[leaf-user] RE: IPSEC md5sum not found (Tibbs, Richard)

2005-05-09 Thread Vic Berdin
Hi,

 Message: 1
 Date: Sun, 8 May 2005 09:31:43 -0400
 From: Tibbs, Richard [EMAIL PROTECTED]
 To: Bering List leaf-user@lists.sourceforge.net
 Subject: [leaf-user] IPSEC md5sum not found
 
 
 Dear list:
 I have a subnet-to-subnet ipsec tunnel that is not coming up, 
 and an ipsec barf shows several md5sum not found 
 messages in association with all of the secrets.
 
 I looked through the ipsec.conf man page with no luck to find 
 some way to generate the md5 checksum.
 
 Is this a fatal error?

I believe ipsec keying mechanisms are looking for the tool `md5sum`.

Regards,
Vic




---
This SF.Net email is sponsored by: NEC IT Guy Games.
Get your fingers limbered up and give it your best shot. 4 great events, 4
opportunities to win big! Highest score wins.NEC IT Guy Games. Play to
win an NEC 61 plasma display. Visit http://www.necitguy.com/?r=20

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] IPSEC md5sum not found

2005-05-09 Thread Charles Steinkuehler
Tibbs, Richard wrote:
| Dear list:
| I have a subnet-to-subnet ipsec tunnel that is not coming up, and an
| ipsec barf shows several
| md5sum not found messages in association with all of the secrets.
|
| I looked through the ipsec.conf man page with no luck to find some way
| to generate the md5 checksum.
|
| Is this a fatal error?
No.  The ipsec barf tool is trying to create an MD5 sum of your PSK, to
avoid posting it 'in the clear' as debugging information.  There *IS* no
md5sum utility on most leaf systems, hence your error.
I'm still awaiting enough free cycles to crawl through the ipsec barf you
sent...
--
Charles Steinkuehler
[EMAIL PROTECTED]


[leaf-user] Discussion: fragmentation issues across ipsec channel

2005-05-09 Thread Erich Titl
Hi folks
I found a problem sending large packets (e.g. large icmp echo requests) 
across an ipsec tunnel. I used a ping size of 2000 bytes and found that 
the remote ipsec gateway tried to reply with a fragmentation needed icmp 
packet. The icmp packet though went through the default gateway, which 
was not the ipsec tunnel.

Here is some ASCII art:
local client network
|
192.168.5.1
client gateway
dynamic ip (dsl)
|
static ip (dsl)
central gateway
192.168.1.1
|
central network 192.168.1.1
I added an iproute2 table and rule to allow the client gateway to access 
the network 192.168.1.0/24 through the ipsec tunnel using a source 
address of 192.168.5.1. This is just handy if you don't have access to a 
real computer on the client network to use as a source for tests.

I could observe that the large packet to 192.168.1.254, a server on the 
central network, entered the ipsec tunnel on the client side and got 
delivered to the ipsec gateway on the central site. Then the ipsec 
gateway on the central site tried to send a fragmentation needed icmp 
packet to the source (192.168.5.1). This icmp packet had as source 
address the external static ip of the central gateway. There is no valid 
route through the internet to 192.168.5.1 so this packet was lost and of 
course my ping request was never replied to. The same would apply if a 
large data packet from the client network was sent with the don't 
fragment bit set.

I found that by applying a similar iproute2 table, rule and route, which 
allowed the internal address of the central ipsec gateway to access the 
client network, the icmp packets from the central router were then routed 
through the ipsec tunnel to the client's local network, hence notifying the 
source of the large packet of the fragmentation necessity. Subsequently 
the echo requests succeeded.

Is this enough of a general interest to make it to the ipsec docs? Is 
this best practice or is there a better way to solve this?

cheers
Erich
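The table/rule/route fix Erich describes, written out as an added example (these are not the commands from his post, which does not show them). It assumes the Bering/KLIPS virtual interface ipsec0, an arbitrary policy-routing table id 100, and that the central gateway's internal address is 192.168.1.1 while the client network is 192.168.5.0/24; the commands are built as text first so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: KLIPS ipsec0
# interface (Bering), table 100 chosen arbitrarily, addresses from the thread.
set -eu

CENTRAL_INTERNAL=192.168.1.1   # internal address of the central ipsec gateway
CLIENT_NET=192.168.5.0/24      # client network on the far side of the tunnel
IPSEC_IF=ipsec0                # KLIPS virtual interface (assumption)
TABLE=100                      # policy-routing table id (assumption)

# Emit the iproute2 commands as lines of text. The route forces packets
# destined for the client network onto the tunnel interface with the
# internal address as source, so an ICMP "fragmentation needed" generated
# by the central gateway leaves through the tunnel instead of the default
# gateway with the external address as source. (On some KLIPS setups the
# route also needs "via <nexthop>"; check what _updown added to the main table.)
build_return_route_cmds() {
    printf '%s\n' \
      "ip route add $CLIENT_NET dev $IPSEC_IF src $CENTRAL_INTERNAL table $TABLE" \
      "ip rule add from $CENTRAL_INTERNAL to $CLIENT_NET table $TABLE pref 1000"
}

# Apply the commands (requires root on the central gateway).
apply_return_route() {
    build_return_route_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

# Verify the path the ICMP error would take: the kernel must pick the
# tunnel interface for a packet from the internal address to the client side.
check_return_route() {
    ip route get "${1:-192.168.5.1}" from "$CENTRAL_INTERNAL" | grep -q "dev $IPSEC_IF"
}

if [ "${1:-}" = apply ]; then
    apply_return_route
    check_return_route && echo "return route via $IPSEC_IF OK"
fi
```

Run with no arguments it only defines the functions; `sh script.sh apply` installs the table entries and checks them with `ip route get`.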





RE: [leaf-user] IPSEC md5sum not found

2005-05-09 Thread Tibbs, Richard
Thanks Charles!
I have plenty of other mysteries to explore.
Rick.

