<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">2014-06-23 11:31 GMT+04:00 Rene C. <span dir="ltr"><<a href="mailto:openvz@dokbua.com" target="_blank">openvz@dokbua.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Sorry, still stuck:<br></blockquote><div><br></div><div>Did you try the OpenVPN configuration that I've suggested?</div><div><br></div><div>About IPsec: not sure; checking your syslog logs might give you some tips. </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
[root@server14 ~]# uname -a<br>
Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux<br>
[root@server14 ~]# for x in tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod | grep $x; done<br>
xfrm4_mode_tunnel 2019 0<br>
tun 19157 0<br>
<div class="">ppp_async 7874 0<br>
ppp_generic 25400 3 pppol2tp,pppox,ppp_async<br>
</div>crc_ccitt 1733 1 ppp_async<br>
<div class="">pppol2tp 22749 0<br>
pppox 2712 1 pppol2tp<br>
</div>ppp_generic 25400 3 pppol2tp,pppox,ppp_async<br>
xfrm4_mode_transport 1465 0<br>
xfrm4_mode_tunnel 2019 0<br>
xfrm_ipcomp 4626 0<br>
esp4 5406 0<br>
[root@server14 ~]# vzctl enter 1418<br>
entered into CT 1418<br>
<div class="">[root@vps1418 /]# ipsec verify<br>
Checking your system to see if IPsec got installed and started correctly:<br>
Version check and ipsec on-path [OK]<br>
Linux Openswan U2.6.32/K(no kernel code presently loaded)<br>
Checking for IPsec support in kernel [FAILED]<br>
SAref kernel support [N/A]<br>
Checking that pluto is running [OK]<br>
Pluto listening for IKE on udp 500 [FAILED]<br>
Pluto listening for NAT-T on udp 4500 [FAILED]<br>
Checking for 'ip' command [OK]<br>
Checking /bin/sh is not /bin/dash [OK]<br>
Checking for 'iptables' command [OK]<br>
Opportunistic Encryption Support [DISABLED]<br>
<br>
</div>What am I missing?<br>
<div class="HOEnZb"><div class="h5"><br>
On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <<a href="mailto:openvz@dokbua.com">openvz@dokbua.com</a>> wrote:<br>
> Yep, rebooted the container.<br>
><br>
> Here are the modules present:<br>
><br>
> [root@server18 ~]# lsmod<br>
> Module Size Used by<br>
> esp4 5406 0<br>
> xfrm_ipcomp 4626 0<br>
> xfrm4_mode_tunnel 2019 0<br>
> pppol2tp 22749 0<br>
> pppox 2712 1 pppol2tp<br>
> ppp_async 7874 0<br>
> ppp_generic 25400 3 pppol2tp,pppox,ppp_async<br>
> slhc 5821 1 ppp_generic<br>
> crc_ccitt 1733 1 ppp_async<br>
> vzethdev 8221 0<br>
> vznetdev 18952 10<br>
> pio_nfs 17576 0<br>
> pio_direct 28261 9<br>
> pfmt_raw 3213 0<br>
> pfmt_ploop1 6320 9<br>
> ploop 116096 23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1<br>
> simfs 4448 0<br>
> vzrst 196693 0<br>
> vzcpt 148911 1 vzrst<br>
> nfs 442438 3 pio_nfs,vzrst,vzcpt<br>
> lockd 77189 2 vzrst,nfs<br>
> fscache 55684 1 nfs<br>
> auth_rpcgss 44949 1 nfs<br>
> nfs_acl 2663 1 nfs<br>
> sunrpc 268245 6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl<br>
> vziolimit 3719 0<br>
> vzmon 24462 8 vznetdev,vzrst,vzcpt<br>
> ip6table_mangle 3669 0<br>
> nf_nat_ftp 3523 0<br>
> nf_conntrack_ftp 12929 1 nf_nat_ftp<br>
> iptable_nat 6302 1<br>
> nf_nat 23213 3 vzrst,nf_nat_ftp,iptable_nat<br>
> xt_length 1338 0<br>
> xt_hl 1547 0<br>
> xt_tcpmss 1623 0<br>
> xt_TCPMSS 3461 1<br>
> iptable_mangle 3493 0<br>
> xt_multiport 2716 0<br>
> xt_limit 2134 0<br>
> nf_conntrack_ipv4 9946 5 iptable_nat,nf_nat<br>
> nf_defrag_ipv4 1531 1 nf_conntrack_ipv4<br>
> ipt_LOG 6405 0<br>
> xt_DSCP 2849 0<br>
