Hi,
Thanks for the quick response, Charles! Here are some answers to your good
questions.
1) Is the ipsec service running on startup? Yes. The ipsec service seems
to be running on startup, which is what I want it to do. If I try starting
the service without stopping it, ipsec complains that it is already running.
If I shut down the service and restart it, I get the pluto errors in the
logs again.
2) Try simpler authentication method? Well, I was trying to be simple and
use a pre-shared key ("jwalters" on both ends), but maybe I'm not
configuring it properly if it complaining about certs. When I was following
the excellent Bering installation guide IPSec section, it mentioned that the
certificate creation could be skipped if only pre-shared keys were being
used. When I skipped the cert creation, there were errors in the auth.log
file complaining about the certificate directories being empty, so I figured
that adding certificates might help. Perhaps my problem is trying to do
without the certificates when I really need them.
3) Using RSA keys without certificates? I'm not sure that I fully
understand the whole certificate scenario, so I was trying to avoid that
altogether. Perhaps that's not possible with Bering-uClibc. I'd be happy
to use a standard Bering version, if that would make things easier. I'll
try taking one of my older Bering router images and adding the appropriate
lrp files. I do remember trying that route early on in the process and not
being able to find the mawk.lrp or libm.lrp file that I thought I needed and
abandoning the attempt. I think that is worth investigating, if you have
gotten that working in a similar application. I'll try that next.
Also, I am wondering how wise my choice was to try ipsec on a LEAF image
before I had ever configured a full server with ipsec. All of my prior
experiences with LRP and LEAF were enhanced when I tried getting it working
with a full server (with all of the associated debug tools that are
referenced in the various howto files and man pages). Perhaps a couple of
hours making some test servers would help me understand some of the
ipsec.conf nuances that might be confounding me. I think I'll try that
after I try my configuration with a standard Bering distribution.
Thanks for the pointers, and I'll reply to the list with more information
when I have some.
Thanks,
Jim Walters
-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]
Sent: Friday, June 04, 2004 4:06 PM
To: Jim Walters
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] trying to get ipsec VPN working
Jim Walters wrote:
> Hi All,
>
> I have been a happy LRP and LEAF user for a number of years now. Thanks
for
> all the great work! I started messing with LRP for fun and began
production
> use at some offices with LRP 2.9.4. The offices have been updated over
the
> years, moving up through Dachstein and Eiger and using Bering most
recently.
> Fantastic stuff that just works! My best uptime so far has been about 380
> days! Nice! Anyway, I've been recently asked to provide some VPN
> functionality at a couple of offices that are running Bering. I've done a
> bit of research and spent a bit of time trying to get a working setup on
the
> bench. I can't seem to get past a couple of hitches and it is time to ask
> the community for a bit of help. I'm certain that it it is my
inexperience
> with IPSec that is causing the problems, so hopefully it will be a quick
bit
> of advice that will put me back on track.
>
> At this point, I have eleminated all of the errors that displayed on the
> console during the startup phase. When I try to start the VPN connection
> from the command line with "ipsec auto --up vpn_jim" (vpn_jim is the name
of
> my vpn tunnel, I think), I get "whack: Pluto is not running (no
> "var/run/pluto.ctl")" as the response. I get that message for most
anything
> that I type that starts with ipsec. When I look in /var/log/daemon.log, I
> can see a line that says "ipsec__plutorun: !pluto failure: exited with
error
> status 1". When I look in /var/log/auth.log, I can see a line that says
> "pluto[31029]: FATAL ERROR: unable to malloc 0 bytes for cert". The few
> previous lines mentioned loading the cacert file and the crl file. There
is
> nothing in the process list about pluto, so I think it's dead.
>
> Anybody got any suggestions?
Stupid question #1:
Did you start IPSec at startup (or manually)? Try running:
svi ipsec start
Stupid question #2:
If you did try starting pluto and it crashed, have you tried using a
simpler auth method? I suggest getting things going with
pre-shared-secrets, then migrating to RSA keys or certs once things are
working...there's enough complexity in IPSec by itself, adding cert
issues on top of it can be daunting for a first go-round.
Stupid question #3:
It looks like you're using plain RSA keys. I don't know if the
Cert-patched version of ipsec that comes with Bering-uClibc supports
this, or if it only likes full-blown certificates. I use RSA keys (w/o
using certs) on Bering (normal, not uClibc), and it happily
interoperates with my Dachstein routers still in production (which don't
understand certs anyway).
NOTE: It is *REALLY* easy to malform your ipsec secrets file (it's got
an odd syntax, and ipsec very picky), which can cause no end of
'what-now..it should work' type problems. Be careful when editing, read
through the manpages (find online), and try to follow some examples
verbatim for your first tunnel(s). A misplaced (or missing) space or
tab can do you in...
--
Charles Steinkuehler
[EMAIL PROTECTED]
-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
