Re: [Swan] VTI issue to SRX unable to send traffic through the interface

2017-11-10 Thread Paul Wouters

On Wed, 1 Nov 2017, Paul Tran wrote:

> RP_filter is disabled but the ipsec verify shows the same message about
> disabling it still (rp_filter is not fully aware of IPsec and should be
> disabled).

The "all" or "default" options only take effect on newly created
interfaces. So either manually disable each existing one, or
restart the networking (or reboot?)

> XfrmInStateMismatch 19

Are they not marked properly? Or routed into the VTI interface?

> But there are XFRM policies in place for use -
> src 10.0.0.0/8 dst 192.168.0.0/16 uid 0
>     dir out action allow index 177 priority 2864 ptype main share any flag  (0x)
>     mark 5/0xfff

so if you have a route into the vti device which has a key of 5, as
shown with "ip tunnel" then it should work provided the ping packet
has a 10.* source ip to 192.168.*.*.

Paul
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
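A small set of checks for the two things Paul points at above (per-interface rp_filter, and the VTI key agreeing with the XFRM policy mark), as an added example that is not from the thread or from libreswan itself. The `ip xfrm policy` and `ip tunnel` text below is constructed, and the functions take that text as arguments so they can be fed real command output on a host.

```shell
# Constructed sample in the shape of `ip xfrm policy` output (not captured from any real host).
SAMPLE_XFRM_POLICY='src 10.0.0.0/8 dst 192.168.0.0/16 uid 0
    dir out action allow index 177 priority 2864 ptype main share any flag  (0x00000000)
    mark 5/0xfff'
# Constructed sample in the shape of `ip tunnel show` output.
SAMPLE_IP_TUNNEL='vti01: ip/ip remote 203.0.113.2 local 203.0.113.1 ttl inherit key 5
gre0: gre/ip remote any local any ttl inherit nopmtudisc'

# policy_mark <policy-text> <src> <dst> <dir>: print the mark (without its /mask) of the
# policy whose src, dst and dir match; prints nothing when no such policy exists.
policy_mark() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v dir="$4" '
        $1 == "src" { want = ($2 == src && $4 == dst) }
        $1 == "dir" { want = want && ($2 == dir) }
        want && $1 == "mark" { split($2, m, "/"); print m[1]; exit }'
}

# tunnel_key <tunnel-text> <dev>: print the key of the named tunnel device, nothing if unkeyed.
tunnel_key() {
    printf '%s\n' "$1" | awk -v dev="$2:" '
        $1 == dev { for (i = 1; i < NF; i++) if ($i == "key") print $(i + 1) }'
}

# vti_matches_policy <tunnel-text> <dev> <policy-text> <src> <dst> <dir>: succeed only when the
# VTI key and the policy mark both exist and agree, i.e. the policy selects what the VTI marks.
vti_matches_policy() {
    key=$(tunnel_key "$1" "$2")
    mark=$(policy_mark "$3" "$4" "$5" "$6")
    [ -n "$key" ] && [ "$key" = "$mark" ]
}

# rp_filter_enabled_ifaces <confdir>: list interfaces under <confdir> (normally
# /proc/sys/net/ipv4/conf) whose own rp_filter is non-zero; all/default are templates, skipped.
rp_filter_enabled_ifaces() {
    for f in "$1"/*/rp_filter; do
        d=$(basename "$(dirname "$f")")
        case "$d" in all|default) continue ;; esac
        if [ "$(cat "$f")" != 0 ]; then echo "$d"; fi
    done
}

# make_sample_conf: constructed conf tree where all/default are 0 but eth0 still has rp_filter=1.
make_sample_conf() {
    d=$(mktemp -d)
    for i in all default eth0 vti01; do mkdir -p "$d/$i"; echo 0 > "$d/$i/rp_filter"; done
    echo 1 > "$d/eth0/rp_filter"
    echo "$d"
}
```

On a live host, pass "$(ip xfrm policy)" and "$(ip tunnel show)" to the functions and /proc/sys/net/ipv4/conf to rp_filter_enabled_ifaces.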


[Swan-commit] Changes to ref refs/heads/master

2017-11-10 Thread Andrew Cagney
New commits:
commit 892fa8c15a7db860d2d834d6be767c0e6124e7f7
Author: Andrew Cagney 
Date:   Fri Nov 10 10:46:15 2017 -0500

testing: add ikev1-impair-01-dup-incomming-packets

When a machine is under load - taking time to get to each packet - the
initiator will time out and start sending duplicates for each
request.

This simulates the scenario by overwhelming east's incoming queue with
duplicates of all packets received.  The test then checks that the
duplicates are detected and either replied-to or discarded.  Most
important is the responder detecting duplicate initial requests (and
not creating new states like was happening).

___
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit


[Swan-commit] Changes to ref refs/heads/master

2017-11-10 Thread Andrew Cagney
New commits:
commit 04340e850cadd339dcf187815a73f3b5ea5be56e
Author: Andrew Cagney 
Date:   Fri Nov 10 10:12:58 2017 -0500

ikev1: when --impair dup-incoming-packets overwhelm the state with duplicates

In tests, this will force the code capping re-transmits from duplicate
packets to kick in.



Re: [Swan] Forward of moderated message

2017-11-10 Thread Paul Wouters
In git master this is fixed. We will release 3.23 soon

Sent from my iPhone

> On Nov 10, 2017, at 18:35, Ivan Kuznetsov  wrote:
> 
> Hello
> 
> Yes I hit the same problem with libreswan-3.22-2.el6_9.i686 rpm:
> 
> [root@pine ipsec.d]# ipsec setup start
> Redirecting to: service ipsec start
> Starting pluto IKE daemon for IPsec: . [FAIL ]
> [root@pine init.d]# ipsec pluto --config /etc/ipsec.conf
> pluto: FATAL: unable to create lock dir: "/run/pluto/": No such file or directory
> Nov 10 15:54:04: | crl fetch request list locked by 'free_crl_fetch'
> Nov 10 15:54:04: | crl fetch request list unlocked by 'free_crl_fetch'
> 
> It seems that there is typo in libreswan.spec
> 
> 10.11.2017 07:42, Paul Wouters wrote:
>>> The binary package for RHEL/CentOS 6 in the LibreSWAN repository
>>> appears to have been built with the RHEL/CentOS 7 directory structure
>>> for the PID and socket files; upon upgrading the ipsec service would
>>> no longer start, with a "pluto apparently already running (?!?)" error.
>>> 
>>> Some troubleshooting indicated that pluto was trying to write to
>>> /run/pluto (which doesn't exist) instead of /var/run/pluto.
>>> 
>>> A quick symlink from /run  to /var/run allows the ipsec service to
>>> start successfully, but the package should be fixed.
>> We had noticed that and released 3.22-2 packages. Is this still a
>> problem?
>> Paul
> 
> -- 
> Ivan Kuznetsov
> SOLVO ltd



Re: [Swan] Forward of moderated message

2017-11-10 Thread Ivan Kuznetsov

Hello

Yes I hit the same problem with libreswan-3.22-2.el6_9.i686 rpm:

[root@pine ipsec.d]# ipsec setup start
Redirecting to: service ipsec start
Starting pluto IKE daemon for IPsec: . [FAIL ]
[root@pine init.d]# ipsec pluto --config /etc/ipsec.conf
pluto: FATAL: unable to create lock dir: "/run/pluto/": No such file or directory

Nov 10 15:54:04: | crl fetch request list locked by 'free_crl_fetch'
Nov 10 15:54:04: | crl fetch request list unlocked by 'free_crl_fetch'

It seems that there is typo in libreswan.spec

10.11.2017 07:42, Paul Wouters wrote:
>> The binary package for RHEL/CentOS 6 in the LibreSWAN repository
>> appears to have been built with the RHEL/CentOS 7 directory structure
>> for the PID and socket files; upon upgrading the ipsec service would
>> no longer start, with a "pluto apparently already running (?!?)" error.
>>
>> Some troubleshooting indicated that pluto was trying to write to
>> /run/pluto (which doesn't exist) instead of /var/run/pluto.
>>
>> A quick symlink from /run  to /var/run allows the ipsec service to
>> start successfully, but the package should be fixed.
>
> We had noticed that and released 3.22-2 packages. Is this still a
> problem?
>
> Paul


--
Ivan Kuznetsov
SOLVO ltd