I already upgraded the kernel to the latest before the last test:

[root@server14 ~]# uname -a
Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16

Sorry if I didn't make that very clear.

On Thu, Jun 26, 2014 at 1:38 PM, Pavel Odintsov <pavel.odint...@gmail.com> wrote:
> Hello!
>
> I'm not sure about your problems but we have a few production
> installations with this configuration. But we use only up to date
> kernels like the 90.x series. What kernel did you use for the tests?
>
> On Thu, Jun 26, 2014 at 5:28 AM, spameden <spame...@gmail.com> wrote:
>>
>> 2014-06-25 22:19 GMT+04:00 Rene C. <ope...@dokbua.com>:
>>
>>> No, I went in the direction of l2tp as recommended. It both seems more
>>> secure and more compatible with both windows and android clients than
>>> openvpn.
>>
>> 'more secure' ?
>>
>> did you audit the OpenVPN/OpenSSL code? How can you say so.
>>
>> There are clients for both android and windows for OpenVPN.
>>
>> Anyways, if you've decided to go with IPSec, go on with it, it should work
>> too.
>>
>>> I still get the "Checking for IPsec support in kernel
>>> [FAILED]" error from the check, although the latest openvz
>>> kernel is now installed.
>>>
>>> What can we do to narrow down the cause of this?
>>
>> tbh, I have no idea, had no experience with IPSec setup on OpenVZ, ask the
>> guy who suggested the ipsec setup.
>>
>>> On Mon, Jun 23, 2014 at 7:56 PM, spameden <spame...@gmail.com> wrote:
>>> >
>>> > 2014-06-23 11:31 GMT+04:00 Rene C. <ope...@dokbua.com>:
>>> >>
>>> >> Sorry, still stuck:
>>> >
>>> > Did you try the OpenVPN configuration that I've suggested?
>>> >
>>> > About IPSEC: not sure, check your syslog logs, they might give you some tips.
>>> >>
>>> >> [root@server14 ~]# uname -a
>>> >> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>> >> 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
>>> >> [root@server14 ~]# for x in tun ppp_async pppol2tp
>>> >> xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod |
>>> >> grep $x; done
>>> >> xfrm4_mode_tunnel 2019 0
>>> >> tun 19157 0
>>> >> ppp_async 7874 0
>>> >> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>> >> crc_ccitt 1733 1 ppp_async
>>> >> pppol2tp 22749 0
>>> >> pppox 2712 1 pppol2tp
>>> >> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>> >> xfrm4_mode_transport 1465 0
>>> >> xfrm4_mode_tunnel 2019 0
>>> >> xfrm_ipcomp 4626 0
>>> >> esp4 5406 0
>>> >> [root@server14 ~]# vzctl enter 1418
>>> >> entered into CT 1418
>>> >> [root@vps1418 /]# ipsec verify
>>> >> Checking your system to see if IPsec got installed and started
>>> >> correctly:
>>> >> Version check and ipsec on-path [OK]
>>> >> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>> >> Checking for IPsec support in kernel [FAILED]
>>> >> SAref kernel support [N/A]
>>> >> Checking that pluto is running [OK]
>>> >> Pluto listening for IKE on udp 500 [FAILED]
>>> >> Pluto listening for NAT-T on udp 4500 [FAILED]
>>> >> Checking for 'ip' command [OK]
>>> >> Checking /bin/sh is not /bin/dash [OK]
>>> >> Checking for 'iptables' command [OK]
>>> >> Opportunistic Encryption Support [DISABLED]
>>> >>
>>> >> What am I missing?
>>> >>
>>> >> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <ope...@dokbua.com> wrote:
>>> >> > Yep, rebooted the container.
>>> >> >
>>> >> > Here's the modules present:
>>> >> >
>>> >> > [root@server18 ~]# lsmod
>>> >> > Module Size Used by
>>> >> > esp4 5406 0
>>> >> > xfrm_ipcomp 4626 0
>>> >> > xfrm4_mode_tunnel 2019 0
>>> >> > pppol2tp 22749 0
>>> >> > pppox 2712 1 pppol2tp
>>> >> > ppp_async 7874 0
>>> >> > ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>> >> > slhc 5821 1 ppp_generic
>>> >> > crc_ccitt 1733 1 ppp_async
>>> >> > vzethdev 8221 0
>>> >> > vznetdev 18952 10
>>> >> > pio_nfs 17576 0
>>> >> > pio_direct 28261 9
>>> >> > pfmt_raw 3213 0
>>> >> > pfmt_ploop1 6320 9
>>> >> > ploop 116096 23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
>>> >> > simfs 4448 0
>>> >> > vzrst 196693 0
>>> >> > vzcpt 148911 1 vzrst
>>> >> > nfs 442438 3 pio_nfs,vzrst,vzcpt
>>> >> > lockd 77189 2 vzrst,nfs
>>> >> > fscache 55684 1 nfs
>>> >> > auth_rpcgss 44949 1 nfs
>>> >> > nfs_acl 2663 1 nfs
>>> >> > sunrpc 268245 6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
>>> >> > vziolimit 3719 0
>>> >> > vzmon 24462 8 vznetdev,vzrst,vzcpt
>>> >> > ip6table_mangle 3669 0
>>> >> > nf_nat_ftp 3523 0
>>> >> > nf_conntrack_ftp 12929 1 nf_nat_ftp
>>> >> > iptable_nat 6302 1
>>> >> > nf_nat 23213 3 vzrst,nf_nat_ftp,iptable_nat
>>> >> > xt_length 1338 0
>>> >> > xt_hl 1547 0
>>> >> > xt_tcpmss 1623 0
>>> >> > xt_TCPMSS 3461 1
>>> >> > iptable_mangle 3493 0
>>> >> > xt_multiport 2716 0
>>> >> > xt_limit 2134 0
>>> >> > nf_conntrack_ipv4 9946 5 iptable_nat,nf_nat
>>> >> > nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
>>> >> > ipt_LOG 6405 0
>>> >> > xt_DSCP 2849 0
>>> >> > xt_dscp 2073 0
>>> >> > ipt_REJECT 2399 12
>>> >> > tun 19157 0
>>> >> > xt_owner 2258 0
>>> >> > vzdquota 55339 0 [permanent]
>>> >> > vzevent 2179 1
>>> >> > vzdev 2733 5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
>>> >> > iptable_filter 2937 5
>>> >> > ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter
>>> >> > ip6t_REJECT 4711 2
>>> >> > nf_conntrack_ipv6 8353 2
>>> >> > nf_defrag_ipv6 11188 1 nf_conntrack_ipv6
>>> >> > xt_state 1508 4
>>> >> > nf_conntrack 80313 9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>>> >> > ip6table_filter 3033 1
>>> >> > ip6_tables 18988 2 ip6table_mangle,ip6table_filter
>>> >> > ipv6 322874 1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
>>> >> > iTCO_wdt 7147 0
>>> >> > iTCO_vendor_support 3072 1 iTCO_wdt
>>> >> > i2c_i801 11375 0
>>> >> > i2c_core 31084 1 i2c_i801
>>> >> > sg 29446 0
>>> >> > lpc_ich 12819 0
>>> >> > mfd_core 1911 1 lpc_ich
>>> >> > e1000e 267426 0
>>> >> > ptp 9614 1 e1000e
>>> >> > pps_core 11490 1 ptp
>>> >> > ext4 419456 11
>>> >> > jbd2 93779 1 ext4
>>> >> > mbcache 8209 1 ext4
>>> >> > sd_mod 39005 6
>>> >> > crc_t10dif 1557 1 sd_mod
>>> >> > ahci 42263 4
>>> >> > video 20978 0
>>> >> > output 2425 1 video
>>> >> > dm_mirror 14432 0
>>> >> > dm_region_hash 12101 1 dm_mirror
>>> >> > dm_log 9946 2 dm_mirror,dm_region_hash
>>> >> > dm_mod 84369 19 dm_mirror,dm_log
>>> >> >
>>> >> > On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
>>> >> > <pavel.odint...@gmail.com> wrote:
>>> >> >> Hello!
>>> >> >>
>>> >> >> IPsec should work from the 84.8 kernel according to
>>> >> >> https://openvz.org/IPsec but I found an explicit reference to IPsec
>>> >> >> only in 84.10:
>>> >> >> http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>>> >> >>
>>> >> >> Did you restart the CT after loading the kernel modules for l2tp?
>>> >> >>
>>> >> >> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <ope...@dokbua.com> wrote:
>>> >> >>> Ok, I gave your suggestion a shot, using your link through Google
>>> >> >>> translate and
>>> >> >>> http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>>> >> >>> for comparison.
>>> >> >>>
>>> >> >>> Everything seems to go well until the 'ipsec verify' part when it
>>> >> >>> says:
>>> >> >>>
>>> >> >>> [root@vps1418 /]# ipsec verify
>>> >> >>> Checking your system to see if IPsec got installed and started
>>> >> >>> correctly:
>>> >> >>> Version check and ipsec on-path [OK]
>>> >> >>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>> >> >>> Checking for IPsec support in kernel [FAILED]
>>> >> >>> SAref kernel support [N/A]
>>> >> >>> Checking that pluto is running [OK]
>>> >> >>> Pluto listening for IKE on udp 500 [FAILED]
>>> >> >>> Pluto listening for NAT-T on udp 4500 [FAILED]
>>> >> >>> Checking for 'ip' command [OK]
>>> >> >>> Checking /bin/sh is not /bin/dash [OK]
>>> >> >>> Checking for 'iptables' command [OK]
>>> >> >>> Opportunistic Encryption Support [DISABLED]
>>> >> >>>
>>> >> >>> I think the biggest problem here is the "Checking for IPsec support
>>> >> >>> in kernel"?
>>> >> >>>
>>> >> >>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>>> >> >>> supposedly ipsec support should be in kernels after stab084?
>>> >> >>>
>>> >> >>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>>> >> >>> <pavel.odint...@gmail.com> wrote:
>>> >> >>>> Hello!
>>> >> >>>>
>>> >> >>>> In modern versions of OpenVZ you can use l2tp with ipsec support
>>> >> >>>> instead of OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
>>> >> >>>> (sorry, this manual is in Russian but it's very simple). It's
>>> >> >>>> very usable because you do not need any special clients on Windows
>>> >> >>>> hosts. Maybe you can try this?
>>> >> >>>>
>>> >> >>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion
>>> >> >>>> <zoo...@gmail.com> wrote:
>>> >> >>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <ope...@dokbua.com> wrote:
>>> >> >>>>>> I got the openvpn part itself down, no problem, but getting it to
>>> >> >>>>>> work in a container is a lot of hassle. Many pages, but most are
>>> >> >>>>>> outdated and things keep changing. Anyone know how to get it to
>>> >> >>>>>> work TODAY?
>>> >> >>>>>>
>>> >> >>>>>> The server is an otherwise normal server with public ip addresses
>>> >> >>>>>> and works with cpanel, no problem so far. The problem is getting
>>> >> >>>>>> an openvpn service to work in it.
>>> >> >>>>>>
>>> >> >>>>>> I've already added the tun device, and I can connect to the server
>>> >> >>>>>> with the openvpn client, just can't continue from there, so some
>>> >> >>>>>> routing is missing.
>>> >> >>>>>>
>>> >> >>>>>> I've followed the general routing instructions but because openvz
>>> >> >>>>>> doesn't support MASQ it doesn't work.
>>> >> >>>>>>
>>> >> >>>>>> - which modules to insmod on the hwnode
>>> >> >>>>>
>>> >> >>>>> Just make sure "tun" is present in lsmod.
>>> >> >>>>>
>>> >> >>>>>> - which modules to add into /etc/vz/vz.conf
>>> >> >>>>>
>>> >> >>>>> The same. "tun" should be part of the list of modules in vz.conf, so
>>> >> >>>>> it gets loaded at vz start.
>>> >> >>>>>
>>> >> >>>>>> - which modules to add into /etc/vz/<ct>.conf
>>> >> >>>>>
>>> >> >>>>> And for the CTID you want to run openvpn access in:
>>> >> >>>>>
>>> >> >>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>>> >> >>>>>
>>> >> >>>>> Can you provide openvpn-client debug messages?
>>> >> >>>>>
>>> >> >>>>> --
>>> >> >>>>> Benjamin Henrion <bhenrion at ffii.org>
>>> >> >>>>> FFII Brussels - +32-484-566109 - +32-2-4148403
>>> >> >>>>> "In July 2005, after several failed attempts to legalise software
>>> >> >>>>> patents in Europe, the patent establishment changed its strategy.
>>> >> >>>>> Instead of explicitly seeking to sanction the patentability of
>>> >> >>>>> software, they are now seeking to create a central European patent
>>> >> >>>>> court, which would establish and enforce patentability rules in their
>>> >> >>>>> favor, without any possibility of correction by competing courts or
>>> >> >>>>> democratically elected legislators."
>>> >> >>>>> _______________________________________________
>>> >> >>>>> Users mailing list
>>> >> >>>>> Users@openvz.org
>>> >> >>>>> https://lists.openvz.org/mailman/listinfo/users
>>> >> >>>>
>>> >> >>>> --
>>> >> >>>> Sincerely yours, Pavel Odintsov
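The thread's module check, `for x in ...; do lsmod | grep $x; done`, matches substrings: its own output shows `grep tun` printing `xfrm4_mode_tunnel` before `tun`, and `grep ppp_async` also prints `ppp_generic` and `crc_ccitt`, so a module can look present when only a dependency or a similarly named module is loaded. The POSIX shell script below is an added example, not code from the thread or from the OpenVZ project: it compares the required names against the whole first column of `lsmod` output and reports exactly which are missing. It generalises the thread's one-off loop to any module list. The `lsmod` text it checks by default is a constructed sample, and the function names `missing_modules` and `check_live` are my own.

```shell
#!/bin/sh
# Added example: exact-match check of lsmod output for a list of required modules.
# Not from the mailing-list thread; function names are the author's own choice.

# Module list taken from the thread's lsmod | grep loop (L2TP/IPsec in an OpenVZ CT).
REQUIRED_MODULES="tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4"

# Constructed sample of lsmod output: esp4 is deliberately absent so the
# default run has something to report.
SAMPLE_LSMOD='Module                  Size  Used by
xfrm4_mode_tunnel       2019  0
tun                    19157  0
ppp_async               7874  0
ppp_generic            25400  3 pppol2tp,pppox,ppp_async
pppol2tp               22749  0
xfrm4_mode_transport    1465  0
xfrm_ipcomp             4626  0'

# missing_modules LSMOD_TEXT MODULE_LIST
# Prints, one per line, every module in MODULE_LIST whose name does not
# appear exactly in the first column of LSMOD_TEXT. Comparing the whole
# column ($1 == want) avoids the substring hit that "lsmod | grep tun"
# gets from xfrm4_mode_tunnel.
missing_modules() {
    lsmod_text=$1
    for m in $2; do
        if ! printf '%s\n' "$lsmod_text" |
             awk -v want="$m" '$1 == want { found = 1 } END { exit (found ? 0 : 1) }'; then
            printf '%s\n' "$m"
        fi
    done
}

# check_live MODULE_LIST: the same check against the running kernel.
check_live() {
    missing_modules "$(lsmod)" "$1"
}

# Default run uses the constructed sample; pass --live on a hardware node
# to check the real module table instead.
if [ "${1:-}" = "--live" ]; then
    missing=$(check_live "$REQUIRED_MODULES")
else
    missing=$(missing_modules "$SAMPLE_LSMOD" "$REQUIRED_MODULES")
fi

if [ -n "$missing" ]; then
    echo "missing modules:"
    echo "$missing"
else
    echo "all required modules loaded"
fi
```

Run on the sample it reports `esp4` as missing; with `--live` on the hardware node it reports whatever is absent from the real `lsmod`. A module the node loads is still only usable in a container if `vzctl` has granted the device (the TUN/TAP page linked in the thread), so an empty result here confirms the node side only.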