On 26/06/2014 18:52, Rene C. wrote:
> Going through the whole thing again I fell over this fatal error
> during the ipsec restart:
>
> ipsec_setup: FATAL: Could not load
> /lib/modules/2.6.32-042stab090.3/modules.dep: No such file or
> directory
>
> I installed both openswan xl2tpd through yum (epel repo) but neither
> seem to add anything to /lib/modules. What am I missing?

Hi,

I get this error a lot between kernel upgrades when using iptables within containers. I found the fix is to make the directory it's complaining about first, then run depmod -a (all from within the container):

# mkdir -p /lib/modules/2.6.32-042stab090.3/
# depmod -a

Can someone shed a light on why this error occurs? It is complaining about a previous kernel version here (Rene states that stab090.4 is installed below).

Regards

Ian

--
>
> On Thu, Jun 26, 2014 at 2:06 PM, Rene C. <ope...@dokbua.com> wrote:
>> I already upgraded the kernel to the latest before the last test:
>>
>> [root@server14 ~]# uname -a
>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>
>> Sorry if I didn't make that very clear
>>
>> On Thu, Jun 26, 2014 at 1:38 PM, Pavel Odintsov
>> <pavel.odint...@gmail.com> wrote:
>>> Hello!
>>>
>>> I'm not sure about your problems but we have few production
>>> installation with this configuration. But we use only up to date
>>> kernels like 90.x series. What kernel you used for tests?
>>>
>>> On Thu, Jun 26, 2014 at 5:28 AM, spameden <spame...@gmail.com> wrote:
>>>>
>>>> 2014-06-25 22:19 GMT+04:00 Rene C. <ope...@dokbua.com>:
>>>>
>>>>> No, I went in the direction of l2tp as recommended. It both seems more
>>>>> secure and more compatible with both windows and android clients than
>>>>> openvpn.
>>>>
>>>> 'more secure' ?
>>>>
>>>> did you audit OpenVPN/OpenSSL code? How can you say so.
>>>>
>>>> There are clients for both android and windows for OpenVPN.
>>>>
>>>> Anyways, if you've decided to go with IPSec go over with it, it should work
>>>> too.
>>>>
>>>>> I still get the "Checking for IPsec support in kernel
>>>>> [FAILED]" error from the check, although the latest openvz
>>>>> kernel is now installed.
>>>>>
>>>>> What can we do to narrow down the cause of this?
>>>>
>>>> tbh, I have no idea, had no experience with IPSec setup on OpenVZ, ask the
>>>> guy who've suggested ipsec setup.
>>>>
>>>>> On Mon, Jun 23, 2014 at 7:56 PM, spameden <spame...@gmail.com> wrote:
>>>>>>
>>>>>> 2014-06-23 11:31 GMT+04:00 Rene C. <ope...@dokbua.com>:
>>>>>>>
>>>>>>> Sorry, still stuck:
>>>>>>
>>>>>> Did you try OpenVPN configuration that I've suggested?
>>>>>>
>>>>>> About IPSEC: not sure, check your syslog logs might give you some tips.
>>>>>>>
>>>>>>> [root@server14 ~]# uname -a
>>>>>>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>>>> [root@server14 ~]# for x in tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod | grep $x; done
>>>>>>> xfrm4_mode_tunnel 2019 0
>>>>>>> tun 19157 0
>>>>>>> ppp_async 7874 0
>>>>>>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>>>> crc_ccitt 1733 1 ppp_async
>>>>>>> pppol2tp 22749 0
>>>>>>> pppox 2712 1 pppol2tp
>>>>>>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>>>> xfrm4_mode_transport 1465 0
>>>>>>> xfrm4_mode_tunnel 2019 0
>>>>>>> xfrm_ipcomp 4626 0
>>>>>>> esp4 5406 0
>>>>>>> [root@server14 ~]# vzctl enter 1418
>>>>>>> entered into CT 1418
>>>>>>> [root@vps1418 /]# ipsec verify
>>>>>>> Checking your system to see if IPsec got installed and started correctly:
>>>>>>> Version check and ipsec on-path [OK]
>>>>>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>>>> Checking for IPsec support in kernel [FAILED]
>>>>>>> SAref kernel support [N/A]
>>>>>>> Checking that pluto is running [OK]
>>>>>>> Pluto listening for IKE on udp 500 [FAILED]
>>>>>>> Pluto listening for NAT-T on udp 4500 [FAILED]
>>>>>>> Checking for 'ip' command [OK]
>>>>>>> Checking /bin/sh is not /bin/dash [OK]
>>>>>>> Checking for 'iptables' command [OK]
>>>>>>> Opportunistic Encryption Support [DISABLED]
>>>>>>>
>>>>>>> What am I missing?
>>>>>>>
>>>>>>> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <ope...@dokbua.com> wrote:
>>>>>>>> Yep, rebooted the container.
>>>>>>>>
>>>>>>>> Here's the modules present:
>>>>>>>>
>>>>>>>> [root@server18 ~]# lsmod
>>>>>>>> Module Size Used by
>>>>>>>> esp4 5406 0
>>>>>>>> xfrm_ipcomp 4626 0
>>>>>>>> xfrm4_mode_tunnel 2019 0
>>>>>>>> pppol2tp 22749 0
>>>>>>>> pppox 2712 1 pppol2tp
>>>>>>>> ppp_async 7874 0
>>>>>>>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>>>>> slhc 5821 1 ppp_generic
>>>>>>>> crc_ccitt 1733 1 ppp_async
>>>>>>>> vzethdev 8221 0
>>>>>>>> vznetdev 18952 10
>>>>>>>> pio_nfs 17576 0
>>>>>>>> pio_direct 28261 9
>>>>>>>> pfmt_raw 3213 0
>>>>>>>> pfmt_ploop1 6320 9
>>>>>>>> ploop 116096 23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
>>>>>>>> simfs 4448 0
>>>>>>>> vzrst 196693 0
>>>>>>>> vzcpt 148911 1 vzrst
>>>>>>>> nfs 442438 3 pio_nfs,vzrst,vzcpt
>>>>>>>> lockd 77189 2 vzrst,nfs
>>>>>>>> fscache 55684 1 nfs
>>>>>>>> auth_rpcgss 44949 1 nfs
>>>>>>>> nfs_acl 2663 1 nfs
>>>>>>>> sunrpc 268245 6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
>>>>>>>> vziolimit 3719 0
>>>>>>>> vzmon 24462 8 vznetdev,vzrst,vzcpt
>>>>>>>> ip6table_mangle 3669 0
>>>>>>>> nf_nat_ftp 3523 0
>>>>>>>> nf_conntrack_ftp 12929 1 nf_nat_ftp
>>>>>>>> iptable_nat 6302 1
>>>>>>>> nf_nat 23213 3 vzrst,nf_nat_ftp,iptable_nat
>>>>>>>> xt_length 1338 0
>>>>>>>> xt_hl 1547 0
>>>>>>>> xt_tcpmss 1623 0
>>>>>>>> xt_TCPMSS 3461 1
>>>>>>>> iptable_mangle 3493 0
>>>>>>>> xt_multiport 2716 0
>>>>>>>> xt_limit 2134 0
>>>>>>>> nf_conntrack_ipv4 9946 5 iptable_nat,nf_nat
>>>>>>>> nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
>>>>>>>> ipt_LOG 6405 0
>>>>>>>> xt_DSCP 2849 0
>>>>>>>> xt_dscp 2073 0
>>>>>>>> ipt_REJECT 2399 12
>>>>>>>> tun 19157 0
>>>>>>>> xt_owner 2258 0
>>>>>>>> vzdquota 55339 0 [permanent]
>>>>>>>> vzevent 2179 1
>>>>>>>> vzdev 2733 5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
>>>>>>>> iptable_filter 2937 5
>>>>>>>> ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter
>>>>>>>> ip6t_REJECT 4711 2
>>>>>>>> nf_conntrack_ipv6 8353 2
>>>>>>>> nf_defrag_ipv6 11188 1 nf_conntrack_ipv6
>>>>>>>> xt_state 1508 4
>>>>>>>> nf_conntrack 80313 9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>>>>>>>> ip6table_filter 3033 1
>>>>>>>> ip6_tables 18988 2 ip6table_mangle,ip6table_filter
>>>>>>>> ipv6 322874 1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
>>>>>>>> iTCO_wdt 7147 0
>>>>>>>> iTCO_vendor_support 3072 1 iTCO_wdt
>>>>>>>> i2c_i801 11375 0
>>>>>>>> i2c_core 31084 1 i2c_i801
>>>>>>>> sg 29446 0
>>>>>>>> lpc_ich 12819 0
>>>>>>>> mfd_core 1911 1 lpc_ich
>>>>>>>> e1000e 267426 0
>>>>>>>> ptp 9614 1 e1000e
>>>>>>>> pps_core 11490 1 ptp
>>>>>>>> ext4 419456 11
>>>>>>>> jbd2 93779 1 ext4
>>>>>>>> mbcache 8209 1 ext4
>>>>>>>> sd_mod 39005 6
>>>>>>>> crc_t10dif 1557 1 sd_mod
>>>>>>>> ahci 42263 4
>>>>>>>> video 20978 0
>>>>>>>> output 2425 1 video
>>>>>>>> dm_mirror 14432 0
>>>>>>>> dm_region_hash 12101 1 dm_mirror
>>>>>>>> dm_log 9946 2 dm_mirror,dm_region_hash
>>>>>>>> dm_mod 84369 19 dm_mirror,dm_log
>>>>>>>>
>>>>>>>> On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
>>>>>>>> <pavel.odint...@gmail.com> wrote:
>>>>>>>>> Hello!
>>>>>>>>>
>>>>>>>>> IPsec should work from 84.8 kernel according to
>>>>>>>>> https://openvz.org/IPsec but I found explicit reference about IPsec
>>>>>>>>> only in 84.10:
>>>>>>>>> http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>>>>>>>>>
>>>>>>>>> Did you restart CT after loading kernel modules for l2tp?
>>>>>>>>>
>>>>>>>>> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <ope...@dokbua.com> wrote:
>>>>>>>>>> Ok I gave your suggestion a shot, using your link through Google
>>>>>>>>>> translate and
>>>>>>>>>> http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>>>>>>>>>> for comparison.
>>>>>>>>>>
>>>>>>>>>> Everything seems to go well until the 'ipsec verify' part when it
>>>>>>>>>> says:
>>>>>>>>>>
>>>>>>>>>> [root@vps1418 /]# ipsec verify
>>>>>>>>>> Checking your system to see if IPsec got installed and started correctly:
>>>>>>>>>> Version check and ipsec on-path [OK]
>>>>>>>>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>>>>>>> Checking for IPsec support in kernel [FAILED]
>>>>>>>>>> SAref kernel support [N/A]
>>>>>>>>>> Checking that pluto is running [OK]
>>>>>>>>>> Pluto listening for IKE on udp 500 [FAILED]
>>>>>>>>>> Pluto listening for NAT-T on udp 4500 [FAILED]
>>>>>>>>>> Checking for 'ip' command [OK]
>>>>>>>>>> Checking /bin/sh is not /bin/dash [OK]
>>>>>>>>>> Checking for 'iptables' command [OK]
>>>>>>>>>> Opportunistic Encryption Support [DISABLED]
>>>>>>>>>>
>>>>>>>>>> I think the biggest problem here is the "Checking for IPsec support in
>>>>>>>>>> kernel"?
>>>>>>>>>>
>>>>>>>>>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>>>>>>>>>> supposedly ipsec support should be in kernels after stab084?
>>>>>>>>>>
>>>>>>>>>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>>>>>>>>>> <pavel.odint...@gmail.com> wrote:
>>>>>>>>>>> Hello!
>>>>>>>>>>>
>>>>>>>>>>> In modern version of OpenVZ you can use l2tp with ipsec support
>>>>>>>>>>> instead OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
>>>>>>>>>>> (sorry this manual in russian language but it's very simple). It's
>>>>>>>>>>> very useable because you do not need any special clients on Windows
>>>>>>>>>>> hosts. Maybe you can try this?
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion <zoo...@gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <ope...@dokbua.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> I got the openvpn part itself down, no problem, but getting it to
>>>>>>>>>>>>> work in a container is a lot of hassle. Many pages, but most are
>>>>>>>>>>>>> outdated and things keeps changing. Anyone know how to get it to
>>>>>>>>>>>>> work TODAY?
>>>>>>>>>>>>>
>>>>>>>>>>>>> The server is an otherwise normal server with public ip addresses
>>>>>>>>>>>>> and works with cpanel, no problem that far. The problem is getting
>>>>>>>>>>>>> an openvpn service to work in it.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I've already added the tun device, and I can connect to the server
>>>>>>>>>>>>> with the openvpn client, just can't continue from there, so some
>>>>>>>>>>>>> routing is missing.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I've followed the general routing instructions but because openvz
>>>>>>>>>>>>> doesn't support MASQ it doesn't work.
>>>>>>>>>>>>>
>>>>>>>>>>>>> - which modules to insmod on the hwnode
>>>>>>>>>>>>
>>>>>>>>>>>> Just make sure "tun" is present in lsmod.
>>>>>>>>>>>>
>>>>>>>>>>>>> - which modules to add into /etc/vz/vz.conf
>>>>>>>>>>>>
>>>>>>>>>>>> The same. "tun" should be part of the list of modules in vz.conf, so
>>>>>>>>>>>> it gets loaded at vz start.
>>>>>>>>>>>>
>>>>>>>>>>>>> - which modules to add into /etc/vz/<ct>.conf
>>>>>>>>>>>>
>>>>>>>>>>>> And the for the CTID you want to run openvpn access in:
>>>>>>>>>>>>
>>>>>>>>>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>>>>>>>>>>>>
>>>>>>>>>>>> Can you provide openvpn-client debug messages?
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Benjamin Henrion <bhenrion at ffii.org>

_______________________________________________
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users
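
The two checks discussed in this thread, as an added shell example that is not code from any poster: `missing_modules` matches module names exactly against the first `lsmod` column (the thread's `grep $x` loop also matches substrings, which is why `xfrm4_mode_tunnel` is printed for `tun`), and `modules_dep_state` reports whether `modules.dep` exists for a given kernel version. The function names, the `ROOT` parameter and the sample `lsmod` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-name module check plus a modules.dep check.
# The module list is the one used in the thread's lsmod loop.
REQUIRED="tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4"

# missing_modules: read `lsmod` output on stdin and print each required
# module whose name does not appear in column 1 (exact match, no substrings).
missing_modules() {
    awk -v req="$REQUIRED" '
        { loaded[$1] = 1 }
        END {
            n = split(req, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in loaded)) print want[i]
        }'
}

# modules_dep_state ROOT KVER: report the state of
# ROOT/lib/modules/KVER/modules.dep. ROOT is a hypothetical parameter so the
# check can be pointed at a test tree; pass "" for the live filesystem.
modules_dep_state() {
    dir="$1/lib/modules/$2"
    if [ ! -d "$dir" ]; then echo "no-dir"
    elif [ ! -f "$dir/modules.dep" ]; then echo "no-modules.dep"
    else echo "ok"
    fi
}

# Constructed lsmod sample: "tun" and "ppp_async" are not loaded, yet a
# substring grep for "tun" would still match the xfrm4_mode_tunnel line.
SAMPLE_LSMOD='Module Size Used by
esp4 5406 0
xfrm_ipcomp 4626 0
xfrm4_mode_tunnel 2019 0
xfrm4_mode_transport 1465 0
pppol2tp 22749 0
pppox 2712 1 pppol2tp
ppp_generic 25400 2 pppol2tp,pppox'

echo "missing (exact match):"
printf '%s\n' "$SAMPLE_LSMOD" | missing_modules
echo "modules.dep for running kernel: $(modules_dep_state "" "$(uname -r)")"
```

On a real system, feed it live data with `lsmod | missing_modules`; a `no-dir` or `no-modules.dep` result inside the container corresponds to the `ipsec_setup: FATAL` message quoted at the top of this thread.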