SLUG Mailing List Archives
Re: [SLUG] Site to Site VPN
- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] Site to Site VPN
- From: Daniel Pittman <daniel@xxxxxxxxxxxx>
- Date: Mon, 01 Jun 2009 12:25:51 +1000
- Organization: I know I put it down here, somewhere.
- User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.91 (gnu/linux)
Peter Rundle <peter@xxxxxxxxxxxxxxxxxx> writes:
>> That isn't right! The RHEL kernel should have a whole bunch of modules,
>> and their being missing is not a good sign.
>> ...because your kernel is screwed. Try reinstalling that to get all the
>> modules in place, then give IPSec a shot again. :)
> The thick plottens!
> The box that I'm trying to make be the VPN peer is a Virtual machine which is
> running Virtuoso and its kernel has been deliberately "screwed" to prevent
> kernel modules from being installed because "they represent a security threat
> to the other VMs" at the ISP.
Oh. This is a VE inside a Virtuozzo system? (The commercial version of
OpenVZ, specifically, and a "containers" solution.) Your ISP's response
isn't terribly technically accurate, then.
(I should have noted that from the specific kernel version. Tsk.)
Inside the VE you can't load kernel modules, and they shouldn't have
bothered putting a kernel image on disk — the kernel is not accessible
to you, which is also why lsmod returns nothing.
> Seems that there is only one kernel running that is shared by all the
> virtual machines, not sure of the details but bottom line is, no
> kernel modules!
Well, not that are accessible to you. However, two options:
I would take the second option, since it seems that vpnc has some issues
with the Juniper VPN implementation.
If the ISP can provide a TUN interface, which isn't a security risk to
them and is virtualized, as well as routing for the traffic types
needed, then pipsecd should work just fine.
 Which is probably the less likely option, sadly, unless your friend
paid for a dedicated IP for his system.