> xt_dscp 2073 0<br>
> ipt_REJECT 2399 12<br>
> tun 19157 0<br>
> xt_owner 2258 0<br>
> vzdquota 55339 0 [permanent]<br>
> vzevent 2179 1<br>
> vzdev 2733 5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota<br>
> iptable_filter 2937 5<br>
> ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter<br>
> ip6t_REJECT 4711 2<br>
> nf_conntrack_ipv6 8353 2<br>
> nf_defrag_ipv6 11188 1 nf_conntrack_ipv6<br>
> xt_state 1508 4<br>
> nf_conntrack 80313 9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state<br>
> ip6table_filter 3033 1<br>
> ip6_tables 18988 2 ip6table_mangle,ip6table_filter<br>
> ipv6 322874 1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6<br>
> iTCO_wdt 7147 0<br>
> iTCO_vendor_support 3072 1 iTCO_wdt<br>
> i2c_i801 11375 0<br>
> i2c_core 31084 1 i2c_i801<br>
> sg 29446 0<br>
> lpc_ich 12819 0<br>
> mfd_core 1911 1 lpc_ich<br>
> e1000e 267426 0<br>
> ptp 9614 1 e1000e<br>
> pps_core 11490 1 ptp<br>
> ext4 419456 11<br>
> jbd2 93779 1 ext4<br>
> mbcache 8209 1 ext4<br>
> sd_mod 39005 6<br>
> crc_t10dif 1557 1 sd_mod<br>
> ahci 42263 4<br>
> video 20978 0<br>
> output 2425 1 video<br>
> dm_mirror 14432 0<br>
> dm_region_hash 12101 1 dm_mirror<br>
> dm_log 9946 2 dm_mirror,dm_region_hash<br>
> dm_mod 84369 19 dm_mirror,dm_log<br>
><br>
> On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov<br>
> <<a href="mailto:pavel.odintsov@gmail.com">pavel.odintsov@gmail.com</a>> wrote:<br>
>> Hello!<br>
>><br>
>> IPsec should work from the 84.8 kernel according to<br>
>> <a href="https://openvz.org/IPsec" target="_blank">https://openvz.org/IPsec</a> but I found an explicit reference to IPsec<br>
>> only in 84.10: <a href="http://openvz.org/Download/kernel/rhel6-testing/042stab084.10" target="_blank">http://openvz.org/Download/kernel/rhel6-testing/042stab084.10</a><br>
>><br>
>> Did you restart the CT after loading kernel modules for l2tp?<br>
>><br>
>> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <<a href="mailto:openvz@dokbua.com">openvz@dokbua.com</a>> wrote:<br>
>>> Ok I gave your suggestion a shot, using your link through Google<br>
>>> translate and <a href="http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/" target="_blank">http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/</a><br>
>>> for comparison.<br>
>>><br>
>>> Everything seems to go well until the 'ipsec verify' part when it says:<br>
>>><br>
>>> [root@vps1418 /]# ipsec verify<br>
>>> Checking your system to see if IPsec got installed and started correctly:<br>
>>> Version check and ipsec on-path [OK]<br>
>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)<br>
>>> Checking for IPsec support in kernel [FAILED]<br>
>>> SAref kernel support [N/A]<br>
>>> Checking that pluto is running [OK]<br>
>>> Pluto listening for IKE on udp 500 [FAILED]<br>
>>> Pluto listening for NAT-T on udp 4500 [FAILED]<br>
>>> Checking for 'ip' command [OK]<br>
>>> Checking /bin/sh is not /bin/dash [OK]<br>
>>> Checking for 'iptables' command [OK]<br>
>>> Opportunistic Encryption Support [DISABLED]<br>
>>><br>
>>> I think the biggest problem here is the "Checking for IPsec support in kernel"?<br>
>>><br>
>>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but<br>
>>> supposedly ipsec support should be in kernels after stab084?<br>
>>><br>
>>><br>
>>><br>
>>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov<br>
>>> <<a href="mailto:pavel.odintsov@gmail.com">pavel.odintsov@gmail.com</a>> wrote:<br>
