Re: [leaf-user] ipsec setup

2014-11-11 Thread kp kirchdoerfer
On Monday, 10 November 2014, 22:56:28, Erich Titl wrote:
 Hi Adam
 
 at 19.07.2007 00:57, Adam Niedzwiedzki wrote:
  Hi guys,
 
 
 
  insmod /lib/modules/ipsec.o has no issues (no errors) but I can't
  find af_key.o anywhere in the modules download.
  
  Any help appreciated
 
 Paul Wouters left the OpenSwan Project and it appears to be a dead duck
 now. AFAIK efforts have been made to port StrongSwan to LEAF and some
 progress was made but I am not sure about the current status. Anyway,
 2.4.7 is _very_ old and I guess it will not work with the current kernel
 release.
 
 I don't have an environment to test ipsec anymore, so I am a bit
 offline. KP has done the port and may know more about the current status.

What exactly was the question?

The af_key module has been added with 5.12-beta1.

And yes, I've built a setup for strongswan, but it needs to be tested before 
it will be committed. If anyone is willing to help, please write me off-list and 
I'll send a package for 5.1.2-beta1/-rc1.

kp


leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


Re: [leaf-user] ipsec setup

2014-11-10 Thread Erich Titl
Hi Adam

at 19.07.2007 00:57, Adam Niedzwiedzki wrote:
 Hi guys,



 insmod /lib/modules/ipsec.o has no issues (no errors) but I can't
 find af_key.o anywhere in the modules download.

 Any help appreciated

Paul Wouters left the OpenSwan Project and it appears to be a dead duck
now. AFAIK efforts have been made to port StrongSwan to LEAF and some
progress was made but I am not sure about the current status. Anyway,
2.4.7 is _very_ old and I guess it will not work with the current kernel
release.

I don't have an environment to test ipsec anymore, so I am a bit
offline. KP has done the port and may know more about the current status.

cheers

Erich





Re: [leaf-user] ipsec setup (not an ELF file) SOLVED

2007-07-19 Thread Adam Niedzwiedzki
SOLVED this myself

Don't try to restart /etc/init.d/ipsec from WITHIN the /etc/init.d/
directory, i.e. don't do ./ipsec --restart;
change to / and then use the full path: /etc/init.d/ipsec --restart

I'm guessing it's a bug somewhere, I'll leave the powers that be (the guys
that KNOW what they're doing) to fix this one.

Cheers
Ad



[leaf-user] ipsec setup

2007-07-18 Thread Adam Niedzwiedzki
Hi guys,

This has been fun dragging my old leaf boxes up to the new builds. I was
running openvpn, and figured I'd upgrade to openswan (ipsec) for my vpns.
The guide on the site Configuring openswan(ipsec) talks about openswan.lrp
(but can't find it) so I'm guessing it's now ipsec.lrp.

The guide talks about copying ipsec.o to modules (too easy), but starting
ipsec up on my machine I get the following

ipsec_setup: Starting Openswan IPsec 2.4.7...
ipsec_setup: insmod: not an ELF file
ipsec_setup: insmod: Could not load the module: Success
ipsec_setup: insmod: af_key.o: no module by that name found
ipsec_setup: ERROR: Failed to load or detect KLIPS and NETKEY
ipsec_setup: Using ipsec
ipsec_setup: insmod: not an ELF file
ipsec_setup: insmod: Could not load the module: Success
ipsec_setup: kernel appears to lack IPsec support (neither CONFIG_KLIPS or
CONFIG_NET_KEY are set)

insmod /lib/modules/ipsec.o has no issues (no errors) but I can't find
af_key.o anywhere in the modules download.

Any help appreciated

Cheers
Ad




[leaf-user] IPSec errors, kernel/userland version mismatch?

2007-03-30 Thread James Neave
Hi,

I've been asked to add VPN capabilities to our router here at work.
It's currently Bering-uClibc 2.3.1.

I keep getting this error in the /var/secure log when starting up or
connecting to the VPN:

Connecting:
ERROR: L2TP-PSK[2] 5.6.7.8 #3: pfkey write() of SADB_ADD message 5 for
Add SA [EMAIL PROTECTED] failed. Errno 22: Invalid argument

Starting the service:
ipsec_setup: /usr/lib/ipsec/eroute: pfkey write failed, returning -1
with errno=22.
ipsec_setup: Invalid argument, check kernel log messages for specifics.

All I can find with Google is that this suggests a kernel
module/userland tools version mismatch.

gateway# uname -r
2.4.31
gateway# ipsec --version
Linux Openswan U2.4.5/K1.0.9 (klips)
See `ipsec --copyright' for copyright information.

Erm, I *guess* that's a version mismatch. If it is, where can I grab
ipsec.lrp version 2.4.31?

Or is the version of the kernel not the same as the version of its
modules?

Regards,

James.

The information in this email is confidential and may be legally privileged.  
It is intended solely for the addressee.  Access to this email by anyone else 
is unauthorised.

If you are not the intended recipient, any disclosure, copying, distribution or 
any action taken or omitted to be taken in reliance on it is prohibited and may 
be unlawful.

The contents of an attachment to this email may contain software viruses that 
could damage your own computer systems.  Whilst The Spur Group of Companies has 
taken every precaution to minimise the risk, we cannot accept liability for any 
damage that you sustain as a result of software viruses.


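Two preflight checks for the failures reported in the two threads above, Adam's "insmod: not an ELF file" and James's "U2.4.5/K1.0.9" pair from `ipsec --version`, as an added example. This is not code from the list, from LEAF or from Openswan; the inputs it runs on are constructed here, and the only assumption is the standard ELF magic (7f 45 4c 46) and the U&lt;userland&gt;/K&lt;kernel-side&gt; layout of the version line shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Openswan: two preflight checks for
# the two failures quoted above, "insmod: not an ELF file" (Adam's log) and a
# userland/KLIPS version pair like "U2.4.5/K1.0.9" (James's `ipsec --version`).
# All inputs below are constructed; nothing is read from a real kernel.

# is_elf_file FILE: true when FILE begins with the ELF magic 7f 45 4c 46.
# insmod reports "not an ELF file" for anything else, e.g. an HTML error page
# saved under the module's name or a truncated download.
is_elf_file() {
    [ -r "$1" ] || return 1
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# check_module_file FILE: one-line verdict; returns 0 only for an ELF object,
# 2 when the file is missing (insmod: "no module by that name found").
check_module_file() {
    if [ ! -e "$1" ]; then
        echo "$1: missing"
        return 2
    elif ! is_elf_file "$1"; then
        echo "$1: not an ELF object, insmod will refuse it"
        return 1
    fi
    echo "$1: ELF object"
}

# swan_versions LINE: from "Linux Openswan U2.4.5/K1.0.9 (klips)" print
# "2.4.5 1.0.9", i.e. userland version then kernel-side (KLIPS) version.
swan_versions() {
    printf '%s\n' "$1" |
        sed -n 's/.*U\([0-9.][0-9.]*\)\/K\([0-9.][0-9.]*\).*/\1 \2/p'
}

# swan_versions_match LINE: true only when both versions were found and agree.
swan_versions_match() {
    set -- $(swan_versions "$1")
    [ $# -eq 2 ] && [ "$1" = "$2" ]
}

# Stand-alone demo on constructed inputs.
demo() {
    tmp=$(mktemp)
    printf '\177ELF' > "$tmp"      # only the magic is needed for this check
    check_module_file "$tmp"
    printf '<html>' > "$tmp"
    check_module_file "$tmp" || true
    rm -f "$tmp"
    line='Linux Openswan U2.4.5/K1.0.9 (klips)'
    swan_versions_match "$line" ||
        echo "userland and KLIPS versions differ: $(swan_versions "$line")"
}
```

Run `demo` from the shell after sourcing the file. The first check is the one to run before copying a downloaded ipsec.o or af_key.o into /lib/modules; the second only tells you that the userland tools and the kernel-side stack were not built from the same release, which is the situation the pfkey "Invalid argument" error in James's log is consistent with, not a proof of it.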


Re: [leaf-user] IPSec errors, kernel/userland version mismatch?

2007-03-30 Thread James Neave
# connecting from any IP address:
193.175.198.98 %any: PSK "MySecretKey"
# (Line above only works on recent versions of Openswan).

# There is a subtle difference with the following
# (see also 'man ipsec.secrets') which affects NATed
# clients that use a PSK:
193.175.198.98 : PSK "MySecretKey"





[leaf-user] ipsec

2006-10-18 Thread Andrew Nance
I was wondering if there is any documentation for using ipsec or some form
of vpn and Bering uClibc.

Specifically, I am using 3.0 beta 2 BuC with a standard 3 nic setup.  I was
wanting to setup (a secure) remote desktop to multiple windows servers on my
dmz and possibly also a workstation on the local network.  I have read that
a vpn will be the most secure way to access these machines.
Any help or tips you can give me will be much appreciated.

Thanks,
Andrew




Re: [leaf-user] ipsec

2006-10-18 Thread Eric Spakman
Hi Andrew,

Documentation about openvpn is in the following location:
http://leaf.sourceforge.net/doc/bk05ch07.html
Ipsec (openswan) documentation:
http://leaf.sourceforge.net/doc/bk05ch08.html

Additional information on the shorewall site (www.shorewall.net)

Regards,
Eric



Re: [leaf-user] Ipsec command not found

2006-04-06 Thread Eric Spakman
Hello Bodo,


 I got the same error with the package I just checked out from CVS.
 Then I checked the CVS revision:


 cvs status ipsec.lrp
 ==File:
 ipsec.lrp Status: Up-to-date

 Working revision:1.2
 Repository revision: 1.2
 /cvsroot/leaf/bin/packages/uclibc-0.9/20/2.4.32/ipsec.lrp,v
 ...


 This is the same (6 weeks old) revision as shown in the CVS view on
 http://cvs.sourceforge.net/viewcvs.py/leaf/bin/packages/uclibc-0.9/20/2.4.
 32/


 IIRC Sourceforge has 2 CVS servers: one for developers and one for
 anonymous access. Maybe the syncing of the developer CVS with the anonymous
 CVS does not work.


I'm afraid this is the case


 Please send me the package.

I will send you the package later today (UTC). I'm at work now ;-)



 Bodo

Eric





Re: [leaf-user] Ipsec command not found

2006-03-31 Thread Eric Spakman
Hello Huy,

There is indeed a typo in the buildtool setup of openswan, I have
corrected the setup and created a new package. It seems that Sourceforge's
CVS is down at the moment so I can't commit the fix. I will send you a new
package privately.

Thanks for reporting.

Eric

 Hi
 I am setting up a Bering uClibc 2.4 Release ipsec VPN with an old Bering
 2.0
 at one of our hosting centers. Although the tunnel is working perfectly,
 whenever I type in any ipsec command such as ipsec eroute, ipsec manual
 con_name up, ipsec help etc. it always fails with the following:
 /usr/sbin/ipsec: unknown IPsec command `command' (`ipsec --help' for
 list). ipsec --help gives this error:

 Usage: ipsec command argument ...
 where command is one of: ls: /usr/local/lib/ipsec: No such file or
 directory ls: /usr/local/libexec/ipsec: No such file or directory


 Most of these have their own manual pages, e.g. ipsec_auto(8).
 See also http://www.freeswan.org or the ipsec(8) manual page.


 Can anyone tell me what I missed.
 Thanks
 Huy






Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread Eric Spakman
Hello Cpu,

Does the same fix apply to our current openswan-2.4.4?

Eric

 Hello,


 In addition to specifying a label I couldn't get openswan to work with
 secondary IPs unless I changed this line in _startklips:

 eval `ip addr show $phys primary | grep inet | sed -n 1p |

 to:


 eval `ip addr show ${phys%%:*} label $phys | grep inet | sed -n 1p

 -cpu


 Charles Steinkuehler wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1


 Sandro Doro wrote:

 Hi,


 I am testing Bering 2.3.1 with a multiple IP interface as:


 # ip addr show eth0
 5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
     inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
     inet 82.46.148.128/24 scope global secondary eth0
     inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link


 Using the included ipsec.lrp (v.1.0.9) I setup VPN with:


 # /etc/ipsec.conf
 [...]
 interfaces="ipsec0=eth0 ipsec1=eth0:0" [...]


 After /etc/init.d/ipsec restart the following messages is printed:


 Device eth0:0 does not exist.
 ipsec_setup: unable to determine address of `eth0:0'


 This messages is printed also if I change the ip address with the
 following command:

 ip addr add 82.46.148.128/24 dev eth0 label eth0:0

 I have read in


 http://www.freeswan.ca/docs/HA/HA_VPNS_With_FreeSWAN.html


 that this interface specification is correct. This is possible only in
 v2 release (Bering v2.4) ?

 Thank you for any suggestions.


 I haven't tried this with FreeS/WAN, but I suspect your problem is you
 don't have an eth0:0.

 You *DO* have a secondary IP address on your external interface, but it
  has no name (linux hasn't required the ethn:m syntax since at
 least 2.2).

 Try removing the secondary IP, re-adding it with an appropriate label
 then starting freeswan:

 ip addr del 82.46.148.128/24 dev eth0
 ip addr add 82.46.148.128/24 label eth0:0 dev eth0
 svi ipsec start

 ...if that works, you'll need to change how you're adding the IP alias
 in your startup scripts.

 - --
 Charles Steinkuehler
 [EMAIL PROTECTED] -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.0 (MingW32)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


 iD8DBQFD7LMYLywbqEHdNFwRAugOAJ9ySUIKShtjxak6/YBdOhXEvwNIMwCeLvg3
 rd55FxcC8wzl6N+/BWa4368= =3irC
 -END PGP SIGNATURE-





Re: [leaf-user] ipsec/openswan 2.4.2

2006-02-14 Thread Eric Spakman
Cpu,

If I'm not mistaken you have to use the standard kernel ciphers, openswan
doesn't use its own anymore.

#
# Cryptographic options
#
CONFIG_CRYPTO=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_NULL=m
CONFIG_CRYPTO_MD4=m
CONFIG_CRYPTO_MD5=m
CONFIG_CRYPTO_SHA1=m
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=m
CONFIG_CRYPTO_WP512=m
CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_BLOWFISH=m
CONFIG_CRYPTO_TWOFISH=m
CONFIG_CRYPTO_SERPENT=m
CONFIG_CRYPTO_AES=m
..

Eric

 Hello Arne,


 I don't understand openswan 2.x. It doesn't have SHA2 (which I use).
 Can't
 modularize ciphers; no blowfish (missing usual ALGs). I tried using
 cryptoapi's sha512 but that didn't work. I tried searching the openswan
 mailing list, found a couple of similar concerns, but no answers. Perhaps
 I'm asking some dumb questions? I've downgraded to 1.0.9 on kernel
 2.4.32.
 Effectively, a 2.4 ucBering hybrid.


 Here are the offending config lines:


 2.4.32:


 CONFIG_KLIPS=m
 #
 # IPsec options (Openswan)
 #
 CONFIG_KLIPS_IPIP=y
 CONFIG_KLIPS_AH=y
 CONFIG_KLIPS_ESP=y
 CONFIG_KLIPS_ENC_3DES=y
 CONFIG_KLIPS_ENC_AES=y
 CONFIG_KLIPS_AUTH_HMAC_MD5=y
 CONFIG_KLIPS_AUTH_HMAC_SHA1=y
 CONFIG_KLIPS_ALG=y
 # CONFIG_KLIPS_IPCOMP is not set
 CONFIG_KLIPS_DEBUG=y
 CONFIG_IPSEC_NAT_TRAVERSAL=y


 2.4.31 (the more familiar):


 CONFIG_IPSEC=m
 #
 # IPSec options (FreeS/WAN)
 #
 CONFIG_IPSEC_IPIP=y
 CONFIG_IPSEC_AH=y
 CONFIG_IPSEC_AUTH_HMAC_MD5=y
 CONFIG_IPSEC_AUTH_HMAC_SHA1=y
 CONFIG_IPSEC_ESP=y
 CONFIG_IPSEC_ENC_3DES=y
 CONFIG_IPSEC_ALG=y
 CONFIG_IPSEC_ALG_MD5=m
 CONFIG_IPSEC_ALG_SHA1=m
 CONFIG_IPSEC_ALG_SHA2=m  <-- look sha2
 CONFIG_IPSEC_ALG_3DES=m
 CONFIG_IPSEC_ALG_AES=m
 CONFIG_IPSEC_ALG_BLOWFISH=m  <-- and all
 CONFIG_IPSEC_ALG_TWOFISH=m   <-- these
 CONFIG_IPSEC_ALG_SERPENT=m   <-- other
 CONFIG_IPSEC_ALG_CAST=m  <-- ciphers
 CONFIG_IPSEC_ALG_NULL=m
 # CONFIG_IPSEC_ALG_CRYPTOAPI is not set
 # CONFIG_IPSEC_ALG_1DES is not set
 CONFIG_IPSEC_IPCOMP=y
 CONFIG_IPSEC_DEBUG=y
 CONFIG_IPSEC_NAT_TRAVERSAL=y



 Any thoughts on getting strongswan to work with ucBering?


 Arne Bernin wrote:

 Hi all,


 i just finished packaging openswan 2.4.2 for bering-uclibc and did
 some
 initial testing, i am just wondering if someone else is using
 openswan/ipsec and is willing to test it, too.

 --arne






Re: [leaf-user] ipsec/openswan 2.4.2

2006-02-14 Thread Eric Spakman
Hello Cpu,

I looked through the openswan source, it seems that those ciphers are
linked into pluto.

Eric

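The two messages above turn on where a cipher or hash is configured: cpu looks for it under the KLIPS/FreeS/WAN CONFIG_IPSEC_ALG_* options of 2.4.31, Eric points at the kernel's own CONFIG_CRYPTO_* options in 2.4.32. The following checker, added here and not taken from the thread or from any kernel build script, reads .config text in the form quoted and reports per algorithm which option family provides it. The two fragments are constructed from lines quoted in this thread and are not complete .config files; the mapping of the thread's names SHA2 and 3DES onto CONFIG_CRYPTO_SHA256/SHA512 and CONFIG_CRYPTO_DES is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from any kernel build script: it reads
# kernel .config text in the form quoted above and reports, per algorithm,
# which option family provides it: CONFIG_IPSEC_ALG_* (FreeS/WAN-era KLIPS),
# CONFIG_KLIPS_ENC_*/CONFIG_KLIPS_AUTH_HMAC_* (Openswan KLIPS), or the kernel's
# own CONFIG_CRYPTO_* (the CryptoAPI options Eric lists). The two fragments are
# constructed from lines quoted in this thread, not complete .config files.

KCONFIG_2432='CONFIG_KLIPS=m
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
# CONFIG_KLIPS_IPCOMP is not set
CONFIG_CRYPTO=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=m
CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_BLOWFISH=m
CONFIG_CRYPTO_SERPENT=m
CONFIG_CRYPTO_AES=m'

KCONFIG_2431='CONFIG_IPSEC=m
CONFIG_IPSEC_ALG_SHA2=m
CONFIG_IPSEC_ALG_3DES=m
CONFIG_IPSEC_ALG_AES=m
CONFIG_IPSEC_ALG_BLOWFISH=m
CONFIG_IPSEC_ALG_SERPENT=m
CONFIG_IPSEC_ALG_CAST=m
# CONFIG_IPSEC_ALG_CRYPTOAPI is not set'

# kconfig_value CONFIG_TEXT OPTION -> y, m, or n (absent or "is not set")
kconfig_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $0 == (k "=y") { v = "y" }
        $0 == (k "=m") { v = "m" }
        END { print (v == "" ? "n" : v) }'
}

# crypto_value CONFIG_TEXT ALG: the CryptoAPI option for one of the names used
# in the thread. Assumption made here: SHA2 is covered by CONFIG_CRYPTO_SHA256
# or CONFIG_CRYPTO_SHA512, and 3DES by CONFIG_CRYPTO_DES.
crypto_value() {
    case $2 in
        SHA2) v=$(kconfig_value "$1" CONFIG_CRYPTO_SHA256)
              [ "$v" = n ] && v=$(kconfig_value "$1" CONFIG_CRYPTO_SHA512)
              printf '%s\n' "$v" ;;
        3DES) kconfig_value "$1" CONFIG_CRYPTO_DES ;;
        *)    kconfig_value "$1" "CONFIG_CRYPTO_$2" ;;
    esac
}

# alg_providers CONFIG_TEXT ALG -> "IPSEC_ALG=<y|m|n> KLIPS=<y|m|n> CRYPTO=<y|m|n>"
alg_providers() {
    ipsec=$(kconfig_value "$1" "CONFIG_IPSEC_ALG_$2")
    klips=$(kconfig_value "$1" "CONFIG_KLIPS_ENC_$2")
    [ "$klips" = n ] && klips=$(kconfig_value "$1" "CONFIG_KLIPS_AUTH_HMAC_$2")
    crypto=$(crypto_value "$1" "$2")
    printf 'IPSEC_ALG=%s KLIPS=%s CRYPTO=%s\n' "$ipsec" "$klips" "$crypto"
}

# alg_available CONFIG_TEXT ALG: true if any family builds it in (y) or as a module (m)
alg_available() {
    case $(alg_providers "$1" "$2") in
        *=y*|*=m*) return 0 ;;
    esac
    return 1
}

# report CONFIG_TEXT: the algorithms cpu asked about, one line each
report() {
    for alg in SHA2 AES 3DES BLOWFISH SERPENT CAST; do
        printf '%-9s %s\n' "$alg" "$(alg_providers "$1" "$alg")"
    done
}
```

`report "$KCONFIG_2432"` shows SHA2 present only under CRYPTO and CAST under none of the families, while `report "$KCONFIG_2431"` shows the same names under IPSEC_ALG; whether Openswan's userland (pluto) actually negotiates a given algorithm is a separate question, which is what Eric's later reply addresses.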


Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread cpu memhd
Hi Eric,

I'm not using openswan 2.4.4, I'm using 1.0.9. But I did look at the newer
_startklips and the line is the same. To me, this suggests it's making the
same assumptions about the interface. My guess is that it will work.

original 2.4.4
/usr/lib/ipsec/_startklips:

eval `ip addr show $phys primary | grep inet | sed -n 1p |

original 1.0.9
/lib/ipsec/_startklips:

eval `ip addr show $phys primary | grep inet | sed -n 1p |

-cpu


Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread Eric Spakman
Hello Cpu,

A pity 2.4.4 is not working ok for you. You are the first reporting a
problem with it.
I looked through various documents and it seems like all those ciphers are
supported but probably internal.

Does the _startklips fix still support plain ethx interfaces?

Eric



 Hi Eric,

 I'm not using openswan 2.4.4, I'm using 1.0.9. But I did look at the
 newer _startklips and the line is the same. To me, this suggests it's
 making the same assumptions about the interface. My guess is that it
 will work.

 original 2.4.4 /usr/lib/ipsec/_startklips:

 eval `ip addr show $phys primary | grep inet | sed -n 1p |

 original 1.0.9 /lib/ipsec/_startklips:

 eval `ip addr show $phys primary | grep inet | sed -n 1p |

 -cpu


 Eric Spakman wrote:

 Hello Cpu,


 Does the same fix apply to our current openswan-2.4.4?


 Eric


 Hello,

 In addition to specifying a label I couldn't get openswan to work
 with secondary IPs unless I changed this line in _startklips:

 eval `ip addr show $phys primary | grep inet | sed -n 1p |

 to:

 eval `ip addr show ${phys%%:*} label $phys | grep inet | sed -n 1p

 -cpu




Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread cpu memhd
Eric,

Regarding openswan 2.x. It looks like one is supposed to use cryptoapi
instead of Juanjo's crypto algorithms. But there is no real info on how to
go from 1.x to 2.x. After getting stuck on SHA2_256 I gave up. Also, on
1.0.9 I made some modifications to ./pluto/kernel.c to allow for multiple
ipsec connections from the same host and I would have to do the same for
2.4.4, which is quite different. It might not even work. Not worth the
hassle right now.

The _startklips fix is backward compatible. Most of my ipsec hosts use only
a single ip address using interfaces=ipsec0=eth0.

-cpu


Eric Spakman wrote:
 Hello Cpu,
 
 A pity 2.4.4 is not working ok for you. You are the first reporting a
 problem with it.
 I looked through various documents and it seems like all those ciphers
 are supported but probably internal.
 
 Does the _startklips fix still support plain ethx interfaces?
 
 Eric
 
 
 

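The _startklips change quoted in this thread, and cpu's remark that it stays backward compatible, replayed as an added shell example (not code from the thread or from openswan). fake_ip is a hypothetical stand-in for "ip addr show DEV [primary] [label LABEL]" that answers from a constructed copy of the eth0 output posted by Sandro, so both lookup variants can be compared offline; its "label" matching is a simplification of the real tool. It shows why the original "ip addr show $phys primary" returns nothing for eth0:0 (no such device, and "primary" hides the secondary address) while "ip addr show ${phys%%:*} label $phys" finds it and still resolves a plain eth0.

```shell
#!/bin/sh
# Added example, not from the leaf-user thread or the openswan sources.
# Compares the original _startklips address lookup with cpu's rewrite,
# using a stand-in for `ip` so it runs without a real network device.

# Constructed copy of `ip addr show eth0` from the thread, with the
# secondary address carrying the label eth0:0 (the state after
# `ip addr add 82.46.148.128/24 dev eth0 label eth0:0`).
SAMPLE_IP_OUTPUT='5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
    inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
    inet 82.46.148.128/24 scope global secondary eth0:0
    inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link'

# fake_ip: hypothetical stand-in for `ip addr show DEV [primary] [label LABEL]`.
# Only eth0 exists as a device; eth0:0 is an address label, so asking for it
# as a device fails the way the thread reports ("Device eth0:0 does not
# exist."). `primary` drops secondary addresses; `label` keeps only address
# lines whose last field equals the label (a simplification of the real tool).
fake_ip() {
    [ "$1" = addr ] && [ "$2" = show ] || return 2
    dev=$3
    shift 3
    mode=all
    lbl=
    while [ $# -gt 0 ]; do
        case $1 in
            primary) mode=primary ;;
            label)   lbl=$2; shift ;;
        esac
        shift
    done
    if [ "$dev" != eth0 ]; then
        echo "Device $dev does not exist." >&2
        return 1
    fi
    printf '%s\n' "$SAMPLE_IP_OUTPUT" | awk -v mode="$mode" -v lbl="$lbl" '
        /^ *inet6? / {
            if (mode == "primary" && $0 ~ / secondary /) next
            if (lbl != "" && $NF != lbl) next
        }
        { print }'
}

# Original _startklips line (1.0.9 and 2.4.4): $phys is handed to `ip` as if
# it were a device, and only primary addresses are considered.
addr_original() {
    phys=$1
    fake_ip addr show "$phys" primary 2>/dev/null | grep inet | sed -n 1p |
        awk '{ print $2 }'
}

# cpu's rewrite: ${phys%%:*} strips everything from the first ':' so the
# physical device is queried, and `label $phys` selects the alias.
addr_fixed() {
    phys=$1
    fake_ip addr show "${phys%%:*}" label "$phys" 2>/dev/null | grep inet | sed -n 1p |
        awk '{ print $2 }'
}

# Demonstration: the original lookup resolves eth0 but not eth0:0; the
# rewrite resolves both, which is the backward compatibility cpu describes.
for ifc in eth0 eth0:0; do
    printf '%-7s original=%-18s fixed=%s\n' "$ifc" \
        "$(addr_original "$ifc")" "$(addr_fixed "$ifc")"
done
```
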
Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread Eric Spakman
Hi Cpu,

 Eric,


 Regarding openswan 2.x. It looks like one is supposed to use cryptoapi
 instead of Juanjo's crypto algorithms. But there is no real info on how to

The cryptoapi stuff is optional and the other ciphers are internal to pluto:

LIBDESSRCDIR=${OPENSWANSRCDIR}/linux/crypto/ciphers/des
LIBDESLITE:=${OBJDIRTOP}/lib/libcrypto/libdes/libdes.a
LIBAES=${OBJDIRTOP}/lib/libcrypto/libaes/libaes.a
LIBBLOWFISH=${OBJDIRTOP}/lib/libcrypto/libblowfish/libblowfish.a
LIBTWOFISH=${OBJDIRTOP}/lib/libcrypto/libtwofish/libtwofish.a
LIBSERPENT=${OBJDIRTOP}/lib/libcrypto/libserpent/libserpent.a
LIBSHA2=${OBJDIRTOP}/lib/libcrypto/libsha2/libsha2.a

But it seems like this is only added if USE_EXTRACRYPTO is set, which
will add enormous bloat to the pluto binary.
I will look into how to implement cryptoapi, so the ciphers can be used
modularly again.


 go from 1.x to 2.x. After getting stuck on SHA2_256 I gave up. Also, on
 1.0.9 I made some modifications to ./pluto/kernel.c to allow for multiple
 ipsec connections from the same host and I would have to do the same for
 2.4.4, which is quite different. It might not even work. Not worth the
 hassle right now.

I understand, but note that 1.0.x is end of life.

 The _startklips fix is backward compatible. Most of my ipsec hosts use
 only a single ip address using interfaces=ipsec0=eth0.

Ok, thanks! I will add this fix later today.

 -cpu

Eric




Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread cpu memhd
Hmmm... Where/how do you set USE_EXTRACRYPTO?
-cpu

Eric Spakman wrote:
 Hi Cpu,
 
 Eric,


 Regarding openswan 2.x. It looks like one is supposed to use cryptoapi
 instead of Juanjo's crypto algorithms. But there is no real info on how to

 The cryptoapi stuff is optional and the other ciphers are internal to
 pluto:
 
 LIBDESSRCDIR=${OPENSWANSRCDIR}/linux/crypto/ciphers/des
 LIBDESLITE:=${OBJDIRTOP}/lib/libcrypto/libdes/libdes.a
 LIBAES=${OBJDIRTOP}/lib/libcrypto/libaes/libaes.a
 LIBBLOWFISH=${OBJDIRTOP}/lib/libcrypto/libblowfish/libblowfish.a
 LIBTWOFISH=${OBJDIRTOP}/lib/libcrypto/libtwofish/libtwofish.a
 LIBSERPENT=${OBJDIRTOP}/lib/libcrypto/libserpent/libserpent.a
 LIBSHA2=${OBJDIRTOP}/lib/libcrypto/libsha2/libsha2.a
 
 But it seems like this is only added if USE_EXTRACRYPTO is set, which
 will add enormous bloat to the pluto binary.
 I will look into how to implement cryptoapi, so the ciphers can be used
 modularly again.
 
 go from 1.x to 2.x. After getting stuck on SHA2_256 I gave up. Also, on
 1.0.9 I made some modifications to ./pluto/kernel.c to allow for multiple
 ipsec connections from the same host and I would have to do the same for
 2.4.4, which is quite different. It might not even work. Not worth the
 hassle right now.

 I understand, but note that 1.0.x is end of life.
 
 The _startklips fix is backward compatible. Most of my ipsec hosts use
 only a single ip address using interfaces=ipsec0=eth0.

 Ok, thanks! I will add this fix later today.
 
 -cpu

 Eric
 


Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread Eric Spakman
Hi Cpu,

In makefile.inc

But a much better fix will be to enable cryptoapi in the kernel config and
rebuild openswan against it. Only the standard openswan patch doesn't
contain that option and I have to make a patch against it.

Eric

 Hmmm... Where/how do you set USE_EXTRACRYPTO?
 -cpu



Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread Eric Spakman
Hello Cpu,

I think the fix to support cryptoapi is rather simple, it's just broken in
the openswan sources (patch).

If you change the following line in the kernel's linux/net/ipsec/Config.in
from:
bool '   IPsec Modular Extensions' CONFIG_KLIPS_ALG
if [ $CONFIG_KLIPS_ALG != n ]; then
source net/ipsec/alg/Config.in
fi

to:

bool '   IPsec Modular Extensions' CONFIG_KLIPS_ALG
if [ $CONFIG_KLIPS_ALG != n ]; then
  bool '  CryptoAPI algorithm interface' CONFIG_KLIPS_ENC_CRYPTOAPI
fi

Do a make menuconfig, enable klips cryptoapi support and (optionally)
disable klips 3des and aes (you can use the crypto ciphers now) and it should
work.

Eric





Re: [leaf-user] ipsec/openswan 2.4.2

2006-02-13 Thread cpu memhd
Hello Arne,

I don't understand openswan 2.x. It doesn't have SHA2 (which I use). Can't
modularize ciphers; no blowfish (missing usual ALGs). I tried using
cryptoapi's sha512 but that didn't work. I tried searching the openswan
mailing list, found a couple of similar concerns, but no answers. Perhaps
I'm asking some dumb questions? I've downgraded to 1.0.9 on kernel 2.4.32.
Effectively, a 2.4 ucBering hybrid.

Here are the offending config lines:

2.4.32:

CONFIG_KLIPS=m
#
# IPsec options (Openswan)
#
CONFIG_KLIPS_IPIP=y
CONFIG_KLIPS_AH=y
CONFIG_KLIPS_ESP=y
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
CONFIG_KLIPS_ALG=y
# CONFIG_KLIPS_IPCOMP is not set
CONFIG_KLIPS_DEBUG=y
CONFIG_IPSEC_NAT_TRAVERSAL=y

2.4.31 (the more familiar):

CONFIG_IPSEC=m
#
# IPSec options (FreeS/WAN)
#
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_ALG=y
CONFIG_IPSEC_ALG_MD5=m
CONFIG_IPSEC_ALG_SHA1=m
CONFIG_IPSEC_ALG_SHA2=m  <-- look sha2
CONFIG_IPSEC_ALG_3DES=m
CONFIG_IPSEC_ALG_AES=m
CONFIG_IPSEC_ALG_BLOWFISH=m  <-- and all
CONFIG_IPSEC_ALG_TWOFISH=m   <-- these
CONFIG_IPSEC_ALG_SERPENT=m   <-- other
CONFIG_IPSEC_ALG_CAST=m  <-- ciphers
CONFIG_IPSEC_ALG_NULL=m
# CONFIG_IPSEC_ALG_CRYPTOAPI is not set
# CONFIG_IPSEC_ALG_1DES is not set
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
CONFIG_IPSEC_NAT_TRAVERSAL=y


Any thoughts on getting strongswan to work with ucBering?

Arne Bernin wrote:
 Hi all,
 
 i just finished packaging openswan 2.4.2 for bering-uclibc and did
 some initial testing, i am just wondering if someone else is using
 openswan/ipsec and is willing to test it, too.
 
 --arne
 




Re: [leaf-user] ipsec and multiple IP problem

2006-02-10 Thread Charles Steinkuehler
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sandro Doro wrote:
 Hi,
 
   I am testing Bering 2.3.1 with a multiple IP interface as:
 
 # ip addr show eth0
 5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
 link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
 inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
 inet 82.46.148.128/24 scope global secondary eth0
 inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link
 
 Using the included ipsec.lrp (v.1.0.9) I setup VPN with:
 
   # /etc/ipsec.conf
   [...]
   interfaces=ipsec0=eth0 ipsec1=eth0:0
   [...]
 
 After /etc/init.d/ipsec restart the following messages is printed:
 
   Device eth0:0 does not exist.
   ipsec_setup: unable to determine address of `eth0:0'
 
 This messages is printed also if I change the ip address with the
 following command:
 
   ip addr add 82.46.148.128/24 dev eth0 label eth0:0
 
 I have read in
 
   http://www.freeswan.ca/docs/HA/HA_VPNS_With_FreeSWAN.html
 
 that this interface specification is correct. This is possible
 only in v2 release (Bering v2.4) ?
 
 Thank you for any suggestions.

I haven't tried this with FreeS/WAN, but I suspect your problem is you
don't have an eth0:0.

You *DO* have a secondary IP address on your external interface, but it
has no name (linux hasn't required the ethn:m syntax since at
least 2.2).

Try removing the secondary IP, re-adding it with an appropriate label
then starting freeswan:

ip addr del 82.46.148.128/24 dev eth0
ip addr add 82.46.148.128/24 label eth0:0 dev eth0
svi ipsec start

...if that works, you'll need to change how you're adding the IP alias
in your startup scripts.

- --
Charles Steinkuehler
[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD7LMYLywbqEHdNFwRAugOAJ9ySUIKShtjxak6/YBdOhXEvwNIMwCeLvg3
rd55FxcC8wzl6N+/BWa4368=
=3irC
-----END PGP SIGNATURE-----




[leaf-user] ipsec and multiple IP problem

2006-02-09 Thread Sandro Doro
Hi,

  I am testing Bering 2.3.1 with a multiple IP interface as:

# ip addr show eth0
5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
inet 82.46.148.128/24 scope global secondary eth0 
inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link

Using the included ipsec.lrp (v.1.0.9) I setup VPN with: 

   # /etc/ipsec.conf
   [...]
   interfaces=ipsec0=eth0 ipsec1=eth0:0
   [...]

After /etc/init.d/ipsec restart the following messages is printed:

  Device eth0:0 does not exist.
  ipsec_setup: unable to determine address of `eth0:0'

This messages is printed also if I change the ip address with the
following command:

  ip addr add 82.46.148.128/24 dev eth0 label eth0:0

I have read in

  http://www.freeswan.ca/docs/HA/HA_VPNS_With_FreeSWAN.html

that this interface specification is correct. Is this possible
only in the v2 release (Bering v2.4)?

Thank you for any suggestions.


Regards,
  Sandro Doro

-- 
Sandro Doro
e-mail: sandro.doro AT istruzione.it







[leaf-user] ipsec/openswan 2.4.2

2005-11-15 Thread Arne Bernin
Hi all,

I just finished packaging openswan 2.4.2 for bering-uclibc
and did some initial testing. I am just wondering if someone
else is using openswan/ipsec and is willing to test it, too.

--arne

-- 
Arne Bernin [EMAIL PROTECTED]

http://www.ucBering.de







[leaf-user] IPSec question

2005-10-19 Thread James Neave
Hello list,

Quick question, for Bering-uClibc.
To use a box as an IPSec server, is it still FreeS/WAN that gets used?
And is all the same documentation that was used for original Bering
still valid?

Thanks,

James.






Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-30 Thread Erich Titl
Tom

Tom Eastep wrote:
 
 
 
 while true; do
   ip link ls dev ppp0 > /dev/null 2>&1 && break
   echo "Waiting for ppp0 to come up..."
   sleep 5
 done

Yes, that is more or less the thing I finally did, although this will
loop forever and without a console the poor luser might never know why.
So I placed a max_loop limit into my code.

Erich





Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-30 Thread Erich Titl
Richard Saunders wrote:
 Does this problem have anything to do with shorewall? Shorewall seems to
 startup
  without a problem and everything else runs fine. It's only ipsec that
 can't find a default route.
 I thought inetd may be responsible. Not that I know anything much about it.

Shorewall is just one of the many services which may rely on routing
being set up correctly. IPSEC is another one.

Erich




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-30 Thread Erich Titl
Richard Saunders wrote:
 Thanks Tom and Eric
 I don't know if it matters to me how long it takes to come up, so long
 as everything that is supposed to work works once it's up.
 When ppp0 is up it's a router; until then it's a lump of useless metal
 chewing power.
 I have put the loop here:
 
 #!/bin/sh
 # IPsec startup and shutdown script
 # Copyright (C) 1998, 1999, 2001  Henry Spencer.
 
 /..SNIP
 
 # misc setup
 umask 022
 
 while true; do
 ip link ls dev ppp0 > /dev/null 2>&1 && break
 echo "Waiting for ppp0 to come up..."
 sleep 5
 done
 
 # do it
 case "$1" in
   start|--start|stop|--stop)
 
 Is this alright? I won't get to test it until I can reboot on the weekend.

Give it a chance to barf in the loop to tell you what is wrong.

Erich





Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-30 Thread Erich Titl
Richard Saunders wrote:
 I managed to kick everyone off at lunchtime and reboot.
 The loop paused the startup for about half a second and off it went.
 Everything started up fine including ipsec.

I doubt it looped at all then.

Please ignore my previous post on the barf, I must be getting blind.
Still consider adding some logging to syslog in case you don't have a
console.

Erich




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Richard Saunders

Thanks Eric
Unfortunately that has had no effect, but I do think you are on the
right track, i.e. ipsec is starting before ppp0 is fully up, but since I
know nothing except being able to blindly follow instructions, I don't
like my chances of finding a solution myself.

Regarding "WARNING: ppp0 has route filtering turned on, KLIPS may not work":
this error has always been there and has never shown any detrimental effects
as far as I know. There have been previous threads regarding this and I think
the conclusion was to ignore it.

At 06:08 PM 28/09/2005, you wrote:

Hello Richard,

I've looked through the changes between ipsec from 2.2.3 and 2.3rc1; there
was a change in the start/stop levels of ipsec's init.d script due to
warnings when stopping ipsec.
The differences are:
(2.2.3): RCDLINKS="0,K42 1,K42 2,S42 3,S42 4,S42 5,S42 6,K42"
(2.3rc1): RCDLINKS="0,K19 1,K19 2,S21 3,S21 4,S21 5,S21 6,K19"

It could be that the ppp interface isn't fully brought up before ipsec is
started. You could try to change the /etc/init.d/ipsec script to read:
RCDLINKS="0,K19 1,K19 2,S41 3,S41 4,S41 5,S41 6,K19"

Although the following line in your log is also somewhat strange:
Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route
filtering turned on, KLIPS may not work Sep 28 14:26:52 firewall
Did you also have that warning with 2.2.3? You can turn off route filtering
by setting spoofprotect=no in lrcfg -> 1) Network configuration -> 2)
network options file (/etc/network/options)

Eric Spakman

 Hi
 I am setting up uClibc 2.3rc1.
 I have copied the ipsec.conf file from my uClibc 2.23 box which has
 always worked ok. When starting up I get the following errors
 in auth.log:

 Sep 28 13:57:09 firewall pluto[21197]: no public interfaces found


 in daemon.log:

 Sep 28 13:57:07 firewall ipsec_setup: no default route, %defaultroute
 cannot cope!!! Sep 28 13:57:08 firewall ipsec_setup: ...Openswan IPsec
 started Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error
 in w2k: %defaultroute requested but not known
 Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in
 net-net: %defaultroute requested but not known


 When the box finishes starting if I type ipsec setup restart  it runs
 fine.

 Sep 28 14:26:50 firewall ipsec_setup: Stopping Openswan IPsec...
 Sep 28 14:26:50 firewall ipsec_setup: stop ordered, but IPsec does
 not appear to be running! Sep 28 14:26:50 firewall ipsec_setup: doing
 cleanup anyway... Sep 28 14:26:51 firewall ipsec_setup: ...Openswan IPsec
 stopped Sep 28 14:26:51 firewall ipsec_setup: Starting Openswan IPsec
 1.0.9...
 Sep 28 14:26:51 firewall ipsec_setup: Using /lib/modules/ipsec.o
 Sep 28 14:26:51 firewall ipsec_setup: KLIPS debug `none'
 Sep 28 14:26:52 firewall ipsec_setup: KLIPS ipsec0 on ppp0
 220.245.99.4 peer 202.7.162.162/32
 Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route
 filtering turned on, KLIPS may not work Sep 28 14:26:52 firewall
 ipsec_setup:  (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)
 Sep 28 14:26:52 firewall ipsec_setup: ...Openswan IPsec started


 Here is my setup:
 # basic configuration
 config setup interfaces=%defaultroute klipsdebug=none plutodebug=none
 plutoload=%search plutostart=%search uniqueids=yes



 # defaults for subsequent connection descriptions
 conn %default keyingtries=0

 conn net-net authby=rsasig left=220.245.99.4 leftsubnet=192.168.1.0/24
 leftrsasigkey=[keyid AQON] leftnexthop=%defaultroute right=220.244.10.142
 rightsubnet=192.168.0.0/27 rightrsasigkey=[keyid AQN7]
 rightnexthop=%defaultroute pfs=yes auto=add

 conn w2k authby=rsasig left=220.245.99.4 leftsubnet=192.168.1.0/24
 leftnexthop=%defaultroute leftrsasigkey=%cert leftcert=fwCert.pem
right=%any
  rightrsasigkey=%cert leftid=CN=fw pfs=yes auto=add #


 Any ideas on what might be happening?















Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Erich Titl
Rick

Richard Saunders wrote:
 Thanks Eric
 Unfortunately that has had no effect, but I do think you are on the
 right track, i.e. ipsec is starting before ppp0 is fully up, but since I
 know nothing except being able to blindly follow instructions, I don't
 like my chances of finding a solution myself.

This problem has always existed for any connection type. It shows up in
a lot of different locations on all Bering versions. I saw this on ppp
connections as well as pcmcia based ethernet connections. The common
denominator of all these is, that you cannot predict reliably how long
they take to come up, but the init script may terminate _before_ they
are up completely.

What is missing is a generic solution to assert _all_ necessary
connections/services are up _before_ any service depending on them is
started. This is true for ipsec but also for shorewall and probably
other services. I am running a fair number of WRAP boards as IPSEC end
points. These boards do not have a battery for the clock, so the time is
lost at power down. I am using certificates for the ipsec links,
therefore I need to have accurate system time. I am running ntpdate early
at start up, but a slow connection may make a single ntpdate start
fail. So I have to check connectivity to the uplink router and the
presence of a default route before I even attempt to update my system time.

cheers

Erich




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Paul Traina

This problem has always existed for any connection type. It shows up in
a lot of different locations on all Bering versions. I saw this on ppp
connections as well as pcmcia based ethernet connections. The common
denominator of all these is, that you cannot predict reliably how long
they take to come up, but the init script may terminate _before_ they
are up completely.


Agreed.  Shorewall by default has really awful failure modes if the 
upstream ppp interface isn't up yet.


I'd love to have an "is up?" semaphore, but perhaps in some cases, we 
should instead be triggering the apps by the fact that the interface is 
up.  Both /etc/network/interfaces and ppp have trigger scripts they can 
call for interface up.  Then it comes down to what "is up"?  -- link up? 
address configured and able to pass data?  routing up?


I don't want to confuse things with those last questions, there probably 
is no universal good way to do these things.  Frankly, I wish shorewall 
was just a little smarter when it came to ephemeral interfaces.


Paul





Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Richard Saunders
Is it possible just to insert a pause somewhere in the startup scripts
to wait for ppp0 to come up before continuing?

At 07:43 AM 30/09/2005, you wrote:

This problem has always existed for any connection type. It shows up in
a lot of different locations on all Bering versions. I saw this on ppp
connections as well as pcmcia based ethernet connections. The common
denominator of all these is, that you cannot predict reliably how long
they take to come up, but the init script may terminate _before_ they
are up completely.


Agreed.  Shorewall by default has really awful failure modes if the 
upstream ppp interface isn't up yet.


I'd love to have an "is up?" semaphore, but perhaps in some cases, 
we should instead be triggering the apps by the fact that the 
interface is up.  Both /etc/network/interfaces and ppp have trigger 
scripts they can call for interface up.  Then it comes down to what 
"is up"?  -- link up? address configured and able to pass data?  routing up?


I don't want to confuse things with those last questions, there 
probably is no universal good way to do these things.  Frankly, I 
wish shorewall was just a little smarter when it came to ephemeral interfaces.


Paul







Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Tom Eastep
Richard Saunders wrote:
 Is it possible just to insert a pause somewhere in the startup scripts
 to wait for ppp0 to come up before continuing?
 

You could place a pause/check loop in /etc/shorewall/init. Or, better
yet, configure Shorewall so that it doesn't require ppp0 to be up when
it starts.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Erich Titl

Richard Saunders wrote:
Is it possible just to insert a pause somewhere in the startup scripts
to wait for ppp0 to come up before continuing?


Yes, that was my first approach, unfortunately not a very smart one, as, 
for example, ppp may take a very long time to come up.


Erich





Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Tom Eastep
Erich Titl wrote:
 Richard Saunders wrote:
 Is it possible just to insert a pause somewhere in the startup scripts
 to wait for ppp0 to come up before continuing?
 
 Yes, that was my first approach, unfortunately not a very smart one, as,
 for example, ppp may take a very long time to come up.
 

while true; do
ip link ls dev ppp0 > /dev/null 2>&1 && break
echo "Waiting for ppp0 to come up..."
sleep 5
done

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Erich Titl

Paul Traina wrote:

This problem has always existed for any connection type. It shows up in
a lot of different locations on all Bering versions. I saw this on ppp
connections as well as pcmcia based ethernet connections. The common
denominator of all these is, that you cannot predict reliably how long
they take to come up, but the init script may terminate _before_ they
are up completely.



Agreed.  Shorewall by default has really awful failure modes if the 
upstream ppp interface isn't up yet.


I'd love to have an "is up?" semaphore, but perhaps in some cases, we 
should instead be triggering the apps by the fact that the interface is 
up.  Both /etc/network/interfaces and ppp have trigger scripts they can 
call for interface up.  Then it comes down to what "is up"?  -- link up? 
address configured and able to pass data?  routing up?


Mhh... "routing up" is a pretty good indication for a dynamic interface to 
work; a check against the uplink router might be even better.


I published an ipsec watchdog script some time ago on this list, which 
uses this method and has proven to be rather reliable.


Erich






Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Richard Saunders
Does this problem have anything to do with shorewall? Shorewall seems
to start up without a problem and everything else runs fine. It's only
ipsec that can't find a default route.

I thought inetd may be responsible. Not that I know anything much about it.

At 08:24 AM 30/09/2005, you wrote:

Richard Saunders wrote:
 Is it possible just to insert a pause somewhere in the startup scripts
 to wait for ppp0 to come up before continuing?


You could place a pause/check loop in /etc/shorewall/init. Or, better
yet, configure Shorewall so that it doesn't require ppp0 to be up when
it starts.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key






Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Tom Eastep
Richard Saunders wrote:
 Does this problem have anything to do with shorewall? Shorewall seems to
 startup
  without a problem and everything else runs fine. It's only ipsec that
 can't find a default route.
 I thought inetd may be responsible. Not that I know anything much about it.
 

I was simply responding to Paul's and Erich's posts about Shorewall
problems caused by devices that aren't up when Shorewall starts. If in
your case Shorewall is starting without error when ppp0 is absent then
Shorewall isn't involved in your ipsec issue.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Paul Traina

Tom Eastep wrote:

You could place a pause/check loop in /etc/shorewall/init. Or, better
yet, configure Shorewall so that it doesn't require ppp0 to be up when
it starts.


I'm not sure I can come up with the semantics to do that, but I'd love 
to give it a try...


Here's what I've got:

Zones:

net    Net      Internet
loc    Local    Local networks
dmz    DMZ      Demilitarized zone
dsl    DSL      DSL modem nat area
guest  Guest    Guest host network

Interfaces:

dsl    eth0    detect   dhcp,routefilter
net    ppp0    -        tcpflags,blacklist,routefilter,norfc1918,nosmurfs,upnp
loc    eth1    detect   dhcp
dmz    eth2    detect   dhcp,routefilter
guest  ath0    detect   dhcp,routefilter

Masq:

(INT_QUEMADURA and EXT_QUEMADURA are internal and external IP addrs)
(ditto EXT_GUEST so guest network users are natted to a different routed
 IP addr in case they do something evil like send spam)

ppp0    $INT_QUEMADURA    $EXT_QUEMADURA
ppp0    eth1
ppp0    ath0              $EXT_GUEST
eth0    eth1

and rules (excerpted):

DNAT   net  loc:$INT_QUEMADURA   tcp 22  - $EXT_QUEMADURA


Now, I'm assuming it's the masq entries referencing ppp0 that are 
kicking my ass?


So this error is caused by routefilter/ppp0 not existing (soft error):

Setting up Kernel Route Filtering...
   Warning: Cannot set route filtering on ppp0

and this error is caused by masq?

Adding IP Addresses...
Device ppp0 does not exist.
Cannot find device ppp0

Do you suggest I do SNATing instead?  If so, who adds the IP aliases to 
ppp0 and when?  I have 5 static IP addresses that I use, so SNAT is a 
fine option (I use one IP for the fw/home nat, one for the bastion host,
and one for a separate guest network).




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Richard Saunders

Thanks Tom and Eric
I don't know if it matters to me how long it takes to come up, so 
long as everything that is supposed to work works once it's up.
When ppp0 is up it's a router; until then it's a lump of useless metal 
chewing power.

I have put the loop here:

#!/bin/sh
# IPsec startup and shutdown script
# Copyright (C) 1998, 1999, 2001  Henry Spencer.

/..SNIP

# misc setup
umask 022

while true; do
ip link ls dev ppp0 > /dev/null 2>&1 && break
echo "Waiting for ppp0 to come up..."
sleep 5
done

# do it
case "$1" in
  start|--start|stop|--stop)

Is this alright? I won't get to test it until I can reboot on the weekend.

At 08:35 AM 30/09/2005, you wrote:

Richard Saunders wrote:
Is it possible just to insert a pause somewhere in the startup scripts
to wait for ppp0 to come up before continuing?


Yes, that was my first approach, unfortunately not a very smart one, 
as, for example, ppp may take a very long time to come up.


Erich







Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Tom Eastep
Paul Traina wrote:

 
 Adding IP Addresses...
 Device ppp0 does not exist.
 Cannot find device ppp0
 

Been a while since I had to deal with pppd but as I recall there is a
user-provided script that gets run when the interface comes up. Add the
IP addresses in that script rather than having Shorewall do it.

And set route filtering there too while you are at it rather than using
the Shorewall 'routefilter' option.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Tom Eastep
Richard Saunders wrote:

 
 # misc setup
 umask 022
 
 while true; do
 ip link ls dev ppp0 > /dev/null 2>&1 && break
 echo "Waiting for ppp0 to come up..."
 sleep 5
 done
 
 # do it
 case "$1" in
   start|--start|stop|--stop)
 
 Is this alright? I won't get to test it until I can reboot on the weekend.

I don't have a ppp interface to test with so I don't know at what point
'ip link ls dev ppp0' returns 0 for an exit status. If the above doesn't
work, the output of 'ip' may need to be piped into 'grep -q' looking for
'inet' or something like that

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Richard Saunders

I managed to kick everyone off at lunchtime and reboot.
The loop paused the startup for about half a second and off it went.
Everything started up fine including ipsec.
Thank you very much Tom and Erich.
I am very grateful for your help.
Richard Saunders

At 10:56 AM 30/09/2005, you wrote:

Richard Saunders wrote:


 # misc setup
 umask 022

 while true; do
 ip link ls dev ppp0 > /dev/null 2>&1 && break
 echo "Waiting for ppp0 to come up..."
 sleep 5
 done

 # do it
 case "$1" in
   start|--start|stop|--stop)

 Is this alright? I won't get to test it until I can reboot on the weekend.

I don't have a ppp interface to test with so I don't know at what point
'ip link ls dev ppp0' returns 0 for an exit status. If the above doesn't
work, the output of 'ip' may need to be piped into 'grep -q' looking for
'inet' or something like that

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
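A bounded, logged version of the wait loop discussed in this thread, as an added example that is not code from Tom, Erich or the LEAF init scripts: it combines Tom's `ip link` polling loop, the max-loop limit Erich put into his own code, Tom's suggestion to look for 'inet' in the `ip` output rather than trusting the exit status of `ip link ls`, Erich's "routing up" check, and the syslog logging he recommended for boxes without a console. The function names, the default of 12 tries of 5 seconds and the `wait-iface` syslog tag are my assumptions.

```shell
#!/bin/sh
# Added example (not LEAF/Openswan code): bounded wait for a dynamic
# interface with progress reported to stderr and syslog.
# Function names, defaults and the 'wait-iface' tag are assumptions.

# Report to the console (if any) and to syslog, so a headless box still
# leaves a trace of why startup stalled.
wait_log() {
    echo "$1" >&2
    command -v logger >/dev/null 2>&1 && logger -t wait-iface "$1" 2>/dev/null
    return 0
}

# iface_ready IFACE: succeed only when IFACE exists, carries an IPv4
# address and is the device of a default route.  'ip link' alone can
# return 0 as soon as the device node exists, before pppd has an address.
iface_ready() {
    ip link show dev "$1" >/dev/null 2>&1 || return 1
    ip -o -4 addr show dev "$1" 2>/dev/null | grep -q ' inet ' || return 1
    ip -4 route show default 2>/dev/null | grep -q -E " dev $1( |$)"
}

# wait_for_iface IFACE MAX_TRIES SLEEP_SECS
# Returns 0 once iface_ready succeeds, 1 after MAX_TRIES polls, so a link
# that never comes up fails startup with a logged reason instead of
# looping forever.
wait_for_iface() {
    ifc=$1; max=${2:-12}; pause=${3:-5}
    tries=0
    while [ "$tries" -lt "$max" ]; do
        if iface_ready "$ifc"; then
            wait_log "$ifc is up with address and default route after $tries retries"
            return 0
        fi
        tries=$((tries + 1))
        wait_log "Waiting for $ifc to come up ($tries/$max)..."
        sleep "$pause"
    done
    wait_log "giving up on $ifc after $max tries; dependent services not started"
    return 1
}

# Run as: sh wait-iface.sh --wait ppp0 12 5
# (with no arguments the script only defines the functions, so it can be
# sourced from an init script)
case "${1:-}" in
    --wait) wait_for_iface "${2:-ppp0}" "${3:-12}" "${4:-5}" ;;
esac
```

Placed in /etc/init.d/ipsec just before the `case` statement as `wait_for_iface ppp0 12 5 || exit 1`, the script stops with a syslog entry after a minute instead of hanging the boot; the `iface_ready` test is the part to adapt if a link is considered usable before it owns the default route.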







Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-28 Thread Eric Spakman
Hello Richard,

I've looked through the changes between ipsec from 2.2.3 and 2.3rc1; there
was a change in the start/stop levels of ipsec's init.d script due to
warnings when stopping ipsec.
The differences are:
(2.2.3): RCDLINKS="0,K42 1,K42 2,S42 3,S42 4,S42 5,S42 6,K42"
(2.3rc1): RCDLINKS="0,K19 1,K19 2,S21 3,S21 4,S21 5,S21 6,K19"

It could be that the ppp interface isn't fully brought up before ipsec is
started. You could try to change the /etc/init.d/ipsec script to read:
RCDLINKS="0,K19 1,K19 2,S41 3,S41 4,S41 5,S41 6,K19"

Although the following line in your log is also somewhat strange:
Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route
filtering turned on, KLIPS may not work Sep 28 14:26:52 firewall
Did you also have that warning with 2.2.3? You can turn off route filtering
by setting spoofprotect=no in lrcfg -> 1) Network configuration -> 2)
network options file (/etc/network/options)

Eric Spakman

 Hi
 I am setting up uClibc 2.3rc1.
 I have copied the ipsec.conf file from my uClibc 2.23 box which has
 always worked ok. When starting up I get the following errors
 in auth.log:

 Sep 28 13:57:09 firewall pluto[21197]: no public interfaces found


 in daemon.log:

 Sep 28 13:57:07 firewall ipsec_setup: no default route, %defaultroute
 cannot cope!!! Sep 28 13:57:08 firewall ipsec_setup: ...Openswan IPsec
 started Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error
 in w2k: %defaultroute requested but not known
 Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in
 net-net: %defaultroute requested but not known


 When the box finishes starting if I type ipsec setup restart  it runs
 fine.

 Sep 28 14:26:50 firewall ipsec_setup: Stopping Openswan IPsec...
 Sep 28 14:26:50 firewall ipsec_setup: stop ordered, but IPsec does
 not appear to be running! Sep 28 14:26:50 firewall ipsec_setup: doing
 cleanup anyway... Sep 28 14:26:51 firewall ipsec_setup: ...Openswan IPsec
 stopped Sep 28 14:26:51 firewall ipsec_setup: Starting Openswan IPsec
 1.0.9...
 Sep 28 14:26:51 firewall ipsec_setup: Using /lib/modules/ipsec.o
 Sep 28 14:26:51 firewall ipsec_setup: KLIPS debug `none'
 Sep 28 14:26:52 firewall ipsec_setup: KLIPS ipsec0 on ppp0
 220.245.99.4 peer 202.7.162.162/32
 Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route
 filtering turned on, KLIPS may not work Sep 28 14:26:52 firewall
 ipsec_setup:  (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)
 Sep 28 14:26:52 firewall ipsec_setup: ...Openswan IPsec started


 Here is my setup:
 # basic configuration
 config setup interfaces=%defaultroute klipsdebug=none plutodebug=none
 plutoload=%search plutostart=%search uniqueids=yes



 # defaults for subsequent connection descriptions
 conn %default keyingtries=0

 conn net-net authby=rsasig left=220.245.99.4 leftsubnet=192.168.1.0/24
 leftrsasigkey=[keyid AQON] leftnexthop=%defaultroute right=220.244.10.142
 rightsubnet=192.168.0.0/27 rightrsasigkey=[keyid AQN7]
 rightnexthop=%defaultroute pfs=yes auto=add

 conn w2k authby=rsasig left=220.245.99.4 leftsubnet=192.168.1.0/24
 leftnexthop=%defaultroute leftrsasigkey=%cert leftcert=fwCert.pem
right=%any
  rightrsasigkey=%cert leftid=CN=fw pfs=yes auto=add #


 Any ideas on what might be happening?
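An added check for the route-filtering warning Eric discusses above, not LEAF or Openswan code: it reads the same /proc entries the ipsec_setup message quotes (`/proc/sys/net/ipv4/conf/<if>/rp_filter`), lists every interface that still filters, and can clear the flag on just the interface KLIPS runs on, so the spoof protection stays active on the other interfaces instead of being switched off for the whole box with spoofprotect=no. The function names and the optional PROC_ROOT parameter (there so the check can run against a copy of the tree) are my assumptions.

```shell
#!/bin/sh
# Added example (not LEAF/Openswan code): report and adjust per-interface
# reverse-path filtering.  Function names and PROC_ROOT are assumptions.

# rp_filter_on [PROC_ROOT]: print one name per line for every interface
# whose rp_filter is non-zero, skipping the 'all' and 'default' entries.
rp_filter_on() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for d in "$root"/*/; do
        d=${d%/}
        name=${d##*/}
        [ "$name" = all ] && continue
        [ "$name" = default ] && continue
        [ -r "$d/rp_filter" ] || continue
        read -r val < "$d/rp_filter" || continue
        [ "$val" = 0 ] || echo "$name"
    done
}

# rp_filter_count [PROC_ROOT]: number of interfaces still filtering, for
# use in scripts ("0" means ipsec_setup has nothing to warn about).
rp_filter_count() {
    rp_filter_on "$1" | wc -l | tr -d ' '
}

# rp_filter_set IFACE VALUE [PROC_ROOT]: write 0 or 1 to one interface's
# rp_filter entry (needs root on a live /proc).  Returns 2 on a bad
# value and 1 when the interface has no entry yet, e.g. ppp0 before pppd
# has created it.
rp_filter_set() {
    root=${3:-/proc/sys/net/ipv4/conf}
    case "$2" in
        0|1) ;;
        *) echo "rp_filter_set: value must be 0 or 1" >&2; return 2 ;;
    esac
    [ -w "$root/$1/rp_filter" ] || { echo "rp_filter_set: no entry for $1" >&2; return 1; }
    echo "$2" > "$root/$1/rp_filter"
}

# Run as: sh rp-filter.sh --report          (list filtering interfaces)
#         sh rp-filter.sh --clear ppp0      (turn it off for one interface)
case "${1:-}" in
    --report) rp_filter_on ;;
    --clear)  rp_filter_set "${2:-ppp0}" 0 ;;
esac
```

Because ppp0 only gets its /proc entry once pppd has brought it up, `--clear ppp0` belongs in the ppp ip-up hook rather than in a boot-time script, which is the same ordering problem the rest of this thread is about.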















[leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-27 Thread Richard Saunders

Hi
I am setting up uClibc 2.3rc1.
I have copied the ipsec.conf file from my uClibc 2.23 box which has 
always worked ok.

When starting up I get the following errors
in auth.log:

Sep 28 13:57:09 firewall pluto[21197]: no public interfaces found

in daemon.log:

Sep 28 13:57:07 firewall ipsec_setup: no default route, %defaultroute 
cannot cope!!!

Sep 28 13:57:08 firewall ipsec_setup: ...Openswan IPsec started
Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in 
w2k: %defaultroute requested but not known
Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in 
net-net: %defaultroute requested but not known


When the box finishes starting, if I type ipsec setup restart it runs fine.

Sep 28 14:26:50 firewall ipsec_setup: Stopping Openswan IPsec...
Sep 28 14:26:50 firewall ipsec_setup: stop ordered, but IPsec does 
not appear to be running!

Sep 28 14:26:50 firewall ipsec_setup: doing cleanup anyway...
Sep 28 14:26:51 firewall ipsec_setup: ...Openswan IPsec stopped
Sep 28 14:26:51 firewall ipsec_setup: Starting Openswan IPsec 1.0.9...
Sep 28 14:26:51 firewall ipsec_setup: Using /lib/modules/ipsec.o
Sep 28 14:26:51 firewall ipsec_setup: KLIPS debug `none'
Sep 28 14:26:52 firewall ipsec_setup: KLIPS ipsec0 on ppp0 
220.245.99.4 peer 202.7.162.162/32
Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route 
filtering turned on, KLIPS may not work
Sep 28 14:26:52 firewall 
ipsec_setup:  (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)

Sep 28 14:26:52 firewall ipsec_setup: ...Openswan IPsec started

Here is my setup:
# basic configuration
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes



# defaults for subsequent connection descriptions
conn %default
keyingtries=0

conn net-net
authby=rsasig
left=220.245.99.4
leftsubnet=192.168.1.0/24
leftrsasigkey=[keyid AQON]
leftnexthop=%defaultroute
right=220.244.10.142
rightsubnet=192.168.0.0/27
rightrsasigkey=[keyid AQN7]
rightnexthop=%defaultroute
pfs=yes
auto=add

conn w2k
authby=rsasig
left=220.245.99.4
leftsubnet=192.168.1.0/24
leftnexthop=%defaultroute
leftrsasigkey=%cert
leftcert=fwCert.pem
right=%any
rightrsasigkey=%cert
leftid=CN=fw
pfs=yes
auto=add
#

Any ideas on what might be happening?


Re: [leaf-user] IPSEC md5sum not found

2005-05-09 Thread Charles Steinkuehler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Tibbs, Richard wrote:
| Dear list:
| I have a subnet-to-subnet ipsec tunnel that is not coming up, and an
| ipsec barf shows several
| md5sum not found messages in association with all of the secrets.
|
| I looked through the ipsec.conf man page with no luck to find some way
| to generate the md5 checksum.
|
| Is this a fatal error?
No.  The ipsec barf tool is trying to create an MD5 sum of your PSK, to
avoid posting it 'in the clear' as debugging information.  There *IS* no
md5sum utility on most leaf systems, hence your error.
I'm still awaiting enough free cycles to crawl through the ipsec barf you
sent...
- --
Charles Steinkuehler
[EMAIL PROTECTED]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFCf3b+LywbqEHdNFwRAin9AJ0cjqPVLNsVsHTYC7eaxSzwN5yadwCfebGl
zpK8wg9xxkyGGCiqUhK/1yA=
=1f9u
-END PGP SIGNATURE-


RE: [leaf-user] IPSEC md5sum not found

2005-05-09 Thread Tibbs, Richard
Thanks Charles!
I have plenty of other mysteries to explore.
Rick.

-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 09, 2005 10:43 AM
To: Tibbs, Richard
Cc: Bering List
Subject: Re: [leaf-user] IPSEC md5sum not found

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Tibbs, Richard wrote:

| Dear list:
| I have a subnet-to-subnet ipsec tunnel that is not coming up, and an
| ipsec barf shows several
| md5sum not found messages in association with all of the secrets.
|
| I looked through the ipsec.conf man page with no luck to find some way
| to generate the md5 checksum.
|
| Is this a fatal error?

No.  The ipsec barf tool is trying to create an MD5 sum of your PSK, to
avoid posting it 'in the clear' as debugging information.  There *IS* no
md5sum utility on most leaf systems, hence your error.

I'm still awaiting enough free cycles to crawl through the ipsec barf
you
sent...

- --
Charles Steinkuehler
[EMAIL PROTECTED]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFCf3b+LywbqEHdNFwRAin9AJ0cjqPVLNsVsHTYC7eaxSzwN5yadwCfebGl
zpK8wg9xxkyGGCiqUhK/1yA=
=1f9u
-END PGP SIGNATURE-



[leaf-user] IPSEC md5sum not found

2005-05-08 Thread Tibbs, Richard

Dear list:
I have a subnet-to-subnet ipsec tunnel that is not coming up, and an 
ipsec barf shows several
md5sum not found messages in association with all of the secrets.

I looked through the ipsec.conf man page with no luck to find some way
to generate the md5 checksum.

Is this a fatal error?

TIA, 
Rick.



Re: [leaf-user] IPSEC md5sum not found

2005-05-08 Thread Erich Titl
Rick
Tibbs, Richard wrote:
Dear list:
I have a subnet-to-subnet ipsec tunnel that is not coming up, and an 
ipsec barf shows several
md5sum not found messages in association with all of the secrets.

I looked through the ipsec.conf man page with no luck to find some way
to generate the md5 checksum.
Let us know more. Do you use PSK, RSA keys or certificates?
Is this a fatal error?
Fatal in the sense of lethal, no, but apparently your tunnel does not 
come up.

Post your barf output (not too much mangled) somewhere on the net so we 
can have a look.

cheers
Erich



RE: [leaf-user] IPSEC md5sum not found

2005-05-08 Thread Tibbs, Richard
Actually, the errors are only on PSK lines in ipsec.secrets.
I have transitioned to certificates, but no errors there.
I left the PSK lines in to go back if desired.
Rick.

-Original Message-
From: Erich Titl [mailto:[EMAIL PROTECTED] 
Sent: Sunday, May 08, 2005 12:26 PM
To: Tibbs, Richard
Cc: Bering List
Subject: Re: [leaf-user] IPSEC md5sum not found

Rick

Tibbs, Richard wrote:
 Dear list:
 I have a subnet-to-subnet ipsec tunnel that is not coming up, and an 
 ipsec barf shows several
 md5sum not found messages in association with all of the secrets.
 
 I looked through the ipsec.conf man page with no luck to find some way
 to generate the md5 checksum.

Let us know more. Do you use PSK, RSA keys or certificates?

 
 Is this a fatal error?

Fatal in the sense of lethal, no, but apparently your tunnel does not 
come up.

Post your barf output (not too much mangled) somewhere on the net so we 
can have a look.

cheers

Erich



RE: [leaf-user] ipsec - no support for interface aliases

2005-04-20 Thread Eric Spakman
Hello Cpu,

Thanks for your fix. I'd like some more feedback from other users so this can be 
added to the ipsec package. Anyone who can also test this?

Eric 

-Original Message-
From: cpu memhd[EMAIL PROTECTED]
Sent: 19-4-05 18:50:02
To: leaf-user@lists.sourceforge.netleaf-user@lists.sourceforge.net
Subject: [leaf-user] ipsec - no support for interface aliases

Seems like the ipsec scripts rely heavily on ifconfig but that utility
is not available on bering-uclibc. There are lots of modifications to
make it work with the ip command. I was able to overcome this problem
by replacing this line in _startklips:

eval `ip addr show $phys primary | grep inet | sed -n 1p |

With this:

eval `ip addr show ${phys%%:*} label $phys | grep inet | sed -n 1p |

Before:

Device eth2:0 does not exist.

After:

inet 192.168.8.10/16 brd 192.168.8.255 scope global secondary eth2:0

If there is no ethx:xxx label, the above modification still works (eg.
ip addr show eth0 label eth0).

Just thought I'd mention this because I think it's important enough to
change. Openswan does support aliased interfaces and it's the only way
to use a secondary ip, that I know of at least.



[leaf-user] ipsec - no support for interface aliases

2005-04-19 Thread cpu memhd
Seems like the ipsec scripts rely heavily on ifconfig but that utility
is not available on bering-uclibc. There are lots of modifications to
make it work with the ip command. I was able to overcome this problem
by replacing this line in _startklips:

eval `ip addr show $phys primary | grep inet | sed -n 1p |

With this:

eval `ip addr show ${phys%%:*} label $phys | grep inet | sed -n 1p |

Before:

Device eth2:0 does not exist.

After:

inet 192.168.8.10/16 brd 192.168.8.255 scope global secondary eth2:0

If there is no ethx:xxx label, the above modification still works (eg.
ip addr show eth0 label eth0).

Just thought I'd mention this because I think it's important enough to
change. Openswan does support aliased interfaces and it's the only way
to use a secondary ip, that I know of at least.
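The one-line change to _startklips above (quoted twice in this thread) hinges on two things: the POSIX expansion ${phys%%:*}, which strips an alias suffix so "eth2:0" becomes the real device "eth2", and the "label" filter of ip addr show, which then picks out only the inet line carrying that alias. The following is an added example, not part of cpu memhd's patch or of the LEAF ipsec package: it reproduces that selection offline against a constructed ip addr show listing (the SAMPLE_IP_OUTPUT text and the function names are this example's own), so you can see why the old "ip addr show $phys primary" form cannot find an aliased interface while the labelled form can.

```shell
#!/bin/sh
# Added example (not code from the thread or the ipsec package).
# Shows the two pieces the _startklips fix relies on:
#   1. ${phys%%:*} turns an alias name like "eth2:0" into the device "eth2"
#   2. filtering inet lines by their label selects the alias's address

# Arguments the patched line hands to "ip addr show".
# For a plain device the label equals the device: "eth0" -> "eth0 label eth0".
klips_ip_args() {
    phys="$1"
    printf '%s label %s\n' "${phys%%:*}" "$phys"
}

# Constructed sample of "ip addr show eth2" output (not captured from a real box).
# Note there is no kernel device called "eth2:0"; the alias exists only as a label.
SAMPLE_IP_OUTPUT='4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.1/16 brd 192.168.255.255 scope global eth2
    inet 192.168.8.10/16 brd 192.168.8.255 scope global secondary eth2:0
    inet6 fe80::211:22ff:fe33:4455/64 scope link'

# Emulates "ip addr show <dev> label <label> | grep inet | sed -n 1p" against the
# sample text: print the first inet address whose trailing label matches.
# Prints nothing when the label is not present (the failure mode the old form hit).
addr_for_label() {
    label="$1"
    printf '%s\n' "$SAMPLE_IP_OUTPUT" \
        | awk -v l="$label" '$1 == "inet" && $NF == l { print $2; exit }'
}

# Stand-alone demo.
for phys in eth2 eth2:0 eth3; do
    echo "phys=$phys -> ip addr show $(klips_ip_args "$phys") -> ${phys}: $(addr_for_label "$phys")"
done
```

Run it as-is to see that "eth2:0" resolves to 192.168.8.10/16 through the label while "eth3" yields nothing; on a real box replace the sample text with the output of ip addr show for the base device.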


[leaf-user] ipsec problem

2005-01-21 Thread Tibbs, Richard

Dear list, sorry for long post.

I am having an issue with IPsec.  
I have a WinXP machine that can build a successful SA just outside
office firewall (Bering 1.2) in road-warrior mode, but not from behind
another bering 1.2 home firewall.  Nat traversal patch is on  WinXP.

home-subnet - homefw --ethsw -- internet --ethsw-
officefw--offic-sub
192.168.1.0   |  |  192.168.10.0
Winxp   (.3)  |  |  
won't work here will work  Will work

I have moved the laptop farther away from office fw and as soon as I am
behind a NAT device, I get this message from officefw:

road-warrior[4] 216.x.y.z #5: no suitable connection for peer
'192.168.1.3'  

What could be wrong here?
TIA,
Rick

The ipsec configs of both firewalls are displayed below.

When trying to tunnel from home,
The auth.log on office fw says
Jan 21 18:31:46 firewall pluto[1025]: packet from 216.x.y.z:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 0004]
Jan 21 18:31:46 firewall pluto[1025]: packet from 216.x.y.z:500:
ignoring Vendor ID payload [4048b7d56ebce885...]
Jan 21 18:31:46 firewall pluto[1025]: packet from 216.x.y.z:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan 21 18:31:46 firewall pluto[1025]: packet from 216.x.y.z:500:
ignoring Vendor ID payload [26244d38eddb61b3...]
Jan 21 18:31:46 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
responding to Main Mode from unknown peer 216.x.y.z
Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no
suitable connection for peer '192.168.1.3'
Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:31:48 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:48 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no
suitable connection for peer '192.168.1.3'
Jan 21 18:31:48 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:31:50 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:50 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no
suitable connection for peer '192.168.1.3'
Jan 21 18:31:50 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:31:54 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:54 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no
suitable connection for peer '192.168.1.3'
Jan 21 18:31:54 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:32:02 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:32:02 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no
suitable connection for peer '192.168.1.3'
Jan 21 18:32:02 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:32:18 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:32:18 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no
suitable connection for peer '192.168.1.3'
Jan 21 18:32:18 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
sending notification INVALID_ID_INFORMATION to 216.x.y.z:500

firewall: -root-
 
== office ipsec.conf


# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
#interfaces=ipsec0=eth0
# Debug-logging controls:  none for (almost) none, all for
lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup
actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
nat_traversal=no


# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means
very).
keyingtries=0
# RSA authentication with keys from DNS.
#authby=rsasig  
# Authentication by pre-shared secret key
authby=secret
right=%defaultroute
#left=%defaultroute
rightsubnet=192.168.10.0/24
#leftnexthop=%direct
rightfirewall=yes
pfs=yes
auto=add
#leftrsasigkey=%dns
#rightrsasigkey=%dns

conn road-warrior
left=%any



= home ipsec.conf


# basic configuration
config setup
# THIS 

Re: [leaf-user] ipsec problem

2005-01-21 Thread Charles Steinkuehler
Tibbs, Richard wrote:
Dear list, sorry for long post.
I am having an issue with IPsec.  
I have a WinXP machine that can build a successful SA just outside
office firewall (Bering 1.2) in road-warrior mode, but not from behind
another bering 1.2 home firewall.  Nat traversal patch is on  WinXP.

home-subnet - homefw --ethsw -- internet --ethsw- officefw--offic-sub
192.168.1.0   |  |  192.168.10.0
Winxp   (.3)  |  |  
won't work here will work  Will work

I have moved the laptop farther away from office fw and as soon as I am
behind a NAT device, I get this message from officefw:
road-warrior[4] 216.x.y.z #5: no suitable connection for peer
'192.168.1.3'  

What could be wrong here?
I'm not sure exactly what's wrong, but the errors in the log tickle my 
memory, especially:

Jan 21 18:31:46 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
responding to Main Mode from unknown peer 216.x.y.z
Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5:
Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no
suitable connection for peer '192.168.1.3'
The last message indicates a problem with your connection description (the 
information provided while negotiating an SA doesn't match anything in 
ipsec.conf).  It looks to me like IPSec is defaulting to using the IP 
address as its identifier, and you may be running into problems when this 
doesn't match the 'visible' IP of the connection on the other end (due to NAT).

Try putting [left|right]id stanzas in your ipsec.conf file(s).  I like to 
use unresolved names, i.e.: [EMAIL PROTECTED] (see ipsec.conf 
man page for details and other options).

Also, you mention enabling nat-traversal on the XP machine, but your 
connection defaults set nat_traversal=no, and the road-warrior connection 
descriptions don't seem to override this.  This mis-match could also be 
causing your problem (or adding to it).

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] ipsec problem

2005-01-21 Thread Charles Steinkuehler
Tibbs, Richard wrote:
Charles, 
On the nat-traversal issue in bering fws -- I thought that parameter was
if there was a router downstream that would subsequently nat the
connection.   I had an exchange with Microsoft about the need for a
patch on the XP (or any machine) going through a nat box like bering.
And I think a while back someone on the list volunteered that
nat_traversal=yes was ineffective. 
There is a NAT box...the home FW between your XP system and the internet.
The nat_traversal=yes could be ineffective...I don't use nat_traversal, so 
I'm not sure.  IIRC it's not something that can be negotiated at connection 
time, however, so both ends need to be setup with agreeing NAT-T settings at 
configuration time.

Let me try a domain name in my XP IPsec config, as well as -- I think --
the office fw config. Right?  
IOW, here is my current xp box security policy on the outbound
direction:
Mirr Desc Proto srcport destport srcDNS Scraddr   destDNS  destaddr
Y	-   any	 any	any	myIPmyIP/32 Subnet
192.168.10.0/24
 and  for inbound.
Y	-   any	 any	any  Subnet 192.168.10.0/24 myIPmyIP/32

So, at least the destdns for inbound needs to be mydomain.com
and office fw ipsec.conf should have
leftid = mydomain.com ?
I don't grok XP ipsec config, and the above looks more like firewall rules 
than an IPSec connection config.  If this were two linux boxen, they should 
have something like the following in the config files on *BOTH* ends of the 
link:

conn roadwarrior
[EMAIL PROTECTED]
[EMAIL PROTECTED]
...
NOTES:
- These ID's could also go in conn %default, an included file, etc.
- The @ sign is important!  If you don't include the @, the name is resolved 
and the IP address is used as the identifier, typically *NOT* what you want 
(you're defaulting to the IP address of ipsec0 for the identifier already, 
by not specifying [left|right]id).

- The ID's provided/expected by each end must match, (along with other 
settings, like [L|R]subnet, etc) or you'll get the 'no suitable connection' 
error.

- I don't know how you specify this sort of ID in XP...perhaps google can 
help you.

BTW, don't know if it matters but I notice that the homefw ipsec conf has
both
left=216.12.22.89 
left=%deafultroute.

Could that be any problem?
It could, but I suspect the latter value simply overwrites the earlier one 
(check the man page and your log files to be sure).

One other issue that might be causing you problems:  Are you establishing 
any IPSec links between your home FW and the office FW?  If so, the problem 
could be that the office FW is getting confused by the fact that you've got 
multiple connections coming from the same IP address, which already has 
identity information associated with it (this would also explain the errors 
in the log about no valid connection description).  Using explicit IDs might 
help you, but it might not (depends on what your other tunnels are like, as 
there are limitations based on when various information is transferred and 
how ipsec figures out which connection description to use).

Your fundamental problem is that the office FW can't figure out which 
connection description applies to the inbound connections from your XP box, 
and this is pretty much by definition a configuration problem (or a problem 
with the architecture of your network not properly taking into account the 
limitations of identifying inbound ipsec connections).  If using explicit 
IDs doesn't get you anywhere, try to up the debugging level and post more 
information from your logs when trying to get the XP box to connect.

--
Charles Steinkuehler
[EMAIL PROTECTED]
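Charles's two replies above boil down to three things to check in ipsec.conf before touching the debug level: an id without a leading @ is resolved and the IP address becomes the identifier; a key set twice inside one conn (the left= pair in the home config) has its first value silently overridden; and a road-warrior conn (right=%any or left=%any) while config setup says nat_traversal=no does not match a peer that has NAT-T enabled. As an added example, not Charles's code and not part of any LEAF package, here is a small POSIX shell/awk lint that reports exactly those three conditions over a constructed sample config (SAMPLE_CONF, the hostnames in it and the function names are this example's own; the 216.12.22.89 address is the one quoted from the home config in the thread).

```shell
#!/bin/sh
# Added example (not from the thread): lint an ipsec.conf (FreeS/WAN/Openswan
# syntax) for the three misconfigurations discussed above.

# Constructed sample that deliberately contains all three problems.
SAMPLE_CONF='config setup
    interfaces=%defaultroute
    nat_traversal=no

conn %default
    authby=secret
    pfs=yes

conn roadwarrior
    left=216.12.22.89
    left=%defaultroute
    leftid=fw.example.com
    right=%any
    rightid=@laptop.example.com
    auto=add'

# Prints one finding per line; prints nothing for a clean config.
lint_ipsec_conf() {
    printf '%s\n' "$1" | awk '
        # skip comments and blank lines
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # "conn NAME" / "config setup" open a new section
        /^(conn|config)[ \t]/ { section = $2; next }
        {
            sub(/^[ \t]+/, "")
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            # 1. same key twice in one section: the later value wins silently
            if ((section, key) in seen)
                printf "%s: %s set twice (%s, then %s)\n", section, key, seen[section, key], val
            seen[section, key] = val
            # 2. leftid/rightid without "@" (and not a %keyword) is resolved to an IP
            if ((key == "leftid" || key == "rightid") && val !~ /^[@%]/)
                printf "%s: %s=%s has no leading @ and will be resolved to an IP address\n", section, key, val
            # 3. remember the NAT-T setting and any road-warrior conns for the end check
            if (key == "nat_traversal") natt = val
            if ((key == "left" || key == "right") && val == "%any") roadwarrior[section] = 1
        }
        END {
            if (natt == "no")
                for (c in roadwarrior)
                    printf "%s: road-warrior conn while config setup has nat_traversal=no\n", c
        }'
}

# Stand-alone demo.
lint_ipsec_conf "$SAMPLE_CONF"
```

On the sample this prints three findings (the duplicate left=, the unprefixed leftid, and the NAT-T mismatch for conn roadwarrior); feed it your own file with lint_ipsec_conf "$(cat /etc/ipsec.conf)". It only reads the file, so it is safe to run on a live gateway.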


Re: [leaf-user] IPSEC pluto errors

2004-11-25 Thread Erich Titl
Scott A. Young wrote:
Erich, thanks for the info.  

So then I *_do_* need to generate certificates even if I'm just using
pre-shared keys?
 

AFAIK _no_, just make sure you do not have an empty file where a cert 
would be searched for. The code I looked at would do that weird thing 
with a file of length zero.

Erich


RE: [leaf-user] IPSEC pluto errors

2004-11-25 Thread Scott A. Young
Erich, thanks for the info.  

So then I *_do_* need to generate certificates even if I'm just using
pre-shared keys?

Scott.

-
Scott Young
Network Integration Solutions Inc.
Phone: 780-461-3371
Fax: 780-465-7270
email: [EMAIL PROTECTED]
  

 -Original Message-
 From: Erich Titl [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, November 23, 2004 6:04 AM
 To: Scott A. Young
 Cc: [EMAIL PROTECTED]
 Subject: Re: [leaf-user] IPSEC pluto errors
 
 Scott
 
 Scott A. Young wrote:
 
 Hi All, I'm also back on the subnet-to-subnet ipsec setup.  
 Even with 
 all the info on the list and archives, I'm at a loss.
 
 Both ends of connection are bering-uclibc v2.2.1 boxes w/ipsec.  
 According to the bering userguide chapter 15, you don't need 
 certificates if you're using pre-shared keys.  But, I'm getting the 
 following errors, and I'm wondering if it's related somehow.
 
 
 So what's up with the FATAL ERROR?   It would seem without 
 pluto, my ipsec
 configuration is unable to start?
 
 I can supply full details if required, but I'm hoping it's something 
 much simpler than that.
   
 
 I had a look at the code, is it possible that you have an 
 empty certificate file, possibly called cert?
 Else you can contact Andreas Steffen on the StrongSwan list.
 
 cheers
 Erich
 
 
 



Re: [leaf-user] IPSEC pluto errors

2004-11-23 Thread Erich Titl
Scott
Scott A. Young wrote:
Hi All, I'm also back on the subnet-to-subnet ipsec setup.  Even with all the
info on the list and archives, I'm at a loss.
Both ends of connection are bering-uclibc v2.2.1 boxes w/ipsec.  According to
the bering userguide chapter 15, you don't need certificates if you're using
pre-shared keys.  But, I'm getting the following errors, and I'm wondering if
it's related somehow.

So what's up with the FATAL ERROR?   It would seem without pluto, my ipsec
configuration is unable to start?
I can supply full details if required, but I'm hoping it's something much
simpler than that.
 

I had a look at the code, is it possible that you have an empty 
certificate file, possibly called cert?
Else you can contact Andreas Steffen on the StrongSwan list.

cheers
Erich



RE: [leaf-user] IPSEC subnet routing

2004-11-23 Thread Troy Aden
Hello again. 
I have fought with this for a week now and I must be missing something.
First of all, if I use a conn statement that has %defaultroute for right=,
I get an error that the statement does not exist. However, if I use a
right=(IP) and rightnexthop=(gateway), the conn statement works fine. Can
anyone explain this?
But... None of the conn statements below work. My guess is that the conn
statements that contain the also= parameter must be missing something. So
I added esp=aes and auto=start or auto=add depending on the side of the
connection. Still no joy. 
Can anyone please tell me what I am doing wrong here? If you need error
logs, I can provide them.

Thanks in advance!

Troy.   

-Original Message-
From: Erich Titl [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 3:30 AM
Cc: Troy Aden; Leaf-User (E-mail)
Subject: Re: [leaf-user] IPSEC subnet routing


Looking at my mail there are a few typos. Long live cut and paste :-(

Erich Titl wrote:

Troy

It is a bit confusing for me, as I am always using left for the local
system, right for the remote.

Assumptions 

S'Toon 

external IP address 135.115.157.162
internal networks 192.168.161.0/24 192.168.162.0/24 192.168.163.0/24

Victoria 
external IP address 24.35.38.129
internal network 172.0.0.0/8

Please observe the difference in auto= between the two systems, only one
should start the connection.

At 18:59 15.11.2004 -0600, Troy Aden wrote:
  

First of all, thanks so much for the quick reply! I am sorry to bug you a
second time but I need some baby steps here.
Can you please give me a example with the configs I provided. I need to
see
the also=common_conn_params in terms of my config.
For example, if I had a 192.168.161.0/24,
192.168.162.0/24,192.168.163.0/24,
networks on router A side. And I wanted Router B to connect to ONLY those
subnets. Can you please type in exactly what I would need on both router
A
(S'toon) and router B (Victoria). From that, I should be able to figure
out
what I need to do to be more precise about the Router B networks within
the
172.0.0.0/8 range. 

Again. Thanks in advance!!! Sorry to be a pain.

Troy.




Router A (S'toon)
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls:  none for (almost) none, all for
lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup
actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes


# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# RSA authentication with keys from DNS.
authby=secret
pfs=yes

conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore

conn victoria
right=%defaultroute
left=24.35.38.129
leftsubnet=172.0.0.0/8
esp=aes
auto=start

conn victoria_1
also=victoria
rightsubnet=192.168.161.0/24

conn victoria_2
also=victoria
rightsubnet=192.168.162.0/24

conn victoria_3
also=victoria
rightsubnet=192.168.163.0/24


Router B (Victoria)

# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls:  none for (almost) none, all for
lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup
actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes



# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# RSA authentication with keys from DNS.
authby=secret
pfs=yes

conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore


conn stoon
right=%defaultroute
rightsubnet=172.0.0.0/8
left=135.115.157.162
esp=aes
auto=add

conn stoon_1
also=stoon
leftsubnet=192.168.161.0/24

conn stoon_2
also=stoon
leftsubnet=192.168.162.0/24

conn stoon_3
also=stoon
leftsubnet=192.168.163.0/24


HTH
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16

Re: [leaf-user] IPSEC subnet routing

2004-11-23 Thread Erich Titl
Troy
Troy Aden wrote:
Hello again. 
I have fought with this for a week now and I must be missing something.
First of all, if I use a conn statement that has %defaultroute for right=,
I get an error that the statement does not exist. However, if I use a
right=(IP) and rightnexthop=(gateway), the conn statement works fine. Can
anyone explain this?
But... None of the conn statements below work. My guess is that the conn
statements that contain the also= parameter must be missing something. So
I added esp=aes and auto=start or auto=add depending on the side of the
connection. Still no joy. 
Can anyone please tell me what I am doing wrong here? If you need error
logs, I can provide them.
 

Try to put the connection referenced by the also statement at the end
of your file.

Here are the files I use; it's still 1.99 but it should not matter.
  kerberos
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
   # THIS SETTING MUST BE CORRECT or almost nothing will work;
   # %defaultroute is okay for most simple cases.
   interfaces=%defaultroute
   # Debug-logging controls:  none for (almost) none, all for lots.
   klipsdebug=none
   plutodebug=none
   #plutodebug=all
   # Use auto= parameters in conn descriptions to control startup actions.
   plutoload=%search
   plutostart=%search
   # Close down old connection when new one using same ID shows up.
   uniqueids=yes


# defaults for subsequent connection descriptions
conn %default
   # How persistent to be in (re)keying negotiations (0 means very).
   keyingtries=0
   # RSA authentication with keys from DNS.
   authby=rsasig
   leftrsasigkey=%dns
   rightrsasigkey=%dns
include /etc/ipsec.d/connections/test
 /etc/ipsec.d/connections/test
#
# this is the barebone description of multiple connections through
# the same ipsec endpoints
#
conn test_to_dmz
   also=test
   leftsubnet=195.141.2.160/27
   auto=add
conn test
   ike=aes
   esp=aes
   left=%defaultroute
   leftcert=aspcert.pem
   leftrsasigkey=%cert
   right=%any
   rightsubnet=10.250.99.0/24
   rightrsasigkey=%cert
   rightid="C=CH,L=Schlieren,O=RUF Gruppe,OU=ASP Plus,CN=test.asp.ruf.ch"
   keylife=10m
   rekeymargin=3m
   rekeyfuzz=150%


right = remote
left = local
HTH
Erich
---
SF email is sponsored by - The IT Product Guide
Read honest  candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] IPSEC subnet routing

2004-11-16 Thread Fabrice Theoleyre
For the also parameter :
# defaults for subsequent connection descriptions
conn %default
   # How persistent to be in (re)keying negotiations (0 means very).
   keyingtries=0
   # RSA authentication with keys from DNS.
   authby=secret
   right=135.115.157.162
   rightsubnet=192.168.0.0/16
   rightnexthop=135.115.157.224
   pfs=yes
conn block
   auto=ignore
conn private
   also=block
conn private-or-clear
   also=block
conn clear
   also=block
conn packetdefault
   also=block
conn victoria
   left=24.35.38.129
   leftsubnet=172.0.0.0/8
   leftnexthop=24.35.38.1
   esp=aes
   auto=start
For the subnets, you can specify a leftsubnet=192.168.160/22, but the subnet 192.168.160.0/24 will be routed too. 
I don't know any other way to specify several subnets for one connection.

You can perhaps specify several connections :
conn victoria_1
   left=24.35.38.129
   leftsubnet=192.168.161.0/24
   leftnexthop=24.35.38.1
   esp=aes
   auto=start
conn victoria_2
   also=victoria_1
   leftsubnet=192.168.162.0/24
conn victoria_3
   also=victoria_1
   leftsubnet=192.168.163.0/24
But I never tested it, and I find it not very elegant...
Fabrice

Troy Aden wrote:
First of all, thanks so much for the quick reply! I am sorry to bug you a
second time but I need some baby steps here.
Can you please give me an example with the configs I provided. I need to see
the also=common_conn_params in terms of my config.
For example, if I had a 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24,
networks on router A side. And I wanted Router B to connect to ONLY those
subnets. Can you please type in exactly what I would need on both router A
(S'toon) and router B (Victoria). From that, I should be able to figure out
what I need to do to be more precise about the Router B networks within the
172.0.0.0/8 range. 

Again. Thanks in advance!!! Sorry to be a pain.
Troy.
Router A (S'toon)
# basic configuration
config setup
   # THIS SETTING MUST BE CORRECT or almost nothing will work;
   # %defaultroute is okay for most simple cases.
   interfaces=%defaultroute
   # Debug-logging controls:  none for (almost) none, all for lots.
   klipsdebug=none
   plutodebug=none
   # Use auto= parameters in conn descriptions to control startup actions.
   plutoload=%search
   plutostart=%search
   # Close down old connection when new one using same ID shows up.
   uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
   # How persistent to be in (re)keying negotiations (0 means very).
   keyingtries=0
   # RSA authentication with keys from DNS.
   authby=secret
   right=135.115.157.162
   rightsubnet=192.168.0.0/16
   rightnexthop=135.115.157.224
   pfs=yes
conn block
   auto=ignore
conn private
   auto=ignore
conn private-or-clear
   auto=ignore
conn clear
   auto=ignore
conn packetdefault
   auto=ignore
conn victoria
   left=24.35.38.129
   leftsubnet=172.0.0.0/8
   leftnexthop=24.35.38.1
   esp=aes
   auto=start
Router B (Victoria)
# basic configuration
config setup
   # THIS SETTING MUST BE CORRECT or almost nothing will work;
   # %defaultroute is okay for most simple cases.
   interfaces=%defaultroute
   # Debug-logging controls:  none for (almost) none, all for lots.
   klipsdebug=none
   plutodebug=none
   # Use auto= parameters in conn descriptions to control startup actions.
   plutoload=%search
   plutostart=%search
   # Close down old connection when new one using same ID shows up.
   uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
   # How persistent to be in (re)keying negotiations (0 means very).
   keyingtries=0
   # RSA authentication with keys from DNS.
   authby=secret
   right=24.35.38.129
   rightsubnet=172.0.0.0/8
   rightnexthop=24.35.38.1
   pfs=yes
conn block
   auto=ignore
conn private
   auto=ignore
conn private-or-clear
   auto=ignore
conn clear
   auto=ignore
conn packetdefault
   auto=ignore
conn stoon
   left=135.115.157.162
   leftsubnet=192.168.0.0/16
   leftnexthop=135.115.157.224
   esp=aes
   auto=start
 



---
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


RE: [leaf-user] IPSEC subnet routing

2004-11-16 Thread Erich Titl
Troy

It is a bit confusing for me, as I am always using left for the local system, 
right for the remote.

Assumptions 

S'Toon 

external IP address 135.115.157.162
internal networks 192.168.161.0/24 192.168.162.0/24 192.168.163.0/24

Victoria 
external IP address 24.35.38.129
internal network 172.0.0.0/8

Please observe the difference in auto= between the two systems, only one should 
start the connection.

At 18:59 15.11.2004 -0600, Troy Aden wrote:
First of all, thanks so much for the quick reply! I am sorry to bug you a
second time but I need some baby steps here.
Can you please give me an example with the configs I provided. I need to see
the also=common_conn_params in terms of my config.
For example, if I had a 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24,
networks on router A side. And I wanted Router B to connect to ONLY those
subnets. Can you please type in exactly what I would need on both router A
(S'toon) and router B (Victoria). From that, I should be able to figure out
what I need to do to be more precise about the Router B networks within the
172.0.0.0/8 range. 

Again. Thanks in advance!!! Sorry to be a pain.

Troy.


Router A (S'toon)
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls:  none for (almost) none, all for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes


# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# RSA authentication with keys from DNS.
authby=secret
pfs=yes

conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore

conn victoria
right=%defaultroute
left=24.35.38.129
leftsubnet=172.0.0.0/8
esp=aes
auto=start

conn victoria_1
also=victoria
rightsubnet=192.168.161.0/24

conn victoria_2
also=victoria
rightsubnet=192.168.162.0/24

conn victoria_2
also=victoria
rightsubnet=192.168.163.0/24


Router B (Victoria)

# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls:  none for (almost) none, all for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes



# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# RSA authentication with keys from DNS.
authby=secret
pfs=yes

conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore


conn stoon
right=%defaultroute
rightsubnet=172.0.0.0/8
left=135.115.157.162
esp=aes
auto=add

conn stoon_1
also=stoon
leftsubnet=192.168.161.0/24

conn stoon_1
also=stoon
leftsubnet=192.168.162.0/24

conn stoon_1
also=stoon
leftsubnet=192.168.163.0/24


HTH
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






Re: [leaf-user] IPSEC subnet routing

2004-11-16 Thread Erich Titl
Looking at my mail there are a few typos. Long live cut and paste :-(
Erich Titl wrote:
Troy
It is a bit confusing for me, as I am always using left for the local system, 
right for the remote.
Assumptions 

S'Toon 

external IP address 135.115.157.162
internal networks 192.168.161.0/24 192.168.162.0/24 192.168.163.0/24
Victoria 
external IP address 24.35.38.129
internal network 172.0.0.0/8

Please observe the difference in auto= between the two systems, only one should 
start the connection.
At 18:59 15.11.2004 -0600, Troy Aden wrote:
 

First of all, thanks so much for the quick reply! I am sorry to bug you a
second time but I need some baby steps here.
Can you please give me an example with the configs I provided. I need to see
the also=common_conn_params in terms of my config.
For example, if I had a 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24,
networks on router A side. And I wanted Router B to connect to ONLY those
subnets. Can you please type in exactly what I would need on both router A
(S'toon) and router B (Victoria). From that, I should be able to figure out
what I need to do to be more precise about the Router B networks within the
172.0.0.0/8 range. 

Again. Thanks in advance!!! Sorry to be a pain.
Troy.
   

Router A (S'toon)
# basic configuration
config setup
   # THIS SETTING MUST BE CORRECT or almost nothing will work;
   # %defaultroute is okay for most simple cases.
   interfaces=%defaultroute
   # Debug-logging controls:  none for (almost) none, all for lots.
   klipsdebug=none
   plutodebug=none
   # Use auto= parameters in conn descriptions to control startup actions.
   plutoload=%search
   plutostart=%search
   # Close down old connection when new one using same ID shows up.
   uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
   # How persistent to be in (re)keying negotiations (0 means very).
   keyingtries=0
   # RSA authentication with keys from DNS.
   authby=secret
   pfs=yes
conn block
   auto=ignore
conn private
   auto=ignore
conn private-or-clear
   auto=ignore
conn clear
   auto=ignore
conn packetdefault
   auto=ignore
conn victoria
   right=%defaultroute
   left=24.35.38.129
   leftsubnet=172.0.0.0/8
   esp=aes
   auto=start
conn victoria_1
   also=victoria
   rightsubnet=192.168.161.0/24
conn victoria_2
   also=victoria
   rightsubnet=192.168.162.0/24
conn victoria_3
   also=victoria
   rightsubnet=192.168.163.0/24
Router B (Victoria)
# basic configuration
config setup
   # THIS SETTING MUST BE CORRECT or almost nothing will work;
   # %defaultroute is okay for most simple cases.
   interfaces=%defaultroute
   # Debug-logging controls:  none for (almost) none, all for lots.
   klipsdebug=none
   plutodebug=none
   # Use auto= parameters in conn descriptions to control startup actions.
   plutoload=%search
   plutostart=%search
   # Close down old connection when new one using same ID shows up.
   uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
   # How persistent to be in (re)keying negotiations (0 means very).
   keyingtries=0
   # RSA authentication with keys from DNS.
   authby=secret
   pfs=yes
conn block
   auto=ignore
conn private
   auto=ignore
conn private-or-clear
   auto=ignore
conn clear
   auto=ignore
conn packetdefault
   auto=ignore
conn stoon
   right=%defaultroute
   rightsubnet=172.0.0.0/8
   left=135.115.157.162
   esp=aes
   auto=add
conn stoon_1
   also=stoon
   leftsubnet=192.168.161.0/24
conn stoon_2
   also=stoon
   leftsubnet=192.168.162.0/24
conn stoon_3
   also=stoon
   leftsubnet=192.168.163.0/24
HTH
Erich
THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16


 



Re: [leaf-user] IPSEC subnet routing

2004-11-16 Thread Charles Steinkuehler
Erich Titl wrote:
Troy
Troy Aden wrote:
Hello all, This may seem a silly question but I have not been able to find
any info in any how-to or docs and I am hoping someone here can help me out.
 

http://www.freeswan.org/freeswan_trees/freeswan-1.98b/doc/manpage.d/ipsec.conf.5.html
The question is : How do I setup the IPSEC config so that I route only
specific subnets over the IPSEC tunnel. Currently, I have set it up by
simply using a large subnet mask that encompasses all the networks on either
side of the link. (see my example below) The problem is that I need to be
more granular now and only route specific subnets over the link. I have
played with it for a while now and I can't seem to have more than one subnet
declaration in my default conn statement. For example let's say I want only
192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router
A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are
the only subnets I would like to be able to communicate over the IPSEC
link... Is there a clean way to do this? Please have a look at my configs
below and let me know how I should do this.
 

Define a single connection for each subnet. You can use the also= 
statement to include common parameters.

e.g.
conn xx
also=common_conn_params
rightsubnet=10.0.0.32/27
auto=add  

conn common_conn_params
left=xx.yy.zz.nn
leftsubnet=aa.bb.cc.dd/nn
..
Another option for complex routing problems with IPSec is to switch to using 
host-host tunnels, with another tunneling protocol on top of IPSec 
(typically GRE).  You can then run routing protocols like RIP or BGP across 
the GRE tunnels, or use the kernel routing tables (rather than the IPSec 
configuration) to set up all your subnet routing (if it's not complex or 
dynamic enough to require a routing protocol).

There's a nice picture of the basic idea on the Cisco website:
http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html#diag
--
Charles Steinkuehler
[EMAIL PROTECTED]


[leaf-user] IPSEC pluto errors

2004-11-16 Thread Scott A. Young
Hi All, I'm also back on the subnet-to-subnet ipsec setup.  Even with all the
info on the list and archives, I'm at a loss.

Both ends of connection are bering-uclibc v2.2.1 boxes w/ipsec.  According to
the bering userguide chapter 15, you don't need certificates if you're using
pre-shared keys.  But, I'm getting the following errors, and I'm wondering if
it's related somehow.

*** auth.log:
Nov 1 13:46:41 r2 ipsec__plutorun: Starting Pluto subsystem...
Nov 1 13:46:41 r2 pluto[21628]: Starting Pluto (Openswan Version 1.0.7)
Nov 1 13:46:41 r2 pluto[21628]: including X.509 patch with traffic selectors
(Version 0.9.42)
Nov 1 13:46:41 r2 pluto[21628]: including NAT-Traversal patch (Version 0.6)
[disabled]
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_enc(): Activating
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_enc(): Activating
OAKLEY_CAST_CBC: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_enc(): Activating
OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 1 13:46:41 r2 pluto[21628]: Warning: empty directory
Nov 1 13:46:41 r2 pluto[21628]: Changing to directory '/etc/ipsec.d/crls'
Nov 1 13:46:41 r2 pluto[21628]: Warning: empty directory
Nov 1 13:46:41 r2 pluto[21628]: FATAL ERROR: unable to malloc 0 bytes for
cert
*** end auth.log

So what's up with the FATAL ERROR?   It would seem without pluto, my ipsec
configuration is unable to start?

I can supply full details if required, but I'm hoping it's something much
simpler than that.

Thanks,
Scott.

---
Scott Young
Network Integration Solutions Inc.
9415 Ottewell Road
Edmonton, Alberta T6B2E1
Canada
Phone: 780-461-3371
Fax: 780-465-7270





[leaf-user] IPSEC subnet routing

2004-11-15 Thread Troy Aden
Hello all, This may seem a silly question but I have not been able to find
any info in any how-to or docs and I am hoping someone here can help me out.


The question is : How do I setup the IPSEC config so that I route only
specific subnets over the IPSEC tunnel. Currently, I have set it up by
simply using a large subnet mask that encompasses all the networks on either
side of the link. (see my example below) The problem is that I need to be
more granular now and only route specific subnets over the link. I have
played with it for a while now and I can't seem to have more than one subnet
declaration in my default conn statement. For example let's say I want only
192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router
A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are
the only subnets I would like to be able to communicate over the IPSEC
link... Is there a clean way to do this? Please have a look at my configs
below and let me know how I should do this.

Thanks in advance!

Troy.

router A (S'toon)
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls:  none for (almost) none, all for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes



# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# RSA authentication with keys from DNS.
authby=secret
right=135.115.157.162
rightsubnet=192.168.0.0/16
rightnexthop=135.115.157.224
pfs=yes

conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore

conn victoria
left=24.35.38.129
leftsubnet=172.0.0.0/8
leftnexthop=24.35.38.1
esp=aes
auto=start


Router B (Victoria)

# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls:  none for (almost) none, all for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes



# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# RSA authentication with keys from DNS.
authby=secret
right=24.35.38.129
rightsubnet=172.0.0.0/8
rightnexthop=24.35.38.1
pfs=yes

conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore


conn stoon
left=135.115.157.162
leftsubnet=192.168.0.0/16
leftnexthop=135.115.157.224
esp=aes
auto=start





Re: [leaf-user] IPSEC subnet routing

2004-11-15 Thread Erich Titl
Troy
Troy Aden wrote:
Hello all, This may seem a silly question but I have not been able to find
any info in any how-to or docs and I am hoping someone here can help me out.
 

http://www.freeswan.org/freeswan_trees/freeswan-1.98b/doc/manpage.d/ipsec.conf.5.html
The question is : How do I setup the IPSEC config so that I route only
specific subnets over the IPSEC tunnel. Currently, I have set it up by
simply using a large subnet mask that encompasses all the networks on either
side of the link. (see my example below) The problem is that I need to be
more granular now and only route specific subnets over the link. I have
played with it for a while now and I can't seem to have more than one subnet
declaration in my default conn statement. For example let's say I want only
192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router
A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are
the only subnets I would like to be able to communicate over the IPSEC
link... Is there a clean way to do this? Please have a look at my configs
below and let me know how I should do this.
 

Define a single connection for each subnet. You can use the also= 
statement to include common parameters.

e.g.
conn xx
   also=common_conn_params
   rightsubnet=10.0.0.32/27
   auto=add  

conn common_conn_params
   left=xx.yy.zz.nn
   leftsubnet=aa.bb.cc.dd/nn
..
cheers
Erich
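As an added example (not code from the thread, from FreeS/WAN or from LEAF), here is a small Python checker for the pattern discussed in this thread: it resolves also= and conn %default inheritance, reports any conn whose negotiated subnet is wider than the networks the tunnel is meant to carry (the 172.0.0.0/8 template, or Fabrice's 192.168.160.0/22 shorthand that also carries 192.168.160.0/24), and lists which end carries auto=start, since only one end should initiate. The two sample configs are constructed from the Router A / Router B snippets posted in the thread, and the list of intended networks is an assumption you supply.

```python
"""Static checker for FreeS/WAN-style ipsec.conf conn sections (added example)."""
import ipaddress

# Constructed from the thread's Router A (S'toon) side: shared conn plus one also= child.
ROUTER_A = """\
conn %default
    keyingtries=0
    authby=secret
conn victoria
    right=%defaultroute
    left=24.35.38.129
    leftsubnet=172.0.0.0/8
    esp=aes
    auto=start
conn victoria_1
    also=victoria
    rightsubnet=192.168.161.0/24
"""

# Constructed from the Router B (Victoria) side: auto=add only, so B never initiates.
ROUTER_B = """\
conn stoon
    right=%defaultroute
    rightsubnet=172.0.0.0/8
    left=135.115.157.162
    esp=aes
    auto=add
conn stoon_1
    also=stoon
    leftsubnet=192.168.161.0/24
"""


def parse_conns(text):
    """{conn_name: {param: value}}; 'config setup' and '#' comments are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line[5:].strip(), {})
        elif line.startswith("config "):
            current = None            # parameters of 'config setup' are not conn params
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), value.strip())
    return conns


def resolve(conns, name, seen=()):
    """Flatten inheritance in FreeS/WAN precedence: own params, then also=, then %default."""
    if name in seen:
        raise ValueError("also= loop at conn %s" % name)
    merged = dict(conns[name])               # KeyError here means a dangling also=
    parent = merged.pop("also", None)
    if parent:
        for key, value in resolve(conns, parent, seen + (name,)).items():
            merged.setdefault(key, value)
    if name != "%default":
        for key, value in conns.get("%default", {}).items():
            merged.setdefault(key, value)
    return merged


def active_conns(text):
    """Resolved parameters of every conn Pluto will load (auto= other than ignore)."""
    conns = parse_conns(text)
    active = {}
    for name in conns:
        if name != "%default":
            merged = resolve(conns, name)
            if merged.get("auto", "ignore") != "ignore":
                active[name] = merged
    return active


def overwide(text, intended):
    """conn -> [(side, subnet)] for negotiated subnets reaching outside `intended` (disjoint nets)."""
    intended = [ipaddress.ip_network(n) for n in intended]
    findings = {}
    for name, conn in active_conns(text).items():
        for side in ("left", "right"):
            value = conn.get(side + "subnet")
            if not value:
                continue                       # no subnet: the gateway address itself
            net = ipaddress.ip_network(value, strict=False)
            if any(net.subnet_of(n) for n in intended):
                continue                       # fully inside an intended network
            inside = sum(n.num_addresses for n in intended if n.subnet_of(net))
            if inside < net.num_addresses:     # e.g. 172.0.0.0/8 for one /12, /22 for three /24s
                findings.setdefault(name, []).append((side, str(net)))
    return findings


def initiators(text):
    """Conns with auto=start; as the thread notes, only one end should have any."""
    return sorted(n for n, c in active_conns(text).items() if c.get("auto") == "start")
```

The checker also reports the shared conn victoria itself, because it carries auto=start and is therefore loaded on its own; Erich's 2004-11-23 example keeps auto= out of the shared section and puts it only in the per-subnet conns.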



RE: [leaf-user] IPSEC subnet routing

2004-11-15 Thread Troy Aden
First of all, thanks so much for the quick reply! I am sorry to bug you a
second time but I need some baby steps here.
Can you please give me an example with the configs I provided. I need to see
the also=common_conn_params in terms of my config.
For example, if I had a 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24,
networks on router A side. And I wanted Router B to connect to ONLY those
subnets. Can you please type in exactly what I would need on both router A
(S'toon) and router B (Victoria). From that, I should be able to figure out
what I need to do to be more precise about the Router B networks within the
172.0.0.0/8 range. 

Again. Thanks in advance!!! Sorry to be a pain.

Troy.


Router A (S'toon)
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls:  none for (almost) none, all for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes



# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# RSA authentication with keys from DNS.
authby=secret
right=135.115.157.162
rightsubnet=192.168.0.0/16
rightnexthop=135.115.157.224
pfs=yes

conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore

conn victoria
left=24.35.38.129
leftsubnet=172.0.0.0/8
leftnexthop=24.35.38.1
esp=aes
auto=start


Router B (Victoria)

# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls:  none for (almost) none, all for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes



# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# RSA authentication with keys from DNS.
authby=secret
right=24.35.38.129
rightsubnet=172.0.0.0/8
rightnexthop=24.35.38.1
pfs=yes

conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore


conn stoon
left=135.115.157.162
leftsubnet=192.168.0.0/16
leftnexthop=135.115.157.224
esp=aes
auto=start

-Original Message-
From: Erich Titl [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 2:33 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: Re: [leaf-user] IPSEC subnet routing


Troy

Troy Aden wrote:

Hello all, This may seem a silly question but I have not been able to find
any info in any how-to or docs and I am hoping someone here can help me out.

http://www.freeswan.org/freeswan_trees/freeswan-1.98b/doc/manpage.d/ipsec.conf.5.html


The question is : How do I setup the IPSEC config so that I route only
specific subnets over the IPSEC tunnel. Currently, I have set it up by
simply using a large subnet mask that encompasses all the networks on either
side of the link. (see my example below) The problem is that I need to be
more granular now and only route specific subnets over the link. I have
played with it for a while now and I can't seem to have more than one subnet
declaration in my default conn statement. For example let's say I want only
192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router
A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are
the only subnets I would like to be able to communicate over the IPSEC
link... Is there a clean way to do this? Please have a look at my configs
below and let me know how I should do this.
  

Define a single connection for each subnet. You can use the also= 
statement to include common parameters.

e.g.

conn xx
also=common_conn_params
rightsubnet=10.0.0.32/27
auto=add  

conn common_conn_params
left=xx.yy.zz.nn
leftsubnet=aa.bb.cc.dd/nn
..

cheers
Erich



[leaf-user] ipsec subnet-to-subnet vpn

2004-10-31 Thread Scott A. Young
Hi All,

First of all, thanks to everyone involved with this project.  The support
from the mailing list archives is great!  

I've been trying to get an ipsec vpn between two bering-uclibc v2.2.1 routers
going.  

Before boring everyone with the details, I'm wondering if there is a
definitive example of subnet-to-subnet ipsec setup with shorewall.   I will
post full details, as per instructions, but at this point, I think I just
need a good example to work from.  

Both routers are the same, with the following .lrp's loaded:
Name      Version         Description
========  ==============  ==============================================
initrd    V2.2.1 uClibc-  LEAF Bering-uClibc initial filesystem
root      V2.2.1 uClibc-  Core LEAF Bering-uClibc package
config    0.4             Core config and backup system package
etc       V2.2.1 uClibc-
local     V2.2.1 uClibc-  LEAF Bering local package
iptables  1.2.11          IP packet filter administration tools for 2.4.
shorwall
ulogd     1.02            The Netfilter Userspace Logging Daemon
dropbear  0.43 Rev 2      Dropbear SSH 2 server and scp client
ntpdate   4.1.0-8         client for setting system time from NTP server
ntpsimpl  4.1.0-8         NTP v4 daemon for simple systems from Debian
sh-httpd  1.2.5 Rev 3     Small shell-based web server
weblet    1.0.0 Rev 4     http-server content
lpthread  0.9.20          The libpthread library
mawk      1.3.3-9         Mawk is an interpreter for the AWK Programming
libm      0.9.20          The libm library
modules   V2.2.1 uClibc-  Define & contain your LEAF Bering modules
ipsec     1.0.7           Openswan IPSEC
dnsmasq   2.15 Rev 1      Dnsmasq is lightweight, easy to configure DNS


TIA,
Scott.

---
Scott Young
Network Integration Solutions Inc.
Phone: 780-461-3371
Fax: 780-465-7270



---
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_idU88alloc_id065op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


RE: [leaf-user] ipsec subnet-to-subnet vpn

2004-10-31 Thread Troy Aden
 shared secrets file}

Now type: 'shorewall restart'

Ok, I like to do a terminate statement first: 'ipsec whack --terminate --name
example' {I always do this first just in case there is an existing tunnel}.
Then try to bring up the tunnel: 'ipsec whack --initiate --name example' {Those
are double dashes in case they come out garbled on your end}.
If it worked you should see an output something like this:

002  example #32: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
122  example #32: STATE_QUICK_I1: initiate
002  example #32: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2
002  example #32: sent QI2, IPsec SA established
004  example #32: STATE_QUICK_I2: sent QI2, IPsec SA established

Troy
-Original Message-
From: Scott A. Young [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 31, 2004 7:14 PM
To: Troy Aden
Subject: RE: [leaf-user] ipsec subnet-to-subnet vpn

That would be perfect... Pre-shared-keys is where I'm starting as well.

Thanks,
Scott.


-
Scott Young
Network Integration Solutions Inc.
Phone: 780-461-3371
Fax: 780-465-7270
email: [EMAIL PROTECTED]
 

 -Original Message-
 From: Troy Aden [mailto:[EMAIL PROTECTED]
 Sent: Sunday, October 31, 2004 5:21 PM
 To: Scott A. Young
 Subject: RE: [leaf-user] ipsec subnet-to-subnet vpn

 I think I can help you out. I have a working config using
 pre-shared keys..
 Are you interested in this? If so, I will send it on.

 Troy


[leaf-user] IPsec and NAT traversal: Bering 1.2 and Linksys BEFSR41

2004-10-21 Thread Timothy J. Massey
Hello!
I'm trying to set up a VPN between a Windows 2000 notebook and a Bering 
1.2 LEAF firewall, running SuperFreeS/WAN 1.99.6.2.

On this firewall, I have two tunnels set up.  One is a tunnel between 
two LEAF firewalls bridging two subnets, and works great.  The other is 
a tunnel designed for road warrior usage.  I'm using the Windows 2000 
VPN tool (http://vpn.ebootis.de/) on the 2000 notebook to try to connect 
to my LEAF firewall.

If I connect the notebook directly to the Internet with a real-world IP, 
it works great.  If, however, I put it behind a router (in this case, a 
Linksys BEFSR41) it does not work.  I've made sure that IPsec passthru 
is turned on in the Linksys, and it is.  I can browse the Internet from 
behind the router, but not connect to the VPN.

Here is the relevant parts of my firewall's ipsec.conf:
config setup
   interfaces=%defaultroute
   klipsdebug=none
   plutodebug=none
   plutoload=%search
   plutostart=%search
   uniqueids=yes
conn %default
   keyingtries=3
conn RoadWarrior
   authby=secret
   left=FirewallExternalIP
   leftsubnet=InternalNetwork/22
   leftnexthop=FirewallExternalGateway
   leftfirewall=yes
   right=%any
   keylife=30m
   auto=add
Also, here is the Windows computer's ipsec.conf:
conn AmherstOfficeToRoadWarrior
   left=FirewallExternalIP
   leftsubnet=InternalNetwork/255.255.252.0
   right=%any
   presharedkey=SharedKey
   network=lan
   rekey=1800S/3K
   auto=start
   pfs=yes
Like I said, the VPN works when not behind the router, so I know that 
the IP's and shared secret are correct.

Here are the errors I get on the LEAF firewall.  I'm typing these by 
hand, so I'm only including what look to be the interesting parts.  If 
you need more, let me know.

RoadWarrior[1] Linksys IP #3 responding to Main Mode from unknown 
peer Linksys External IP
RoadWarrior[1] Linksys IP #3 Main mode peer ID is ID_IPV4_ADDR: 
Internal IP of notebook behind Linksys
RoadWarrior[1] Linksys IP #3 No suitable connection for peer 
'Internal IP of notebook behind Linksys'
RoadWarrior[1] Linksys IP #3 sending notification 
INVALID_ID_INFORMATION to Linksys External IP:500

These lines repeat several times.
As you can see, the LEAF firewall sees the packets as coming from the 
Linksys IP address (because of NAT), but the packets themselves say that 
the endpoint has the IP address of an internal-to-the-Linksys IP.  
Obviously, this is not correct.

What do I need to do to make this work?  I was told that the IP passthru 
was supposed to be transparent and just plug-in-and-go.  I've *never* 
found anything related to IPsec plug-in-and-go: why should this be any 
different?  :)

Any suggestions would be *greatly* appreciated!  Thank you!
Tim Massey



Re: [leaf-user] IPsec and NAT traversal: Bering 1.2 and Linksys BEFSR41

2004-10-21 Thread Charles Steinkuehler
Your problem may have nothing to do with IP addresses.  Based on the limited 
information above, I'd start checking your configuration files on both ends, 
looking to make sure the peer names match.  The linux IPSec implementation 
is *VERY* picky about how connection names are matched.

The "No suitable connection for peer <whatever>" error typically means IPSec 
can't find a valid tunnel description in your configuration file that 
matches what the client's trying to set up, ie: your connection descriptions 
on each end don't match.  Note that the peer ID defaults to the IP address, 
which can be a bad thing (especially for road-warrior clients), so I usually 
assign actual names to the machines in question.  Depending on how you're 
authenticating, this can also allow you to specify unique connection 
descriptions for different road-warrior clients, despite the fact that you 
don't know their IP in advance (if you use certs or rsa keys, but not 
pre-shared-secrets).

An example of setting the peer name on the linux side:
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Note the @ symbol, which prevents ipsec from trying to resolve the domain 
name and use the IP address as the peer name instead.  For details, see the 
IPSec man pages:

    leftid
        how the left participant should be identified for authentication;
        defaults to left. Can be an IP address (in any ipsec_ttoaddr(3)
        syntax) or a fully-qualified domain name preceded by @ (which is
        used as a literal string and not resolved).

You have to have a connection description with matching [left|right]id's, 
and matching tunnel specifications (ie: subnet-host, host-host, or 
subnet-subnet, with identical IPs) to avoid the No suitable connection error.

--
Charles Steinkuehler
[EMAIL PROTECTED]

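The matching rule Charles describes, reduced to a small model so the failure in the log above can be reproduced offline. This is an added example, not pluto's code and not part of the thread: it models only the Main Mode step in which the responder looks for a conn whose peer address and peer ID fit what arrived, and it leaves out the Quick Mode selector check and NAT traversal. The addresses (203.0.113.1, 198.51.100.7, 192.168.1.3) and the @office/@laptop names are placeholders for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Placeholder addresses for the example (assumption; not the thread's real ones).
GATEWAY = "203.0.113.1"       # LEAF firewall external address
NAT_PUBLIC = "198.51.100.7"   # Linksys external address
NAT_PRIVATE = "192.168.1.3"   # notebook's address behind the Linksys


@dataclass(frozen=True)
class Conn:
    name: str
    left: str
    right: str                      # an address, or "%any" for road warriors
    leftid: Optional[str] = None    # None: defaults to left
    rightid: Optional[str] = None   # None: defaults to right


@dataclass(frozen=True)
class MainModeExchange:
    """What the responder can see in Main Mode."""
    src_ip: str    # outer source address of the IKE packet (after any NAT)
    peer_id: str   # ID payload the peer sent: an IP address or an '@name'


def expected_peer_id(conn: Conn, src_ip: str) -> str:
    """rightid defaults to right; for right=%any the conn is instantiated
    with the address the packet came from, so that address becomes the
    expected ID.  A literal @name makes the expectation independent of
    where the packet came from."""
    if conn.rightid is not None:
        return conn.rightid
    return src_ip if conn.right == "%any" else conn.right


def find_conn(conns, xchg: MainModeExchange):
    """Return the first conn whose peer address and ID both fit, or None
    plus a pluto-style reason."""
    for c in conns:
        if c.right not in ("%any", xchg.src_ip):
            continue
        if expected_peer_id(c, xchg.src_ip) != xchg.peer_id:
            continue
        return c, "ok"
    return None, f"No suitable connection for peer '{xchg.peer_id}'"


def scenario(conns, src_ip, peer_id):
    c, reason = find_conn(conns, MainModeExchange(src_ip, peer_id))
    return (c.name if c else None), reason


# Conn as posted: IDs left at their defaults, i.e. IP addresses.
IP_ID_CONN = [Conn("RoadWarrior", left=GATEWAY, right="%any")]
# The same conn with literal @names on both sides, as Charles recommends.
NAME_ID_CONN = [Conn("RoadWarrior", left=GATEWAY, right="%any",
                     leftid="@office", rightid="@laptop")]


def direct_ip_ids():
    # Notebook on a public address: its ID equals the packet source, so it matches.
    return scenario(IP_ID_CONN, src_ip="192.0.2.50", peer_id="192.0.2.50")


def nat_ip_ids():
    # Behind NAT: the ID carries the private address while the packet
    # arrives from the Linksys address; this is the error in the log above.
    return scenario(IP_ID_CONN, src_ip=NAT_PUBLIC, peer_id=NAT_PRIVATE)


def nat_name_ids():
    # @names are compared as strings, so the NAT no longer matters here.
    return scenario(NAME_ID_CONN, src_ip=NAT_PUBLIC, peer_id="@laptop")


def nat_mismatched_ids():
    # Gateway expects @laptop but the client still sends its IP: ids must
    # be set on both ends.
    return scenario(NAME_ID_CONN, src_ip=NAT_PUBLIC, peer_id=NAT_PRIVATE)


if __name__ == "__main__":
    for f in (direct_ip_ids, nat_ip_ids, nat_name_ids, nat_mismatched_ids):
        print(f"{f.__name__:20s} -> {f()}")
```

Run it to see the four outcomes side by side; only the Main Mode part is modelled, so a match here says the IDs agree, not that the tunnel will come up (the Quick Mode selectors still have to agree, and ESP still has to get through the NAT).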
[leaf-user] Ipsec roadwarrior won't pass through a Bering Firewall

2004-07-30 Thread Tibbs, Richard
Dear list:
Erich Titl has already given me great help (off-list -- much thanks to
him) on this, but I thought I would post to the leaf list and verify
some conclusions. 
They are:
1) The Nat-traversal patch available in Bering ipsec does UDP
encapsulation after any masquerading. The particular situation is a
win2k machine with a roadwarrior IP security policy as described in the
Bering users guide, as well as the Freeswan site.
2) It will be necessary to perform nat-traversal on the win2k box
itself.

If anyone can verify the above two points are true, I would be grateful.
Each fw masquerades outbound.
See log file records from office fw at the end.

I have the following configuration:

  Office win2k 137.45.192.86 --- eth sw --- 137.45.192.69 (office FW) --- 192.168.10.0/24
    ping works fine                                |
                                              (Campus Net)
                                                   |
                                               (Internet)
                                                   |
                                                HomeFW --- 192.168.1.0/24
                                                   |
                                       win2k box (192.168.1.3), IP security
                                       policy as described in the Bering
                                       users guide

Can't ping from (192.168.1.3) to 192.168.10.x behind office fw.

I am using two Bering 1.2 firewalls with SuperFreeSwan and the
nat-traversal patch is enabled (on both -- most importantly the home
FW). 
Each Win2k box is set up quite identically, following some road-warrior
configs from the freeswan examples. 
The differences are:
1)The home win2k box goes the HomeFW. 
2)The outbound/inbound IP security filters of course name a different
src/dest endpoint.

The symptoms are as follows: I can ping, telnet etc. from a machine just
outside the office firewall, but not from a virtually identical setup
behind the home FW. The auth.log on the office firewall gives a few
interesting records. From the home fw (216.12.22.89) we see in the
office FW auth.log a record:

Jul 28 18:45:25 firewall pluto[21755]: road-warrior[2] 216.12.22.89#1: sent MR3, ISAKMP SA established

So the Key mgmt SA is accepted.

But from there things go downhill. Why would this log message be issued
on the office FW one second later?

Jul 28 18:45:26 firewall pluto[21755]: road-warrior[2] 216.12.22.89 #1: cannot respond to IPsec SA request because no connection is known for 192.168.10.0/24===137.45.192.69...216.12.22.89[192.168.1.3]===192.168.1.3/32

I think the above record from auth.log is where things go wrong, but
why?
Is it the apparently strange IP addresses, as the tail of auth.log
complains:

firewall pluto[21755]: road-warrior[2] 216.12.22.89 #721: Main mode peer ID is ID_IPV4_ADDR: '216.12.22.89'
Jul 29 09:46:59 firewall pluto[21755]: road-warrior[2] 216.12.22.89 #721: we require peer to have ID '192.168.1.3', but peer declares '216.12.22.89'

Why doesn't nat traversal on Bering take care of this? Is there
something wrong with my config?
TIA for any help. Rick.

My Office IPSec.conf is:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.


# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        #interfaces="ipsec0=eth0"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        nat_traversal=yes


# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        #authby=rsasig
        # Authentication by pre-shared secret key
        authby=secret
        #left=137.45.192.69
        left=%defaultroute
        leftsubnet=192.168.10.0/24
        #leftnexthop=%direct
        leftfirewall=yes
        pfs=yes
        auto=add
        #leftrsasigkey=%dns
        #rightrsasigkey=%dns

conn road-warrior
        right=%any

# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
#conn me-to-anyone
#       left=%defaultroute
#       right=%opportunistic
#       # uncomment to enable incoming; change to auto=route for outgoing
#       #auto=add


# sample VPN connection
conn sample
        # Left security gateway, subnet behind it, next hop toward right.
        left=10.0.0.1
        leftsubnet=172.16.0.0/24
        leftnexthop=10.22.33.44
        # Right security gateway, subnet behind it, next hop toward left.
        right=10.12.12.1
        rightsubnet=192.168.0.0/24
        rightnexthop=10.101.102.103
        # To authorize this connection, but not 

Re: [leaf-user] Ipsec roadwarrior won't pass through a Bering Firewall

2004-07-30 Thread Lynn Avants
On Friday 30 July 2004 09:51 am, Tibbs, Richard wrote:
snipped completely
 Why doesn't nat traversal on Bering take care of this? Is there
 something wrong with my config?

Is your right side running a firewall (yes)?
Does your right side have a subnet (yes)?

%any doesn't cover everything except for a host-to-host or host-to-subnet
connection. Your key also needs to be identified by the connection name.

Your config is incomplete for a subnet-to-subnet tunnel.
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81




Re: [leaf-user] IPsec between FreeS/WAN 1.91 (Dachstein) and Linksys router/Windows 2000 computer

2004-05-04 Thread Timothy J. Massey
[EMAIL PROTECTED] wrote on 04/23/2004 05:52:30 PM:

Sorry for the delay, but I wanted to write and let others (and future 
searchers) know what the resolution to this problem was:

 Timothy J. Massey wrote:
  Hello!
 
  I'm using a Dachstein firewall with FreeS/WAN 1.91.  I would like to set
  up an IPsec VPN with either a Linksys BEFVP41 router, or a Windows 2000
  computer behind it.
 
 To be clear, the problem is entirely on the Linksys end (ie: the windows
 box that works when not behind the router is behind the linksys router,
 not the Dachstein box)?

Correct.

 Assuming an affirmative answer to the above, you'll need to setup the
 Linksys box in a VPN pass-through mode (I'm not sure if it supports
 this), or provide some details about how you're trying to get it to
 connect to the Dachstein box.
I was not able to make this work, though I did not try *really* hard.  
It certainly did not work out of the box as I might have expected it 
to.  I could make a Windows 2000 computer connect to Dachstein if the 
Windows box were directly connected to the Internet.  However, if I 
moved it behind the Linksys, with IPsec pass-through enabled, it would 
not work.  From my research, it seems that you need 
nat_traversal=yes in your IPsec configuration, but 1.92 does not 
support this.  1.91 is the newest version for Dachstein, AFAIK.

 After a quick review of the Linksys manual for your box, it looks like
 it should work fine as an IPSec gateway with Dachstein's IPSec, as long
 as you get the configuration correct.  Make sure you're selecting 3DES,
 SHA, IKE (with perfect-forward-security), and have a properly setup
 pre-shared key.
This was the largest source of problems.  The Bering instructions say to 
use MD5, unless I'm reading them wrong.  I assumed that the default 
would be the same for Dachstein's IPsec.  This is not the case.

Specifically, you need 1024-bit SHA.  The Linksys supports 768 and 
1024.  Dachstein supports 1024 and 1536.  Obviously, only 1024 is in common.

  Also, is there a newer version of FreeS/WAN for Dachstein?  I have 
some
  routing issues that is making the migration to Bering difficult at the
  moment...

 Not That I'm aware of...

Nor am I.  I would upgrade to Bering here, but there are some routing 
issues more easily solved with Dachstein.

Thank you very much for your help.  The pointer to SHA was invaluable.  
I would have probably only tried that if I got to the, well, let's see 
what else I can change stage.  It saved me much frustration.

Tim Massey





Re: [leaf-user] IPsec between FreeS/WAN 1.91 (Dachstein) and Linksys router/Windows 2000 computer

2004-04-26 Thread Ramiro Morales
Hi

On 23 Apr 2004 at 16:52, Charles Steinkuehler wrote about Re: [leaf-user] IPsec 
between FreeS/WAN 1.91 (Dac:

 Timothy J. Massey wrote:
  Hello!
  
  I'm using a Dachstein firewall with FreeS/WAN 1.91.  I would like to set up an
  IPsec VPN with either a Linksys BEFVP41 router, or a Windows 2000 computer
  behind it.
  
  I have been unable to do either.  The router won't negotiate a tunnel 
  with the LEAF firewall, and I can't seem to make the IPsec passthrough 
  work, either.  The Windows 2000 computer does work if plug it into the 
  Internet directly, but not from behind the router.
  
  Any ideas on what I could try?  Even a success story would be enough:  
  it would be nice to know that it's possible.
 
 [...]
 
 After a quick review of the Linksys manual for your box, it looks like 
 it should work fine as an IPSec gateway with Dachstein's IPSec, as long 
 as you get the configuration correct.  Make sure you're selecting 3DES, 
 SHA, IKE (with perfect-forward-security), and have a properly setup 
 pre-shared key.
 
 You also need to verify the basic tunnel configuration is correct (ie: 
 subnet-subnet, host-host, or subnet-host) and the IP's/networks match on 
 both ends.
 
 There's probably useful information in the logs on both ends 
 (web-accessible on the Linksys, and in /var/log/auth.log on the 
 Dachstein box...also accessible via the web if you're running weblet).
 
 We could probably help a lot more with some additional debugging info 
 from the logs and details of your ipsec.conf from Dachstein and the 
 configuration settings on the Linksys.

You could also try an update to Windows 2000 with NAT-T enhancements
published by M$ a year ago:

http://support.microsoft.com/default.aspx?scid=kb;en-us;818043#6

Note that the article states you need Windows 2000 Service Pack 3 or 
greater, but it doesn't say if the update got bundled with Service
Pack 4.

Regards,

-
Ramiro





[leaf-user] IPsec between FreeS/WAN 1.91 (Dachstein) and Linksys router/Windows 2000 computer

2004-04-23 Thread Timothy J. Massey
Hello!

I'm using a Dachstein firewall with FreeS/WAN 1.91.  I would like to set 
up an IPsec VPN with either a Linksys BEFVP41 router, or a Windows 2000 
computer behind it.

I have been unable to do either.  The router won't negotiate a tunnel 
with the LEAF firewall, and I can't seem to make the IPsec passthrough 
work, either.  The Windows 2000 computer does work if plug it into the 
Internet directly, but not from behind the router.

Any ideas on what I could try?  Even a success story would be enough:  
it would be nice to know that it's possible.

Also, is there a newer version of FreeS/WAN for Dachstein?  I have some 
routing issues that is making the migration to Bering difficult at the 
moment...

Thank you very much for any help you might be able to give me.

Tim Massey







Re: [leaf-user] IPsec between FreeS/WAN 1.91 (Dachstein) and Linksys router/Windows 2000 computer

2004-04-23 Thread Charles Steinkuehler
Timothy J. Massey wrote:
Hello!

I'm using a Dachstein firewall with FreeS/WAN 1.91.  I would like to set 
up an IPsec VPN with either a Linksys BEFVP41 router, or a Windows 2000 
computer behind it.

I have been unable to do either.  The router won't negotiate a tunnel 
with the LEAF firewall, and I can't seem to make the IPsec passthrough 
work, either.  The Windows 2000 computer does work if plug it into the 
Internet directly, but not from behind the router.

Any ideas on what I could try?  Even a success story would be enough:  
it would be nice to know that it's possible.
To be clear, the problem is entirely on the Linksys end (ie: the windows 
box that works when not behind the router is behind the linksys router, 
not the Dachstein box)?

Assuming an affirmative answer to the above, you'll need to setup the 
Linksys box in a VPN pass-through mode (I'm not sure if it supports 
this), or provide some details about how you're trying to get it to 
connect to the Dachstein box.

After a quick review of the Linksys manual for your box, it looks like 
it should work fine as an IPSec gateway with Dachstein's IPSec, as long 
as you get the configuration correct.  Make sure you're selecting 3DES, 
SHA, IKE (with perfect-forward-security), and have a properly setup 
pre-shared key.

You also need to verify the basic tunnel configuration is correct (ie: 
subnet-subnet, host-host, or subnet-host) and the IP's/networks match on 
both ends.

There's probably useful information in the logs on both ends 
(web-accessible on the Linksys, and in /var/log/auth.log on the 
Dachstein box...also accessible via the web if you're running weblet).

We could probably help a lot more with some additional debugging info 
from the logs and details of your ipsec.conf from Dachstein and the 
configuration settings on the Linksys.

Also, is there a newer version of FreeS/WAN for Dachstein?  I have some 
routing issues that is making the migration to Bering difficult at the 
moment...
Not That I'm aware of...

--
Charles Steinkuehler
[EMAIL PROTECTED]


RE: [leaf-user] IPSEC help needed....

2004-04-21 Thread Kevin
 I checked and after loading the module, and making the changes to the
/etc/network.conf file, saved to disk and the work VPN works!!!

Thanks for the help, now I can work from home :)

-Original Message-
From: Kevin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 20, 2004 9:07 PM
To: 'Charles Steinkuehler'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [leaf-user] IPSEC help needed

Thanks Charles - yes I just need to allow the passthrough of the IPSEC
protocol for everything to work. I will update the firewall like below and
bring the laptop home tomorrow to try it out. The IT guys do not understand
my router and all they have troubleshooting guides for are the commercial
routers for consumers 

I will try the rules first, then the kernel and module.

SNIP





RE: [leaf-user] IPSEC help needed....

2004-04-20 Thread Matthew Pozzi
There is no ipsec.o module in Dachstein for IPSEC. I have a pair of boxes
with an IPSEC VPN between them on static ip's and its all in the
configuration of IPSEC, that is the secret.

Read the howto's and look at the freeswan site if its still around. We need
a bit more than just to get the work VPN software to work correctly. Are
you setting up a subnet to subnet or single client to subnet? The howto's
are out there, just look.

Email the list again if you need more help. 

Matt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Tuesday, April 20, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] IPSEC help needed

I am using Dachstein 1.02 and need IPSEC enabled to get the work VPN
software to work correctly. I do not see a module IPSEC that is loaded,
should I have one to make this work correctly?
 
Here are the modules loaded:
 
Linux version 2.2.19-3-LEAF ([EMAIL PROTECTED]) (gcc version 2.7.2.3) #1 Sat Dec 1 12:15:05 CST 2001

Installed Modules:
ip_masq_vdolive   1180   0 (unused)
ip_masq_user      3708   0 (unused)
ip_masq_raudio    2980   0 (unused)
ip_masq_quake     1220   0 (unused)
ip_masq_portfw    2416   0 (unused)
ip_masq_mfw       3196   0 (unused)
ip_masq_irc       1924   0
ip_masq_ftp       3576   0
ip_masq_cuseeme    964   0 (unused)
ip_masq_autofw    2476   0 (unused)
ne                6292   2
8390              6236   0 [ne]
bsd_comp          3708   0 (unused)
ppp_deflate      40672   0 (unused)
ppp              20828   2 [bsd_comp ppp_deflate]
slhc              4436   0 [ppp]


Here are the packages:
 
Name      Version  Description
========  =======  ==============================================
root      4.0.6    Linux Router Project
etc       4.0.1    /etc/ of the main root, minus any other packag
ramlog    1.1      Creates additinal ramdisks on boot
local     4.0.6    Local package. This package does not contain a
modules   4.0.6    Modules package. Contains kernel modules and u
ppp       2.3.11   PPPd Deamon for Dial-Up
dhcpd     2.0pl5   dhcpd - Autoconfigure client machines
dnscache  1.05a    dnscache from djbdns (V1.05a) package creates
ifconfig  1.45     ifconfig and route commnads
pppoe     2.6      Roaring Penguin PPPoE Client LRP Package
weblet    1.2.0    weblet - LRP status via a small web server
sshd      3.0p1    OpenSSH sshd daemon.
oidentd   1.6.0    There shouldn't be any configuration needed un
libzso.1           used for SSHD only
psentry   1.0      If this package failed to load, please create

This is the block that needs to pass through:

Apr 19 07:10:48 amberton kernel: Packet log: input DENY ppp0 PROTO=50 207.11.4.7:65535 68.19.16.103:65535 L=168 S=0x00 I=8699 F=0x T=243 (#70)

I am not sure if I need a rule set or a package loaded, any help would be
beneficial.









Re: [leaf-user] IPSEC help needed....

2004-04-20 Thread Charles Steinkuehler
Kevin wrote:
I am using Dachstein 1.02 and need IPSEC enabled to get the work VPN
software to work correctly. I do not see a module IPSEC that is loaded;
should I have one to make this work correctly?
 
Here are the modules loaded:
 
Linux version 2.2.19-3-LEAF ([EMAIL PROTECTED]) (gcc version 2.7.2.3) #1 Sat Dec 1 12:15:05 CST 2001

Installed Modules:
ip_masq_vdolive    1180   0 (unused)
ip_masq_user       3708   0 (unused)
ip_masq_raudio     2980   0 (unused)
ip_masq_quake      1220   0 (unused)
ip_masq_portfw     2416   0 (unused)
ip_masq_mfw        3196   0 (unused)
ip_masq_irc        1924   0
ip_masq_ftp        3576   0
ip_masq_cuseeme     964   0 (unused)
ip_masq_autofw     2476   0 (unused)
ne                 6292   2
8390               6236   0 [ne]
bsd_comp           3708   0 (unused)
ppp_deflate       40672   0 (unused)
ppp               20828   2 [bsd_comp ppp_deflate]
slhc               4436   0 [ppp]

Here are the packages:
snip
This is the block that needs to pass through:

Apr 19 07:10:48 amberton kernel: Packet log: input DENY ppp0 PROTO=50 207.11.4.7:65535 68.19.16.103:65535 L=168 S=0x00 I=8699 F=0x T=243 (#70)
I am not sure if I need a rule set or a package loaded, any help would be
beneficial.
Actually, I think you need a rule set and a module loaded.

I'm going to work under the assumption that you need to masquerade an 
IPSec connection (i.e. you're running an ipsec client on an internal 
system, rather than trying to run ipsec on the firewall itself).

To do this, you first need to make sure you're using the proper kernel. 
Masquerading ipsec and running ipsec on the firewall are mutually 
exclusive, and require different kernels.  The 'plain' kernels available 
from my site support ipsec masquerading, while kernels with -IPSec in 
the name support running ipsec directly on the firewall.  Which kernel 
flavor you want depends on your system, but you probably want either the 
'small' or 'normal' kernel:

http://lrp2.steinkuehler.net/files/kernels/Dachstein-small/
http://lrp2.steinkuehler.net/files/kernels/Dachstein-normal/

The floppy version ships with the small kernel w/o ipsec by default.

Once you have an appropriate kernel (or have verified you're running the 
linux-2.2.19-3-LEAF-small.zImage.upx kernel by filesize), you need to 
copy the ip_masq_ipsec.o masquerading 'helper' module to your modules 
directory and add it to /etc/modules.

The last thing you need to do is allow the actual IPSec traffic through 
your firewall.  This typically involves UDP port 500, and *PROTOCOL* 50 
or 51, depending on whether you're running ESP or AH.  To do this, add 
the following in /etc/network.conf:

EXTERN_UDP_PORTS=0/0_500
EXTERN_PORTS=50_0/0 51_0/0
--
Charles Steinkuehler
[EMAIL PROTECTED]
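Worked example, added to this archive and not part of Charles's reply or of the Dachstein/LEAF code itself: a Python script that reads ipchains "Packet log:" lines of the kind Kevin posted, picks out the DENY entries that belong to an IPsec session (ESP, AH, or UDP 500 for IKE), and emits the /etc/network.conf values from the reply for what was actually seen, together with the caveats a practitioner would want beside them. The sample log is constructed: the first line is Kevin's DENY re-joined onto one line, the other two (an IKE packet and an unrelated SSH probe) are made up. The EXTERN_* syntax is taken from the reply as written; nothing beyond that is assumed about how network.conf interprets it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: line 1 is the DENY from the original post (re-joined onto one
# line); lines 2 and 3 are made up for this example (an IKE packet and an SSH probe).
SAMPLE_LOG = """\
Apr 19 07:10:48 amberton kernel: Packet log: input DENY ppp0 PROTO=50 207.11.4.7:65535 68.19.16.103:65535 L=168 S=0x00 I=8699 F=0x T=243 (#70)
Apr 19 07:10:49 amberton kernel: Packet log: input DENY ppp0 PROTO=17 207.11.4.7:500 68.19.16.103:500 L=120 S=0x00 I=8700 F=0x T=243 (#70)
Apr 19 07:11:02 amberton kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.9:4444 68.19.16.103:22 L=60 S=0x00 I=8701 F=0x T=51 (#70)
"""

# 2.2 ipchains log format: "Packet log: <chain> <verdict> <iface> PROTO=<n> src:sport dst:dport ..."
# For protocols that have no ports (ESP, AH) ipchains prints 65535 in both port fields.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

IPSEC_PROTOS = {50: "ESP", 51: "AH"}
IKE_PORT = 500        # ISAKMP/IKE runs over UDP 500
PROTO_UDP = 17


@dataclass(frozen=True)
class Denied:
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


def parse_packet_log(text: str) -> List[Denied]:
    """Return the DENY entries found in ipchains 'Packet log:' lines."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m["verdict"] == "DENY":
            out.append(Denied(m["iface"], int(m["proto"]), m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"])))
    return out


def classify(entry: Denied) -> Optional[str]:
    """'ESP', 'AH' or 'IKE' for IPsec-related traffic, None for anything else."""
    if entry.proto in IPSEC_PROTOS:
        return IPSEC_PROTOS[entry.proto]
    if entry.proto == PROTO_UDP and IKE_PORT in (entry.sport, entry.dport):
        return "IKE"
    return None


def suggest_network_conf(entries: List[Denied]) -> Tuple[List[str], List[str]]:
    """Build the /etc/network.conf lines from the reply for the IPsec traffic actually
    seen in the log, plus the caveats that belong next to them."""
    kinds = {classify(e) for e in entries} - {None}
    lines: List[str] = []
    warnings: List[str] = []
    if not kinds:
        return lines, warnings
    # IKE (UDP 500) is needed for any IPsec session, whether or not a denied
    # IKE packet happened to be logged.
    lines.append("EXTERN_UDP_PORTS=0/0_500")
    protos = sorted(p for p, name in IPSEC_PROTOS.items() if name in kinds)
    if protos:
        lines.append("EXTERN_PORTS=" + " ".join("%d_0/0" % p for p in protos))
        warnings.append("load ip_masq_ipsec.o (add it to /etc/modules): ESP/AH carry no "
                        "port numbers, so plain masquerading cannot track them")
    if "AH" in kinds:
        warnings.append("AH (protocol 51) authenticates the outer IP header; rewriting "
                        "the source address by masquerading breaks its ICV, so AH will "
                        "not pass through a NAT even with the rule in place")
    return lines, warnings


if __name__ == "__main__":
    conf, notes = suggest_network_conf(parse_packet_log(SAMPLE_LOG))
    print("\n".join(conf))
    for n in notes:
        print("# note:", n)
```

Run on the sample, it produces only the ESP rule plus the IKE port, since no AH was seen. The 0/0 in those values admits the traffic from any source; if the work gateway's address is fixed, narrowing it is worth doing (check the comments in network.conf for the exact address/mask syntax before changing the form used in the reply).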


RE: [leaf-user] IPSEC help needed....

2004-04-20 Thread Kevin
Thanks Charles - yes I just need to allow the passthrough of the IPSEC
protocol for everything to work. I will update the firewall like below and
bring the laptop home tomorrow to try it out. The IT guys do not understand
my router and all they have troubleshooting guides for are the commercial
routers for consumers 

I will try the rules first, then the kernel and module.

As Matt stated, I will also search the HOWTO's and ask the IT guys what type
of connection this is if I need more help.

-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 20, 2004 7:41 AM
To: Kevin
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] IPSEC help needed

Kevin wrote:
SNIP


Actually, I think you need a rule set and a module loaded.

I'm going to work under the assumption that you need to masquerade an 
IPSec connection (i.e. you're running an ipsec client on an internal 
system, rather than trying to run ipsec on the firewall itself).

To do this, you first need to make sure you're using the proper kernel. 
Masquerading ipsec and running ipsec on the firewall are mutually 
exclusive, and require different kernels.  The 'plain' kernels available 
from my site support ipsec masquerading, while kernels with -IPSec in 
the name support running ipsec directly on the firewall.  Which kernel 
flavor you want depends on your system, but you probably want either the 
'small' or 'normal' kernel:

http://lrp2.steinkuehler.net/files/kernels/Dachstein-small/
http://lrp2.steinkuehler.net/files/kernels/Dachstein-normal/

The floppy version ships with the small kernel w/o ipsec by default.

Once you have an appropriate kernel (or have verified you're running the 
linux-2.2.19-3-LEAF-small.zImage.upx kernel by filesize), you need to 
copy the ip_masq_ipsec.o masquerading 'helper' module to your modules 
directory and add it to /etc/modules.

The last thing you need to do is allow the actual IPSec traffic through 
your firewall.  This typically involves UDP port 500, and *PROTOCOL* 50 
or 51, depending on whether you're running ESP or AH.  To do this, add 
the following in /etc/network.conf:

EXTERN_UDP_PORTS=0/0_500
EXTERN_PORTS=50_0/0 51_0/0

-- 
Charles Steinkuehler
[EMAIL PROTECTED]





Re: [leaf-user] IPSEC help needed....

2004-04-20 Thread Charles Steinkuehler
Kevin wrote:

Thanks Charles - yes I just need to allow the passthrough of the IPSEC
protocol for everything to work. I will update the firewall like below and
bring the laptop home tomorrow to try it out. The IT guys do not understand
my router and all they have troubleshooting guides for are the commercial
routers for consumers 

I will try the rules first, then the kernel and module.

As Matt stated, I will also search the HOWTO's and ask the IT guys what type
of connection this is if I need more help.
You'll need the rules and the module.  You won't need to mess with the 
kernel if you're running Dachstein from floppy.  If you're running off 
of CD, the default kernel is configured to run IPSec on the firewall so 
it won't work w/o changing the kernel (kind of hard on the CD-ROM, but 
you could install to a HDD or similar).

Post to the list if you need further help.

--
Charles Steinkuehler
[EMAIL PROTECTED]


[leaf-user] IPSEC help needed....

2004-04-19 Thread Kevin
I am using Dachstein 1.02 and need IPSEC enabled to get the work VPN
software to work correctly. I do not see a module IPSEC that is loaded;
should I have one to make this work correctly?
 
Here are the modules loaded:
 
Linux version 2.2.19-3-LEAF ([EMAIL PROTECTED]) (gcc version 2.7.2.3) #1 Sat Dec 1 12:15:05 CST 2001

Installed Modules:
ip_masq_vdolive    1180   0 (unused)
ip_masq_user       3708   0 (unused)
ip_masq_raudio     2980   0 (unused)
ip_masq_quake      1220   0 (unused)
ip_masq_portfw     2416   0 (unused)
ip_masq_mfw        3196   0 (unused)
ip_masq_irc        1924   0
ip_masq_ftp        3576   0
ip_masq_cuseeme     964   0 (unused)
ip_masq_autofw     2476   0 (unused)
ne                 6292   2
8390               6236   0 [ne]
bsd_comp           3708   0 (unused)
ppp_deflate       40672   0 (unused)
ppp               20828   2 [bsd_comp ppp_deflate]
slhc               4436   0 [ppp]


Here are the packages:
 
Name      Version  Description
========  =======  ==============================================
root      4.0.6    Linux Router Project
etc       4.0.1    /etc/ of the main root, minus any other packag
ramlog    1.1      Creates additinal ramdisks on boot
local     4.0.6    Local package. This package does not contain a
modules   4.0.6    Modules package. Contains kernel modules and u
ppp       2.3.11   PPPd Deamon for Dial-Up
dhcpd     2.0pl5   dhcpd - Autoconfigure client machines
dnscache  1.05a    dnscache from djbdns (V1.05a) package creates
ifconfig  1.45     ifconfig and route commnads
pppoe     2.6      Roaring Penguin PPPoE Client LRP Package
weblet    1.2.0    weblet - LRP status via a small web server
sshd      3.0p1    OpenSSH sshd daemon.
oidentd   1.6.0    There shouldn't be any configuration needed un
libz      so.1     used for SSHD only
psentry   1.0      If this package failed to load, please create


This is the block that needs to pass through:

Apr 19 07:10:48 amberton kernel: Packet log: input DENY ppp0 PROTO=50 207.11.4.7:65535 68.19.16.103:65535 L=168 S=0x00 I=8699 F=0x T=243 (#70)

I am not sure if I need a rule set or a package loaded, any help would be
beneficial.





[leaf-user] IPSec, PPP dropped then reconnect internet connection

2004-04-02 Thread freeman
Having just recently placed a mail server on my DMZ I am now addressing 
an issue whereby my PPP link (over PPPoE) would drop, then come back up 
but my routing table would be thereafter mucked up and require manual 
intervention to reset the networking/shorewall/ipsec utilities to get 
proper connectivity restored. (Manual intervention was tolerable for my 
personal use but I need to have my mail server up 7/24).

I am running Bering 1.2. eth0=internet, eth1=private, eth2=DMZ. I am 
running IPSec.

Relevant package versions are:
Name Ver  Description

initrd   V1.2 LEAF Bering initial filesystem
root V1.2 Core LEAF Bering package
iptables 1.2.8IP packet filter admin' tools for 2.4.
ppp  2.4.1-pppoe  Point-to-Point Protocol (PPP) daemon
pppoe3.3-1PPPoE add-on for pppd
shorwall 1.4.2Shoreline Firewall (Shorewall)
ipsec1.99.6.2 Super Freeswan IPSEC
After a bootup of my LEAF box and all was working well, my routing table 
would be as follows:
===
216.99.105.4 dev ppp0  proto kernel  scope link  src 216.99.99.35
216.99.105.4 dev ipsec0  proto kernel  scope link  src 216.99.99.35
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.254
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.1
192.168.1.0/24 via 216.99.105.4 dev ipsec0
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254
default via 216.99.105.4 dev ppp0

After a PPP link drop (simulated by my powering off my DSL modem) my 
routing table would be as follows:
===
216.99.105.4 dev ipsec0  proto kernel  scope link  src 216.99.99.35
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.254
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.1
192.168.1.0/24 via 216.99.105.4 dev ipsec0
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254

After the PPP link restored (simulated by my powering back on, my DSL 
modem) my routing table would be as follows:
===
216.99.105.4 dev ipsec0  proto kernel  scope link  src 216.99.99.35
216.99.105.4 dev ppp0  proto kernel  scope link  src 216.99.99.35
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.254
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.1
192.168.1.0/24 via 216.99.105.4 dev ipsec0
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254
default via 216.99.105.4 dev ipsec0

And thus I don't have connectivity to the internet thereafter. It would 
appear to me that the 'default' traffic is trying to get out on the 
ipsec interface which is, as expected, not working.

I resolved this problem by adding to (the bottom of ) the 
/etc/ppp/ip-down an 'svi ipsec stop' command. To /etc/ppp/ip-up I added 
'svi ipsec start'. This has, AFAICT, resolved the issue. Having 
apparently solved my problem (hacker! :) I'd like to inquire:
   - is this the proper way to solve this problem?
   - should a change be made to some parts of the IPSec and/or PPP 
packages to preclude this issue from affecting others?
   - and/or should some change to some documentation be made to make 
mention of this problem and resolution?

I checked the mail archives and relevant documentation 
(http://leaf.sourceforge.net/doc/guide/buipsec.html) but there was no 
mention (that I could find) of this problem or resolution.

Thanks for any feedback!

Cheers,
scott; canada
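As an added example (not from the post above and not part of the LEAF or FreeS/WAN packages): the three routing tables in the post contain the whole diagnosis, so here is a Python check that parses "ip route" output and reports when the default route has disappeared (link down), when it has landed on the ipsec interface (the broken state after reconnect), and when ipsec0 still holds a link route to the gateway that the PPP interface has lost (stale tunnel state). Called from /etc/ppp/ip-up or a cron job, it tells you whether the "svi ipsec" restart is actually needed instead of doing it blindly. The sample tables are copied from the post; the interface names ppp0 and ipsec0 are taken from it, and the usual FreeS/WAN binding of ipsec0 to the WAN interface is assumed.

```python
import re
from typing import Dict, List

Route = Dict[str, str]

# One 'ip route' line: "<dst> [via <gw>] dev <if> ..."; later attributes are ignored.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")

# Copied from the post: the working table, the table after the PPP drop, and the
# table after the link came back.
ROUTES_OK = """\
216.99.105.4 dev ppp0  proto kernel  scope link  src 216.99.99.35
216.99.105.4 dev ipsec0  proto kernel  scope link  src 216.99.99.35
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.254
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.1
192.168.1.0/24 via 216.99.105.4 dev ipsec0
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254
default via 216.99.105.4 dev ppp0
"""
ROUTES_LINK_DOWN = """\
216.99.105.4 dev ipsec0  proto kernel  scope link  src 216.99.99.35
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.254
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.1
192.168.1.0/24 via 216.99.105.4 dev ipsec0
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254
"""
ROUTES_AFTER_RECONNECT = """\
216.99.105.4 dev ipsec0  proto kernel  scope link  src 216.99.99.35
216.99.105.4 dev ppp0  proto kernel  scope link  src 216.99.99.35
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.254
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.1
192.168.1.0/24 via 216.99.105.4 dev ipsec0
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254
default via 216.99.105.4 dev ipsec0
"""


def parse_routes(text: str) -> List[Route]:
    """Turn 'ip route' output into dicts with dst, via (empty for link routes) and dev."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({"dst": m["dst"], "via": m["via"] or "", "dev": m["dev"]})
    return routes


def check_routes(routes: List[Route], wan_if: str = "ppp0", ipsec_if: str = "ipsec0") -> List[str]:
    """Return a list of problems; an empty list means the table looks like the good one."""
    problems = []
    defaults = [r for r in routes if r["dst"] == "default"]
    if not defaults:
        problems.append("no default route: %s is probably down" % wan_if)
    for r in defaults:
        if r["dev"] == ipsec_if:
            problems.append(
                "default route is on %s instead of %s: Internet-bound traffic is being "
                "pushed at the tunnel interface; restart ipsec now that %s is back"
                % (ipsec_if, wan_if, wan_if))
        elif r["dev"] != wan_if:
            problems.append("default route is on unexpected interface %s" % r["dev"])
    # ipsec0 rides on the WAN interface (assumed interfaces=ipsec0=ppp0 binding); a
    # link route it still holds after the WAN interface has lost it is stale state
    # left behind by the drop, which is what 'svi ipsec stop' in ip-down clears.
    wan_links = {r["dst"] for r in routes if r["dev"] == wan_if and not r["via"]}
    for r in routes:
        if r["dev"] == ipsec_if and not r["via"] and r["dst"] not in wan_links:
            problems.append(
                "%s still has a link route to %s although %s has none: stale tunnel "
                "state; stop ipsec from ip-down" % (ipsec_if, r["dst"], wan_if))
    return problems


if __name__ == "__main__":
    for name, table in (("ok", ROUTES_OK), ("link down", ROUTES_LINK_DOWN),
                        ("after reconnect", ROUTES_AFTER_RECONNECT)):
        print(name + ":", check_routes(parse_routes(table)) or ["clean"])
```

On a LEAF box the input would come from `ip route` rather than the embedded strings; the checks themselves are what the ip-up/ip-down hooks in the post are compensating for.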




RE: [leaf-user] IPsec pluto etc: static build required?

2004-01-10 Thread Alex Rhomberg
 I'm just getting started with Leaf Bering.

 I've built a new 2.4.20 kernel using the woody environment and have
 iptables built statically and all is well as far as that goes.

There are newer 2.4 kernels around

 Freeswan is a bit of a mystery though. I'm using super-freeswan-1.99.6.2.


Compiling FreeS/WAN for Bering is nontrivial, because the Bering userland
libc is so ancient and the kernel and userland compile environments are
different.

I see several possibilities:

- use the Bering package. It is compiled from super-FreeS/WAN. We use it for
certificate authentication

- The userland stuff of freeswan cannot be compiled separately
  (make programs), but needs patches for the potato environment. These
patches should be available from Jacques or Eric, somebody did build the
ipsec.lrp

- The userland stuff can also be compiled statically. Go to the pluto
directory and add -static to the LDFLAGS = line in the Makefile (about
line 90 in mine) and then call make programs

- I think at one time I used the userland binaries that I compiled in a
SuSE environment and they worked (Don't know why, though..)

HTH
Alex





[leaf-user] IPsec pluto etc: static build required?

2004-01-08 Thread Tom Redfern

I'm just getting started with Leaf Bering.

I've built a new 2.4.20 kernel using the woody environment and have 
iptables built statically and all is well as far as that goes.

Freeswan is a bit of a mystery though. I'm using super-freeswan-1.99.6.2.

Pluto whack and other utilities are linked to libc.6 on the woody
system, while  I'm using  libc-2.0.7.so on my userland system which,
of course, is causing some rather erratic behavior when starting ipsec.
What is the best way around this?  I'm digging through the docs and don't
really find an easy way of building all the utilities alone statically.
The temptation here is to just modify the Makefile.inc to pass the arg
to build everything statically linked.  Do I have it right?

Is there a doc that covers the problem?  Any patches?

Any help would be appreciated.

Thanks.

-- 
--
* Tom Redfern | Address:Box 21 Snoqualmie  WA 98065-0021 USA *
* | Email:  [EMAIL PROTECTED]  *
--




RE: [leaf-user] IPSec WiFi vs. weblet

2004-01-05 Thread Francois BERGERET
Hi Christopher,

Happy New Year to you and the list.

Yes, I use IPSec.

Best Regards,
Francois BERGERET,
France.


 -Original Message-
 From: Christopher Harewood [mailto:[EMAIL PROTECTED]
 Sent: Friday 26 December 2003 17:20
 To: Francois BERGERET
 Cc: [EMAIL PROTECTED]
 Subject: RE: [leaf-user] IPSec WiFi vs. weblet


 I already had a similar entry in my policy file:

 vpn   fw  ACCEPT
 fwvpn ACCEPT

 to no avail.  Are you using IPSec, Francois?

 On Mon, 15 Dec 2003,
 Francois BERGERET wrote:

  Hi all,
 
  I use two wireless networks simultaneously in a Soekris
 embedded PC with
  Bering V1.2, plus one normally wired LAN. Weblet runs fine from all
  subnets. I have not uncommented this in the sh-httpd.conf file:
 
  #Who can access the server?
  #CLIENT_ADDRS=192.168.1
 
  In Shorewall policy file, I have this :
 
  fw  loc ACCEPT
  loc fw  ACCEPT
 
  and the same for all invoked interfaces wlan0 and wlan1
 zone aliases.
 
  I hope this could help. If not, let me know what you want more.
 
  Good Luck.
  Best Regards,
  Francois BERGERET,
  France.
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] on behalf of
   Christopher Harewood
   Sent: Monday 15 December 2003 07:10
   Cc: [EMAIL PROTECTED]
   Subject: Re: [leaf-user] IPSec WiFi vs. weblet
  
  
   The 192.168.3.0 subnet is my IPSec vpn.  Hence, in
   /etc/shorewall/rules:
   ACCEPT  loc  fw  tcp  80
   ACCEPT  vpn  fw  tcp  80
  
   No weblet over the vpn, and no hits in the firewall log, so I
   surmise that
   it's not a Shorewall issue.  But I've been wrong before.
  
  
  
  


RE: [leaf-user] IPSec WiFi vs. weblet

2003-12-29 Thread Christopher Harewood
Eureka!

Determined to resolve this issue, I attempted to access the weblet over 
the VPN, and checked to see if any log file was touched.  

Just one.  daemon.log.  Which told me that I had failed to place a 
carriage return after the second entry in hosts.allow for my ipsec'd 
subnet.  One carriage return later, all is well.  

Rejoice, etc.  

Thanks to one and all for their help.  Perhaps Jacq^H^H^H^HEric can add 
this to the next round of documentation.  Or are trailing carriage returns 
just *nix common sense?  

:Max





RE: [leaf-user] IPSec WiFi vs. weblet

2003-12-29 Thread Ray Olszewski
At 06:20 PM 12/29/2003 +0100, Christopher Harewood wrote:
Eureka!

Determined to resolve this issue, I attempted to access the weblet over
the VPN, and checked to see if any log file was touched.
Just one.  daemon.log.  Which told me that I had failed to place a
carriage return after the second entry in hosts.allow for my ipsec'd
subnet.  One carriage return later, all is well.
Rejoice, etc.

Thanks to one and all for their help.  Perhaps Jacq^H^H^H^HEric can add
this to the next round of documentation.  Or are trailing carriage returns
just *nix common sense?
Not quite *nix common sense, but a good bit more general than this 
specific file (/etc/hosts.allow).

Some text files need a NEWLINE (0x0A or LineFeed, not a carriage return 
or 0x0D ... though properly configured Unix/Linux keyboard/text-processor 
combos do insert the correct character when the ENTER key is pressed, 
editing on a DOS/Windows system and moving the file to a Unix/Linux system 
can introduce problems here) at the end of the last line of text. Some do 
not. As best as I can recall, adding one never hurts.

Whether this means the docs for a specific package should mention it or not 
is unclear to me ... if it should, I suspect a lot of documentation needs 
this addition, not just this package.
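Added example, not from either of the two messages above and not part of tcp_wrappers or the weblet package: a Python lint for the two line-ending faults discussed here (an unterminated last line, and CR characters from a DOS/Windows editor), plus a simplified model of hosts.allow matching that can be switched between "drop the unterminated last line", which is the behaviour Christopher ran into, and keeping it. The file contents are constructed to reproduce his case; the daemon name sh-httpd is an assumption for the weblet's tcpd entry. It models ALL, net/mask, trailing-dot prefixes and exact addresses only; hosts.deny and hostname patterns are out of scope.

```python
import ipaddress
from typing import List, Tuple

# Constructed contents. BROKEN has a CR left by a DOS/Windows editor on line 1 and
# no newline after the last line; FIXED is the same file with both faults removed.
BROKEN = "ALL: 192.168.1.0/255.255.255.0\r\nALL: 192.168.3.0/255.255.255.0"
FIXED = "ALL: 192.168.1.0/255.255.255.0\nALL: 192.168.3.0/255.255.255.0\n"

Rule = Tuple[List[str], List[str]]   # (daemon_list, client_list)


def lint_hosts_allow(text: str) -> List[str]:
    """Report the two line-ending problems discussed in the thread."""
    problems = []
    if "\r" in text:
        problems.append("CR characters present (DOS/Windows line endings); "
                        "strip them, e.g. tr -d '\\r'")
    if text and not text.endswith("\n"):
        problems.append("last line is not newline-terminated; tcpd dropped "
                        "that entry in the case above")
    return problems


def parse_hosts_allow(text: str, drop_unterminated: bool = True) -> List[Rule]:
    """Parse 'daemon_list : client_list [: ...]' lines; comments and blanks skipped.
    drop_unterminated=True mimics the reported behaviour: an unterminated final
    line is silently ignored."""
    lines = text.split("\n")
    if drop_unterminated and not text.endswith("\n"):
        lines = lines[:-1]
    rules: List[Rule] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        fields = [f.strip() for f in line.split(":")]
        # A third shell_command field, if present, is ignored by this model.
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern: str, addr: str) -> bool:
    """Subset of tcpd client patterns: ALL, net/mask, 'net.' prefix, exact address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network((net, mask), strict=False)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern == addr


def is_allowed(text: str, daemon: str, addr: str, drop_unterminated: bool = True) -> bool:
    """Would this hosts.allow admit `addr` to `daemon`? A configuration check, not a
    reimplementation of tcpd: hosts.deny and hostname patterns are not modelled."""
    for daemons, clients in parse_hosts_allow(text, drop_unterminated):
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(c, addr) for c in clients):
                return True
    return False


if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_hosts_allow(text) or ["clean"],
              "vpn client allowed:", is_allowed(text, "sh-httpd", "192.168.3.5"))
```

The point the lint makes is that the second entry is present in both files but only counts in the fixed one; a wrapper around this, run from whatever copies hosts.allow onto the box, catches the fault before the next "no hits in the firewall log" afternoon.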







[leaf-user] IPSEC

2003-12-26 Thread Robert Sabine von Knobloch
Hope everyone had a happy Christmas,

can anyone point me to documentation about the Bering uClib2.0 IPSEC package
?
The links at Freeswan don't seem very relevant to the config in Bering. I'm
trying to set the RSA keys up but not having any success so far.

Best wishes for the new year,

robert von Knobloch





Re: [leaf-user] IPSEC

2003-12-26 Thread K.-P. Kirchdörfer
On Friday, 26 December 2003 12:28, Robert Sabine von Knobloch wrote:
 Hope everyone had a happy Christmas,

 can anyone point me to documentation about the Bering uClib2.0 IPSEC
 package ?
 The links at Freeswan don't seem very relevant to the config in Bering. I'm
 trying to set the RSA keys up but not having any success so far.

"any success so far" isn't precise enough to help you.

What does lrpkg -l say?

I'm also interested in /var/log/auth.log and /var/log/messages...

kp





RE: [leaf-user] IPSec WiFi vs. weblet

2003-12-15 Thread Francois BERGERET
Hi all,

I use two wireless networks simultaneously in a Soekris embedded PC with
Bering V1.2, plus one normally wired LAN. Weblet runs fine from all
subnets. I have not uncommented this in the sh-httpd.conf file:

#Who can access the server?
#CLIENT_ADDRS=192.168.1

In Shorewall policy file, I have this :

fw  loc ACCEPT
loc fw  ACCEPT

and the same for all invoked interfaces wlan0 and wlan1 zone aliases.

I hope this could help. If not, let me know what you want more.

Good Luck.
Best Regards,
Francois BERGERET,
France.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] on behalf of
 Christopher Harewood
 Sent: Monday 15 December 2003 07:10
 Cc: [EMAIL PROTECTED]
 Subject: Re: [leaf-user] IPSec WiFi vs. weblet


 The 192.168.3.0 subnet is my IPSec vpn.  Hence, in
 /etc/shorewall/rules:
 ACCEPT  loc  fw  tcp  80
 ACCEPT  vpn  fw  tcp  80

 No weblet over the vpn, and no hits in the firewall log, so I
 surmise that
 it's not a Shorewall issue.  But I've been wrong before.






Re: [leaf-user] IPSec WiFi vs. weblet

2003-12-14 Thread Christopher Harewood
Tried both of these before posting.  192.168.1.0 is my wired subnet, 
192.168.3.0 is my wireless subnet.  

hosts.allow: 
ALL: 192.168.1.0/255.255.255.0
ALL: 192.168.3.0/255.255.255.0

sh-httpd.conf (pertinent parts)
# Who are we - used for CGI scripts
SERVER_NAME=ice.rawdata.lab
SERVER_ADDR=192.168.1.99
SERVER_PORT=80

# Who can access the server?
CLIENT_ADDRS=192.168.1. 192.168.3.


On Sat, 13 Dec 2003, Lynn Avants wrote:

 A declaration of the wireless host(s) in the /etc/hosts.allow file on the 
 Bering machine and likely in /etc/sh-httpd.conf as well





Re: [leaf-user] IPSec WiFi vs. weblet

2003-12-14 Thread Victor McAllister
Christopher Harewood wrote:

Tried both of these before posting.  192.168.1.0 is my wired subnet, 
192.168.3.0 is my wireless subnet.  

hosts.allow: 
ALL: 192.168.1.0/255.255.255.0
ALL: 192.168.3.0/255.255.255.0

sh-httpd.conf (pertinent parts)
# Who are we - used for CGI scripts
SERVER_NAME=ice.rawdata.lab
SERVER_ADDR=192.168.1.99
SERVER_PORT=80
# Who can access the server?
CLIENT_ADDRS=192.168.1. 192.168.3.
On Sat, 13 Dec 2003, Lynn Avants wrote:

 

A declaration of the wireless host(s) in the /etc/hosts.allow file on the 
Bering machine and likely in /etc/sh-httpd.conf as well
   

Did you open the port up on the firewall in /etc/shorewall/rules for
normal weblet access from loc (which would appear to be 192.168.1)?
ACCEPT  loc  fw  tcp  80
Perhaps you need one for whatever the name of your other 192.168.3
internal network is:
ACCEPT  ??   fw  tcp  80






Re: [leaf-user] IPSec WiFi vs. weblet

2003-12-13 Thread Lynn Avants
On Saturday 13 December 2003 12:25 am, Christopher Harewood wrote:
 I have finally (through the alignment of planets, presumably) set up IPSec
 on the wifi connection to my Bering box.  All works well (browse Samba
 shares with no problems, net access, etc.  The only thing that fails to
 load over the ipsec tunnel is the weblet.  It works fine from any wired
 local machine.  Any ideas?

A declaration of the wireless host(s) in the /etc/hosts.allow file on the 
Bering machine and likely in /etc/sh-httpd.conf as well
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81




[leaf-user] IPSec WiFi vs. weblet

2003-12-12 Thread Christopher Harewood
I have finally (through the alignment of planets, presumably) set up IPSec 
on the wifi connection to my Bering box.  All works well (browse Samba 
shares with no problems, net access, etc.  The only thing that fails to 
load over the ipsec tunnel is the weblet.  It works fine from any wired 
local machine.  Any ideas? 

:Max





Re: [leaf-user] IPSEC NAT traversal with shorewall HELP!

2003-11-26 Thread Lynn Avants
On Tuesday 25 November 2003 08:47 pm, Troy Aden wrote:
[...]
 My goal with this configuration is to have two networks linked via IPSEC. I
 would expect that all users from site A will be able to communicate with
 all users on site B transparently meaning that for all intents and
 purposes users on site A's internal network would be able to communicate
 with users from site B's internal network as if they were on the same LAN.
 If I am off base in how this works, please feel free to correct me.

DNS, WINS, and other forms of broadcast traffic will not work ideally across
the tunnel transparently. For SMB networking, you'll likely have to link 
PDCs and/or WINS servers on each subnet. There is some information on
this at http://leaf.sf.net/devel/guitarlynn/ipsec.txt
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81




RE: [leaf-user] IPSEC NAT traversal with shorewall HELP!

2003-11-26 Thread Troy Aden
Thanks!
OK, I followed your procedure and I am getting this when I initiate the
tunnel from the Victoria side:

ipsec whack --initiate --name victoria
002 victoria #1: initiating Main Mode
104 victoria #1: STATE_MAIN_I1: initiate
106 victoria #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 victoria #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 victoria #1: Main mode peer ID is ID_IPV4_ADDR: '139.142.224.39'
002 victoria #1: ISAKMP SA established
004 victoria #1: STATE_MAIN_I4: ISAKMP SA established
002 victoria #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
117 victoria #2: STATE_QUICK_I1: initiate
010 victoria #2: STATE_QUICK_I1: retransmission; will wait 20s for response


It never completes the tunnel. Can anyone please tell me what I am missing
here?

Thanks in advance!

Troy
-Original Message-
From: Lynn Avants [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 1:10 AM
To: Troy Aden; Leaf-User ([EMAIL PROTECTED])
Subject: Re: [leaf-user] IPSEC NAT traversal with shorewall HELP!

On Tuesday 25 November 2003 08:47 pm, Troy Aden wrote:
[...]
 My goal with this configuration is to have two networks linked via IPSEC. I
 would expect that all users from site A will be able to communicate with
 all users on site B transparently meaning that for all intents and
 purposes users on site A's internal network would be able to communicate
 with users from site B's internal network as if they were on the same LAN.
 If I am off base in how this works, please feel free to correct me.

DNS, WINS, and other forms of broadcast traffic will not work ideally across
the tunnel transparently. For SMB networking, you'll likely have to link
PDCs and/or WINS servers on each subnet. There is some information on
this at http://leaf.sf.net/devel/guitarlynn/ipsec.txt
--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81




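The whack output in Troy's post is a compact record of how far the negotiation got: state #1 reaches STATE_MAIN_I4 and reports "ISAKMP SA established" (phase 1, the Main Mode exchange, succeeded, so the pre-shared key and the peer address are accepted on both sides), then state #2 enters STATE_QUICK_I1 and only ever retransmits (phase 2 never gets an answer). An unanswered Quick Mode after a clean Main Mode usually means the peer rejected or could not match the phase 2 proposal (subnet definitions, PFS, ESP algorithms) rather than a key problem, and the peer's pluto log is where the reason shows. The following added example (not code from the list or from FreeS/WAN/Openswan) parses that output and reports which phase stalled; the sample input is the transcript from the post above, with the "victoria" connection name and the peer address taken from it.

```python
import re

# Pluto/whack output taken from Troy's post above, used here as sample input.
PLUTO_OUTPUT = """\
002 victoria #1: initiating Main Mode
104 victoria #1: STATE_MAIN_I1: initiate
106 victoria #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 victoria #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 victoria #1: Main mode peer ID is ID_IPV4_ADDR: '139.142.224.39'
002 victoria #1: ISAKMP SA established
004 victoria #1: STATE_MAIN_I4: ISAKMP SA established
002 victoria #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
117 victoria #2: STATE_QUICK_I1: initiate
010 victoria #2: STATE_QUICK_I1: retransmission; will wait 20s for response
"""

# "<3-digit code> <connection> #<state number>: <message>"
LINE_RE = re.compile(r"^(\d{3}) (\S+) #(\d+): (.*)$")
STATE_RE = re.compile(r"^(STATE_\w+)")


def parse_pluto(text):
    """Return (code, connection, state_no, message) for each whack line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            code, conn, num, msg = m.groups()
            events.append((int(code), conn, int(num), msg))
    return events


def diagnose(text):
    """Per connection: did phase 1 / phase 2 complete, what was the last
    STATE_* reached, and how many retransmissions were logged."""
    summary = {}
    for _code, conn, _num, msg in parse_pluto(text):
        s = summary.setdefault(conn, {"phase1": False, "phase2": False,
                                      "last_state": None, "retransmits": 0})
        if "ISAKMP SA established" in msg:      # Main Mode done
            s["phase1"] = True
        if "IPsec SA established" in msg:       # Quick Mode done
            s["phase2"] = True
        sm = STATE_RE.match(msg)
        if sm:
            s["last_state"] = sm.group(1)
        if "retransmission" in msg:
            s["retransmits"] += 1
    return summary


def verdict(state):
    """Human-readable reading of one connection's summary."""
    if state["phase2"]:
        return "tunnel up"
    if not state["phase1"]:
        return "phase 1 (Main Mode) not completed"
    last = state["last_state"] or ""
    if last.startswith("STATE_QUICK"):
        return "phase 2 (Quick Mode) unanswered"
    return "phase 2 not started"


if __name__ == "__main__":
    for conn, state in diagnose(PLUTO_OUTPUT).items():
        print(conn, state, "->", verdict(state))
```

Feeding it the transcript yields "phase 2 (Quick Mode) unanswered" for victoria with one retransmission logged, which directs attention to the phase 2 settings on both ends (the left/right subnet pairs and the PFS and ESP choices in the connection definition) and to the responder's log, not to the pre-shared key.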

