[Ubuntu-BR] Ubuntu Vs VPN

Erasmo José Pereira de Oliveira erasmojpo at gmail.com
Sunday May 17 17:01:20 UTC 2009


Friends, I am still struggling to get the network working over the VPN so I can go back to
using only Ubuntu. When I run the command below it fails...

erasmo@erasmo-desktop:~$ sudo ipsec whack --name Brisanet --initiate
002 "Brisanet" #1: initiating Main Mode
104 "Brisanet" #1: STATE_MAIN_I1: initiate
003 "Brisanet" #1: ignoring unknown Vendor ID payload [4f454b427a64597b774d5d40]
003 "Brisanet" #1: received Vendor ID payload [Dead Peer Detection]
002 "Brisanet" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "Brisanet" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "Brisanet" #1: I am sending my cert
002 "Brisanet" #1: I am sending a certificate request
003 "Brisanet" #1: unable to locate my private key for RSA Signature
224 "Brisanet" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "Brisanet" #1: sending notification AUTHENTICATION_FAILED to 201.65.232.15:500


note that my ipsec.conf looks like this

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006-10-19 03:49:46 paul Exp $

# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    protostack=netkey
    nat_traversal=no
    nhelpers=0
    fragicmp=no
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
# VPN Brisanet
conn Brisanet
    #
    # ----------------------------------------------------------
    # Use certificates. Disable Perfect Forward Secrecy.
    # Initiate rekeying.
    # Connection type _must_ be Transport Mode.
    #
    authby=rsasig
    pfs=no
    rekey=yes
    keyingtries=3
    type=transport
    #
    # Here you must put the IP address you receive from the tower
    # and the gateway address, normally an address in the 10 network
    left=10.235.24.2
    leftnexthop=10.235.0.1
    #
    # The certificate of this client.
    #
    leftcert=/etc/ipsec.d/erasmojosecrt.pem
    leftrsasigkey=%cert
    leftprotoport=17/1701
    #
    # ----------------------------------------------------------
    #
    # VPN server
    right=portalegre.brisanet.com.br
    #
    # THE LINES BELOW MUST NOT BE CHANGED
    rightid="C=BR, ST=Ceara, O=Brisanet Internet, OU=Brisanet Internet, CN=Brisanet, E=suporte@..."
    # (Alternatives for rightcert= are also possible)
    rightrsasigkey=%cert
    rightca=%same
    rightprotoport=17/1701
    auto=add

After that I ran the commands again: /etc/init.d/ipsec restart

erasmo@erasmo-desktop:~$ sudo /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appear to be stopped already!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec 2.4.12...


and ipsec auto --up Brisanet

but from that one I got no output at all...

erasmo@erasmo-desktop:~$ sudo ipsec auto --up Brisanet

THE CURSOR JUST SAT THERE BLINKING AND THAT WAS IT.

To help track down the error, here is the xl2tpd.conf

;
; Sample l2tpd configuration file
;
; This example file should give you some idea of how the options for l2tpd
; should work. The best place to look for a list of all options is in
; the source code itself, until I have the time to write better documentation :)
; Specifically, the file "file.c" contains a list of commands at the end.
;
; You most definitely don't have to spell out everything as it is done here
;
; [global] ; Global parameters:
; port = 1701 ; * Bind to port 1701
; auth file = /etc/l2tpd/l2tp-secrets ; * Where our challenge secrets are
; access control = yes ; * Refuse connections without IP match
; rand source = dev ; Source for entropy for random
; ; numbers, options are:
; ; dev - reads of /dev/urandom
; ; sys - uses rand()
; ; egd - reads from egd socket
; ; egd is not yet implemented
;
; [lns default] ; Our fallthrough LNS definition
; exclusive = no ; * Only permit one tunnel per host
; ip range = 192.168.0.1-192.168.0.20 ; * Allocate from this IP range
; no ip range = 192.168.0.3-192.168.0.9 ; * Except these hosts
; ip range = 192.168.0.5 ; * But this one is okay
; ip range = lac1-lac2 ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8 ; * These can connect as LAC's
; no lac = untrusted.marko.net ; * This guy can't connect
; hidden bit = no ; * Use hidden AVP's?
; local ip = 192.168.1.2 ; * Our local IP to use
; length bit = yes ; * Use length bit in payload?
; require chap = yes ; * Require CHAP auth. by peer
; refuse pap = yes ; * Refuse PAP authentication
; refuse chap = no ; * Refuse CHAP authentication
; refuse authentication = no ; * Refuse authentication altogether
; require authentication = yes ; * Require peer to authenticate
; unix authentication = no ; * Use /etc/passwd for auth.
; name = myhostname ; * Report this as our hostname
; ppp debug = no ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options.l2tpd.lns ; * ppp options file
; call rws = 10 ; * RWS for call (-1 is valid)
; tunnel rws = 4 ; * RWS for tunnel (must be > 0)
; flow bit = yes ; * Include sequence numbers
; challenge = yes ; * Challenge authenticate peer
;
; [lac marko] ; Example VPN LAC definition
; lns = lns.marko.net ; * Who is our LNS?
; lns = lns2.marko.net ; * A backup LNS (not yet used)
; redial = yes ; * Redial if disconnected?
; redial timeout = 15 ; * Wait n seconds between redials
; max redials = 5 ; * Give up after n consecutive failures
; hidden bit = yes ; * User hidden AVP's?
; local ip = 192.168.1.1 ; * Force peer to use this IP for us
; remote ip = 192.168.1.2 ; * Force peer to use this as their IP
; length bit = no ; * Use length bit in payload?
; require pap = no ; * Require PAP auth. by peer
; require chap = yes ; * Require CHAP auth. by peer
; refuse pap = yes ; * Refuse PAP authentication
; refuse chap = no ; * Refuse CHAP authentication
; refuse authentication = no ; * Refuse authentication altogether
; require authentication = yes ; * Require peer to authenticate
; name = marko ; * Report this as our hostname
; ppp debug = no ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options.l2tpd.marko ; * ppp options file for this lac
; call rws = 10 ; * RWS for call (-1 is valid)
; tunnel rws = 4 ; * RWS for tunnel (must be > 0)
; flow bit = yes ; * Include sequence numbers
; challenge = yes ; * Challenge authenticate peer
;
; [lac cisco] ; Another quick LAC
; lns = cisco.marko.net ; * Required, but can take from default
; require authentication = yes

[lac Brisanet]
lns = portalegre.brisanet.com.br
;require chap = yes
require pap = yes
require authentication = yes
; Username that will authenticate to the VPN
name = erasmojose@...
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd.client
length bit = yes


the /etc/ppp/pap-secrets looks like this

#
# /etc/ppp/pap-secrets
#
# This is a pap-secrets file to be used with the AUTO_PPP function of
# mgetty. mgetty-0.99 is preconfigured to startup pppd with the login option
# which will cause pppd to consult /etc/passwd (and /etc/shadow in turn)
# after a user has passed this file. Don't be disturbed therefore by the fact
# that this file defines logins with any password for users. /etc/passwd
# (again, /etc/shadow, too) will catch passwd mismatches.
#
# This file should block ALL users that should not be able to do AUTO_PPP.
# AUTO_PPP bypasses the usual login program so it's necessary to list all
# system userids with regular passwords here.
#
# ATTENTION: The definitions here can allow users to login without a
# password if you don't use the login option of pppd! The mgetty Debian
# package already provides this option; make sure you don't change that.

# INBOUND connections

# Every regular user can use PPP and has to use passwords from /etc/passwd
* hostname "" *

# UserIDs that cannot use PPP at all. Check your /etc/passwd and add any
# other accounts that should not be able to use pppd!
guest hostname "*" -
master hostname "*" -
root hostname "*" -
support hostname "*" -
stats hostname "*" -

# OUTBOUND connections

# Here you should add your userid password to connect to your providers via
# PAP. The * means that the password is to be used for ANY host you connect
# to. Thus you do not have to worry about the foreign machine name. Just
# replace password with your password.
# If you have different providers with different passwords then you better
# remove the following line.

# * password
erasmojose@...	*	"my brisanet email password"


The /etc/ppp/options.xl2tpd.client file looks like this

ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
#proxyarp
usepeerdns
connect-delay 5000




--
Erasmo José Pereira de Oliveira
Contact: (84)9998-8232

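The message that stops the exchange above is "unable to locate my private key for RSA Signature". With authby=rsasig and leftrsasigkey=%cert, Openswan's Pluto takes the public key from the file named in leftcert=, but it only finds the matching private key through an ": RSA <path>" entry in /etc/ipsec.secrets; the ipsec.conf posted here never names a private key at all, so the two things worth checking are that such an entry exists and that the key it points to really belongs to the certificate. The script below is an added example, not code from the original post or from Openswan; the key path /etc/ipsec.d/private/erasmojosekey.pem and the secrets path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check the two facts that the
# "unable to locate my private key for RSA Signature" error depends on.
# Openswan reads the certificate from leftcert= in ipsec.conf but looks for
# the matching RSA private key only through /etc/ipsec.secrets, in a line such as
#     : RSA /etc/ipsec.d/private/erasmojosekey.pem
# The key and secrets paths used at the bottom are assumptions, not from the post.

# RSA modulus of a PEM certificate, printed as one "Modulus=..." line.
cert_modulus() {
    openssl x509 -in "$1" -noout -modulus
}

# RSA modulus of an unencrypted PEM private key, in the same format.
key_modulus() {
    openssl rsa -in "$1" -noout -modulus 2>/dev/null
}

# Exit 0 when the certificate and the key belong to the same RSA key pair.
keypair_matches() {
    cert_mod=$(cert_modulus "$1") || return 1
    key_mod=$(key_modulus "$2") || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Exit 0 when the secrets file has an ": RSA ..." entry naming this key file.
secrets_reference_key() {
    grep -E '^[[:space:]]*:[[:space:]]*RSA[[:space:]]' "$1" 2>/dev/null \
        | grep -Fq -- "$2"
}

# Run both checks and say which one failed.
# Usage: check_client_identity CERT KEY SECRETS
check_client_identity() {
    cert=$1 key=$2 secrets=$3
    rc=0
    if ! keypair_matches "$cert" "$key"; then
        echo "FAIL: private key $key does not match certificate $cert" >&2
        rc=1
    fi
    if ! secrets_reference_key "$secrets" "$key"; then
        echo "FAIL: $secrets has no ': RSA $key' entry, so Pluto cannot find the key" >&2
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $cert and $key form a pair and $secrets references the key"
    fi
    return "$rc"
}

# When given three paths on the command line, run the check on them, e.g.
#   sudo sh ipsec-keycheck.sh /etc/ipsec.d/erasmojosecrt.pem \
#        /etc/ipsec.d/private/erasmojosekey.pem /etc/ipsec.secrets
if [ "$#" -ge 3 ]; then
    check_client_identity "$1" "$2" "$3"
fi
```

Run it as root, since /etc/ipsec.secrets and the key are normally readable only by root. If the secrets check fails, add the ": RSA /path/to/key.pem" line (the passphrase, if the key has one, goes in double quotes after the path) and run "ipsec secrets" or restart the daemon so Pluto rereads the file; if the modulus check fails, the certificate was not issued for that key and no secrets entry will fix it.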