>>>> Hello!<br>
>>>><br>
>>>> In modern versions of OpenVZ you can use l2tp with ipsec support<br>
>>>> instead of OpenVPN: <a href="http://habrahabr.ru/company/FastVPS/blog/205162/" target="_blank">http://habrahabr.ru/company/FastVPS/blog/205162/</a><br>
>>>> (sorry, this manual is in Russian, but it's very simple). It's<br>
>>>> very usable because you do not need any special clients on Windows<br>
>>>> hosts. Maybe you can try this?<br>
>>>><br>
>>>><br>
>>>><br>
>>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion <<a href="mailto:zoobab@gmail.com">zoobab@gmail.com</a>> wrote:<br>
>>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <<a href="mailto:openvz@dokbua.com">openvz@dokbua.com</a>> wrote:<br>
>>>>>> I got the openvpn part itself down, no problem, but getting it to work<br>
>>>>>> in a container is a lot of hassle. Many pages, but most are outdated<br>
>>>>>> and things keep changing. Anyone know how to get it to work TODAY?<br>
>>>>>><br>
>>>>>> The server is an otherwise normal server with public ip addresses and<br>
>>>>>> works with cpanel, no problem that far. The problem is getting an<br>
>>>>>> openvpn service to work in it.<br>
>>>>>><br>
>>>>>> I've already added the tun device, and I can connect to the server<br>
>>>>>> with the openvpn client, just can't continue from there, so some<br>
>>>>>> routing is missing.<br>
>>>>>><br>
>>>>>> I've followed the general routing instructions but because openvz<br>
>>>>>> doesn't support MASQ it doesn't work.<br>
>>>>>><br>
>>>>>> - which modules to insmod on the hwnode<br>
>>>>><br>
>>>>> Just make sure "tun" is present in lsmod.<br>
>>>>><br>
>>>>>> - which modules to add into /etc/vz/vz.conf<br>
>>>>><br>
>>>>> The same. "tun" should be part of the list of modules in vz.conf, so<br>
>>>>> it gets loaded at vz start.<br>
>>>>><br>
>>>>>> - which modules to add into /etc/vz/<ct>.conf<br>
>>>>><br>
>>>>> And for the CTID you want to run openvpn access in:<br>
>>>>><br>
>>>>> <a href="https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP" target="_blank">https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP</a><br>
>>>>><br>
>>>>> Can you provide openvpn-client debug messages?<br>
>>>>><br>
>>>>> --<br>
>>>>> Benjamin Henrion <bhenrion at <a href="http://ffii.org" target="_blank">ffii.org</a>><br>
>>>>> FFII Brussels - +32-484-566109 - +32-2-4148403<br>
>>>>> "In July 2005, after several failed attempts to legalise software<br>
>>>>> patents in Europe, the patent establishment changed its strategy.<br>
>>>>> Instead of explicitly seeking to sanction the patentability of<br>
>>>>> software, they are now seeking to create a central European patent<br>
>>>>> court, which would establish and enforce patentability rules in their<br>
>>>>> favor, without any possibility of correction by competing courts or<br>
>>>>> democratically elected legislators."<br>
>>>>> _______________________________________________<br>
>>>>> Users mailing list<br>
>>>>> <a href="mailto:Users@openvz.org">Users@openvz.org</a><br>
>>>>> <a href="https://lists.openvz.org/mailman/listinfo/users" target="_blank">https://lists.openvz.org/mailman/listinfo/users</a><br>
>>>><br>
>>>><br>
>>>><br>
>>>> --<br>
>>>> Sincerely yours, Pavel Odintsov<br>
>><br>
>><br>
>><br>
>> --<br>
>> Sincerely yours, Pavel Odintsov<br>
</div></div></blockquote></div><br></div></div>