[leaf-user] IPSec errors, kernel/userland version mismatch?
Hi,

I've been asked to add VPN capabilities to our router here at work. It's currently Bering-uClibc 2.3.1.

I keep getting this error in the /var/secure log when starting up or connecting to the VPN:

Connecting:
ERROR: L2TP-PSK[2] 5.6.7.8 #3: pfkey write() of SADB_ADD message 5 for Add SA [EMAIL PROTECTED] failed. Errno 22: Invalid argument

Starting the service:
ipsec_setup: /usr/lib/ipsec/eroute: pfkey write failed, returning -1 with errno=22.
ipsec_setup: Invalid argument, check kernel log messages for specifics.

All I can find with Google is that this suggests a kernel module/userland tools version mismatch.

gateway# uname -r
2.4.31
gateway# ipsec --version
Linux Openswan U2.4.5/K1.0.9 (klips)
See `ipsec --copyright' for copyright information.

Erm, I *guess* that's a version mismatch. If it is, where can I grab ipsec.lrp version 2.4.31? Or is the version of the kernel not the same as the version of its modules?

Regards,
James.

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
Re: [leaf-user] IPSec errors, kernel/userland version mismatch?
connecting from any IP address:

193.175.198.98 %any: PSK MySecretKey
# (Line above only works on recent versions of Openswan).
# There is a subtle difference with the following
# (see also 'man ipsec.secrets') which affects NATed
# clients that use a PSK:
193.175.198.98 : PSK MySecretKey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:leaf-user-[EMAIL PROTECTED]] On Behalf Of James Neave
Sent: 30 March 2007 12:55
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] IPSec errors, kernel/userland version mismatch?
Re: [Leaf-user] ipsec errors
I did not find that specific line in the net ipfilter list command, however I did change the setting in the network.conf file. However I still did not find that line in the above command.

I got to thinking about the specific problem I'm having and thought I might try to give a little more information .. here goes

The machines are mostly stock Dachstein, running udhcpd (instead of dhcpd/dhclient), w/ slightly modified subnets. Both machines are routing as designed, and all machines can ping the other gateway, internet is working fine. Although the IP address for each gateway is dynamic, they have stayed the same for at least the last 2 months, so I have based my work on the assumed fact that these IPs will stay the same for a while longer. At any rate, for testing purposes they have stayed the same.

subnet-home -- home -- internet -- office -- subnet-office
192.168.3.0/24  66.25.44.147 - 66.25.18.71  192.168.1.0/24

IPSec loads without any noticeable errors, except something about rp_filter should be 0, but reads 1 (or vice versa). If I understand correctly, once both machines are at this point I could ping the office subnet from the home subnet, and the opposite, however this does not work. So then I tried 'ipsec auto --up office' .. and then this just hangs. Sits for a while (reading the logs says something about initializing office on MAIN). After a minute or so, I ctrl-break this and am unable to go any further.

That's about where I am .. and am stuck...

joey

----- Original Message -----
From: Charles Steinkuehler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; LRP Support [EMAIL PROTECTED]
Sent: Friday, March 08, 2002 5:46 PM
Subject: Re: [Leaf-user] ipsec errors

> > Where do I check to see if protocol 50 packets are being allowed through? I'll be working more on it this weekend.. I'd really like to get this working so I'll try just about anything.. even possibly step/by/step support via phone (I'd beg someone to call my 800 number for a little assistance...
>
> The primary source is the output of net ipfilter list, which shows you exactly how your firewall rules are set up. You're looking for a line allowing protocol 50, preferably with non-zero byte/packet counts:
>
> 1843 356K ACCEPT 50 -- 0xFF 0x00 eth0 <snip>
>
> You open protocol 50 traffic with the following in network.conf:
>
> EXTERN_PROTO0=50 0/0
>
> Of course, you can change the 0/0 (the entire internet) to the address (or network) of your remote VPN link, if it's static.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] ipsec errors
Yes, u gota problem Sir:

Now u do this:

echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter

then:

ipsec setup --restart

I don't know how u setup your /etc/ipsec.conf... if u have it auto=add line to your conn.. then ready to go.. u almost there... good luck

Upnet Joe.

----- Original Message -----
From: joey officer [EMAIL PROTECTED]
To: Charles Steinkuehler [EMAIL PROTECTED]; LRP Support [EMAIL PROTECTED]
Sent: Saturday, March 09, 2002 11:21 AM
Subject: Re: [Leaf-user] ipsec errors
Re: [Leaf-user] ipsec errors
I did the below, and restarted ipsec, and got an error about eth0, so I changed it back. Then I started scanning the /var/log/syslog and noticed that port 500 was being denied:

Mar 9 14:46:43 firewall kernel: Packet log: input DENY eth0 PROTO=17 66.25.18.71:500 66.25.44.147:500 L=204 S=0x00 I=31 F=0x T=62 (#41)

Now I modified and was able to get this to stop being denied on one side, but I cannot do it on the home side. I have a feeling I am just one step away, can someone push me in the right direction...

joey

----- Original Message -----
From: Charles Steinkuehler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; LRP Support [EMAIL PROTECTED]
Sent: Friday, March 08, 2002 5:46 PM
Subject: Re: [Leaf-user] ipsec errors
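The syslog line joey quotes is the Dachstein packet-log format, and the check Charles describes is whether both the IKE keying traffic (UDP/500) and the ESP data packets (protocol 50) get through. The shell script below is an added example, not code from the thread or from LEAF: it scans such log lines for packets dropped between the two gateways. The log excerpt is constructed (only its first line is the one from the post); the gateway addresses are the ones in the thread.

```shell
# Added example, not from the thread: scan Dachstein/ipchains "Packet log"
# syslog lines for dropped IPsec traffic between two gateways. Assumes the
# log format from joey's post ("Packet log: input DENY eth0 PROTO=17
# a.b.c.d:500 e.f.g.h:500 ..."). Nothing on the firewall is changed; this
# only reports what was denied.

# Constructed sample syslog excerpt. The first line is the one quoted in
# the post; the other three are made up to exercise the checks.
SAMPLE_LOG='Mar 9 14:46:43 firewall kernel: Packet log: input DENY eth0 PROTO=17 66.25.18.71:500 66.25.44.147:500 L=204 S=0x00 I=31 F=0x T=62 (#41)
Mar 9 14:46:44 firewall kernel: Packet log: input DENY eth0 PROTO=50 66.25.18.71:65535 66.25.44.147:65535 L=116 S=0x00 I=32 F=0x T=62 (#41)
Mar 9 14:46:45 firewall kernel: Packet log: input DENY eth0 PROTO=6 1.2.3.4:4321 66.25.44.147:23 L=60 S=0x00 I=33 F=0x T=50 (#41)
Mar 9 14:46:46 firewall kernel: Packet log: input ACCEPT eth0 PROTO=17 66.25.18.71:500 66.25.44.147:500 L=204 S=0x00 I=34 F=0x T=62 (#12)'

# ipsec_denied_summary PEER LOCAL  (log text on stdin)
# Prints "IKE_DENIED <n>" for dropped UDP/500 packets from PEER to LOCAL,
# "ESP_DENIED <n>" for dropped protocol 50 packets, or "OK" if neither
# kind was dropped. A tunnel needs both kinds to pass (Charles's point).
ipsec_denied_summary() {
    awk -v peer="$1" -v gw="$2" '
        /Packet log:/ && / DENY / {
            # Locate PROTO=n; the next two fields are src:port and dst:port.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^PROTO=/) { proto = substr($i, 7); src = $(i + 1); dst = $(i + 2) }
            split(src, s, ":"); split(dst, d, ":")
            if (s[1] != peer || d[1] != gw) next
            if (proto == "17" && s[2] == "500" && d[2] == "500") ike++
            else if (proto == "50") esp++
        }
        END {
            if (ike) printf "IKE_DENIED %d\n", ike
            if (esp) printf "ESP_DENIED %d\n", esp
            if (!ike && !esp) print "OK"
        }'
}

# Stand-alone run over the constructed sample (home gateway is 66.25.44.147,
# office gateway is 66.25.18.71, as in the thread).
printf '%s\n' "$SAMPLE_LOG" | ipsec_denied_summary 66.25.18.71 66.25.44.147
```

On a live box the same function can read the real log (`ipsec_denied_summary 66.25.18.71 66.25.44.147 < /var/log/syslog`); an IKE_DENIED line means the firewall, not ipsec.conf, is the next thing to fix.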
Re: [Leaf-user] ipsec errors
On Saturday 09 March 2002 10:21, joey officer wrote:
> I did not find that specific line in the net ipfilter list command, however I did change the setting in the network.conf file. However I still did not find that line in the above command.
>
> I got to thinking about the specific problem I'm having and thought I might try to give a little more information .. here goes
>
> IPSec loads without any noticeable errors, except something about rp_filter should be 0, but reads 1 (or vice versa). If I understand correctly, once both machines are at this point I could ping the office subnet from the home subnet, and the opposite, however this does not work. So then I tried 'ipsec auto --up office' .. and then this just hangs. Sits for a while (reading the logs says something about initializing office on MAIN). After a minute or so, I ctrl-break this and am unable to go any further.

The rp_filter has to do with the network.conf setup, turn off eth0_IPSPOOF to fix this. ipsec barf will check the connection attempt(s) and give you any errors there. Also, did you add leftfirewall=yes and rightfirewall=yes assuming these boxes are both being run with fiter=firewall or router. Personally, it sounds like the RSA authentication problem. ipsec barf or cat /var/log/auth.log should show the point of failure.

--
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
Re: [Leaf-user] ipsec errors
I modified the eth0_IP_SPOOF=NO now, but that does not fix the error of being denied.. which I posted a little while ago... any other thoughts

joey

----- Original Message -----
From: guitarlynn [EMAIL PROTECTED]
To: joey officer [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, March 09, 2002 6:21 PM
Subject: Re: [Leaf-user] ipsec errors
Re: [Leaf-user] ipsec errors
> can someone point out the obvious mistake that I have made..

How about starting with:

Mar 8 13:25:08 firewall ipsec__plutorun: ipsec_auto: fatal error in office: (/etc/ipsec.conf, line 25) duplicated parameter auto
Mar 8 13:25:08 firewall ipsec__plutorun: ipsec_auto: fatal error in shop: (/etc/ipsec.conf, line 39) duplicated parameter auto

...and...

conn office
<snip>
auto=add
auto=start

Try with just *ONE* auto= line and see what you get...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
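A quick checker for the "duplicated parameter" error Charles points at, written as an added shell/awk example and not taken from the thread or from FreeS/WAN: it walks an ipsec.conf section by section and reports any key that appears twice, in the same shape as the plutorun log lines. The ipsec.conf it parses is constructed to reproduce the office and shop errors (addresses and subnets as in the thread), not joey's real file.

```shell
# Added example, not from the thread: report parameters that appear twice
# within one section of an ipsec.conf, the condition ipsec_auto rejects as
# "duplicated parameter". Assumes the FreeS/WAN layout: section headers
# ("config setup", "conn name") start in column 1, parameters are indented
# key=value lines, "#" starts a comment.

# Constructed ipsec.conf that reproduces the office and shop errors from
# the log (addresses and subnets as in the thread; not joey's real file).
SAMPLE_CONF='config setup
    interfaces=%defaultroute
    klipsdebug=none

conn office
    left=66.25.44.147
    leftsubnet=192.168.3.0/24
    right=66.25.18.71
    rightsubnet=192.168.1.0/24
    auto=add
    auto=start

conn shop
    left=66.25.44.147
    right=66.25.18.71
    auto=add
    auto=start'

# ipsec_conf_dups  (config text on stdin)
# Prints "fatal error in <section>: line <n> duplicated parameter <key>"
# for every repeated key; prints nothing for a clean file.
ipsec_conf_dups() {
    awk '
        # Header line (column 1, not a comment): new section, new key table.
        /^[^ \t#]/ { sect = ($1 == "conn") ? $2 : $1; split("", seen); next }
        /^[ \t]*#/ { next }   # comment
        /^[ \t]*$/ { next }   # blank
        {
            line = $0; sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next               # not a key=value line
            key = substr(line, 1, eq - 1)
            if (key in seen)
                printf "fatal error in %s: line %d duplicated parameter %s\n", sect, NR, key
            seen[key] = 1
        }'
}

# Stand-alone run; on the sample this reports line 11 (office) and
# line 17 (shop), one per conn, matching the two plutorun errors above.
printf '%s\n' "$SAMPLE_CONF" | ipsec_conf_dups
```

Run it against the real file with `ipsec_conf_dups < /etc/ipsec.conf` before restarting ipsec; the line numbers it prints correspond to the ones plutorun reports.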
RE: [Leaf-user] ipsec errors
Ok, I've modified the config and am no longer getting any errors, however I cannot get to the other machine. I've tried to ping, and also tried to do a traceroute -i eth0 -f 20 192.168.1.1 and have gotten only the * * * as output from the traceroute. At any rate.. I'm not seeing any errors, and am wondering if there is something I am missing... any thoughts...

joey

-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 08, 2002 12:47 PM
To: [EMAIL PROTECTED]; LRP Support
Subject: Re: [Leaf-user] ipsec errors
Re: [Leaf-user] ipsec errors
> Ok, I've modified the config and am no longer getting any errors, however I cannot get to the other machine. I've tried to ping, and also tried to do a traceroute -i eth0 -f 20 192.168.1.1 and have gotten only the * * * as output from the traceroute. At any rate.. I'm not seeing any errors, and am wondering if there is something I am missing... any thoughts...

Check the output of ipsec look, and make sure you're allowing protocol 50 packets through the firewall. If you only allow the UDP keying traffic, the tunnels will get put in place, but the data packets (protocol 50) won't get through, so no traffic can flow...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [Leaf-user] ipsec errors
Where do I check to see if protocol 50 packets are being allowed through? I'll be working more on it this weekend.. I'd really like to get this working so I'll try just about anything.. even possibly step/by/step support via phone (I'd beg someone to call my 800 number for a little assistance...

Joey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Friday, March 08, 2002 4:57 PM
To: [EMAIL PROTECTED]; LRP Support
Subject: Re: [Leaf-user] ipsec errors
Re: [Leaf-user] ipsec errors
All,

If I remember correctly, and please correct me if I am wrong, the documentation with the ipsec lrp with the Dachstein CD says that using the leftfirewall=yes or rightfirewall=yes will automatically append the scripts to allow protocol 50 through. If I remember from the first post, the office connection had the left and rightfirewall commented out.

Just another thought -

Bill
[Leaf-user] IPSEC ERRORS
Hi everyone.

I am using Oxygen 1.8.0 and I am trying to configure ipsec on it. Since the ipsec module I have is too big (494K) to put on a disk, I have two ways of actually mounting it: I either load the CD and pick the option that loads ipsec tools, or I copy the ipsec pkg on a floppy and then I mount it once I have my router up.

Few errors that I keep on getting:

When I type:
ipsec auto --up trial
I get:
whack: Pluto is not running (no /var/run/pluto.ctl)

I don't think that I need a separate package for pluto. That is not what the Freeswan doc says.

When booting from CD, I type:
ipsec setup --status
I get:
ipsec is running but... no pluto running!
/var/run/ipsec.info missing
That is even when I boot with the CD.

With the CD booting I also get:
/usr/local/ipsec/klipsdebug: trouble opening PF_KEY family socket with ERROR: unknown file open error 97

Another question is: is it necessary that I modify my kernel to include KLIPS? I did not think so since I am using ipsec as a package (ipsec509.lrp). But I might be wrong.

Thanks for any help