Hello!

You can try to do something like this:

touch /lib/modules/2.6.32-042stab090.3/modules.dep

It can suppress ipsec_setup warnings.

On Thu, Jun 26, 2014 at 9:52 PM, Rene C. <ope...@dokbua.com> wrote:
> Going through the whole thing again I fell over this fatal error
> during the ipsec restart:
>
> ipsec_setup: FATAL: Could not load /lib/modules/2.6.32-042stab090.3/modules.dep: No such file or directory
>
> I installed both openswan and xl2tpd through yum (epel repo) but neither
> seem to add anything to /lib/modules. What am I missing?
>
> On Thu, Jun 26, 2014 at 2:06 PM, Rene C. <ope...@dokbua.com> wrote:
>> I already upgraded the kernel to the latest before the last test:
>>
>> [root@server14 ~]# uname -a
>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>
>> Sorry if I didn't make that very clear
>>
>> On Thu, Jun 26, 2014 at 1:38 PM, Pavel Odintsov
>> <pavel.odint...@gmail.com> wrote:
>>> Hello!
>>>
>>> I'm not sure about your problems but we have a few production
>>> installations with this configuration. But we use only up to date
>>> kernels like 90.x series. What kernel did you use for tests?
>>>
>>> On Thu, Jun 26, 2014 at 5:28 AM, spameden <spame...@gmail.com> wrote:
>>>>
>>>> 2014-06-25 22:19 GMT+04:00 Rene C. <ope...@dokbua.com>:
>>>>
>>>>> No, I went in the direction of l2tp as recommended. It both seems more
>>>>> secure and more compatible with both windows and android clients than
>>>>> openvpn.
>>>>
>>>> 'more secure' ?
>>>>
>>>> did you audit OpenVPN/OpenSSL code? How can you say so.
>>>>
>>>> There are clients for both android and windows for OpenVPN.
>>>>
>>>> Anyways, if you've decided to go with IPSec go over with it, it should work
>>>> too.
>>>>
>>>>>
>>>>> I still get the "Checking for IPsec support in kernel [FAILED]" error
>>>>> from the check, although the latest openvz kernel is now installed.
>>>>>
>>>>> What can we do to narrow down the cause of this?
>>>>
>>>> tbh, I have no idea, had no experience with IPSec setup on OpenVZ, ask the
>>>> guy who suggested ipsec setup.
>>>>
>>>>>
>>>>> On Mon, Jun 23, 2014 at 7:56 PM, spameden <spame...@gmail.com> wrote:
>>>>> >
>>>>> > 2014-06-23 11:31 GMT+04:00 Rene C. <ope...@dokbua.com>:
>>>>> >>
>>>>> >> Sorry, still stuck:
>>>>> >
>>>>> > Did you try OpenVPN configuration that I've suggested?
>>>>> >
>>>>> > About IPSEC: not sure, check your syslog logs might give you some tips.
>>>>> >>
>>>>> >> [root@server14 ~]# uname -a
>>>>> >> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>> >> [root@server14 ~]# for x in tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod | grep $x; done
>>>>> >> xfrm4_mode_tunnel    2019 0
>>>>> >> tun                  19157 0
>>>>> >> ppp_async            7874 0
>>>>> >> ppp_generic          25400 3 pppol2tp,pppox,ppp_async
>>>>> >> crc_ccitt            1733 1 ppp_async
>>>>> >> pppol2tp             22749 0
>>>>> >> pppox                2712 1 pppol2tp
>>>>> >> ppp_generic          25400 3 pppol2tp,pppox,ppp_async
>>>>> >> xfrm4_mode_transport 1465 0
>>>>> >> xfrm4_mode_tunnel    2019 0
>>>>> >> xfrm_ipcomp          4626 0
>>>>> >> esp4                 5406 0
>>>>> >> [root@server14 ~]# vzctl enter 1418
>>>>> >> entered into CT 1418
>>>>> >> [root@vps1418 /]# ipsec verify
>>>>> >> Checking your system to see if IPsec got installed and started correctly:
>>>>> >> Version check and ipsec on-path                         [OK]
>>>>> >> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>> >> Checking for IPsec support in kernel                    [FAILED]
>>>>> >> SAref kernel support                                    [N/A]
>>>>> >> Checking that pluto is running                          [OK]
>>>>> >> Pluto listening for IKE on udp 500                      [FAILED]
>>>>> >> Pluto listening for NAT-T on udp 4500                   [FAILED]
>>>>> >> Checking for 'ip' command                               [OK]
>>>>> >> Checking /bin/sh is not /bin/dash                       [OK]
>>>>> >> Checking for 'iptables' command                         [OK]
>>>>> >> Opportunistic Encryption Support                        [DISABLED]
>>>>> >>
>>>>> >> What am I missing?
>>>>> >>
>>>>> >> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <ope...@dokbua.com> wrote:
>>>>> >> > Yep, rebooted the container.
>>>>> >> >
>>>>> >> > Here's the modules present:
>>>>> >> >
>>>>> >> > [root@server18 ~]# lsmod
>>>>> >> > Module              Size Used by
>>>>> >> > esp4                5406 0
>>>>> >> > xfrm_ipcomp         4626 0
>>>>> >> > xfrm4_mode_tunnel   2019 0
>>>>> >> > pppol2tp            22749 0
>>>>> >> > pppox               2712 1 pppol2tp
>>>>> >> > ppp_async           7874 0
>>>>> >> > ppp_generic         25400 3 pppol2tp,pppox,ppp_async
>>>>> >> > slhc                5821 1 ppp_generic
>>>>> >> > crc_ccitt           1733 1 ppp_async
>>>>> >> > vzethdev            8221 0
>>>>> >> > vznetdev            18952 10
>>>>> >> > pio_nfs             17576 0
>>>>> >> > pio_direct          28261 9
>>>>> >> > pfmt_raw            3213 0
>>>>> >> > pfmt_ploop1         6320 9
>>>>> >> > ploop               116096 23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
>>>>> >> > simfs               4448 0
>>>>> >> > vzrst               196693 0
>>>>> >> > vzcpt               148911 1 vzrst
>>>>> >> > nfs                 442438 3 pio_nfs,vzrst,vzcpt
>>>>> >> > lockd               77189 2 vzrst,nfs
>>>>> >> > fscache             55684 1 nfs
>>>>> >> > auth_rpcgss         44949 1 nfs
>>>>> >> > nfs_acl             2663 1 nfs
>>>>> >> > sunrpc              268245 6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
>>>>> >> > vziolimit           3719 0
>>>>> >> > vzmon               24462 8 vznetdev,vzrst,vzcpt
>>>>> >> > ip6table_mangle     3669 0
>>>>> >> > nf_nat_ftp          3523 0
>>>>> >> > nf_conntrack_ftp    12929 1 nf_nat_ftp
>>>>> >> > iptable_nat         6302 1
>>>>> >> > nf_nat              23213 3 vzrst,nf_nat_ftp,iptable_nat
>>>>> >> > xt_length           1338 0
>>>>> >> > xt_hl               1547 0
>>>>> >> > xt_tcpmss           1623 0
>>>>> >> > xt_TCPMSS           3461 1
>>>>> >> > iptable_mangle      3493 0
>>>>> >> > xt_multiport        2716 0
>>>>> >> > xt_limit            2134 0
>>>>> >> > nf_conntrack_ipv4   9946 5 iptable_nat,nf_nat
>>>>> >> > nf_defrag_ipv4      1531 1 nf_conntrack_ipv4
>>>>> >> > ipt_LOG             6405 0
>>>>> >> > xt_DSCP             2849 0
>>>>> >> > xt_dscp             2073 0
>>>>> >> > ipt_REJECT          2399 12
>>>>> >> > tun                 19157 0
>>>>> >> > xt_owner            2258 0
>>>>> >> > vzdquota            55339 0 [permanent]
>>>>> >> > vzevent             2179 1
>>>>> >> > vzdev               2733 5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
>>>>> >> > iptable_filter      2937 5
>>>>> >> > ip_tables           18119 3 iptable_nat,iptable_mangle,iptable_filter
>>>>> >> > ip6t_REJECT         4711 2
>>>>> >> > nf_conntrack_ipv6   8353 2
>>>>> >> > nf_defrag_ipv6      11188 1 nf_conntrack_ipv6
>>>>> >> > xt_state            1508 4
>>>>> >> > nf_conntrack        80313 9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>>>>> >> > ip6table_filter     3033 1
>>>>> >> > ip6_tables          18988 2 ip6table_mangle,ip6table_filter
>>>>> >> > ipv6                322874 1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
>>>>> >> > iTCO_wdt            7147 0
>>>>> >> > iTCO_vendor_support 3072 1 iTCO_wdt
>>>>> >> > i2c_i801            11375 0
>>>>> >> > i2c_core            31084 1 i2c_i801
>>>>> >> > sg                  29446 0
>>>>> >> > lpc_ich             12819 0
>>>>> >> > mfd_core            1911 1 lpc_ich
>>>>> >> > e1000e              267426 0
>>>>> >> > ptp                 9614 1 e1000e
>>>>> >> > pps_core            11490 1 ptp
>>>>> >> > ext4                419456 11
>>>>> >> > jbd2                93779 1 ext4
>>>>> >> > mbcache             8209 1 ext4
>>>>> >> > sd_mod              39005 6
>>>>> >> > crc_t10dif          1557 1 sd_mod
>>>>> >> > ahci                42263 4
>>>>> >> > video               20978 0
>>>>> >> > output              2425 1 video
>>>>> >> > dm_mirror           14432 0
>>>>> >> > dm_region_hash      12101 1 dm_mirror
>>>>> >> > dm_log              9946 2 dm_mirror,dm_region_hash
>>>>> >> > dm_mod              84369 19 dm_mirror,dm_log
>>>>> >> >
>>>>> >> > On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
>>>>> >> > <pavel.odint...@gmail.com> wrote:
>>>>> >> >> Hello!
>>>>> >> >>
>>>>> >> >> IPsec should work from 84.8 kernel according to
>>>>> >> >> https://openvz.org/IPsec but I found explicit reference about IPsec
>>>>> >> >> only in 84.10:
>>>>> >> >> http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>>>>> >> >>
>>>>> >> >> Did you restart CT after loading kernel modules for l2tp?
>>>>> >> >>
>>>>> >> >> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <ope...@dokbua.com> wrote:
>>>>> >> >>> Ok I gave your suggestion a shot, using your link through Google
>>>>> >> >>> translate and
>>>>> >> >>> http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>>>>> >> >>> for comparison.
>>>>> >> >>>
>>>>> >> >>> Everything seems to go well until the 'ipsec verify' part when it
>>>>> >> >>> says:
>>>>> >> >>>
>>>>> >> >>> [root@vps1418 /]# ipsec verify
>>>>> >> >>> Checking your system to see if IPsec got installed and started correctly:
>>>>> >> >>> Version check and ipsec on-path                         [OK]
>>>>> >> >>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>> >> >>> Checking for IPsec support in kernel                    [FAILED]
>>>>> >> >>> SAref kernel support                                    [N/A]
>>>>> >> >>> Checking that pluto is running                          [OK]
>>>>> >> >>> Pluto listening for IKE on udp 500                      [FAILED]
>>>>> >> >>> Pluto listening for NAT-T on udp 4500                   [FAILED]
>>>>> >> >>> Checking for 'ip' command                               [OK]
>>>>> >> >>> Checking /bin/sh is not /bin/dash                       [OK]
>>>>> >> >>> Checking for 'iptables' command                         [OK]
>>>>> >> >>> Opportunistic Encryption Support                        [DISABLED]
>>>>> >> >>>
>>>>> >> >>> I think the biggest problem here is the "Checking for IPsec support
>>>>> >> >>> in kernel"?
>>>>> >> >>>
>>>>> >> >>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>>>>> >> >>> supposedly ipsec support should be in kernels after stab084?
>>>>> >> >>>
>>>>> >> >>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>>>>> >> >>> <pavel.odint...@gmail.com> wrote:
>>>>> >> >>>> Hello!
>>>>> >> >>>>
>>>>> >> >>>> In modern versions of OpenVZ you can use l2tp with ipsec support
>>>>> >> >>>> instead of OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
>>>>> >> >>>> (sorry, this manual is in Russian but it's very simple). It's
>>>>> >> >>>> very usable because you do not need any special clients on Windows
>>>>> >> >>>> hosts. Maybe you can try this?
>>>>> >> >>>>
>>>>> >> >>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion <zoo...@gmail.com> wrote:
>>>>> >> >>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <ope...@dokbua.com> wrote:
>>>>> >> >>>>>> I got the openvpn part itself down, no problem, but getting it to work
>>>>> >> >>>>>> in a container is a lot of hassle. Many pages, but most are outdated
>>>>> >> >>>>>> and things keep changing. Anyone know how to get it to work TODAY?
>>>>> >> >>>>>>
>>>>> >> >>>>>> The server is an otherwise normal server with public ip addresses and
>>>>> >> >>>>>> works with cpanel, no problem that far. The problem is getting an
>>>>> >> >>>>>> openvpn service to work in it.
>>>>> >> >>>>>>
>>>>> >> >>>>>> I've already added the tun device, and I can connect to the server
>>>>> >> >>>>>> with the openvpn client, just can't continue from there, so some
>>>>> >> >>>>>> routing is missing.
>>>>> >> >>>>>>
>>>>> >> >>>>>> I've followed the general routing instructions but because openvz
>>>>> >> >>>>>> doesn't support MASQ it doesn't work.
>>>>> >> >>>>>>
>>>>> >> >>>>>> - which modules to insmod on the hwnode
>>>>> >> >>>>>
>>>>> >> >>>>> Just make sure "tun" is present in lsmod.
>>>>> >> >>>>>
>>>>> >> >>>>>> - which modules to add into /etc/vz/vz.conf
>>>>> >> >>>>>
>>>>> >> >>>>> The same. "tun" should be part of the list of modules in vz.conf, so
>>>>> >> >>>>> it gets loaded at vz start.
>>>>> >> >>>>>
>>>>> >> >>>>>> - which modules to add into /etc/vz/<ct>.conf
>>>>> >> >>>>>
>>>>> >> >>>>> And then for the CTID you want to run openvpn access in:
>>>>> >> >>>>>
>>>>> >> >>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>>>>> >> >>>>>
>>>>> >> >>>>> Can you provide openvpn-client debug messages?
>>>>> >> >>>>>
>>>>> >> >>>>> --
>>>>> >> >>>>> Benjamin Henrion <bhenrion at ffii.org>
>>>>> >> >>>>> FFII Brussels - +32-484-566109 - +32-2-4148403
>>>>> >> >>>>> "In July 2005, after several failed attempts to legalise software
>>>>> >> >>>>> patents in Europe, the patent establishment changed its strategy.
>>>>> >> >>>>> Instead of explicitly seeking to sanction the patentability of
>>>>> >> >>>>> software, they are now seeking to create a central European patent
>>>>> >> >>>>> court, which would establish and enforce patentability rules in their
>>>>> >> >>>>> favor, without any possibility of correction by competing courts or
>>>>> >> >>>>> democratically elected legislators."
>>>>> >> >>>>> _______________________________________________
>>>>> >> >>>>> Users mailing list
>>>>> >> >>>>> Users@openvz.org
>>>>> >> >>>>> https://lists.openvz.org/mailman/listinfo/users
>>>>> >> >>>>
>>>>> >> >>>> --
>>>>> >> >>>> Sincerely yours, Pavel Odintsov
>>>>> >> >>
>>>>> >> >> --
>>>>> >> >> Sincerely yours, Pavel Odintsov
>>>
>>> --
>>> Sincerely yours, Pavel Odintsov

--
Sincerely yours, Pavel Odintsov
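
Added example, not part of the thread or of any poster's message: a small shell helper that summarizes the two outputs the thread keeps comparing, the hardware node's `lsmod` listing and the container's `ipsec verify` report. The function names and the sample input are constructed for illustration; the module list is the one from the `for x in ...` loop quoted above.

```shell
#!/bin/sh
# Added example: summarize lsmod and `ipsec verify` output for the checks in this thread.

# Modules the thread greps for on the hardware node.
REQUIRED_MODULES="tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4"

# missing_modules LSMOD_TEXT -> space-separated required modules that are not loaded.
# Only the first column is compared, and the whole name must match, so
# "xfrm4_mode_tunnel" does not satisfy "tun" (as it does with `lsmod | grep tun`)
# and a name that appears only in the "Used by" column does not count.
missing_modules() {
    loaded=$(printf '%s\n' "$1" | awk '$1 != "Module" { print $1 }')
    out=""
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$loaded" | grep -Fqx "$m" || out="$out $m"
    done
    printf '%s\n' "${out# }"
}

# failed_checks VERIFY_TEXT -> one line per check that ended in [FAILED].
failed_checks() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*//; s/[[:space:]]*\[FAILED\][[:space:]]*$//p'
}

# Constructed sample input, shaped like the output quoted in the thread.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                    5406  0
xfrm_ipcomp             4626  0
xfrm4_mode_tunnel       2019  0
pppol2tp               22749  0
pppox                   2712  1 pppol2tp
ppp_async               7874  0
ppp_generic            25400  3 pppol2tp,pppox,ppp_async'

SAMPLE_VERIFY='Version check and ipsec on-path                         [OK]
Checking for IPsec support in kernel                    [FAILED]
Checking that pluto is running                          [OK]
Pluto listening for IKE on udp 500                      [FAILED]
Pluto listening for NAT-T on udp 4500                   [FAILED]
Opportunistic Encryption Support                        [DISABLED]'

echo "missing modules: $(missing_modules "$SAMPLE_LSMOD")"
echo "failed checks:"
failed_checks "$SAMPLE_VERIFY" | sed 's/^/  - /'
```

On a live system the same functions take `"$(lsmod)"` on the hardware node and `"$(ipsec verify 2>&1)"` inside the container.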