpmss 1623 0
> > xt_TCPMSS 3461 1
> > iptable_mangle 3493 0
> > xt_multiport 2716 0
> > xt_limit 2134 0
> > nf_conntrack_ipv4 9946 5 iptable_nat,nf_nat
> > nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
> > ipt_LOG 6405 0
> > xt_DSCP 2849 0
> > xt_dscp 2073 0
> > ipt_REJECT 2399 12
> > tun 19157 0
> > xt_owner 2258 0
> > vzdquota 55339 0 [permanent]
> > vzevent 2179 1
> > vzdev 2733 5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
> > iptable_filter 2937 5
> > ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter
> > ip6t_REJECT 4711 2
> > nf_conntrack_ipv6 8353 2
> > nf_defrag_ipv6 11188 1 nf_conntrack_ipv6
> > xt_state 1508 4
> > nf_conntrack 80313 9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
> > ip6table_filter 3033 1
> > ip6_tables 18988 2 ip6table_mangle,ip6table_filter
> > ipv6 322874 1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
> > iTCO_wdt 7147 0
> > iTCO_vendor_support 3072 1 iTCO_wdt
> > i2c_i801 11375 0
> > i2c_core 31084 1 i2c_i801
> > sg 29446 0
> > lpc_ich 12819 0
> > mfd_core 1911 1 lpc_ich
> > e1000e 267426 0
> > ptp 9614 1 e1000e
> > pps_core 11490 1 ptp
> > ext4 419456 11
> > jbd2 93779 1 ext4
> > mbcache 8209 1 ext4
> > sd_mod 39005 6
> > crc_t10dif 1557 1 sd_mod
> > ahci 42263 4
> > video 20978 0
> > output 2425 1 video
> > dm_mirror 14432 0
> > dm_region_hash 12101 1 dm_mirror
> > dm_log 9946 2 dm_mirror,dm_region_hash
> > dm_mod 84369 19 dm_mirror,dm_log
> >
> > On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov <pavel.odint...@gmail.com> wrote:
> >> Hello!
> >>
> >> IPsec should work from 84.8 kernel according to
> >> https://openvz.org/IPsec but I found explicit reference about IPsec
> >> only in 84.10: http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
> >>
> >> Did you restart CT after loading kernel modules for l2tp?
> >>
> >> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <ope...@dokbua.com> wrote:
> >>> Ok I gave your suggestion a shot, using your link through Google
> >>> translate and http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
> >>> for comparison.
> >>>
> >>> Everything seems to go well until the 'ipsec verify' part when it says:
> >>>
> >>> [root@vps1418 /]# ipsec verify
> >>> Checking your system to see if IPsec got installed and started correctly:
> >>> Version check and ipsec on-path [OK]
> >>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
> >>> Checking for IPsec support in kernel [FAILED]
> >>> SAref kernel support [N/A]
> >>> Checking that pluto is running [OK]
> >>> Pluto listening for IKE on udp 500 [FAILED]
> >>> Pluto listening for NAT-T on udp 4500 [FAILED]
> >>> Checking for 'ip' command [OK]
> >>> Checking /bin/sh is not /bin/dash [OK]
> >>> Checking for 'iptables' command [OK]
> >>> Opportunistic Encryption Support [DISABLED]
> >>>
> >>> I think the biggest problem here is the "Checking for IPsec support in kernel"?
> >>>
> >>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
> >>> supposedly ipsec support should be in kernels after stab084?
> >>>
> >>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov <pavel.odint...@gmail.com> wrote:
> >>>> Hello!
> >>>>
> >>>> In modern version of OpenVZ you can use l2tp with ipsec support
> >>>> instead of OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
> >>>> (sorry, this manual is in Russian but it's very simple). It's
> >>>> very useable because you do not need any special clients on Windows
> >>>> hosts. Maybe you can try this?
> >>>>
> >>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion <zoo...@gmail.com> wrote:
> >>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <ope...@dokbua.com> wrote:
> >>>>>> I got the openvpn part itself down, no problem, but getting it to work
> >>>>>> in a container is a lot of hassle. Many pages, but most are outdated
> >>>>>> and things keep changing. Anyone know how to get it to work TODAY?
> >>>>>>
> >>>>>> The server is an otherwise normal server with public ip addresses and
> >>>>>> works with cpanel, no problem that far. The problem is getting an
> >>>>>> openvpn service to work in it.
> >>>>>>
> >>>>>> I've already added the tun device, and I can connect to the server
> >>>>>> with the openvpn client, just can't continue from there, so some
> >>>>>> routing is missing.
> >>>>>>
> >>>>>> I've followed the general routing instructions but because openvz
> >>>>>> doesn't support MASQ it doesn't work.
> >>>>>>
> >>>>>> - which modules to insmod on the hwnode
> >>>>>
> >>>>> Just make sure "tun" is present in lsmod.
> >>>>>
> >>>>>> - which modules to add into /etc/vz/vz.conf
> >>>>>
> >>>>> The same. "tun" should be part of the list of modules in vz.conf, so
> >>>>> it gets loaded at vz start.
> >>>>>
> >>>>>> - which modules to add into /etc/vz/<ct>.conf
> >>>>>
> >>>>> And for the CTID you want to run openvpn access in:
> >>>>>
> >>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
> >>>>>
> >>>>> Can you provide openvpn-client debug messages?
> >>>>>
> >>>>> --
> >>>>> Benjamin Henrion <bhenrion at ffii.org>
> >>>>> FFII Brussels - +32-484-566109 - +32-2-4148403
> >>>>> "In July 2005, after several failed attempts to legalise software
> >>>>> patents in Europe, the patent establishment changed its strategy.
> >>>>> Instead of explicitly seeking to sanction the patentability of
> >>>>> software, they are now seeking to create a central European patent
> >>>>> court, which would establish and enforce patentability rules in their
> >>>>> favor, without any possibility of correction by competing courts or
> >>>>> democratically elected legislators."
> >>>>> _______________________________________________
> >>>>> Users mailing list
> >>>>> Users@openvz.org
> >>>>> https://lists.openvz.org/mailman/listinfo/users
> >>>>
> >>>> --
> >>>> Sincerely yours, Pavel Odintsov
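
Added example, not part of the original thread: a small triage helper for the two outputs exchanged above. It checks the module list from the quoted for-loop by exact name (so `tun` is not satisfied by `xfrm4_mode_tunnel`, as happens with `lsmod | grep tun`) and lists the `ipsec verify` checks that failed; the function names are hypothetical and the sample input is abridged from the listings quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage of lsmod and `ipsec verify` output.

# Module names taken from the for-loop quoted in the thread.
REQUIRED_MODULES="tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4"

# missing_modules LSMOD_TEXT
# Prints the required modules that are absent. Compares whole names in column 1,
# so "tun" is not satisfied by "xfrm4_mode_tunnel" the way `grep tun` is.
missing_modules() (
    loaded=$(printf '%s\n' "$1" | awk '$1 != "Module" { print $1 }')
    missing=""
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$loaded" | grep -qxF -- "$m" || missing="$missing $m"
    done
    printf '%s\n' "${missing# }"
)

# failed_checks VERIFY_TEXT
# Prints the description of every `ipsec verify` line that ends in [FAILED].
failed_checks() (
    printf '%s\n' "$1" | sed -n 's/[[:space:]]*\[FAILED\][[:space:]]*$//p'
)

# Sample input abridged from the server18 listing and the CT 1418 output in the thread.
SAMPLE_LSMOD='Module Size Used by
esp4 5406 0
xfrm_ipcomp 4626 0
xfrm4_mode_tunnel 2019 0
pppol2tp 22749 0
pppox 2712 1 pppol2tp
ppp_async 7874 0
ppp_generic 25400 3 pppol2tp,pppox,ppp_async
tun 19157 0'

SAMPLE_VERIFY='Version check and ipsec on-path [OK]
Checking for IPsec support in kernel [FAILED]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for NAT-T on udp 4500 [FAILED]'

echo "missing on node: $(missing_modules "$SAMPLE_LSMOD")"
echo "failed in container:"
failed_checks "$SAMPLE_VERIFY"
```

On a live system the same functions take `"$(lsmod)"` on the hardware node and `"$(ipsec verify 2>&1)"` inside the container.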