Re: [leaf-user] ipsec setup
On Monday, 10 November 2014, 22:56:28, Erich Titl wrote:
> Hi Adam
>
> at 19.07.2007 00:57, Adam Niedzwiedzki wrote:
>> Hi guys,
>> insmod /lib/modules/ipsec.o has no issues (no errors) but I can't find
>> af_key.o anywhere in the modules download.
>> Any help appreciated
>
> Paul Wouters left the OpenSwan Project and it appears to be a dead duck
> now. AFAIK efforts have been made to port StrongSwan to LEAF and some
> progress was made but I am not sure about the current status.
> Anyway, 2.4.7 is _very_ old and I guess it will not work with the current
> kernel release.
> I don't have an environment to test ipsec anymore, so I am a bit offline.
> KP has done the port and may know more about the current status.

What exactly was the question?

The af_key module has been added with 5.12-beta1.

And yes, I've built a setup for strongswan, but it needs to be tested
before it will be committed. If anyone is willing to help, pls write me
off-list and I'll send a package for 5.1.2-beta1/-rc1.

kp

--
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
Re: [leaf-user] ipsec setup
Hi Adam

at 19.07.2007 00:57, Adam Niedzwiedzki wrote:
> Hi guys,
> insmod /lib/modules/ipsec.o has no issues (no errors) but I can't find
> af_key.o anywhere in the modules download.
> Any help appreciated

Paul Wouters left the OpenSwan Project and it appears to be a dead duck
now. AFAIK efforts have been made to port StrongSwan to LEAF and some
progress was made but I am not sure about the current status.

Anyway, 2.4.7 is _very_ old and I guess it will not work with the current
kernel release.

I don't have an environment to test ipsec anymore, so I am a bit offline.
KP has done the port and may know more about the current status.

cheers

Erich
Re: [leaf-user] ipsec setup (not an ELF file) SOLVED
SOLVED this myself.

Don't try and restart /etc/init.d/ipsec from WITHIN the /etc/init.d/
directory, i.e. don't do

    ./ipsec --restart

Change to / and then use the full path:

    /etc/init.d/ipsec --restart

I'm guessing it's a bug somewhere, I'll leave the powers that be (the guys
that KNOW what they're doing) to fix this one.

Cheers
Ad

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Niedzwiedzki
Sent: Thursday, 19 July 2007 9:57 AM
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] ipsec setup

Hi guys,

This has been fun dragging my old leaf boxes up to the new builds.
I was running openvpn, and figured I'd upgrade to openswan (ipsec) for my
vpns.

The guide on the site, "Configuring openswan (ipsec)", talks about
openswan.lrp (but I can't find it) so I'm guessing it's now ipsec.lrp.
The guide talks about copying ipsec.o to modules (too easy), but starting
ipsec up on my machine I get the following:

    ipsec_setup: Starting Openswan IPsec 2.4.7...
    ipsec_setup: insmod: not an ELF file
    ipsec_setup: insmod: Could not load the module: Success
    ipsec_setup: insmod: af_key.o: no module by that name found
    ipsec_setup: ERROR: Failed to load or detect KLIPS and NETKEY
    ipsec_setup: Using ipsec
    ipsec_setup: insmod: not an ELF file
    ipsec_setup: insmod: Could not load the module: Success
    ipsec_setup: kernel appears to lack IPsec support (neither CONFIG_KLIPS or CONFIG_NET_KEY are set)

insmod /lib/modules/ipsec.o has no issues (no errors) but I can't find
af_key.o anywhere in the modules download.

Any help appreciated

Cheers
Ad
[leaf-user] ipsec setup
Hi guys,

This has been fun dragging my old leaf boxes up to the new builds.
I was running openvpn, and figured I'd upgrade to openswan (ipsec) for my
vpns.

The guide on the site, "Configuring openswan (ipsec)", talks about
openswan.lrp (but I can't find it) so I'm guessing it's now ipsec.lrp.
The guide talks about copying ipsec.o to modules (too easy), but starting
ipsec up on my machine I get the following:

    ipsec_setup: Starting Openswan IPsec 2.4.7...
    ipsec_setup: insmod: not an ELF file
    ipsec_setup: insmod: Could not load the module: Success
    ipsec_setup: insmod: af_key.o: no module by that name found
    ipsec_setup: ERROR: Failed to load or detect KLIPS and NETKEY
    ipsec_setup: Using ipsec
    ipsec_setup: insmod: not an ELF file
    ipsec_setup: insmod: Could not load the module: Success
    ipsec_setup: kernel appears to lack IPsec support (neither CONFIG_KLIPS or CONFIG_NET_KEY are set)

insmod /lib/modules/ipsec.o has no issues (no errors) but I can't find
af_key.o anywhere in the modules download.

Any help appreciated

Cheers
Ad
[leaf-user] IPSec errors, kernel/userland version mismatch?
Hi,

I've been asked to add VPN capabilities to our router here at work. It's
currently Bering-uClibc 2.3.1.

I keep getting this error in the /var/secure log when starting up or
connecting to the VPN:

Connecting:

    ERROR: L2TP-PSK[2] 5.6.7.8 #3: pfkey write() of SADB_ADD message 5 for Add SA [EMAIL PROTECTED] failed. Errno 22: Invalid argument

Starting the service:

    ipsec_setup: /usr/lib/ipsec/eroute: pfkey write failed, returning -1 with errno=22.
    ipsec_setup: Invalid argument, check kernel log messages for specifics.

All I can find with Google is that this suggests a kernel module/userland
tools version mismatch.

    gateway# uname -r
    2.4.31
    gateway# ipsec --version
    Linux Openswan U2.4.5/K1.0.9 (klips)
    See `ipsec --copyright' for copyright information.

Erm, I *guess* that's a version mismatch. If it is, where can I grab
ipsec.lrp version 2.4.31? Or is the version of the kernel not the same as
the version of its modules?

Regards,

James.

The information in this email is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this email
by anyone else is unauthorised. If you are not the intended recipient, any
disclosure, copying, distribution or any action taken or omitted to be
taken in reliance on it is prohibited and may be unlawful. The contents of
an attachment to this email may contain software viruses that could damage
your own computer systems. Whilst The Spur Group of Companies has taken
every precaution to minimise the risk, we cannot accept liability for any
damage that you sustain as a result of software viruses.
Re: [leaf-user] IPSec errors, kernel/userland version mismatch?
connecting from any IP address:

    193.175.198.98 %any: PSK MySecretKey

    # (Line above only works on recent versions of Openswan).
    # There is a subtle difference with the following
    # (see also 'man ipsec.secrets') which affects NATed
    # clients that use a PSK:

    193.175.198.98 : PSK MySecretKey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:leaf-user-[EMAIL PROTECTED] On Behalf Of James Neave
Sent: 30 March 2007 12:55
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] IPSec errors, kernel/userland version mismatch?

Hi,

I've been asked to add VPN capabilities to our router here at work. It's
currently Bering-uClibc 2.3.1.

I keep getting this error in the /var/secure log when starting up or
connecting to the VPN:

Connecting:

    ERROR: L2TP-PSK[2] 5.6.7.8 #3: pfkey write() of SADB_ADD message 5 for Add SA [EMAIL PROTECTED] failed. Errno 22: Invalid argument

Starting the service:

    ipsec_setup: /usr/lib/ipsec/eroute: pfkey write failed, returning -1 with errno=22.
    ipsec_setup: Invalid argument, check kernel log messages for specifics.

All I can find with Google is that this suggests a kernel module/userland
tools version mismatch.

    gateway# uname -r
    2.4.31
    gateway# ipsec --version
    Linux Openswan U2.4.5/K1.0.9 (klips)
    See `ipsec --copyright' for copyright information.

Erm, I *guess* that's a version mismatch. If it is, where can I grab
ipsec.lrp version 2.4.31? Or is the version of the kernel not the same as
the version of its modules?

Regards,

James.
[leaf-user] ipsec
I was wondering if there is any documentation for using ipsec or some form
of vpn with Bering uClibc. Specifically, I am using 3.0 beta 2 BuC with a
standard 3 nic setup. I was wanting to set up (a secure) remote desktop to
multiple windows servers on my dmz and possibly also a workstation on the
local network. I have read that a vpn will be the most secure way to access
these machines.

Any help or tips you can give me will be much appreciated.

Thanks,
Andrew
Re: [leaf-user] ipsec
Hi Andrew,

Documentation about openvpn is in the following location:
http://leaf.sourceforge.net/doc/bk05ch07.html

Ipsec (openswan) documentation:
http://leaf.sourceforge.net/doc/bk05ch08.html

Additional information on the shorewall site (www.shorewall.net)

Regards,
Eric

> I was wondering if there is any documentation for using ipsec or some
> form of vpn with Bering uClibc. Specifically, I am using 3.0 beta 2 BuC
> with a standard 3 nic setup. I was wanting to set up (a secure) remote
> desktop to multiple windows servers on my dmz and possibly also a
> workstation on the local network. I have read that a vpn will be the most
> secure way to access these machines.
>
> Any help or tips you can give me will be much appreciated.
>
> Thanks,
> Andrew
Re: [leaf-user] Ipsec command not found
Hello Bodo,

> I got the same error with the package I just checked out from CVS.
> Then I checked the CVS revision:
>
>     cvs status ipsec.lrp
>     ==
>     File: ipsec.lrp         Status: Up-to-date
>
>        Working revision:    1.2
>        Repository revision: 1.2  /cvsroot/leaf/bin/packages/uclibc-0.9/20/2.4.32/ipsec.lrp,v
>     ...
>
> This is the same (6 weeks old) revision as shown in the CVS view on
> http://cvs.sourceforge.net/viewcvs.py/leaf/bin/packages/uclibc-0.9/20/2.4.32/
>
> IIRC Sourceforge has 2 CVS servers: one for developers and one for
> anonymous access. Maybe the syncing of the developer CVS with the
> anonymous CVS does not work.

I'm afraid this is the case.

> Please send me the package.

I will send you the package later today (UTC). I'm at work now ;-)

> Bodo

Eric
Re: [leaf-user] Ipsec command not found
Hello Huy,

There is indeed a typo in the buildtool setup of openswan. I have
corrected the setup and created a new package. It seems that Sourceforge's
CVS is down at the moment so I can't commit the fix. I will send you a new
package privately.

Thanks for reporting.

Eric

> Hi
>
> I am setting up a Bering uClibc 2.4 Release ipsec VPN with an old Bering
> 2.0 at one of our hosting centers. Although the tunnel is working
> perfectly, whenever I type in any ipsec command such as ipsec eroute,
> ipsec manual con_name up, ipsec help etc. it always fails with the
> following:
>
>     /usr/sbin/ipsec: unknown IPsec command `command' (`ipsec --help' for list)
>
> ipsec --help gives this error:
>
>     Usage: ipsec command argument ...
>     where command is one of:
>     ls: /usr/local/lib/ipsec: No such file or directory
>     ls: /usr/local/libexec/ipsec: No such file or directory
>     Most of these have their own manual pages, e.g. ipsec_auto(8).
>     See also http://www.freeswan.org or the ipsec(8) manual page.
>
> Can anyone tell me what I'm missing.
>
> Thanks
> Huy
Re: [leaf-user] ipsec and multiple IP problem
Hello Cpu,

Does the same fix apply to our current openswan-2.4.4?

Eric

> Hello,
>
> In addition to specifying a label I couldn't get openswan to work with
> secondary IPs unless I changed this line in _startklips:
>
>     eval `ip addr show $phys primary | grep inet | sed -n 1p |
>
> to:
>
>     eval `ip addr show ${phys%%:*} label $phys | grep inet | sed -n 1p
>
> -cpu
>
> Charles Steinkuehler wrote:
>> Sandro Doro wrote:
>>> Hi,
>>> I am testing Bering 2.3.1 with a multiple IP interface as:
>>>
>>>     # ip addr show eth0
>>>     5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>>>         link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
>>>         inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
>>>         inet 82.46.148.128/24 scope global secondary eth0
>>>         inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link
>>>
>>> Using the included ipsec.lrp (v.1.0.9) I set up the VPN with:
>>>
>>>     # /etc/ipsec.conf
>>>     [...]
>>>     interfaces=ipsec0=eth0 ipsec1=eth0:0
>>>     [...]
>>>
>>> After /etc/init.d/ipsec restart the following messages are printed:
>>>
>>>     Device eth0:0 does not exist.
>>>     ipsec_setup: unable to determine address of `eth0:0'
>>>
>>> This message is printed also if I change the ip address with the
>>> following command:
>>>
>>>     ip addr add 82.46.148.128/24 dev eth0 label eth0:0
>>>
>>> I have read in http://www.freeswan.ca/docs/HA/HA_VPNS_With_FreeSWAN.html
>>> that this interface specification is correct.
>>> Is this possible only in the v2 release (Bering v2.4)?
>>> Thank you for any suggestions.
>>
>> I haven't tried this with FreeS/WAN, but I suspect your problem is you
>> don't have an eth0:0. You *DO* have a secondary IP address on your
>> external interface, but it has no name (linux hasn't required the
>> ethn:m syntax since at least 2.2). Try removing the secondary IP,
>> re-adding it with an appropriate label then starting freeswan:
>>
>>     ip addr del 82.46.148.128/24 dev eth0
>>     ip addr add 82.46.148.128/24 label eth0:0 dev eth0
>>     svi ipsec start
>>
>> ...if that works, you'll need to change how you're adding the IP alias
>> in your startup scripts.
>>
>> --
>> Charles Steinkuehler
>> [EMAIL PROTECTED]
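The difference between the two _startklips lines quoted above, replayed as an added shell example that is not from the thread or from the openswan package: it runs Sandro's `ip addr show eth0` output (with the secondary address re-added under label eth0:0, as Charles suggested) through a stand-in for `ip addr show` and prints what each variant extracts for the two `interfaces=` entries; `fake_ip_addr_show`, the sample block and the function names are assumptions, and the label filtering is a simplified model of how `ip` matches on the trailing label.

```shell
#!/bin/sh
# Added example: replay the _startklips address lookup against Sandro's
# "ip addr show eth0" output. Nothing here is openswan code; fake_ip_addr_show
# stands in for iproute2's "ip addr show", and the sample block below is
# constructed from the thread with the secondary address re-added as
# "label eth0:0" (Charles's suggestion), which is how it then prints.
SAMPLE_IP_ADDR_SHOW='5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
    inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
    inet 82.46.148.128/24 scope global secondary eth0:0
    inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link'

# Stand-in for: ip addr show DEV [primary | label LABEL]
# Only the physical device eth0 exists; asking for the alias name eth0:0
# fails the way Sandro's log shows ("Device eth0:0 does not exist").
fake_ip_addr_show() {
    dev=$1; mode=$2; label=$3
    if [ "$dev" != eth0 ]; then
        echo "Device \"$dev\" does not exist." >&2
        return 1
    fi
    case $mode in
        # "primary" drops the secondary addresses
        primary) printf '%s\n' "$SAMPLE_IP_ADDR_SHOW" | grep -v ' secondary ' ;;
        # "label X" keeps only the inet lines whose trailing label is X
        label)   printf '%s\n' "$SAMPLE_IP_ADDR_SHOW" | grep -E "^[0-9]+:| $label\$" ;;
        *)       printf '%s\n' "$SAMPLE_IP_ADDR_SHOW" ;;
    esac
}

# Shipped _startklips logic: first inet line of "ip addr show $phys primary".
# Prints the address/prefix, or nothing when the lookup fails.
orig_startklips_addr() {
    phys=$1
    fake_ip_addr_show "$phys" primary 2>/dev/null | grep inet | sed -n 1p | awk '{print $2}'
}

# cpu's fix: ${phys%%:*} strips everything from the first ":" so the real
# device is queried, and "label $phys" selects the alias address itself.
# For a plain "eth0" the label is "eth0", which selects the primary address.
fixed_startklips_addr() {
    phys=$1
    fake_ip_addr_show "${phys%%:*}" label "$phys" 2>/dev/null | grep inet | sed -n 1p | awk '{print $2}'
}

# Side by side for the two interfaces= entries in Sandro's ipsec.conf
for phys in eth0 eth0:0; do
    echo "$phys: original -> '$(orig_startklips_addr "$phys")'  fixed -> '$(fixed_startklips_addr "$phys")'"
done
```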
Re: [leaf-user] ipsec/openswan 2.4.2
Cpu,

If I'm not mistaken you have to use the standard kernel ciphers, openswan
doesn't use its own anymore.

    #
    # Cryptographic options
    #
    CONFIG_CRYPTO=y
    CONFIG_CRYPTO_HMAC=y
    CONFIG_CRYPTO_NULL=m
    CONFIG_CRYPTO_MD4=m
    CONFIG_CRYPTO_MD5=m
    CONFIG_CRYPTO_SHA1=m
    CONFIG_CRYPTO_SHA256=y
    CONFIG_CRYPTO_SHA512=m
    CONFIG_CRYPTO_WP512=m
    CONFIG_CRYPTO_DES=m
    CONFIG_CRYPTO_BLOWFISH=m
    CONFIG_CRYPTO_TWOFISH=m
    CONFIG_CRYPTO_SERPENT=m
    CONFIG_CRYPTO_AES=m
    ..

Eric

> Hello Arne,
>
> I don't understand openswan 2.x. It doesn't have SHA2 (which I use).
> Can't modularize ciphers; no blowfish (missing usual ALGs). I tried
> using cryptoapi's sha512 but that didn't work. I tried searching the
> openswan mailing list, found a couple of similar concerns, but no
> answers. Perhaps I'm asking some dumb questions?
>
> I've downgraded to 1.0.9 on kernel 2.4.32. Effectively, a 2.4 ucBering
> hybrid.
>
> Here are the offending config lines:
>
> 2.4.32:
>
>     CONFIG_KLIPS=m
>     #
>     # IPsec options (Openswan)
>     #
>     CONFIG_KLIPS_IPIP=y
>     CONFIG_KLIPS_AH=y
>     CONFIG_KLIPS_ESP=y
>     CONFIG_KLIPS_ENC_3DES=y
>     CONFIG_KLIPS_ENC_AES=y
>     CONFIG_KLIPS_AUTH_HMAC_MD5=y
>     CONFIG_KLIPS_AUTH_HMAC_SHA1=y
>     CONFIG_KLIPS_ALG=y
>     # CONFIG_KLIPS_IPCOMP is not set
>     CONFIG_KLIPS_DEBUG=y
>     CONFIG_IPSEC_NAT_TRAVERSAL=y
>
> 2.4.31 (the more familiar):
>
>     CONFIG_IPSEC=m
>     #
>     # IPSec options (FreeS/WAN)
>     #
>     CONFIG_IPSEC_IPIP=y
>     CONFIG_IPSEC_AH=y
>     CONFIG_IPSEC_AUTH_HMAC_MD5=y
>     CONFIG_IPSEC_AUTH_HMAC_SHA1=y
>     CONFIG_IPSEC_ESP=y
>     CONFIG_IPSEC_ENC_3DES=y
>     CONFIG_IPSEC_ALG=y
>     CONFIG_IPSEC_ALG_MD5=m
>     CONFIG_IPSEC_ALG_SHA1=m
>     CONFIG_IPSEC_ALG_SHA2=m          <-- look sha2
>     CONFIG_IPSEC_ALG_3DES=m
>     CONFIG_IPSEC_ALG_AES=m
>     CONFIG_IPSEC_ALG_BLOWFISH=m      <-- and all
>     CONFIG_IPSEC_ALG_TWOFISH=m       <-- these
>     CONFIG_IPSEC_ALG_SERPENT=m       <-- other
>     CONFIG_IPSEC_ALG_CAST=m          <-- ciphers
>     CONFIG_IPSEC_ALG_NULL=m
>     # CONFIG_IPSEC_ALG_CRYPTOAPI is not set
>     # CONFIG_IPSEC_ALG_1DES is not set
>     CONFIG_IPSEC_IPCOMP=y
>     CONFIG_IPSEC_DEBUG=y
>     CONFIG_IPSEC_NAT_TRAVERSAL=y
>
> Any thoughts on getting strongswan to work with ucBering?
>
> Arne Bernin wrote:
>> Hi all,
>>
>> I just finished packaging openswan 2.4.2 for bering-uclibc and did some
>> initial testing. I am just wondering if someone else is using
>> openswan/ipsec and is willing to test it, too.
>>
>> --arne
Re: [leaf-user] ipsec/openswan 2.4.2
Hello Cpu,

I looked through the openswan source, it seems that those ciphers are
linked into pluto.

Eric

> Hello Arne,
>
> I don't understand openswan 2.x. It doesn't have SHA2 (which I use).
> Can't modularize ciphers; no blowfish (missing usual ALGs). I tried
> using cryptoapi's sha512 but that didn't work. I tried searching the
> openswan mailing list, found a couple of similar concerns, but no
> answers. Perhaps I'm asking some dumb questions?
>
> I've downgraded to 1.0.9 on kernel 2.4.32. Effectively, a 2.4 ucBering
> hybrid.
>
> Here are the offending config lines:
>
> 2.4.32:
>
>     CONFIG_KLIPS=m
>     #
>     # IPsec options (Openswan)
>     #
>     CONFIG_KLIPS_IPIP=y
>     CONFIG_KLIPS_AH=y
>     CONFIG_KLIPS_ESP=y
>     CONFIG_KLIPS_ENC_3DES=y
>     CONFIG_KLIPS_ENC_AES=y
>     CONFIG_KLIPS_AUTH_HMAC_MD5=y
>     CONFIG_KLIPS_AUTH_HMAC_SHA1=y
>     CONFIG_KLIPS_ALG=y
>     # CONFIG_KLIPS_IPCOMP is not set
>     CONFIG_KLIPS_DEBUG=y
>     CONFIG_IPSEC_NAT_TRAVERSAL=y
>
> 2.4.31 (the more familiar):
>
>     CONFIG_IPSEC=m
>     #
>     # IPSec options (FreeS/WAN)
>     #
>     CONFIG_IPSEC_IPIP=y
>     CONFIG_IPSEC_AH=y
>     CONFIG_IPSEC_AUTH_HMAC_MD5=y
>     CONFIG_IPSEC_AUTH_HMAC_SHA1=y
>     CONFIG_IPSEC_ESP=y
>     CONFIG_IPSEC_ENC_3DES=y
>     CONFIG_IPSEC_ALG=y
>     CONFIG_IPSEC_ALG_MD5=m
>     CONFIG_IPSEC_ALG_SHA1=m
>     CONFIG_IPSEC_ALG_SHA2=m          <-- look sha2
>     CONFIG_IPSEC_ALG_3DES=m
>     CONFIG_IPSEC_ALG_AES=m
>     CONFIG_IPSEC_ALG_BLOWFISH=m      <-- and all
>     CONFIG_IPSEC_ALG_TWOFISH=m       <-- these
>     CONFIG_IPSEC_ALG_SERPENT=m       <-- other
>     CONFIG_IPSEC_ALG_CAST=m          <-- ciphers
>     CONFIG_IPSEC_ALG_NULL=m
>     # CONFIG_IPSEC_ALG_CRYPTOAPI is not set
>     # CONFIG_IPSEC_ALG_1DES is not set
>     CONFIG_IPSEC_IPCOMP=y
>     CONFIG_IPSEC_DEBUG=y
>     CONFIG_IPSEC_NAT_TRAVERSAL=y
>
> Any thoughts on getting strongswan to work with ucBering?
>
> Arne Bernin wrote:
>> Hi all,
>>
>> I just finished packaging openswan 2.4.2 for bering-uclibc and did some
>> initial testing. I am just wondering if someone else is using
>> openswan/ipsec and is willing to test it, too.
>>
>> --arne
Re: [leaf-user] ipsec and multiple IP problem
Hi Eric,

I'm not using openswan 2.4.4, I'm using 1.0.9. But I did look at the newer
_startklips and the line is the same. To me, this suggests it's making the
same assumptions about the interface. My guess is that it will work.

original 2.4.4 /usr/lib/ipsec/_startklips:

    eval `ip addr show $phys primary | grep inet | sed -n 1p |

original 1.0.9 /lib/ipsec/_startklips:

    eval `ip addr show $phys primary | grep inet | sed -n 1p |

-cpu

Eric Spakman wrote:
> Hello Cpu,
>
> Does the same fix apply to our current openswan-2.4.4?
>
> Eric
>
>> Hello,
>>
>> In addition to specifying a label I couldn't get openswan to work with
>> secondary IPs unless I changed this line in _startklips:
>>
>>     eval `ip addr show $phys primary | grep inet | sed -n 1p |
>>
>> to:
>>
>>     eval `ip addr show ${phys%%:*} label $phys | grep inet | sed -n 1p
>>
>> -cpu
>>
>> Charles Steinkuehler wrote:
>>> Sandro Doro wrote:
>>>> Hi,
>>>> I am testing Bering 2.3.1 with a multiple IP interface as:
>>>>
>>>>     # ip addr show eth0
>>>>     5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>>>>         link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
>>>>         inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
>>>>         inet 82.46.148.128/24 scope global secondary eth0
>>>>         inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link
>>>>
>>>> Using the included ipsec.lrp (v.1.0.9) I set up the VPN with:
>>>>
>>>>     # /etc/ipsec.conf
>>>>     [...]
>>>>     interfaces=ipsec0=eth0 ipsec1=eth0:0
>>>>     [...]
>>>>
>>>> After /etc/init.d/ipsec restart the following messages are printed:
>>>>
>>>>     Device eth0:0 does not exist.
>>>>     ipsec_setup: unable to determine address of `eth0:0'
>>>>
>>>> This message is printed also if I change the ip address with the
>>>> following command:
>>>>
>>>>     ip addr add 82.46.148.128/24 dev eth0 label eth0:0
>>>>
>>>> I have read in http://www.freeswan.ca/docs/HA/HA_VPNS_With_FreeSWAN.html
>>>> that this interface specification is correct.
>>>> Is this possible only in the v2 release (Bering v2.4)?
>>>> Thank you for any suggestions.
>>>
>>> I haven't tried this with FreeS/WAN, but I suspect your problem is you
>>> don't have an eth0:0. You *DO* have a secondary IP address on your
>>> external interface, but it has no name (linux hasn't required the
>>> ethn:m syntax since at least 2.2). Try removing the secondary IP,
>>> re-adding it with an appropriate label then starting freeswan:
>>>
>>>     ip addr del 82.46.148.128/24 dev eth0
>>>     ip addr add 82.46.148.128/24 label eth0:0 dev eth0
>>>     svi ipsec start
>>>
>>> ...if that works, you'll need to change how you're adding the IP alias
>>> in your startup scripts.
>>>
>>> --
>>> Charles Steinkuehler
>>> [EMAIL PROTECTED]
Re: [leaf-user] ipsec and multiple IP problem
Hello Cpu,

A pity 2.4.4 is not working ok for you. You are the first reporting a problem with it. I looked through various documents and it seems like all those ciphers are supported but probably internal.

Does the _startklips fix still support plain ethx interfaces?

Eric

> Hi Eric,
>
> I'm not using openswan 2.4.4, I'm using 1.0.9. But I did look at the newer _startklips and the line is the same. To me, this suggests it's making the same assumptions about the interface. My guess is that it will work.
>
> original 2.4.4 /usr/lib/ipsec/_startklips:
>     eval `ip addr show $phys primary | grep inet | sed -n 1p |
>
> original 1.0.9 /lib/ipsec/_startklips:
>     eval `ip addr show $phys primary | grep inet | sed -n 1p |
>
> -cpu
>
> Eric Spakman wrote:
>> Hello Cpu,
>>
>> Does the same fix apply to our current openswan-2.4.4?
>>
>> Eric
>>
>>> Hello,
>>>
>>> In addition to specifying a label I couldn't get openswan to work with secondary IPs unless I changed this line in _startklips:
>>>
>>>     eval `ip addr show $phys primary | grep inet | sed -n 1p |
>>>
>>> to:
>>>
>>>     eval `ip addr show ${phys%%:*} label $phys | grep inet | sed -n 1p
>>>
>>> -cpu
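The _startklips change quoted above (strip the alias suffix with ${phys%%:*}, then select the address by label) is easiest to see side by side with the original lookup. The script below is an added example, not the project's _startklips: it replays both strategies against a constructed `ip addr show` dump (the eth0 addresses from the thread plus a made-up eth1), parsing text instead of calling `ip`, so it runs without root or a real interface.

```shell
#!/bin/sh
# Added example, not the project's _startklips. Both lookups below parse a
# constructed 'ip addr show' dump so the script runs without root or a real
# interface. eth0 carries the addresses quoted in the thread; eth1 is made up
# to show that the device filter matters.

SAMPLE_IP_ADDR='5: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
    inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
    inet 82.46.148.128/24 scope global secondary eth0:0
    inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link
6: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1'

# old_lookup IFACE
# Mimics "ip addr show $phys primary | grep inet | sed -n 1p": the name is
# taken literally (an alias such as eth0:0 is not a device, so ip fails the
# way Sandro saw), and "primary" hides every secondary address, so only the
# first primary inet line of the device can ever be returned.
old_lookup() {
    phys=$1
    case $phys in
        *:*) echo "Device \"$phys\" does not exist." >&2; return 1 ;;
    esac
    printf '%s\n' "$SAMPLE_IP_ADDR" | awk -v dev="$phys" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }
        cur == dev && $1 == "inet" && $0 !~ / secondary / { print $2; exit }'
}

# new_lookup IFACE
# Mimics the fixed line "ip addr show ${phys%%:*} label $phys": strip the
# ":n" suffix to get the real device, then take the inet line whose trailing
# label equals the full name, so eth0 and eth0:0 resolve to their own address.
new_lookup() {
    phys=$1
    dev=${phys%%:*}
    printf '%s\n' "$SAMPLE_IP_ADDR" | awk -v dev="$dev" -v label="$phys" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }
        cur == dev && $1 == "inet" && $NF == label { print $2; exit }'
}

# Stand-alone demo: the alias fails the old way and resolves the new way.
demo() {
    for i in eth0 eth0:0 eth1; do
        printf 'old %-7s -> %s\n' "$i" "$(old_lookup "$i" 2>&1)"
        printf 'new %-7s -> %s\n' "$i" "$(new_lookup "$i")"
    done
}
demo
```

Note that the fix only works when the secondary address was added with a `label` (as Charles suggests below); an unlabelled secondary has no trailing label to match and is still invisible to both lookups.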
Re: [leaf-user] ipsec and multiple IP problem
Eric,

Regarding openswan 2.x. It looks like one is supposed to use cryptoapi instead of Juanjo's crypto algorithms. But there is no real info on how to go from 1.x to 2.x. After getting stuck on SHA2_256 I gave up.

Also, on 1.0.9 I made some modifications to ./pluto/kernel.c to allow for multiple ipsec connections from the same host and I would have to do the same for 2.4.4, which is quite different. It might not even work. Not worth the hassle right now.

The _startklips fix is backward compatible. Most of my ipsec hosts use only a single ip address using interfaces=ipsec0=eth0.

-cpu
Re: [leaf-user] ipsec and multiple IP problem
Hi Cpu,

> Eric,
>
> Regarding openswan 2.x. It looks like one is supposed to use cryptoapi instead of Juanjo's crypto algorithms. But there is no real info on how to go from 1.x to 2.x. After getting stuck on SHA2_256 I gave up.

The cryptoapi stuff is optional and the other ciphers are internal to pluto:

LIBDESSRCDIR=${OPENSWANSRCDIR}/linux/crypto/ciphers/des
LIBDESLITE:=${OBJDIRTOP}/lib/libcrypto/libdes/libdes.a
LIBAES=${OBJDIRTOP}/lib/libcrypto/libaes/libaes.a
LIBBLOWFISH=${OBJDIRTOP}/lib/libcrypto/libblowfish/libblowfish.a
LIBTWOFISH=${OBJDIRTOP}/lib/libcrypto/libtwofish/libtwofish.a
LIBSERPENT=${OBJDIRTOP}/lib/libcrypto/libserpent/libserpent.a
LIBSHA2=${OBJDIRTOP}/lib/libcrypto/libsha2/libsha2.a

But it seems like this is only added if USE_EXTRACRYPTO is set, which will add an enormous bloat to the pluto binary. I will look into how to implement cryptoapi, so the ciphers can be used modular again.

> Also, on 1.0.9 I made some modifications to ./pluto/kernel.c to allow for multiple ipsec connections from the same host and I would have to do the same for 2.4.4, which is quite different. It might not even work. Not worth the hassle right now.

I understand, but note that 1.0.x is end of life.

> The _startklips fix is backward compatible. Most of my ipsec hosts use only a single ip address using interfaces=ipsec0=eth0.

Ok, thanks! I will add this fix later today.

> -cpu

Eric
Re: [leaf-user] ipsec and multiple IP problem
Hmmm... Where/how do you set USE_EXTRACRYPTO?

-cpu
Re: [leaf-user] ipsec and multiple IP problem
Hi Cpu,

> Hmmm... Where/how do you set USE_EXTRACRYPTO?

In makefile.inc

But a much better fix will be to enable cryptoapi in the kernel config and rebuild openswan against it. Only the standard openswan patch doesn't contain that option and I have to make a patch against it.

Eric
Re: [leaf-user] ipsec and multiple IP problem
Hello Cpu,

I think the fix to support cryptoapi is rather simple, it's just broken in the openswan sources (patch). If you change the following line in the kernel's linux/net/ipsec/Config.in from:

bool ' IPsec Modular Extensions' CONFIG_KLIPS_ALG
if [ $CONFIG_KLIPS_ALG != n ]; then
    source net/ipsec/alg/Config.in
fi

to:

bool ' IPsec Modular Extensions' CONFIG_KLIPS_ALG
if [ $CONFIG_KLIPS_ALG != n ]; then
    bool ' CryptoAPI algorithm interface' CONFIG_KLIPS_ENC_CRYPTOAPI
fi

Do a make menuconfig, enable klips cryptoapi support and (optional) disable klips 3des and aes (you can use the crypto ciphers now) it should work.

Eric
Re: [leaf-user] ipsec/openswan 2.4.2
Hello Arne,

I don't understand openswan 2.x. It doesn't have SHA2 (which I use). Can't modularize ciphers; no blowfish (missing usual ALGs). I tried using cryptoapi's sha512 but that didn't work. I tried searching the openswan mailing list, found a couple of similar concerns, but no answers. Perhaps I'm asking some dumb questions?

I've downgraded to 1.0.9 on kernel 2.4.32. Effectively, a 2.4 ucBering hybrid.

Here are the offending config lines:

2.4.32:

CONFIG_KLIPS=m
#
# IPsec options (Openswan)
#
CONFIG_KLIPS_IPIP=y
CONFIG_KLIPS_AH=y
CONFIG_KLIPS_ESP=y
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
CONFIG_KLIPS_ALG=y
# CONFIG_KLIPS_IPCOMP is not set
CONFIG_KLIPS_DEBUG=y
CONFIG_IPSEC_NAT_TRAVERSAL=y

2.4.31 (the more familiar):

CONFIG_IPSEC=m
#
# IPSec options (FreeS/WAN)
#
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_ALG=y
CONFIG_IPSEC_ALG_MD5=m
CONFIG_IPSEC_ALG_SHA1=m
CONFIG_IPSEC_ALG_SHA2=m         <-- look sha2
CONFIG_IPSEC_ALG_3DES=m
CONFIG_IPSEC_ALG_AES=m
CONFIG_IPSEC_ALG_BLOWFISH=m     <-- and all
CONFIG_IPSEC_ALG_TWOFISH=m      <-- these
CONFIG_IPSEC_ALG_SERPENT=m      <-- other
CONFIG_IPSEC_ALG_CAST=m         <-- ciphers
CONFIG_IPSEC_ALG_NULL=m
# CONFIG_IPSEC_ALG_CRYPTOAPI is not set
# CONFIG_IPSEC_ALG_1DES is not set
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
CONFIG_IPSEC_NAT_TRAVERSAL=y

Any thoughts on getting strongswan to work with ucBering?
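The comparison cpu makes by eye above (which ciphers and hashes the FreeS/WAN-style 2.4.31 build offers that the Openswan-style 2.4.32 build lacks) is worth automating whenever a kernel is rebuilt, because a VPN peer that negotiated SHA2 or Blowfish simply stops connecting when the option silently disappears. The script below is an added example, not from the thread: the two config fragments are constructed from the lines quoted in the message (annotations removed), and the two naming schemes are reduced to bare algorithm names before comparing.

```shell
#!/bin/sh
# Added example, not from the thread. Lists the KLIPS/IPsec algorithms one
# kernel config enables that another does not. The fragments are constructed
# from the lines quoted in the message: 2.4.31 uses the FreeS/WAN
# CONFIG_IPSEC_* names, 2.4.32 the Openswan CONFIG_KLIPS_* names.

CFG_2_4_31='CONFIG_IPSEC=m
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_ALG=y
CONFIG_IPSEC_ALG_MD5=m
CONFIG_IPSEC_ALG_SHA1=m
CONFIG_IPSEC_ALG_SHA2=m
CONFIG_IPSEC_ALG_3DES=m
CONFIG_IPSEC_ALG_AES=m
CONFIG_IPSEC_ALG_BLOWFISH=m
CONFIG_IPSEC_ALG_TWOFISH=m
CONFIG_IPSEC_ALG_SERPENT=m
CONFIG_IPSEC_ALG_CAST=m
CONFIG_IPSEC_ALG_NULL=m
# CONFIG_IPSEC_ALG_CRYPTOAPI is not set
# CONFIG_IPSEC_ALG_1DES is not set'

CFG_2_4_32='CONFIG_KLIPS=m
CONFIG_KLIPS_IPIP=y
CONFIG_KLIPS_AH=y
CONFIG_KLIPS_ESP=y
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
CONFIG_KLIPS_ALG=y
# CONFIG_KLIPS_IPCOMP is not set'

# enabled_algs CONFIG_TEXT
# Bare names of algorithms that are built in (=y) or modular (=m), one per
# line, sorted. Both prefixes and all three option families (ALG_, ENC_,
# AUTH_HMAC_) are accepted; "is not set" lines never match.
enabled_algs() {
    printf '%s\n' "$1" \
    | sed -E -n 's/^CONFIG_(IPSEC|KLIPS)_(ALG|ENC|AUTH_HMAC)_([A-Z0-9]+)=[ym]$/\3/p' \
    | LC_ALL=C sort -u
}

# missing_algs REFERENCE CANDIDATE
# Algorithms enabled in REFERENCE that CANDIDATE does not enable.
missing_algs() {
    have=$(enabled_algs "$2")
    for alg in $(enabled_algs "$1"); do
        printf '%s\n' "$have" | grep -qx "$alg" || printf '%s\n' "$alg"
    done
}

echo "Algorithms in the 2.4.31 build that the 2.4.32 build lacks:"
missing_algs "$CFG_2_4_31" "$CFG_2_4_32"
```

To compare two real kernels, feed `enabled_algs "$(cat /path/to/.config)"` for each build; the reverse direction (`missing_algs "$CFG_2_4_32" "$CFG_2_4_31"`) is empty for these fragments, confirming that 2.4.32 only lost options and gained none.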
Re: [leaf-user] ipsec and multiple IP problem
I haven't tried this with FreeS/WAN, but I suspect your problem is you don't have an eth0:0. You *DO* have a secondary IP address on your external interface, but it has no name (linux hasn't required the ethn:m syntax since at least 2.2).

Try removing the secondary IP, re-adding it with an appropriate label then starting freeswan:

ip addr del 82.46.148.128/24 dev eth0
ip addr add 82.46.148.128/24 label eth0:0 dev eth0
svi ipsec start

...if that works, you'll need to change how you're adding the IP alias in your startup scripts.

--
Charles Steinkuehler
[EMAIL PROTECTED]
[leaf-user] ipsec and multiple IP problem
Hi,

I am testing Bering 2.3.1 with a multiple IP interface as:

# ip addr show eth0
5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
    inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
    inet 82.46.148.128/24 scope global secondary eth0
    inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link

Using the included ipsec.lrp (v.1.0.9) I setup VPN with:

# /etc/ipsec.conf
[...]
interfaces=ipsec0=eth0 ipsec1=eth0:0
[...]

After /etc/init.d/ipsec restart the following message is printed:

Device eth0:0 does not exist.
ipsec_setup: unable to determine address of `eth0:0'

This message is printed also if I change the ip address with the following command:

ip addr add 82.46.148.128/24 dev eth0 label eth0:0

I have read in http://www.freeswan.ca/docs/HA/HA_VPNS_With_FreeSWAN.html that this interface specification is correct. Is this possible only in the v2 release (Bering v2.4)?

Thank you for any suggestions.

Regards,
Sandro Doro

--
Sandro Doro
e-mail: sandro.doro AT istruzione.it
[leaf-user] ipsec/openswan 2.4.2
Hi all,

I just finished packaging openswan 2.4.2 for bering-uclibc and did some initial testing. I am just wondering if someone else is using openswan/ipsec and is willing to test it, too.

--arne

--
Arne Bernin
[EMAIL PROTECTED]
http://www.ucBering.de
[leaf-user] IPSec question
Hello list,

Quick question, for Bering-uClibc. To use a box as an IPSec server, is it still FreeS/WAN that gets used? And is all the same documentation that was used for original Bering still valid?

Thanks,
James.
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Tom,

Tom Eastep wrote:
> while true; do
>     ip link ls dev ppp0 > /dev/null 2>&1 && break
>     echo Waiting for ppp0 to come up...
>     sleep 5
> done

Yes, that is more or less the thing I finally did, although this will loop forever and without a console the poor luser might never know why. So I placed a max_loop limit into my code.

Erich
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Richard Saunders wrote:
> Does this problem have anything to do with shorewall? Shorewall seems to startup without a problem and everything else runs fine. It's only ipsec that can't find a default route. I thought inetd may be responsible. Not that I know anything much about it.

Shorewall is just one of the many services which may rely on routing being set up correctly. IPSEC is another one.

Erich
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Richard Saunders wrote:
> Thanks Tom and Eric
>
> I don't know if it matters to me how long it takes to come up, so long as everything that is supposed to work works once it's up. When ppp0 is up it's a router, until then it's a lump of useless metal chewing power.
>
> I have put the loop here:
>
> #!/bin/sh
> # IPsec startup and shutdown script
> # Copyright (C) 1998, 1999, 2001 Henry Spencer.
> /..SNIP
> # misc setup
> umask 022
>
> while true; do
>     ip link ls dev ppp0 > /dev/null 2>&1 && break
>     echo Waiting for ppp0 to come up...
>     sleep 5
> done
>
> # do it
> case $1 in
> start|--start|stop|--stop)
>
> Is this alright? I won't get to test it until I can reboot on the weekend.

Give it a chance to barf in the loop to tell you what is wrong.

Erich
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Richard Saunders wrote:

> I managed to kick everyone off at lunchtime and reboot. The loop paused the startup for about half a second and off it went. Everything started up fine including ipsec.

I doubt it looped at all then. Please ignore my previous post on the barf, I must be getting blind. Still consider adding some logging to syslog in case you don't have a console.

Erich
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Thanks Eric

Unfortunately that has had no effect, but I do think you are on the right track, i.e. ipsec is starting before ppp0 is fully up, but since I know nothing except being able to blindly follow instructions, I don't like my chances of finding a solution myself.

Regarding

    WARNING: ppp0 has route filtering turned on, KLIPS may not work

This error has always been there and has never shown any detrimental effects as far as I know. There have been previous threads regarding this and I think the conclusion was to ignore it.

At 06:08 PM 28/09/2005, you wrote:

> Hello Richard,
>
> I've looked through the changes between ipsec from 2.2.3 and 2.3rc1, there was a change in the start/stop levels of ipsec's init.d script due to warnings when stopping ipsec. The differences are:
>
>     (2.2.3):  RCDLINKS="0,K42 1,K42 2,S42 3,S42 4,S42 5,S42 6,K42"
>     (2.3rc1): RCDLINKS="0,K19 1,K19 2,S21 3,S21 4,S21 5,S21 6,K19"
>
> It could be that the ppp interface isn't fully brought up before ipsec is started. You could try to change the /etc/init.d/ipsec script to read:
>
>     RCDLINKS="0,K19 1,K19 2,S41 3,S41 4,S41 5,S41 6,K19"
>
> Although the following line in your log is also somewhat strange:
>
>     Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route filtering turned on, KLIPS may not work
>
> Did you also have that warning with 2.2.3? You can turn off route filtering by setting spoofprotect=no in lrcfg - 1) Network configuration - 2) network options file (/etc/network/options)
>
> Eric Spakman
>
> > Hi
> >
> > I am setting up uClibc 2.3rc1. I have copied the ipsec.conf file from my uClibc 2.23 box which has always worked ok. When starting up I get the following errors in auth.log:
> >
> > [...]
> >
> > Any ideas on what might be happening?
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Rick

Richard Saunders wrote:

> Thanks Eric
>
> Unfortunately that has had no effect, but I do think you are on the right track, i.e. ipsec is starting before ppp0 is fully up, but since I know nothing except being able to blindly follow instructions, I don't like my chances of finding a solution myself.

This problem has always existed for any connection type. It shows up in a lot of different locations on all Bering versions. I saw this on ppp connections as well as pcmcia based ethernet connections. The common denominator of all these is that you cannot predict reliably how long they take to come up, but the init script may terminate _before_ they are up completely.

What is missing is a generic solution to assert _all_ necessary connections/services are up _before_ any service depending on them is started. This is true for ipsec but also for shorewall and probably other services.

I am running a fair number of WRAP boards as IPSEC end points. These boards do not have a battery for the clock, so the time is lost at power down. I am using certificates for the ipsec links, therefore I need to have accurate system time. I am running ntpdate early at start up, but a slow connection may make a single ntpdate start fail. So I have to check connectivity to the uplink router and the presence of a default route before I even attempt to update my system time.

cheers
Erich
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
> This problem has always existed for any connection type. It shows up in a lot of different locations on all Bering versions. I saw this on ppp connections as well as pcmcia based ethernet connections. The common denominator of all these is, that you cannot predict reliably how long they take to come up, but the init script may terminate _before_ they are up completely.

Agreed. Shorewall by default has really awful failure modes if the upstream ppp interface isn't up yet.

I'd love to have an "is up?" semaphore, but perhaps in some cases, we should instead be triggering the apps by the fact that the interface is up. Both /etc/network/interfaces and ppp have trigger scripts they can call for interface up.

Then it comes down to "what is up?" -- link up? address configured and able to pass data? routing up? I don't want to confuse things with those last questions, there probably is no universal good way to do these things.

Frankly, I wish shorewall was just a little smarter when it came to ephemeral interfaces.

Paul
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Is it possible just to insert a pause somewhere in the startup scripts to wait for ppp0 to come up before continuing?

At 07:43 AM 30/09/2005, you wrote:

> > This problem has always existed for any connection type. It shows up in a lot of different locations on all Bering versions. I saw this on ppp connections as well as pcmcia based ethernet connections. The common denominator of all these is, that you cannot predict reliably how long they take to come up, but the init script may terminate _before_ they are up completely.
>
> Agreed. Shorewall by default has really awful failure modes if the upstream ppp interface isn't up yet.
>
> I'd love to have an "is up?" semaphore, but perhaps in some cases, we should instead be triggering the apps by the fact that the interface is up. Both /etc/network/interfaces and ppp have trigger scripts they can call for interface up.
>
> Then it comes down to "what is up?" -- link up? address configured and able to pass data? routing up? I don't want to confuse things with those last questions, there probably is no universal good way to do these things.
>
> Frankly, I wish shorewall was just a little smarter when it came to ephemeral interfaces.
>
> Paul
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Richard Saunders wrote:

> Is it possible just to insert a pause somewhere in the startup scripts to wait for ppp0 to come up before continuing?

You could place a pause/check loop in /etc/shorewall/init. Or, better yet, configure Shorewall so that it doesn't require ppp0 to be up when it starts.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Richard Saunders wrote:

> Is it possible just to insert a pause somewhere in the startup scripts to wait for ppp0 to come up before continuing?

Yes, that was my first approach, unfortunately not a very smart one, as, for example, ppp may take a very long time to come up.

Erich
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Erich Titl wrote:

> Richard Saunders wrote:
>
> > Is it possible just to insert a pause somewhere in the startup scripts to wait for ppp0 to come up before continuing?
>
> Yes, that was my first approach, unfortunately not a very smart one, as, for example, ppp may take a very long time to come up.

    while true; do
        ip link ls dev ppp0 > /dev/null 2>&1 && break
        echo "Waiting for ppp0 to come up..."
        sleep 5
    done

-Tom
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Paul Traina wrote:

> > This problem has always existed for any connection type. It shows up in a lot of different locations on all Bering versions. I saw this on ppp connections as well as pcmcia based ethernet connections. The common denominator of all these is, that you cannot predict reliably how long they take to come up, but the init script may terminate _before_ they are up completely.
>
> Agreed. Shorewall by default has really awful failure modes if the upstream ppp interface isn't up yet.
>
> I'd love to have an "is up?" semaphore, but perhaps in some cases, we should instead be triggering the apps by the fact that the interface is up. Both /etc/network/interfaces and ppp have trigger scripts they can call for interface up.
>
> Then it comes down to "what is up?" -- link up? address configured and able to pass data? routing up?

Mhh... routing up is a pretty good indication for a dynamic interface to work, a check against the uplink router might be even better. I published an ipsec watchdog script some time ago on this list, which uses this method and has proven to be rather reliable.

Erich
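The readiness test the thread converges on (address present, default route owned by the interface, gateway reachable), written out as an added example. This is not Erich's watchdog script and not code from LEAF or Openswan. It caps the loop at MAX_TRIES, the way Erich's max_loop does, and reports both success and failure to syslog through logger(1) so a console-less box is not silent. For a point-to-point link the default route usually has no "via", so the peer address from the inet line is pinged instead. The interface name ppp0, the retry budget, and the presence of busybox-style ip, ping and logger are assumptions of the example; the parsing is kept in separate functions that take captured ip output, so the checks can be exercised on saved output without a live link. The same gate makes sense in front of ntpdate on a clock-less board, since certificate validation needs correct time.

```sh
#!/bin/sh
# Added example (not code from the thread, LEAF or Openswan): gate a dependent
# service on the uplink being usable. "Usable" means the device has an IPv4
# address, the default route points out of it, and (optionally) the gateway
# or ppp peer answers a ping. Bounded by MAX_TRIES so a headless box cannot
# hang forever; every outcome goes to syslog via logger(1).
# Assumptions: uplink is ppp0; busybox-style ip, ping and logger exist.

IFACE="${IFACE:-ppp0}"
MAX_TRIES="${MAX_TRIES:-60}"      # 60 tries x 5 s = 5 minutes, then give up
SLEEP_SECS="${SLEEP_SECS:-5}"
PING_GW="${PING_GW:-yes}"         # "no" if the ISP gateway drops ICMP

# iface_has_inet4 <text>: <text> is captured "ip -4 addr show dev $IFACE"
# output; succeeds when at least one inet line is present.
iface_has_inet4() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# default_route_field <key> <text>: <text> is captured "ip -4 route show default"
# output; prints the value after <key> ("dev" or "via") on the first default
# route, or nothing when there is no default route or no such key.
default_route_field() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $1 == "default" { for (i = 2; i < NF; i++) if ($i == key) { print $(i+1); exit } }'
}

# peer_addr <text>: on a point-to-point link the route carries no "via"; the
# far end is the "peer" of the inet line, printed without its prefix length.
peer_addr() {
    printf '%s\n' "$1" | awk '$1 == "inet" && $3 == "peer" { sub(/\/.*/, "", $4); print $4; exit }'
}

# uplink_ready <iface> <addr_text> <route_text>: 0 when the interface has an
# address and owns the default route. Pure function over captured output.
uplink_ready() {
    iface_has_inet4 "$2" && [ "$(default_route_field dev "$3")" = "$1" ]
}

# wait_for_uplink: poll until uplink_ready (and the gateway answers), or give up.
wait_for_uplink() {
    n=0
    while [ "$n" -lt "$MAX_TRIES" ]; do
        addrs=$(ip -4 addr show dev "$IFACE" 2>/dev/null || true)
        routes=$(ip -4 route show default 2>/dev/null || true)
        if uplink_ready "$IFACE" "$addrs" "$routes"; then
            gw=$(default_route_field via "$routes")
            [ -n "$gw" ] || gw=$(peer_addr "$addrs")
            if [ "$PING_GW" != "yes" ] || [ -z "$gw" ] || ping -c 1 -w 2 "$gw" >/dev/null 2>&1; then
                logger -t waitlink "$IFACE up with default route${gw:+ via $gw} after $n tries"
                return 0
            fi
        fi
        n=$((n + 1))
        sleep "$SLEEP_SECS"
    done
    logger -t waitlink -p daemon.err "giving up on $IFACE after $MAX_TRIES tries"
    return 1
}

# Usage from /etc/init.d/ipsec, before the "case $1 in start|..." block:
#   . /etc/init.d/waitlink.sh && wait_for_uplink || exit 1
```

Because the loop has an upper bound, a dead uplink now ends in a logged failure and a non-zero exit that the init script can act on, rather than a hang that nobody sees.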
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Does this problem have anything to do with shorewall? Shorewall seems to start up without a problem and everything else runs fine. It's only ipsec that can't find a default route. I thought inetd may be responsible. Not that I know anything much about it.

At 08:24 AM 30/09/2005, you wrote:

> Richard Saunders wrote:
>
> > Is it possible just to insert a pause somewhere in the startup scripts to wait for ppp0 to come up before continuing?
>
> You could place a pause/check loop in /etc/shorewall/init. Or, better yet, configure Shorewall so that it doesn't require ppp0 to be up when it starts.
>
> -Tom
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Richard Saunders wrote:

> Does this problem have anything to do with shorewall? Shorewall seems to startup without a problem and everything else runs fine. It's only ipsec that can't find a default route. I thought inetd may be responsible. Not that I know anything much about it.

I was simply responding to Paul's and Erich's posts about Shorewall problems caused by devices that aren't up when Shorewall starts. If in your case Shorewall is starting without error when ppp0 is absent then Shorewall isn't involved in your ipsec issue.

-Tom
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Tom Eastep wrote:

> You could place a pause/check loop in /etc/shorewall/init. Or, better yet, configure Shorewall so that it doesn't require ppp0 to be up when it starts.

I'm not sure I can come up with the semantics to do that, but I'd love to give it a try... Here's what I've got:

Zones:

    net     Net     Internet
    loc     Local   Local networks
    dmz     DMZ     Demilitarized zone
    dsl     DSL     DSL modem nat area
    guest   Guest   Guest host network

Interfaces:

    dsl     eth0    detect  dhcp,routefilter
    net     ppp0    -       tcpflags,blacklist,routefilter,norfc1918,nosmurfs,upnp
    loc     eth1    detect  dhcp
    dmz     eth2    detect  dhcp,routefilter
    guest   ath0    detect  dhcp,routefilter

Masq: (INT_QUEMADURA and EXT_QUEMADURA are internal and external IP addrs) (ditto EXT_GUEST so guest network users are natted to a different routed IP addr in case they do something evil like send spam)

    ppp0    $INT_QUEMADURA  $EXT_QUEMADURA
    ppp0    eth1
    ppp0    ath0            $EXT_GUEST
    eth0    eth1

and rules (excerpted):

    DNAT    net     loc:$INT_QUEMADURA  tcp     22      -       $EXT_QUEMADURA

Now, I'm assuming it's the masq entries referencing ppp0 that are kicking my ass?

So this error is caused by routefilter/ppp0 not existing (soft err):

    Setting up Kernel Route Filtering...
    Warning: Cannot set route filtering on ppp0

and this error is caused by masq?

    Adding IP Addresses...
    Device ppp0 does not exist.
    Cannot find device ppp0

Do you suggest I do snating instead? If so, who adds the ip aliases to ppp0 and when? I have 5 static IP addresses that I use, so snat is a fine option (I use one IP for the fw/home nat, one for the bastion host, and one for a separate guest network).
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Thanks Tom and Eric

I don't know if it matters to me how long it takes to come up, so long as everything that is supposed to work works once it's up. When ppp0 is up it's a router, until then it's a lump of useless metal chewing power.

I have put the loop here:

    #!/bin/sh
    # IPsec startup and shutdown script
    # Copyright (C) 1998, 1999, 2001 Henry Spencer.
    /..SNIP

    # misc setup
    umask 022

    while true; do
        ip link ls dev ppp0 > /dev/null 2>&1 && break
        echo "Waiting for ppp0 to come up..."
        sleep 5
    done

    # do it
    case "$1" in
    start|--start|stop|--stop)

Is this alright? I won't get to test it until I can reboot on the weekend.

At 08:35 AM 30/09/2005, you wrote:

> Richard Saunders wrote:
>
> > Is it possible just to insert a pause somewhere in the startup scripts to wait for ppp0 to come up before continuing?
>
> Yes, that was my first approach, unfortunately not a very smart one, as, for example, ppp may take a very long time to come up.
>
> Erich
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Paul Traina wrote:

>     Adding IP Addresses...
>     Device ppp0 does not exist.
>     Cannot find device ppp0

Been a while since I had to deal with pppd but as I recall there is a user-provided script that gets run when the interface comes up. Add the IP addresses in that script rather than having Shorewall do it. And set route filtering there too while you are at it rather than using the Shorewall 'routefilter' option.

-Tom
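Tom's suggestion, written out as an added example rather than a LEAF, pppd or Shorewall script. pppd runs /etc/ppp/ip-up once the link can carry IP, with the arguments interface, tty, speed, local address, remote address and ipparam, so this is the point at which ppp0 is guaranteed to exist and the "Adding IP Addresses" step can succeed. The extra addresses in EXTRA_ADDRS, the ipsec restart, and writing rp_filter through the /proc path that ipsec_setup complains about are assumptions of the example, not settings from Paul's configuration. Planning is separated from execution so the command list can be inspected without root and without a live ppp link.

```sh
#!/bin/sh
# Added example, not a LEAF, pppd or Shorewall script: an /etc/ppp/ip-up hook.
# pppd calls it as  ip-up <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# once the link carries IP, so the things Shorewall cannot do while ppp0 is
# absent (aliases, rp_filter) are done here, then ipsec is restarted so that
# %defaultroute resolves. Addresses below are constructed sample values.

UPLINK="${UPLINK:-ppp0}"
EXTRA_ADDRS="${EXTRA_ADDRS:-192.0.2.11/32 192.0.2.12/32}"   # assumption

# plan_ipup <iface> <local-ip>: print the commands to run, one per line.
plan_ipup() {
    iface=$1
    local_ip=$2
    # 1. rp_filter off on the uplink (the setting ipsec_setup warns about)
    echo "echo 0 > /proc/sys/net/ipv4/conf/$iface/rp_filter"
    # 2. aliases for the additional routed addresses, before any SNAT refers to them
    for a in $EXTRA_ADDRS; do
        echo "ip addr add $a dev $iface"
    done
    # 3. the default route now exists, so %defaultroute can be resolved
    echo "ipsec setup restart"
    # 4. leave a trace for the console-less case
    echo "logger -t ip-up '$iface up as $local_ip, aliases added, ipsec restarted'"
}

# run_plan <iface> <local-ip>: execute the plan line by line; log a failing
# step instead of aborting the rest of the hook.
run_plan() {
    plan_ipup "$1" "$2" | while IFS= read -r cmd; do
        sh -c "$cmd" || logger -t ip-up -p daemon.err "failed: $cmd"
    done
}

# Only act for the uplink; other ppp interfaces are left alone.
case "${1:-}" in
    "$UPLINK") run_plan "$1" "$4" ;;
esac
```

With the aliases added here, the Shorewall masq entries can be turned into SNAT rules that only reference addresses, and Shorewall no longer has to touch ppp0 at start.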
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Richard Saunders wrote:

>     # misc setup
>     umask 022
>
>     while true; do
>         ip link ls dev ppp0 > /dev/null 2>&1 && break
>         echo "Waiting for ppp0 to come up..."
>         sleep 5
>     done
>
>     # do it
>     case "$1" in
>     start|--start|stop|--stop)
>
> Is this alright? I won't get to test it until I can reboot on the weekend.

I don't have a ppp interface to test with so I don't know at what point 'ip link ls dev ppp0' returns 0 for an exit status. If the above doesn't work, the output of 'ip' may need to be piped into 'grep -q' looking for 'inet' or something like that.

-Tom
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
I managed to kick everyone off at lunchtime and reboot. The loop paused the startup for about half a second and off it went. Everything started up fine including ipsec.

Thank you very much Tom and Erich. I am very grateful for your help.

Richard Saunders

At 10:56 AM 30/09/2005, you wrote:

> Richard Saunders wrote:
>
> [...]
>
> I don't have a ppp interface to test with so I don't know at what point 'ip link ls dev ppp0' returns 0 for an exit status. If the above doesn't work, the output of 'ip' may need to be piped into 'grep -q' looking for 'inet' or something like that.
>
> -Tom
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Hello Richard,

I've looked through the changes between ipsec from 2.2.3 and 2.3rc1, there was a change in the start/stop levels of ipsec's init.d script due to warnings when stopping ipsec. The differences are:

    (2.2.3):  RCDLINKS="0,K42 1,K42 2,S42 3,S42 4,S42 5,S42 6,K42"
    (2.3rc1): RCDLINKS="0,K19 1,K19 2,S21 3,S21 4,S21 5,S21 6,K19"

It could be that the ppp interface isn't fully brought up before ipsec is started. You could try to change the /etc/init.d/ipsec script to read:

    RCDLINKS="0,K19 1,K19 2,S41 3,S41 4,S41 5,S41 6,K19"

Although the following line in your log is also somewhat strange:

    Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route filtering turned on, KLIPS may not work

Did you also have that warning with 2.2.3? You can turn off route filtering by setting spoofprotect=no in lrcfg - 1) Network configuration - 2) network options file (/etc/network/options)

Eric Spakman

> Hi
>
> I am setting up uClibc 2.3rc1. I have copied the ipsec.conf file from my uClibc 2.23 box which has always worked ok. When starting up I get the following errors in auth.log:
>
> [...]
>
> Any ideas on what might be happening?
[leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Hi

I am setting up uClibc 2.3rc1. I have copied the ipsec.conf file from my uClibc 2.23 box which has always worked ok. When starting up I get the following errors

in auth.log:

    Sep 28 13:57:09 firewall pluto[21197]: no public interfaces found

in daemon.log:

    Sep 28 13:57:07 firewall ipsec_setup: no default route, %defaultroute cannot cope!!!
    Sep 28 13:57:08 firewall ipsec_setup: ...Openswan IPsec started
    Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in w2k: %defaultroute requested but not known
    Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in net-net: %defaultroute requested but not known

When the box finishes starting if I type "ipsec setup restart" it runs fine.

    Sep 28 14:26:50 firewall ipsec_setup: Stopping Openswan IPsec...
    Sep 28 14:26:50 firewall ipsec_setup: stop ordered, but IPsec does not appear to be running!
    Sep 28 14:26:50 firewall ipsec_setup: doing cleanup anyway...
    Sep 28 14:26:51 firewall ipsec_setup: ...Openswan IPsec stopped
    Sep 28 14:26:51 firewall ipsec_setup: Starting Openswan IPsec 1.0.9...
    Sep 28 14:26:51 firewall ipsec_setup: Using /lib/modules/ipsec.o
    Sep 28 14:26:51 firewall ipsec_setup: KLIPS debug `none'
    Sep 28 14:26:52 firewall ipsec_setup: KLIPS ipsec0 on ppp0 220.245.99.4 peer 202.7.162.162/32
    Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route filtering turned on, KLIPS may not work
    Sep 28 14:26:52 firewall ipsec_setup: (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)
    Sep 28 14:26:52 firewall ipsec_setup: ...Openswan IPsec started

Here is my setup:

    # basic configuration
    config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

    # defaults for subsequent connection descriptions
    conn %default
        keyingtries=0

    conn net-net
        authby=rsasig
        left=220.245.99.4
        leftsubnet=192.168.1.0/24
        leftrsasigkey=[keyid AQON]
        leftnexthop=%defaultroute
        right=220.244.10.142
        rightsubnet=192.168.0.0/27
        rightrsasigkey=[keyid AQN7]
        rightnexthop=%defaultroute
        pfs=yes
        auto=add

    conn w2k
        authby=rsasig
        left=220.245.99.4
        leftsubnet=192.168.1.0/24
        leftnexthop=%defaultroute
        leftrsasigkey=%cert
        leftcert=fwCert.pem
        right=%any
        rightrsasigkey=%cert
        leftid=CN=fw
        pfs=yes
        auto=add
    #

Any ideas on what might be happening?
Re: [leaf-user] IPSEC md5sum not found
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tibbs, Richard wrote:
| Dear list:
| I have a subnet-to-subnet ipsec tunnel that is not coming up, and an
| ipsec barf shows several
| "md5sum not found" messages in association with all of the secrets.
|
| I looked through the ipsec.conf man page with no luck to find some way
| to generate the md5 checksum.
|
| Is this a fatal error?

No. The ipsec barf tool is trying to create an MD5 sum of your PSK, to avoid posting it 'in the clear' as debugging information. There *IS* no md5sum utility on most leaf systems, hence your error.

I'm still awaiting enough free cycles to crawl through the ipsec barf you sent...

- --
Charles Steinkuehler
[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFCf3b+LywbqEHdNFwRAin9AJ0cjqPVLNsVsHTYC7eaxSzwN5yadwCfebGl
zpK8wg9xxkyGGCiqUhK/1yA=
=1f9u
-----END PGP SIGNATURE-----

---
This SF.Net email is sponsored by: NEC IT Guy Games. Get your fingers limbered up and give it your best shot. 4 great events, 4 opportunities to win big! Highest score wins. NEC IT Guy Games. Play to win an NEC 61 plasma display. Visit http://www.necitguy.com/?r=20
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
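What barf is attempting when it calls md5sum, as an added example that is not Openswan's barf code: a copy of ipsec.secrets with every quoted PSK or RSA passphrase replaced by a digest, so the file can be pasted into a support request. Unlike barf it picks whichever digest tool the box has (md5sum or openssl) and degrades to a fixed placeholder rather than failing with "md5sum: not found" on a LEAF image. The "PSK"/"RSA" line shapes it recognises are the ipsec.secrets ones; the sample secrets file used below is constructed. One caveat a practitioner should keep in mind: the MD5 of a human-chosen PSK is an offline guessing target, so if the PSKs are weak, post the placeholder variant and not the digests.

```sh
#!/bin/sh
# Added example, not the Openswan "ipsec barf" code: emit a copy of
# ipsec.secrets in which each secret is replaced by its digest, so the file
# is safe to post. barf does this with md5sum and fails with "md5sum: not
# found" on boxes without it; this version falls back to openssl, then to a
# placeholder. An MD5 of a weak PSK is still guessable: treat it as sensitive.

# digest_of <string>: MD5 hex digest of <string>, or a fixed placeholder when
# neither md5sum nor openssl is installed.
digest_of() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s' "$1" | openssl dgst -md5 | sed 's/.* //'
    else
        echo 'digest-unavailable'
    fi
}

# redact_line <line>: for   <ids> : PSK "secret"   and   : RSA <file> "passphrase"
# entries, replace the quoted secret with [md5:<digest>]; other lines pass through.
redact_line() {
    line=$1
    q='"'
    case "$line" in
        *': PSK "'*'"'*|*': RSA '*'"'*'"'*)
            prefix=${line%%"$q"*}      # up to the opening quote
            rest=${line#*"$q"}         # after the opening quote
            secret=${rest%%"$q"*}      # the secret itself
            suffix=${rest#*"$q"}       # anything after the closing quote
            printf '%s"[md5:%s]"%s\n' "$prefix" "$(digest_of "$secret")" "$suffix"
            ;;
        *)
            printf '%s\n' "$line"
            ;;
    esac
}

# redact_secrets: filter an ipsec.secrets file from stdin to stdout.
redact_secrets() {
    while IFS= read -r line || [ -n "$line" ]; do
        redact_line "$line"
    done
}

# Usage:  redact_secrets < /etc/ipsec.secrets > /tmp/secrets.redacted
```

Comments, index lines and the identity selectors before the colon are kept verbatim, which is what a reader of the barf output needs to match secrets against connections; only the material inside the quotes is replaced.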
RE: [leaf-user] IPSEC md5sum not found
Thanks Charles! I have plenty of other mysteries to explore.

Rick.

-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 09, 2005 10:43 AM
To: Tibbs, Richard
Cc: Bering List
Subject: Re: [leaf-user] IPSEC md5sum not found

Tibbs, Richard wrote:
| Dear list:
| I have a subnet-to-subnet ipsec tunnel that is not coming up, and an
| ipsec barf shows several
| "md5sum not found" messages in association with all of the secrets.
|
| I looked through the ipsec.conf man page with no luck to find some way
| to generate the md5 checksum.
|
| Is this a fatal error?

No. The ipsec barf tool is trying to create an MD5 sum of your PSK, to avoid posting it 'in the clear' as debugging information. There *IS* no md5sum utility on most leaf systems, hence your error.

I'm still awaiting enough free cycles to crawl through the ipsec barf you sent...

--
Charles Steinkuehler
[EMAIL PROTECTED]
[leaf-user] IPSEC md5sum not found
Dear list:

I have a subnet-to-subnet ipsec tunnel that is not coming up, and an ipsec barf shows several "md5sum not found" messages in association with all of the secrets.

I looked through the ipsec.conf man page with no luck to find some way to generate the md5 checksum.

Is this a fatal error?

TIA,
Rick.
Re: [leaf-user] IPSEC md5sum not found
Rick

Tibbs, Richard wrote:

> Dear list:
>
> I have a subnet-to-subnet ipsec tunnel that is not coming up, and an ipsec barf shows several "md5sum not found" messages in association with all of the secrets.
>
> I looked through the ipsec.conf man page with no luck to find some way to generate the md5 checksum.

Let us know more. Do you use PSK, RSA keys or certificates?

> Is this a fatal error?

Fatal in the sense of lethal, no, but apparently your tunnel does not come up. Post your barf output (not too much mangled) somewhere on the net so we can have a look.

cheers
Erich
RE: [leaf-user] IPSEC md5sum not found
Actually, the errors are only on PSK lines in ipsec.secrets. I have transitioned to certificates, but no errors there. I left the PSK lines in to go back if desired.

Rick.

-----Original Message-----
From: Erich Titl [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 08, 2005 12:26 PM
To: Tibbs, Richard
Cc: Bering List
Subject: Re: [leaf-user] IPSEC md5sum not found

Rick

Tibbs, Richard wrote:
> Dear list:
> I have a subnet-to-subnet ipsec tunnel that is not coming up, and an ipsec barf shows several md5sum not found messages in association with all of the secrets.
>
> I looked through the ipsec.conf man page with no luck to find some way to generate the md5 checksum.

Let us know more. Do you use PSK, RSA keys or certificates?

> Is this a fatal error?

Fatal in the sense of lethal, no, but apparently your tunnel does not come up. Post your barf output (not too much mangled) somewhere on the net so we can have a look.

cheers
Erich
RE: [leaf-user] ipsec - no support for interface aliases
Hello Cpu,

Thanks for your fix. I'd like some more feedback from other users so this can be added to the ipsec package. Anyone who can also test this?

Eric

-----Original Message-----
From: cpu memhd [EMAIL PROTECTED]
Sent: 19-4-05 18:50:02
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] ipsec - no support for interface aliases

Seems like the ipsec scripts rely heavily on ifconfig but that utility is not available on bering-uclibc. There are lots of modifications to make it work with the ip command.

I was able to overcome this problem by replacing this line in _startklips:

    eval `ip addr show $phys primary | grep inet | sed -n 1p |

With this:

    eval `ip addr show ${phys%%:*} label $phys | grep inet | sed -n 1p |

Before:

    Device eth2:0 does not exist.

After:

    inet 192.168.8.10/16 brd 192.168.8.255 scope global secondary eth2:0

If there is no ethx:xxx label, the above modification still works (eg. ip addr show eth0 label eth0).

Just thought I'd mention this because I think it's important enough to change. Openswan does support aliased interfaces and it's the only way to use a secondary ip, that I know of at least.
[leaf-user] ipsec - no support for interface aliases
Seems like the ipsec scripts rely heavily on ifconfig but that utility is not available on bering-uclibc. There are lots of modifications to make it work with the ip command.

I was able to overcome this problem by replacing this line in _startklips:

    eval `ip addr show $phys primary | grep inet | sed -n 1p |

With this:

    eval `ip addr show ${phys%%:*} label $phys | grep inet | sed -n 1p |

Before:

    Device eth2:0 does not exist.

After:

    inet 192.168.8.10/16 brd 192.168.8.255 scope global secondary eth2:0

If there is no ethx:xxx label, the above modification still works (eg. ip addr show eth0 label eth0).

Just thought I'd mention this because I think it's important enough to change. Openswan does support aliased interfaces and it's the only way to use a secondary ip, that I know of at least.
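As an added example (not the posted patch and not the LEAF _startklips script), the two pieces of the fix as shell functions run against a constructed `ip addr show` dump so it works offline: `${phys%%:*}` yields the physical device that ip(8) needs, and matching the trailing label selects the aliased address the way `label $phys` does.

```shell
#!/bin/sh
# Added example, not from the LEAF scripts: how the posted _startklips fix
# finds the address of an aliased interface such as eth2:0.

# Constructed dump in `ip addr show eth2` format (addresses made up).
# eth2:0 is the alias that `ip addr show eth2:0` cannot find
# ("Device eth2:0 does not exist"); it only appears as a label on eth2.
sample_ip_addr_show() {
cat <<'EOF'
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.1/24 brd 192.168.9.255 scope global eth2
    inet 192.168.8.10/16 brd 192.168.8.255 scope global secondary eth2:0
EOF
}

# phys_device NAME: strip a ":label" suffix, so eth2:0 -> eth2 and
# eth0 -> eth0. This is exactly what ${phys%%:*} does in the fix.
phys_device() {
    printf '%s\n' "${1%%:*}"
}

# klips_addr IFACE: the CIDR address the fixed line extracts for IFACE.
# On a live box the script would run
#     ip addr show "$(phys_device "$IFACE")" label "$IFACE" | grep inet | sed -n 1p
# Here the dump is fed in instead; the header line is checked against the
# physical device, and the first inet line whose last field is the label
# is printed. Prints nothing (status 1) when the dump is for another device.
klips_addr() {
    dev=$(phys_device "$1")
    sample_ip_addr_show | awk -v d="$dev" -v l="$1" '
        NR == 1 && $2 != (d ":") { exit 1 }
        $1 == "inet" && $NF == l { print $2; exit }'
}
```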
[leaf-user] ipsec problem
Dear list, sorry for long post.

I am having an issue with IPsec. I have a WinXP machine that can build a successful SA just outside office firewall (Bering 1.2) in road-warrior mode, but not from behind another bering 1.2 home firewall. Nat traversal patch is on WinXP.

    home-subnet - homefw --ethsw -- internet --ethsw- officefw--offic-sub
    192.168.1.0               |                   |      192.168.10.0
    Winxp (.3)                |                   |
    won't work here       will work           Will work

I have moved the laptop farther away from office fw and as soon as I am behind a NAT device, I get this message from officefw:

    road-warrior[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'

What could be wrong here?

TIA,
Rick

The ipsec configs of both firewalls are displayed below. When trying to tunnel from home, the auth.log on office fw says

Jan 21 18:31:46 firewall pluto[1025]: packet from 216.x.y.z:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 0004]
Jan 21 18:31:46 firewall pluto[1025]: packet from 216.x.y.z:500: ignoring Vendor ID payload [4048b7d56ebce885...]
Jan 21 18:31:46 firewall pluto[1025]: packet from 216.x.y.z:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan 21 18:31:46 firewall pluto[1025]: packet from 216.x.y.z:500: ignoring Vendor ID payload [26244d38eddb61b3...]
Jan 21 18:31:46 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: responding to Main Mode from unknown peer 216.x.y.z
Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:31:48 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:48 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:31:48 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:31:50 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:50 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:31:50 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:31:54 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:54 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:31:54 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:32:02 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:32:02 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:32:02 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:32:18 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:32:18 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:32:18 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: sending notification INVALID_ID_INFORMATION to 216.x.y.z:500

firewall: -root-

== office ipsec.conf

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    #interfaces=ipsec0=eth0
    # Debug-logging controls: none for (almost) none, all for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes
    nat_traversal=no

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    #authby=rsasig
    # Authentication by pre-shared secret key
    authby=secret
    right=%defaultroute
    #left=%defaultroute
    rightsubnet=192.168.10.0/24
    #leftnexthop=%direct
    rightfirewall=yes
    pfs=yes
    auto=add
    #leftrsasigkey=%dns
    #rightrsasigkey=%dns

conn road-warrior
    left=%any

= home ipsec.conf

# basic configuration
config setup
    # THIS
Re: [leaf-user] ipsec problem
Tibbs, Richard wrote:
> Dear list, sorry for long post.
>
> I am having an issue with IPsec. I have a WinXP machine that can build a successful SA just outside office firewall (Bering 1.2) in road-warrior mode, but not from behind another bering 1.2 home firewall. Nat traversal patch is on WinXP.
>
>     home-subnet - homefw --ethsw -- internet --ethsw- officefw--offic-sub
>     192.168.1.0               |                   |      192.168.10.0
>     Winxp (.3)                |                   |
>     won't work here       will work           Will work
>
> I have moved the laptop farther away from office fw and as soon as I am behind a NAT device, I get this message from officefw:
>
>     road-warrior[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
>
> What could be wrong here?

I'm not sure exactly what's wrong, but the errors in the log tickle my memory, especially:

> Jan 21 18:31:46 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: responding to Main Mode from unknown peer 216.x.y.z
> Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
> Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'

The last message indicates a problem with your connection description (the information provided while negotiating an SA doesn't match anything in ipsec.conf). It looks to me like IPSec is defaulting to using the IP address as its identifier, and you may be running into problems when this doesn't match the 'visible' IP of the connection on the other end (due to NAT).

Try putting [left|right]id stanzas in your ipsec.conf file(s). I like to use unresolved names, ie: [EMAIL PROTECTED] (see ipsec.conf man page for details and other options).

Also, you mention enabling nat-traversal on the XP machine, but your connection defaults set nat_traversal=no, and the road-warrior connection descriptions don't seem to override this. This mis-match could also be causing your problem (or adding to it).

--
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] ipsec problem
Tibbs, Richard wrote:
> Charles,
> On the nat-traversal issue in bering fws -- I thought that parameter was if there was a router downstream that would subsequently nat the connection. I had an exchange with Microsoft about the need for a patch on the XP (or any machine) going through a nat box like bering. And I think a while back someone on the list volunteered that nat_traversal=yes was ineffective.

There is a NAT box...the home FW between your XP system and the internet. The nat_traversal=yes could be ineffective...I don't use nat_traversal, so I'm not sure. IIRC it's not something that can be negotiated at connection time, however, so both ends need to be setup with agreeing NAT-T settings at configuration time.

> Let me try a domain name in my XP IPsec config, as well as -- I think -- the office fw config. Right? IOW, here is my current xp box security policy on the outbound direction:
>
>     Mirr  Desc  Proto  srcport  destport  srcDNS  Srcaddr  destDNS  destaddr
>     Y     -     any    any      any       myIP    myIP/32  Subnet   192.168.10.0/24
>
> and for inbound.
>
>     Y     -     any    any      any       Subnet  192.168.10.0/24  myIP  myIP/32
>
> So, at least the destdns for inbound needs to be mydomain.com and office fw ipsec.conf should have leftid = mydomain.com ?

I don't grok XP ipsec config, and the above looks more like firewall rules than an IPSec connection config. If this were two linux boxen, they should have something like the following in the config files on *BOTH* ends of the link:

conn roadwarrior
    [EMAIL PROTECTED]
    [EMAIL PROTECTED]
    ...

NOTES:
- These ID's could also go in conn %default, an included file, etc.
- The @ sign is important! If you don't include the @, the name is resolved and the IP address is used as the identifier, typically *NOT* what you want (you're defaulting to the IP address of ipsec0 for the identifier already, by not specifying [left|right]id).
- The ID's provided/expected by each end must match, (along with other settings, like [L|R]subnet, etc) or you'll get the 'no suitable connection' error.
- I don't know how you specify this sort of ID in XP...perhaps google can help you.

> BTW, don't know if it matters but I notice that the homefw ipsec conf has both left=216.12.22.89 left=%deafultroute. Could that be any problem?

It could, but I suspect the latter value simply overwrites the earlier one (check the man page and your log files to be sure).

One other issue that might be causing you problems: Are you establishing any IPSec links between your home FW and the office FW? If so, the problem could be that the office FW is getting confused by the fact that you've got multiple connections coming from the same IP address, which already has identity information associated with it (this would also explain the errors in the log about no valid connection description). Using explicit IDs might help you, but it might not (depends on what your other tunnels are like, as there are limitations based on when various information is transferred and how ipsec figures out which connection description to use).

Your fundamental problem is that the office FW can't figure out which connection description applies to the inbound connections from your XP box, and this is pretty much by definition a configuration problem (or a problem with the architecture of your network not properly taking into account the limitations of identifying inbound ipsec connections). If using explicit IDs doesn't get you anywhere, try to up the debugging level and post more information from your logs when trying to get the XP box to connect.

--
Charles Steinkuehler
[EMAIL PROTECTED]
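The diagnosis in the two replies above, as an added example that is not part of the thread: a shell triage over constructed pluto log lines (the redacted 216.x.y.z is replaced by the documentation address 203.0.113.5) that pairs each "Main mode peer ID" with the "no suitable connection" failure of the same ISAKMP state and flags the case where the peer identified itself by a private address that differs from the address its packets came from, i.e. a NAT'd peer defaulting to its IP as the ID instead of an explicit @name.

```shell
#!/bin/sh
# Added example, not from the list: triage "no suitable connection for peer"
# failures in a pluto log and say which ones look like the NAT/ID mismatch.

# Constructed sample modelled on the thread's auth.log; addresses made up.
sample_log() {
cat <<'EOF'
Jan 21 18:31:46 firewall pluto[1025]: road-warrior[4] 203.0.113.5 #5: responding to Main Mode from unknown peer 203.0.113.5
Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 203.0.113.5 #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 203.0.113.5 #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:31:47 firewall pluto[1025]: road-warrior[4] 203.0.113.5 #5: sending notification INVALID_ID_INFORMATION to 203.0.113.5:500
Jan 21 18:40:00 firewall pluto[1025]: road-warrior[5] 198.51.100.7 #6: Main mode peer ID is ID_IPV4_ADDR: '198.51.100.7'
Jan 21 18:40:00 firewall pluto[1025]: road-warrior[5] 198.51.100.7 #6: no suitable connection for peer '198.51.100.7'
EOF
}

# is_private A.B.C.D: succeeds when the address is in an RFC 1918 block.
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# triage_peer_ids: reads a pluto log on stdin and prints, per failed state,
#   STATE SOURCE PEER_ID VERDICT
# where VERDICT is
#   nat-mismatch   peer ID is private and differs from the source address:
#                  the peer sits behind NAT and identifies by its inner IP;
#                  explicit leftid/rightid (@name) on both ends is the fix
#   id-mismatch    peer ID differs from the source but is not private
#   no-conn-for-id peer ID equals the source; no conn matches that ID
triage_peer_ids() {
    awk '
        /Main mode peer ID is ID_IPV4_ADDR/ {
            # "... road-warrior[4] SRC #5: Main mode peer ID is ID_IPV4_ADDR: X"
            for (i = 1; i <= NF; i++) if ($i ~ /^#[0-9]+:$/) { state = $i; src = $(i-1) }
            id = $NF; gsub(/[^0-9.]/, "", id)        # drop the quotes around X
            src_of[state] = src; id_of[state] = id
        }
        /no suitable connection for peer/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^#[0-9]+:$/) state = $i
            if (state in id_of) failed[state] = 1
        }
        END { for (s in failed) print s, src_of[s], id_of[s] }
    ' | LC_ALL=C sort | while read -r state src id; do
        state=${state%:}
        if [ "$src" != "$id" ] && is_private "$id"; then
            verdict=nat-mismatch
        elif [ "$src" != "$id" ]; then
            verdict=id-mismatch
        else
            verdict=no-conn-for-id
        fi
        printf '%s %s %s %s\n' "$state" "$src" "$id" "$verdict"
    done
}
```

Run it as `sample_log | triage_peer_ids`, or pipe a real auth.log into triage_peer_ids.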
Re: [leaf-user] IPSEC pluto errors
Scott A. Young wrote:
> Erich, thanks for the info. So then I *_do_* need to generate certificates even if I'm just using pre-shared keys?

AFAIK _no_, just make sure you do not have an empty file where a cert would be searched for. The code I looked at would do that weird thing with a file of length zero.

Erich
RE: [leaf-user] IPSEC pluto errors
Erich, thanks for the info. So then I *_do_* need to generate certificates even if I'm just using pre-shared keys?

Scott.
-
Scott Young
Network Integration Solutions Inc.
Phone: 780-461-3371
Fax: 780-465-7270
email: [EMAIL PROTECTED]

-----Original Message-----
From: Erich Titl [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 6:04 AM
To: Scott A. Young
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] IPSEC pluto errors

Scott

Scott A. Young wrote:
> Hi All,
> I'm also back on the subnet-to-subnet ipsec setup. Even with all the info on the list and archives, I'm at a loss. Both ends of connection are bering-uclibc v2.2.1 boxes w/ipsec. According to the bering userguide chapter 15, you don't need certificates if you're using pre-shared keys. But, I'm getting the following errors, and I'm wondering if it's related somehow. So what's up with the FATAL ERROR? It would seem without pluto, my ipsec configuration is unable to start? I can supply full details if required, but I'm hoping it's something much simpler than that.

I had a look at the code, is it possible that you have an empty certificate file, possibly called cert? Else you can contact Andreas Steffen on the StrongSwan list.

cheers
Erich
Re: [leaf-user] IPSEC pluto errors
Scott

Scott A. Young wrote:
> Hi All,
> I'm also back on the subnet-to-subnet ipsec setup. Even with all the info on the list and archives, I'm at a loss. Both ends of connection are bering-uclibc v2.2.1 boxes w/ipsec. According to the bering userguide chapter 15, you don't need certificates if you're using pre-shared keys. But, I'm getting the following errors, and I'm wondering if it's related somehow. So what's up with the FATAL ERROR? It would seem without pluto, my ipsec configuration is unable to start? I can supply full details if required, but I'm hoping it's something much simpler than that.

I had a look at the code, is it possible that you have an empty certificate file, possibly called cert? Else you can contact Andreas Steffen on the StrongSwan list.

cheers
Erich
RE: [leaf-user] IPSEC subnet routing
Hello again.

I have fought with this for a week now and I must be missing something. First of all, if I use a conn statement that has %defaultroute for right=, I get an error that the statement does not exist. However, if I use a right=(IP) and rightnexthop=(gateway), the conn statement works fine. Can anyone explain this?

But... None of the conn statements below work. My guess is that the conn statements that contain the also= parameter must be missing something. So I added esp=aes and auto=start or auto=add depending on the side of the connection. Still no joy.

Can anyone please tell me what I am doing wrong here? If you need error logs, I can provide them.

Thanks in advance!
Troy.

-----Original Message-----
From: Erich Titl [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 3:30 AM
Cc: Troy Aden; Leaf-User (E-mail)
Subject: Re: [leaf-user] IPSEC subnet routing

Looking at my mail there are a few typos. Long live cut and paste :-(

Erich Titl wrote:
> Troy
>
> It is a bit confusing for me, as I am always using left for the local system, right for the remote.
>
> Assumptions
>
> S'Toon
>     external IP address 135.115.157.162
>     internal networks 192.168.161.0/24 192.168.162.0/24 192.168.163.0/24
>
> Victoria
>     external IP address 24.35.38.129
>     internal network 172.0.0.0/8
>
> Please observe the difference in auto= between the two systems, only one should start the connection.
>
> At 18:59 15.11.2004 -0600, Troy Aden wrote:
> First of all, thanks so much for the quick reply! I am sorry to bug you a second time but I need some baby steps here. Can you please give me an example with the configs I provided. I need to see the also=common_conn_params in terms of my config. For example, if I had a 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24, networks on router A side. And I wanted Router B to connect to ONLY those subnets. Can you please type in exactly what I would need on both router A (S'toon) and router B (Victoria). From that, I should be able to figure out what I need to do to be more precise about the Router B networks within the 172.0.0.0/8 range. Again. Thanks in advance!!! Sorry to be a pain.
>
> Troy.
>
> Router A (S'toon)
>
> # basic configuration
> config setup
>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>     # %defaultroute is okay for most simple cases.
>     interfaces=%defaultroute
>     # Debug-logging controls: none for (almost) none, all for lots.
>     klipsdebug=none
>     plutodebug=none
>     # Use auto= parameters in conn descriptions to control startup actions.
>     plutoload=%search
>     plutostart=%search
>     # Close down old connection when new one using same ID shows up.
>     uniqueids=yes
>
> # defaults for subsequent connection descriptions
> conn %default
>     # How persistent to be in (re)keying negotiations (0 means very).
>     keyingtries=0
>     # RSA authentication with keys from DNS.
>     authby=secret
>     pfs=yes
>
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> conn victoria
>     right=%defaultroute
>     left=24.35.38.129
>     leftsubnet=172.0.0.0/8
>     esp=aes
>     auto=start
>
> conn victoria_1
>     also=victoria
>     rightsubnet=192.168.161.0/24
>
> conn victoria_2
>     also=victoria
>     rightsubnet=192.168.162.0/24
>
> conn victoria_3
>     also=victoria
>     rightsubnet=192.168.163.0/24
>
> Router B (Victoria)
>
> # basic configuration
> config setup
>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>     # %defaultroute is okay for most simple cases.
>     interfaces=%defaultroute
>     # Debug-logging controls: none for (almost) none, all for lots.
>     klipsdebug=none
>     plutodebug=none
>     # Use auto= parameters in conn descriptions to control startup actions.
>     plutoload=%search
>     plutostart=%search
>     # Close down old connection when new one using same ID shows up.
>     uniqueids=yes
>
> # defaults for subsequent connection descriptions
> conn %default
>     # How persistent to be in (re)keying negotiations (0 means very).
>     keyingtries=0
>     # RSA authentication with keys from DNS.
>     authby=secret
>     pfs=yes
>
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> conn stoon
>     right=%defaultroute
>     rightsubnet=172.0.0.0/8
>     left=135.115.157.162
>     esp=aes
>     auto=add
>
> conn stoon_1
>     also=stoon
>     leftsubnet=192.168.161.0/24
>
> conn stoon_2
>     also=stoon
>     leftsubnet=192.168.162.0/24
>
> conn stoon_3
>     also=stoon
>     leftsubnet=192.168.163.0/24
>
> HTH
> Erich
Re: [leaf-user] IPSEC subnet routing
Troy

Troy Aden wrote:
> Hello again.
>
> I have fought with this for a week now and I must be missing something. First of all, if I use a conn statement that has %defaultroute for right=, I get an error that the statement does not exist. However, if I use a right=(IP) and rightnexthop=(gateway), the conn statement works fine. Can anyone explain this?
>
> But... None of the conn statements below work. My guess is that the conn statements that contain the also= parameter must be missing something. So I added esp=aes and auto=start or auto=add depending on the side of the connection. Still no joy.
>
> Can anyone please tell me what I am doing wrong here? If you need error logs, I can provide them.

try to put the connection referenced by the also statement at the end of your file

here are the files I use, it's still 1.99 but it should not matter

kerberos

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: none for (almost) none, all for lots.
    klipsdebug=none
    plutodebug=none
    #plutodebug=all
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=rsasig
    leftrsasigkey=%dns
    rightrsasigkey=%dns

include /etc/ipsec.d/connections/test

/etc/ipsec.d/connections/test

#
# this is the barebone description of multiple connections through
# the same ipsec endpoints
#
conn test_to_dmz
    also=test
    leftsubnet=195.141.2.160/27
    auto=add

conn test
    ike=aes
    esp=aes
    left=%defaultroute
    leftcert=aspcert.pem
    leftrsasigkey=%cert
    right=%any
    rightsubnet=10.250.99.0/24
    rightrsasigkey=%cert
    rightid=C=CH,L=Schlieren,O=RUF Gruppe,OU=ASP Plus,CN=test.asp.ruf.ch
    keylife=10m
    rekeymargin=3m
    rekeyfuzz=150%

right = remote
left = local

HTH
Erich
Re: [leaf-user] IPSEC subnet routing
For the also parameter :

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=secret
    right=135.115.157.162
    rightsubnet=192.168.0.0/16
    rightnexthop=135.115.157.224
    pfs=yes

conn block
    auto=ignore

conn private
    also=block

conn private-or-clear
    also=block

conn clear
    also=block

conn packetdefault
    also=block

conn victoria
    left=24.35.38.129
    leftsubnet=172.0.0.0/8
    leftnexthop=24.35.38.1
    esp=aes
    auto=start

For the subnets, you can specify a leftsubnet=192.168.160/22, but the subnet 192.168.160.0/24 will be routed too. I don't know any other manner to specify several subnets for one connection. You can perhaps specify several connections :

conn victoria_1
    left=24.35.38.129
    leftsubnet=192.168.161.0/24
    leftnexthop=24.35.38.1
    esp=aes
    auto=start

conn victoria_2
    also = victoria_1
    leftsubnet=192.168.162.0/24

conn victoria_3
    also = victoria_1
    leftsubnet=192.168.163.0/24

But I never tested it, and I find it not very elegant...

Fabrice

Troy Aden wrote:
> First of all, thanks so much for the quick reply! I am sorry to bug you a second time but I need some baby steps here. Can you please give me an example with the configs I provided. I need to see the also=common_conn_params in terms of my config. For example, if I had a 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24, networks on router A side. And I wanted Router B to connect to ONLY those subnets. Can you please type in exactly what I would need on both router A (S'toon) and router B (Victoria). From that, I should be able to figure out what I need to do to be more precise about the Router B networks within the 172.0.0.0/8 range. Again. Thanks in advance!!! Sorry to be a pain.
>
> Troy.
>
> Router A (S'toon)
>
> # basic configuration
> config setup
>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>     # %defaultroute is okay for most simple cases.
>     interfaces=%defaultroute
>     # Debug-logging controls: none for (almost) none, all for lots.
>     klipsdebug=none
>     plutodebug=none
>     # Use auto= parameters in conn descriptions to control startup actions.
>     plutoload=%search
>     plutostart=%search
>     # Close down old connection when new one using same ID shows up.
>     uniqueids=yes
>
> # defaults for subsequent connection descriptions
> conn %default
>     # How persistent to be in (re)keying negotiations (0 means very).
>     keyingtries=0
>     # RSA authentication with keys from DNS.
>     authby=secret
>     right=135.115.157.162
>     rightsubnet=192.168.0.0/16
>     rightnexthop=135.115.157.224
>     pfs=yes
>
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> conn victoria
>     left=24.35.38.129
>     leftsubnet=172.0.0.0/8
>     leftnexthop=24.35.38.1
>     esp=aes
>     auto=start
>
> Router B (Victoria)
>
> # basic configuration
> config setup
>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>     # %defaultroute is okay for most simple cases.
>     interfaces=%defaultroute
>     # Debug-logging controls: none for (almost) none, all for lots.
>     klipsdebug=none
>     plutodebug=none
>     # Use auto= parameters in conn descriptions to control startup actions.
>     plutoload=%search
>     plutostart=%search
>     # Close down old connection when new one using same ID shows up.
>     uniqueids=yes
>
> # defaults for subsequent connection descriptions
> conn %default
>     # How persistent to be in (re)keying negotiations (0 means very).
>     keyingtries=0
>     # RSA authentication with keys from DNS.
>     authby=secret
>     right=24.35.38.129
>     rightsubnet=172.0.0.0/8
>     rightnexthop=24.35.38.1
>     pfs=yes
>
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> conn stoon
>     left=135.115.157.162
>     leftsubnet=192.168.0.0/16
>     leftnexthop=135.115.157.224
>     esp=aes
>     auto=start
RE: [leaf-user] IPSEC subnet routing
Troy

It is a bit confusing for me, as I am always using left for the local system, right for the remote.

Assumptions

S'Toon
    external IP address: 135.115.157.162
    internal networks:   192.168.161.0/24
                         192.168.162.0/24
                         192.168.163.0/24

Victoria
    external IP address: 24.35.38.129
    internal network:    172.0.0.0/8

Please observe the difference in auto= between the two systems: only one should start the connection.

At 18:59 15.11.2004 -0600, Troy Aden wrote:

First of all, thanks so much for the quick reply! I am sorry to bug you a second time but I need some baby steps here. Can you please give me an example with the configs I provided? I need to see the also=common_conn_params in terms of my config. For example, if I had the 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24 networks on the router A side, and I wanted Router B to connect to ONLY those subnets. Can you please type in exactly what I would need on both router A (S'toon) and router B (Victoria)? From that, I should be able to figure out what I need to do to be more precise about the Router B networks within the 172.0.0.0/8 range. Again, thanks in advance!!! Sorry to be a pain.

Troy.

Router A (S'toon)

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=secret
    pfs=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn victoria
    right=%defaultroute
    left=24.35.38.129
    leftsubnet=172.0.0.0/8
    esp=aes
    auto=start

conn victoria_1
    also=victoria
    rightsubnet=192.168.161.0/24

conn victoria_2
    also=victoria
    rightsubnet=192.168.162.0/24

conn victoria_2
    also=victoria
    rightsubnet=192.168.163.0/24

Router B (Victoria)

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=secret
    pfs=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn stoon
    right=%defaultroute
    rightsubnet=172.0.0.0/8
    left=135.115.157.162
    esp=aes
    auto=add

conn stoon_1
    also=stoon
    leftsubnet=192.168.161.0/24

conn stoon_1
    also=stoon
    leftsubnet=192.168.162.0/24

conn stoon_1
    also=stoon
    leftsubnet=192.168.163.0/24

HTH

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [leaf-user] IPSEC subnet routing
Looking at my mail there are a few typos. Long live cut and paste :-(

Erich Titl wrote:

Troy

It is a bit confusing for me, as I am always using left for the local system, right for the remote.

Assumptions

S'Toon
    external IP address: 135.115.157.162
    internal networks:   192.168.161.0/24
                         192.168.162.0/24
                         192.168.163.0/24

Victoria
    external IP address: 24.35.38.129
    internal network:    172.0.0.0/8

Please observe the difference in auto= between the two systems: only one should start the connection.

At 18:59 15.11.2004 -0600, Troy Aden wrote:

First of all, thanks so much for the quick reply! I am sorry to bug you a second time but I need some baby steps here. Can you please give me an example with the configs I provided? I need to see the also=common_conn_params in terms of my config. For example, if I had the 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24 networks on the router A side, and I wanted Router B to connect to ONLY those subnets. Can you please type in exactly what I would need on both router A (S'toon) and router B (Victoria)? From that, I should be able to figure out what I need to do to be more precise about the Router B networks within the 172.0.0.0/8 range. Again, thanks in advance!!! Sorry to be a pain.

Troy.

Router A (S'toon)

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=secret
    pfs=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn victoria
    right=%defaultroute
    left=24.35.38.129
    leftsubnet=172.0.0.0/8
    esp=aes
    auto=start

conn victoria_1
    also=victoria
    rightsubnet=192.168.161.0/24

conn victoria_2
    also=victoria
    rightsubnet=192.168.162.0/24

conn victoria_3
    also=victoria
    rightsubnet=192.168.163.0/24

Router B (Victoria)

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=secret
    pfs=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn stoon
    right=%defaultroute
    rightsubnet=172.0.0.0/8
    left=135.115.157.162
    esp=aes
    auto=add

conn stoon_1
    also=stoon
    leftsubnet=192.168.161.0/24

conn stoon_2
    also=stoon
    leftsubnet=192.168.162.0/24

conn stoon_3
    also=stoon
    leftsubnet=192.168.163.0/24

HTH

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
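The slip Erich corrects here (two conns with the same name) is easy to make with cut and paste and is silent in practice: the later definition wins and one subnet never gets a tunnel. The following is an added example, my own Python and not code from this list, from LEAF or from the *S/WAN projects, that checks a pair of configs like the ones above against each other. It parses only the subset of ipsec.conf(5) used in the thread (conn sections, key=value lines, also= and conn %default), resolves %defaultroute with the external address each router was given, and compares the two routers' tunnel definitions orientation-free, so it does not matter which side a poster calls left. It flags duplicate conn names, tunnels that exist on one router only, and tunnels where both or neither side has auto=start (Erich's point that only one side should start the connection). The precedence rule used (a conn's own parameters beat also= included ones, which beat conn %default) is my reading of the man page, and the two configs are constructed from the Router A / Router B listings above.

```python
"""Cross-check two FreeS/WAN ipsec.conf files, one per router.
Added example for this thread (not from the list, LEAF or Openswan); it covers only
the ipsec.conf(5) subset used above. Precedence: own keys > also= keys > %default."""
import re
from collections import Counter

# ROUTER_A and ROUTER_B are constructed from the corrected listings above.
ROUTER_A = """
conn %default
    authby=secret
conn victoria
    right=%defaultroute
    left=24.35.38.129
    leftsubnet=172.0.0.0/8
    auto=start
conn victoria_1
    also=victoria
    rightsubnet=192.168.161.0/24
conn victoria_2
    also=victoria
    rightsubnet=192.168.162.0/24
"""
ROUTER_B = """
conn stoon
    right=%defaultroute
    rightsubnet=172.0.0.0/8
    left=135.115.157.162
    auto=add
conn stoon_1
    also=stoon
    leftsubnet=192.168.161.0/24
conn stoon_2
    also=stoon
    leftsubnet=192.168.162.0/24
"""
# Reproduction of the cut-and-paste slip in the first mail: two conns both named victoria_2.
TYPO_A = ROUTER_A.replace("conn victoria_1", "conn victoria_2")
CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")

def parse_conns(text):
    """Ordered (name, params) list; a list so duplicate names stay visible."""
    conns, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = CONN_RE.match(line)
        if m:
            current = {}
            conns.append((m.group(1), current))
        elif line[0].isspace() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None  # e.g. "config setup" is not a conn section
    return conns

def duplicate_conn_names(text):
    counts = Counter(name for name, _ in parse_conns(text))
    return sorted(name for name, n in counts.items() if n > 1)

def resolve(text, own_ip):
    """Expand also= and %default; replace %defaultroute with own_ip."""
    table = dict(parse_conns(text))  # a duplicate name silently wins here
    default = table.pop("%default", {})
    def expand(name):
        params = dict(table[name])
        also = params.pop("also", None)
        if also is not None:  # included values only fill gaps
            for key, value in expand(also).items():
                params.setdefault(key, value)
        return params
    resolved = {}
    for name in table:
        params = {**default, **expand(name)}
        for side in ("left", "right"):
            if params.get(side) == "%defaultroute":
                params[side] = own_ip
        resolved[name] = params
    return resolved

def tunnels(resolved):
    """frozenset{(gateway, subnet)} -> (conn, auto=); no subnet means the gateway itself."""
    out = {}
    for name, p in resolved.items():
        ends = frozenset((p[s], p.get(s + "subnet", p[s] + "/32")) for s in ("left", "right"))
        out[ends] = (name, p.get("auto", "ignore"))
    return out

def check_pair(text_a, ip_a, text_b, ip_b):
    """Findings for two routers' configs; an empty list means they agree."""
    findings = [f"{lbl}: conn {d} is defined more than once"
                for lbl, t in (("A", text_a), ("B", text_b)) for d in duplicate_conn_names(t)]
    ta, tb = tunnels(resolve(text_a, ip_a)), tunnels(resolve(text_b, ip_b))
    for lbl, mine, other in (("A", ta, tb), ("B", tb, ta)):
        findings += [f"{lbl}: conn {mine[e][0]} has no counterpart on the other router"
                     for e in mine.keys() - other.keys()]
    for e in ta.keys() & tb.keys():
        starters = [ta[e][1], tb[e][1]].count("start")
        if starters != 1:  # exactly one side should initiate, as noted above
            findings.append(f"{ta[e][0]}/{tb[e][0]}: {starters} sides use auto=start")
    return findings
```

Run against the corrected pair, check_pair(ROUTER_A, "135.115.157.162", ROUTER_B, "24.35.38.129") returns an empty list; against TYPO_A it reports the duplicate victoria_2 and, because the later definition wins, a stoon_1 tunnel on Victoria with no counterpart on S'toon. That second finding is the one you would otherwise only notice when one subnet silently fails to pass traffic.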
Re: [leaf-user] IPSEC subnet routing
Erich Titl wrote:

Troy

Troy Aden wrote:

Hello all,

This may seem a silly question but I have not been able to find any info in any how-to or docs and I am hoping someone here can help me out.

http://www.freeswan.org/freeswan_trees/freeswan-1.98b/doc/manpage.d/ipsec.conf.5.html

The question is: How do I set up the IPSEC config so that I route only specific subnets over the IPSEC tunnel? Currently, I have set it up by simply using a large subnet mask that encompasses all the networks on either side of the link (see my example below). The problem is that I need to be more granular now and only route specific subnets over the link. I have played with it for a while now and I can't seem to have more than one subnet declaration in my default conn statement.

For example, let's say I want only 192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are the only subnets I would like to be able to communicate over the IPSEC link... Is there a clean way to do this? Please have a look at my configs below and let me know how I should do this.

Define a single connection for each subnet. You can use the also= statement to include common parameters, e.g.

conn xx
    also=common_conn_params
    rightsubnet=10.0.0.32/27
    auto=add

conn common_conn_params
    left=xx.yy.zz.nn
    leftsubnet=aa.bb.cc.dd/nn
    ..

Another option for complex routing problems with IPSec is to switch to using host-host tunnels, with another tunneling protocol on top of IPSec (typically GRE). You can then run routing protocols like RIP or BGP across the GRE tunnels, or use the kernel routing tables (rather than the IPSec configuration) to set up all your subnet routing (if it's not complex or dynamic enough to require a routing protocol).

There's a nice picture of the basic idea on the Cisco website:
http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html#diag

--
Charles Steinkuehler
[EMAIL PROTECTED]
[leaf-user] IPSEC pluto errors
Hi All,

I'm also back on the subnet-to-subnet ipsec setup. Even with all the info on the list and archives, I'm at a loss.

Both ends of the connection are bering-uclibc v2.2.1 boxes w/ipsec. According to the Bering user guide chapter 15, you don't need certificates if you're using pre-shared keys. But I'm getting the following errors, and I'm wondering if it's related somehow.

*** auth.log:
Nov 1 13:46:41 r2 ipsec__plutorun: Starting Pluto subsystem...
Nov 1 13:46:41 r2 pluto[21628]: Starting Pluto (Openswan Version 1.0.7)
Nov 1 13:46:41 r2 pluto[21628]: including X.509 patch with traffic selectors (Version 0.9.42)
Nov 1 13:46:41 r2 pluto[21628]: including NAT-Traversal patch (Version 0.6) [disabled]
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Nov 1 13:46:41 r2 pluto[21628]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 1 13:46:41 r2 pluto[21628]: Warning: empty directory
Nov 1 13:46:41 r2 pluto[21628]: Changing to directory '/etc/ipsec.d/crls'
Nov 1 13:46:41 r2 pluto[21628]: Warning: empty directory
Nov 1 13:46:41 r2 pluto[21628]: FATAL ERROR: unable to malloc 0 bytes for cert
*** end auth.log

So what's up with the FATAL ERROR? It would seem that without pluto, my ipsec configuration is unable to start?

I can supply full details if required, but I'm hoping it's something much simpler than that.

Thanks,
Scott.

---
Scott Young
Network Integration Solutions Inc.
9415 Ottewell Road
Edmonton, Alberta T6B2E1
Canada
Phone: 780-461-3371
Fax: 780-465-7270
[leaf-user] IPSEC subnet routing
Hello all,

This may seem a silly question but I have not been able to find any info in any how-to or docs and I am hoping someone here can help me out.

The question is: How do I set up the IPSEC config so that I route only specific subnets over the IPSEC tunnel? Currently, I have set it up by simply using a large subnet mask that encompasses all the networks on either side of the link (see my example below). The problem is that I need to be more granular now and only route specific subnets over the link. I have played with it for a while now and I can't seem to have more than one subnet declaration in my default conn statement.

For example, let's say I want only 192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are the only subnets I would like to be able to communicate over the IPSEC link... Is there a clean way to do this? Please have a look at my configs below and let me know how I should do this.

Thanks in advance!

Troy.

router A (S'toon)

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=secret
    right=135.115.157.162
    rightsubnet=192.168.0.0/16
    rightnexthop=135.115.157.224
    pfs=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn victoria
    left=24.35.38.129
    leftsubnet=172.0.0.0/8
    leftnexthop=24.35.38.1
    esp=aes
    auto=start

Router B (Victoria)

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=secret
    right=24.35.38.129
    rightsubnet=172.0.0.0/8
    rightnexthop=24.35.38.1
    pfs=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn stoon
    left=135.115.157.162
    leftsubnet=192.168.0.0/16
    leftnexthop=135.115.157.224
    esp=aes
    auto=start
Re: [leaf-user] IPSEC subnet routing
Troy

Troy Aden wrote:

Hello all,

This may seem a silly question but I have not been able to find any info in any how-to or docs and I am hoping someone here can help me out.

http://www.freeswan.org/freeswan_trees/freeswan-1.98b/doc/manpage.d/ipsec.conf.5.html

The question is: How do I set up the IPSEC config so that I route only specific subnets over the IPSEC tunnel? Currently, I have set it up by simply using a large subnet mask that encompasses all the networks on either side of the link (see my example below). The problem is that I need to be more granular now and only route specific subnets over the link. I have played with it for a while now and I can't seem to have more than one subnet declaration in my default conn statement.

For example, let's say I want only 192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are the only subnets I would like to be able to communicate over the IPSEC link... Is there a clean way to do this? Please have a look at my configs below and let me know how I should do this.

Define a single connection for each subnet. You can use the also= statement to include common parameters, e.g.

conn xx
    also=common_conn_params
    rightsubnet=10.0.0.32/27
    auto=add

conn common_conn_params
    left=xx.yy.zz.nn
    leftsubnet=aa.bb.cc.dd/nn
    ..

cheers

Erich
RE: [leaf-user] IPSEC subnet routing
First of all, thanks so much for the quick reply! I am sorry to bug you a second time but I need some baby steps here. Can you please give me an example with the configs I provided? I need to see the also=common_conn_params in terms of my config. For example, if I had the 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24 networks on the router A side, and I wanted Router B to connect to ONLY those subnets. Can you please type in exactly what I would need on both router A (S'toon) and router B (Victoria)? From that, I should be able to figure out what I need to do to be more precise about the Router B networks within the 172.0.0.0/8 range. Again, thanks in advance!!! Sorry to be a pain.

Troy.

Router A (S'toon)

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=secret
    right=135.115.157.162
    rightsubnet=192.168.0.0/16
    rightnexthop=135.115.157.224
    pfs=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn victoria
    left=24.35.38.129
    leftsubnet=172.0.0.0/8
    leftnexthop=24.35.38.1
    esp=aes
    auto=start

Router B (Victoria)

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=secret
    right=24.35.38.129
    rightsubnet=172.0.0.0/8
    rightnexthop=24.35.38.1
    pfs=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn stoon
    left=135.115.157.162
    leftsubnet=192.168.0.0/16
    leftnexthop=135.115.157.224
    esp=aes
    auto=start

-----Original Message-----
From: Erich Titl [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 2:33 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: Re: [leaf-user] IPSEC subnet routing

Troy

Troy Aden wrote:

Hello all,

This may seem a silly question but I have not been able to find any info in any how-to or docs and I am hoping someone here can help me out.

http://www.freeswan.org/freeswan_trees/freeswan-1.98b/doc/manpage.d/ipsec.conf.5.html

The question is: How do I set up the IPSEC config so that I route only specific subnets over the IPSEC tunnel? Currently, I have set it up by simply using a large subnet mask that encompasses all the networks on either side of the link (see my example below). The problem is that I need to be more granular now and only route specific subnets over the link. I have played with it for a while now and I can't seem to have more than one subnet declaration in my default conn statement.

For example, let's say I want only 192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are the only subnets I would like to be able to communicate over the IPSEC link... Is there a clean way to do this? Please have a look at my configs below and let me know how I should do this.

Define a single connection for each subnet. You can use the also= statement to include common parameters, e.g.

conn xx
    also=common_conn_params
    rightsubnet=10.0.0.32/27
    auto=add

conn common_conn_params
    left=xx.yy.zz.nn
    leftsubnet=aa.bb.cc.dd/nn
    ..

cheers

Erich
[leaf-user] ipsec subnet-to-subnet vpn
Hi All,

First of all, thanks to everyone involved with this project. The support from the mailing list archives is great!

I've been trying to get an ipsec vpn between two bering-uclibc v2.2.1 routers going. Before boring everyone with the details, I'm wondering if there is a definitive example of a subnet-to-subnet ipsec setup with shorewall. I will post full details, as per instructions, but at this point I think I just need a good example to work from.

Both routers are the same, with the following .lrp's loaded:

Name      Version          Description
========  ===============  ===============================================
initrd    V2.2.1 uClibc-   LEAF Bering-uClibc initial filesystem
root      V2.2.1 uClibc-   Core LEAF Bering-uClibc package
config    0.4              Core config and backup system package
etc       V2.2.1 uClibc-
local     V2.2.1 uClibc-   LEAF Bering local package
iptables  1.2.11           IP packet filter administration tools for 2.4.
shorwall
ulogd     1.02             The Netfilter Userspace Logging Daemon
dropbear  0.43 Rev 2       Dropbear SSH 2 server and scp client
ntpdate   4.1.0-8          client for setting system time from NTP server
ntpsimpl  4.1.0-8          NTP v4 daemon for simple systems from Debian
sh-httpd  1.2.5 Rev 3      Small shell-based web server
weblet    1.0.0 Rev 4      http-server content
lpthread  0.9.20           The libpthread library
mawk      1.3.3-9          Mawk is an interpreter for the AWK Programming
libm      0.9.20           The libm library
modules   V2.2.1 uClibc-   Define contain your LEAF Bering modules
ipsec     1.0.7            Openswan IPSEC
dnsmasq   2.15 Rev 1       Dnsmasq is lightweight, easy to configure DNS

TIA,
Scott.

---
Scott Young
Network Integration Solutions Inc.
Phone: 780-461-3371
Fax: 780-465-7270
RE: [leaf-user] ipsec subnet-to-subnet vpn
shared secrets file}

Now type: 'shorewall restart'

Ok, I like to do a terminate statement first:

    'ipsec whack --terminate --name example'

{I always do this first just in case there is an existing tunnel}

Then try to bring up the tunnel:

    'ipsec whack --initiate --name example'

{Those are double dashes, in case they come out garbled on your end}

If it worked you should see an output something like this:

002 example #32: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
122 example #32: STATE_QUICK_I1: initiate
002 example #32: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
002 example #32: sent QI2, IPsec SA established
004 example #32: STATE_QUICK_I2: sent QI2, IPsec SA established

Troy

-----Original Message-----
From: Scott A. Young [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 31, 2004 7:14 PM
To: Troy Aden
Subject: RE: [leaf-user] ipsec subnet-to-subnet vpn

That would be perfect... Pre-shared keys is where I'm starting as well.

Thanks,
Scott.

-
Scott Young
Network Integration Solutions Inc.
Phone: 780-461-3371
Fax: 780-465-7270
email: [EMAIL PROTECTED]

-----Original Message-----
From: Troy Aden [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 31, 2004 5:21 PM
To: Scott A. Young
Subject: RE: [leaf-user] ipsec subnet-to-subnet vpn

I think I can help you out. I have a working config using pre-shared keys. Are you interested in this? If so, I will send it on.

Troy

-----Original Message-----
From: Scott A. Young [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 31, 2004 5:49 PM
To: [EMAIL PROTECTED]
Subject: [leaf-user] ipsec subnet-to-subnet vpn

Hi All,

First of all, thanks to everyone involved with this project. The support from the mailing list archives is great!

I've been trying to get an ipsec vpn between two bering-uclibc v2.2.1 routers going. Before boring everyone with the details, I'm wondering if there is a definitive example of a subnet-to-subnet ipsec setup with shorewall. I will post full details, as per instructions, but at this point I think I just need a good example to work from.

Both routers are the same, with the following .lrp's loaded:

Name      Version          Description
========  ===============  ===============================================
initrd    V2.2.1 uClibc-   LEAF Bering-uClibc initial filesystem
root      V2.2.1 uClibc-   Core LEAF Bering-uClibc package
config    0.4              Core config and backup system package
etc       V2.2.1 uClibc-
local     V2.2.1 uClibc-   LEAF Bering local package
iptables  1.2.11           IP packet filter administration tools for 2.4.
shorwall
ulogd     1.02             The Netfilter Userspace Logging Daemon
dropbear  0.43 Rev 2       Dropbear SSH 2 server and scp client
ntpdate   4.1.0-8          client for setting system time from NTP server
ntpsimpl  4.1.0-8          NTP v4 daemon for simple systems from Debian
sh-httpd  1.2.5 Rev 3      Small shell-based web server
weblet    1.0.0 Rev 4      http-server content
lpthread  0.9.20           The libpthread library
mawk      1.3.3-9          Mawk is an interpreter for the AWK Programming
libm      0.9.20           The libm library
modules   V2.2.1 uClibc-   Define contain your LEAF Bering modules
ipsec     1.0.7            Openswan IPSEC
dnsmasq   2.15 Rev 1       Dnsmasq is lightweight, easy to configure DNS

TIA,
Scott.

---
Scott Young
Network Integration Solutions Inc.
Phone: 780-461-3371
Fax: 780-465-7270
[leaf-user] IPsec and NAT traversal: Bering 1.2 and Linksys BEFSR41
Hello!

I'm trying to set up a VPN between a Windows 2000 notebook and a Bering 1.2 LEAF firewall, running SuperFreeS/WAN 1.99.6.2. On this firewall, I have two tunnels set up. One is a tunnel between two LEAF firewalls bridging two subnets, and works great. The other is a tunnel designed for road warrior usage.

I'm using the Windows 2000 VPN tool (http://vpn.ebootis.de/) on the 2000 notebook to try to connect to my LEAF firewall. If I connect the notebook directly to the Internet with a real-world IP, it works great. If, however, I put it behind a router (in this case, a Linksys BEFSR41) it does not work. I've made sure that IPsec passthru is turned on in the Linksys, and it is. I can browse the Internet from behind the router, but not connect to the VPN.

Here are the relevant parts of my firewall's ipsec.conf:

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=3

conn RoadWarrior
    authby=secret
    left=FirewallExternalIP
    leftsubnet=InternalNetwork/22
    leftnexthop=FirewallExternalGateway
    leftfirewall=yes
    right=%any
    keylife=30m
    auto=add

Also, here is the Windows computer's ipsec.conf:

conn AmherstOfficeToRoadWarrior
    left=FirewallExternalIP
    leftsubnet=InternalNetwork/255.255.252.0
    right=%any
    presharedkey=SharedKey
    network=lan
    rekey=1800S/3K
    auto=start
    pfs=yes

Like I said, the VPN works when not behind the router, so I know that the IPs and shared secret are correct.

Here are the errors I get on the LEAF firewall. I'm typing these by hand, so I'm only including what look to be the interesting parts. If you need more, let me know.

RoadWarrior[1] Linksys IP #3 responding to Main Mode from unknown peer Linksys External IP
RoadWarrior[1] Linksys IP #3 Main mode peer ID is ID_IPV4_ADDR: Internal IP of notebook behind Linksys
RoadWarrior[1] Linksys IP #3 No suitable connection for peer 'Internal IP of notebook behind Linksys'
RoadWarrior[1] Linksys IP #3 sending notification INVALID_ID_INFORMATION to Linksys External IP:500

These lines repeat several times.

As you can see, the LEAF firewall sees the packets as coming from the Linksys IP address (because of NAT), but the packets themselves say that the endpoint has the IP address of an internal-to-the-Linksys IP. Obviously, this is not correct.

What do I need to do to make this work? I was told that the IP passthru was supposed to be transparent and just plug-in-and-go. I've *never* found anything related to IPsec plug-in-and-go: why should this be any different? :)

Any suggestions would be *greatly* appreciated!

Thank you!

Tim Massey
Re: [leaf-user] IPsec and NAT traversal: Bering 1.2 and Linksys BEFSR41
Timothy J. Massey wrote:

> Hello!
>
> I'm trying to set up a VPN between a Windows 2000 notebook and a Bering 1.2 LEAF firewall, running SuperFreeS/WAN 1.99.6.2. On this firewall, I have two tunnels set up. One is a tunnel between two LEAF firewalls bridging two subnets, and works great. The other is a tunnel designed for road warrior usage.
>
> I'm using the Windows 2000 VPN tool (http://vpn.ebootis.de/) on the 2000 notebook to try to connect to my LEAF firewall. If I connect the notebook directly to the Internet with a real-world IP, it works great. If, however, I put it behind a router (in this case, a Linksys BEFSR41) it does not work. I've made sure that IPsec passthru is turned on in the Linksys, and it is. I can browse the Internet from behind the router, but not connect to the VPN.
>
> Here are the relevant parts of my firewall's ipsec.conf:
>
>     config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>         plutoload=%search
>         plutostart=%search
>         uniqueids=yes
>
>     conn %default
>         keyingtries=3
>
>     conn RoadWarrior
>         authby=secret
>         left=FirewallExternalIP
>         leftsubnet=InternalNetwork/22
>         leftnexthop=FirewallExternalGateway
>         leftfirewall=yes
>         right=%any
>         keylife=30m
>         auto=add
>
> Also, here is the Windows computer's ipsec.conf:
>
>     conn AmherstOfficeToRoadWarrior
>         left=FirewallExternalIP
>         leftsubnet=InternalNetwork/255.255.252.0
>         right=%any
>         presharedkey=SharedKey
>         network=lan
>         rekey=1800S/3K
>         auto=start
>         pfs=yes
>
> Like I said, the VPN works when not behind the router, so I know that the IPs and shared secret are correct.
>
> Here are the errors I get on the LEAF firewall. I'm typing these by hand, so I'm only including what look to be the interesting parts. If you need more, let me know.
>
>     RoadWarrior[1] Linksys IP #3 responding to Main Mode from unknown peer Linksys External IP
>     RoadWarrior[1] Linksys IP #3 Main mode peer ID is ID_IPV4_ADDR: Internal IP of notebook behind Linksys
>     RoadWarrior[1] Linksys IP #3 No suitable connection for peer 'Internal IP of notebook behind Linksys'
>     RoadWarrior[1] Linksys IP #3 sending notification INVALID_ID_INFORMATION to Linksys External IP:500
>
> These lines repeat several times.
>
> As you can see, the LEAF firewall sees the packets as coming from the Linksys IP address (because of NAT), but the packets themselves say that the endpoint has the IP address of an internal-to-the-Linksys IP. Obviously, this is not correct.
>
> What do I need to do to make this work? I was told that the IP passthru was supposed to be transparent and just plug-in-and-go. I've *never* found anything related to IPsec plug-in-and-go: why should this be any different? :)
>
> Any suggestions would be *greatly* appreciated!
>
> Thank you!

Your problem may have nothing to do with IP addresses. Based on the limited information above, I'd start checking your configuration files on both ends, looking to make sure the peer names match. The linux IPSec implementation is *VERY* picky about how connection names are matched. The "No suitable connection for peer <whatever>" error typically means IPSec can't find a valid tunnel description in your configuration file that matches what the client's trying to setup, ie: your connection descriptions on each end don't match.

Note that the peer ID defaults to the IP address, which can be a bad thing (especially for road-warrior clients), so I usually assign actual names to the machines in question. Depending on how you're authenticating, this can also allow you to specify unique connection descriptions for different road-warrior clients, despite the fact that you don't know their IP in advance (if you use certs or rsa keys, but not pre-shared-secrets).

An example of setting the peer name on the linux side:

    [EMAIL PROTECTED]
    [EMAIL PROTECTED]

Note the @ symbol, which prevents ipsec from trying to resolve the domain name and use the IP address as the peer name instead. For details, see the IPSec man pages:

    leftid
        how the left participant should be identified for authentication; defaults to left. Can be an IP address (in any ipsec_ttoaddr(3) syntax) or a fully-qualified domain name preceded by @ (which is used as a literal string and not resolved).

You have to have a connection description with matching [left|right]id's, and matching tunnel specifications (ie: subnet-host, host-host, or subnet-subnet, with identical IPs) to avoid the "No suitable connection" error.

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
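The two pitfalls in the reply above (a road-warrior peer whose ID defaults to its IP address, and an id written without the leading @ so that it gets resolved) can be caught by reading the configuration before the first client connects. The following linter is an added example, not code from the poster or from FreeS/WAN: it parses the FreeS/WAN ipsec.conf layout (section headers in column 0, indented key=value lines, "conn %default" folded into every other conn) and flags the conns that would produce the "No suitable connection" failure. The sample file and its addresses and hostnames are constructed placeholders, not values from the original message.

```python
"""Lint FreeS/WAN-style ipsec.conf road-warrior conns for the two pitfalls in
the reply above: a peer ID that silently defaults to the client's IP, and an
id without the leading @ that gets resolved instead of used literally."""
import re
from typing import Dict, List

# Constructed sample shaped like the LEAF-side ipsec.conf in the post; the
# addresses and hostnames are documentation placeholders, not the poster's.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
    uniqueids=yes

conn %default
    keyingtries=3

# as posted: identity falls back to whatever IP the client arrives from
conn RoadWarrior
    authby=secret
    left=192.0.2.1
    leftsubnet=10.0.0.0/22
    leftfirewall=yes
    right=%any
    auto=add

# the same conn with literal @names, as the reply recommends
conn RoadWarriorNamed
    authby=secret
    left=192.0.2.1
    leftid=@gateway.example.test
    leftsubnet=10.0.0.0/22
    right=%any
    rightid=@laptop.example.test
    auto=add
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn NAME' sections into name -> {key: value}; 'conn %default'
    is folded into every other conn the way FreeS/WAN applies it."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():        # section headers start in column 0
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else None
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is None:             # inside 'config setup'
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **params} for name, params in sections.items()}


def lint_conn(name: str, conn: Dict[str, str]) -> List[str]:
    """Warnings a practitioner would want to see for one conn."""
    warnings: List[str] = []
    for side in ("left", "right"):
        ident = conn.get(side + "id")
        if ident is None:
            if conn.get(side) == "%any":
                warnings.append(
                    f"{name}: {side}=%any without {side}id, so the peer ID defaults "
                    f"to the client's own IP; behind NAT that ID never matches")
            continue
        if not ident.startswith("@") and not IPV4_RE.match(ident):
            warnings.append(
                f"{name}: {side}id={ident} has no leading @, so it will be "
                f"resolved to an address instead of used as a literal name")
    if (conn.get("authby") == "secret" and conn.get("right") == "%any"
            and "rightid" not in conn):
        warnings.append(
            f"{name}: pre-shared secret with right=%any cannot give each "
            f"road warrior its own conn; use rightid, certs or RSA keys")
    return warnings


def lint_conf(text: str) -> Dict[str, List[str]]:
    return {name: lint_conn(name, c) for name, c in parse_ipsec_conf(text).items()}


if __name__ == "__main__":
    for conn_name, warns in lint_conf(SAMPLE_CONF).items():
        print(conn_name, "OK" if not warns else "")
        for w in warns:
            print("  -", w)
```

Run against a real file with `lint_conf(open("/etc/ipsec.conf").read())`; the RoadWarrior conn as posted yields two warnings, the @-named variant none.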
[leaf-user] Ipsec roadwarrior won't pass through a Bering Firewall
Dear list:

Erich Titl has already given me great help (off-list -- much thanks to him) on this, but I thought I would post to the leaf list and verify some conclusions. They are:

1) The Nat-traversal patch available in Bering ipsec does UDP encapsulation after any masquerading. The particular situation is a win2k machine with a roadwarrior IP security policy as described in the Bering users guide, as well as the Freeswan site.

2) It will be necessary to perform nat-traversal on the win2k box itself.

If anyone can verify the above two points are true, I would be grateful. Each fw masquerades outbound. See log file records from office fw at the end.

I have the following configuration:

    Office win2k 137.45.192.86 --eth sw-- 137.45.192.69 (office FW) -- 192.168.10.0/24    ping works fine
                                               |
                                          (Campus Net)
                                               |
                                           (Internet)
                                               |
                                            HomeFW -- 192.168.1.0/24
                                               |
                                    win2k box, IP security Policy as described in the Bering users guide
                                    Can't ping from (192.168.1.3) to 192.168.10.x behind office fw.

I am using two Bering 1.2 firewalls with SuperFreeSwan and the nat-traversal patch is enabled (on both -- most importantly the home FW). Each Win2k box is set up quite identically, following some road-warrior configs from the freeswan examples. The differences are:

1) The home win2k box goes through the HomeFW.
2) The outbound/inbound IP security filters of course name a different src/dest endpoint.

The symptoms are as follows: I can ping, telnet etc from a machine just outside the office firewall, but not from a virtually identical setup behind the home FW.

The auth.log on the office firewall gives a few interesting records. From the home fw (216.12.22.89) we see in the office FW auth.log a record:

    Jul 28 18:45:25 firewall pluto[21755]: road-warrior[2] 216.12.22.89 #1: sent MR3, ISAKMP SA established

So the Key mgmt SA is accepted. But from there things go downhill. Why would this log message be issued on the office FW one second later?

    Jul 28 18:45:26 firewall pluto[21755]: road-warrior[2] 216.12.22.89 #1: cannot respond to IPsec SA request because no connection is known for 192.168.10.0/24===137.45.192.69...216.12.22.89[192.168.1.3]===192.168.1.3/32

I think the above record from auth.log is where things go wrong, but why? Is it the apparently strange IP addresses, as the tail of auth.log complains:

    firewall pluto[21755]: road-warrior[2] 216.12.22.89 #721: Main mode peer ID is ID_IPV4_ADDR: '216.12.22.89'
    Jul 29 09:46:59 firewall pluto[21755]: road-warrior[2] 216.12.22.89 #721: we require peer to have ID '192.168.1.3', but peer declares '216.12.22.89'

Why doesn't nat traversal on Bering take care of this? Is there something wrong with my config?

TIA for any help
Rick.

My Office ipsec.conf is:

    # /etc/ipsec.conf - FreeS/WAN IPsec configuration file

    # More elaborate and more varied sample configurations can be found
    # in FreeS/WAN's doc/examples file, and in the HTML documentation.

    # basic configuration
    config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        #interfaces=ipsec0=eth0
        # Debug-logging controls: none for (almost) none, all for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        nat_traversal=yes

    # defaults for subsequent connection descriptions
    conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        #authby=rsasig
        # Authentication by pre-shared secret key
        authby=secret
        #left=137.45.192.69
        left=%defaultroute
        leftsubnet=192.168.10.0/24
        #leftnexthop=%direct
        leftfirewall=yes
        pfs=yes
        auto=add
        #leftrsasigkey=%dns
        #rightrsasigkey=%dns

    conn road-warrior
        right=%any

    # connection description for (experimental!) opportunistic encryption
    # (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
    #conn me-to-anyone
    #    left=%defaultroute
    #    right=%opportunistic
    #    # uncomment to enable incoming; change to auto=route for outgoing
    #    #auto=add

    # sample VPN connection
    conn sample
        # Left security gateway, subnet behind it, next hop toward right.
        left=10.0.0.1
        leftsubnet=172.16.0.0/24
        leftnexthop=10.22.33.44
        # Right security gateway, subnet behind it, next hop toward left.
        right=10.12.12.1
        rightsubnet=192.168.0.0/24
        rightnexthop=10.101.102.103
        # To authorize this connection, but not
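The two pluto lines Rick asks about carry the answer in their notation: the topology string is LEFTSUBNET===LEFTHOST[LEFTID]...RIGHTHOST[RIGHTID]===RIGHTSUBNET, so "216.12.22.89[192.168.1.3]===192.168.1.3/32" says the IKE packets arrived from the public address of the home firewall while the client identifies itself, and proposes itself as the remote subnet, with the private address it has behind that firewall. The parser below is an added example (not the poster's code and not part of FreeS/WAN) that reads such lines from auth.log and names the NAT symptom; the log lines are the ones quoted in the post, with the first added as a line that needs no action.

```python
"""Parse the topology pluto prints in "no connection is known for ..." and
the "we require peer to have ID" complaint, and say what they reveal about
a road warrior behind NAT.  Added example; pluto's notation is
LEFTSUBNET===LEFTHOST[LEFTID]...RIGHTHOST[RIGHTID]===RIGHTSUBNET, with the
subnets and the [ID]s optional."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Log lines copied from the post above, plus its harmless "ISAKMP SA" line.
SAMPLE_LOG = """\
Jul 28 18:45:25 firewall pluto[21755]: road-warrior[2] 216.12.22.89 #1: sent MR3, ISAKMP SA established
Jul 28 18:45:26 firewall pluto[21755]: road-warrior[2] 216.12.22.89 #1: cannot respond to IPsec SA request because no connection is known for 192.168.10.0/24===137.45.192.69...216.12.22.89[192.168.1.3]===192.168.1.3/32
Jul 29 09:46:59 firewall pluto[21755]: road-warrior[2] 216.12.22.89 #721: we require peer to have ID '192.168.1.3', but peer declares '216.12.22.89'
"""

NO_CONN_RE = re.compile(r"no connection is known for (\S+)")
ID_MISMATCH_RE = re.compile(
    r"we require peer to have ID '([^']*)', but peer declares '([^']*)'")
HOST_RE = re.compile(r"^(?P<host>[^\[\]]+?)(?:\[(?P<id>[^\]]*)\])?$")


@dataclass
class Endpoint:
    host: str                 # address the IKE packets actually came from
    ident: Optional[str]      # ID given in [...]; None means it defaults to host
    subnet: Optional[str]     # protected network, None for a host-only end


def _parse_end(text: str, subnet_first: bool) -> Endpoint:
    parts = text.split("===")
    if len(parts) == 2:
        subnet, hostpart = parts if subnet_first else parts[::-1]
    else:
        subnet, hostpart = None, parts[0]
    m = HOST_RE.match(hostpart)
    if m is None:
        raise ValueError(f"unparseable endpoint {text!r}")
    return Endpoint(m.group("host"), m.group("id"), subnet)


def parse_topology(spec: str) -> Tuple[Endpoint, Endpoint]:
    left, right = spec.split("...", 1)
    return _parse_end(left, True), _parse_end(right, False)


def _is_private(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def diagnose(line: str) -> Optional[str]:
    """Explain one pluto log line, or None if it is not one we recognise."""
    m = NO_CONN_RE.search(line)
    if m:
        _, peer = parse_topology(m.group(1))
        findings: List[str] = []
        if peer.ident and _is_private(peer.ident) and not _is_private(peer.host):
            findings.append(f"peer at public {peer.host} declares private ID "
                            f"{peer.ident}: the client sits behind NAT")
        if peer.subnet == f"{peer.ident or peer.host}/32":
            findings.append(f"peer proposes its own address {peer.subnet} as the "
                            f"remote subnet, which a plain right=%any conn "
                            f"does not describe")
        return "; ".join(findings) or "no NAT indicators in the proposed topology"
    m = ID_MISMATCH_RE.search(line)
    if m:
        wanted, got = m.groups()
        return (f"ID mismatch: conn expects {wanted} but peer sends {got}; "
                f"pin the ID with rightid instead of relying on the IP")
    return None


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        verdict = diagnose(entry)
        if verdict:
            print(entry.split(": ", 1)[1][:60], "->", verdict)
```

Feed it `grep pluto /var/log/auth.log` and the "no connection is known for" lines are translated into which side is NATed and what the client is proposing, which is the information needed to decide between a subnet-to-subnet conn, an explicit rightid, or NAT traversal on the client.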
Re: [leaf-user] Ipsec roadwarrior won't pass through a Bering Firewall
On Friday 30 July 2004 09:51 am, Tibbs, Richard wrote:

[snipped completely]

> Why doesn't nat traversal on Bering take care of this? Is there something wrong with my config?

Is your right side running a firewall (yes)? Does your right side have a subnet (yes)? %any doesn't cover everything except for a host-to-host or host-to-subnet connection. Your key also needs to be identified by the connection name. Your config is incomplete for a subnet-to-subnet tunnel.

-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
Re: [leaf-user] IPsec between FreeS/WAN 1.91 (Dachstein) and Linksys router/Windows 2000 computer
[EMAIL PROTECTED] wrote on 04/23/2004 05:52:30 PM:

Sorry for the delay, but I wanted to write and let others (and future searchers) know what the resolution to this problem was:

> Timothy J. Massey wrote:
>
>> Hello!
>>
>> I'm using a Dachstein firewall with FreeS/WAN 1.91. I would like to set up an IPsec VPN with either a Linksys BEFVP41 router, or a Windows 2000 computer behind it.
>
> To be clear, the problem is entirely on the Linksys end (ie: the windows box that works when not behind the router is behind the linksys router, not the Dachstein box)?

Correct.

> Assuming an affirmative answer to the above, you'll need to setup the Linksys box in a VPN pass-through mode (I'm not sure if it supports this), or provide some details about how you're trying to get it to connect to the Dachstein box.

I was not able to make this work, though I did not try *really* hard. It certainly did not work out of the box as I might have expected it to. I could make a Windows 2000 computer connect to Dachstein if the Windows box were directly connected to the Internet. However, if I moved it behind the Linksys, with IPsec pass-through enabled, it would not work. From my research, it seems that you need nat_traversal=yes in your IPsec configuration, but 1.92 does not support this. 1.91 is the newest version for Dachstein, AFAIK.

> After a quick review of the Linksys manual for your box, it looks like it should work fine as an IPSec gateway with Dachstein's IPSec, as long as you get the configuration correct. Make sure you're selecting 3DES, SHA, IKE (with perfect-forward-security), and have a properly setup pre-shared key.

This was the largest source of problem. The Bering instructions say to use MD5, unless I'm reading them wrong. I assumed that the default would be the same for Dachstein's IPsec. This is not the case. Specifically, you need 1024-bit SHA. The Linksys supports 768 and 1024. Dachstein supports 1024 and 1536. Obviously, only 1024 is in common.

>> Also, is there a newer version of FreeS/WAN for Dachstein? I have some routing issues that are making the migration to Bering difficult at the moment...
>
> Not That I'm aware of...

Nor am I. I would upgrade to Bering here, but there are some routing issues more easily solved with Dachstein.

Thank you very much for your help. The pointer to SHA was invaluable. I would have probably only tried that if I got to the "well, let's see what else I can change" stage. It saved me much frustration.

Tim Massey
Re: [leaf-user] IPsec between FreeS/WAN 1.91 (Dachstein) and Linksys router/Windows 2000 computer
Hi

On 23 Apr 2004 at 16:52, Charles Steinkuehler wrote about "Re: [leaf-user] IPsec between FreeS/WAN 1.91 (Dac":

> Timothy J. Massey wrote:
>
>> Hello!
>>
>> I'm using a Dachstein firewall with FreeS/WAN 1.91. I would like to set up an IPsec VPN with either a Linksys BEFVP41 router, or a Windows 2000 computer behind it. I have been unable to do either. The router won't negotiate a tunnel with the LEAF firewall, and I can't seem to make the IPsec passthrough work, either. The Windows 2000 computer does work if I plug it into the Internet directly, but not from behind the router.
>>
>> Any ideas on what I could try? Even a success story would be enough: it would be nice to know that it's possible.
>
> [...]
>
> After a quick review of the Linksys manual for your box, it looks like it should work fine as an IPSec gateway with Dachstein's IPSec, as long as you get the configuration correct. Make sure you're selecting 3DES, SHA, IKE (with perfect-forward-security), and have a properly setup pre-shared key. You also need to verify the basic tunnel configuration is correct (ie: subnet-subnet, host-host, or subnet-host) and the IPs/networks match on both ends.
>
> There's probably useful information in the logs on both ends (web-accessible on the Linksys, and in /var/log/auth.log on the Dachstein box...also accessible via the web if you're running weblet). We could probably help a lot more with some additional debugging info from the logs and details of your ipsec.conf from Dachstein and the configuration settings on the Linksys.

You could also try an update to Windows 2000 with NAT-T enhancements published by M$ a year ago:

http://support.microsoft.com/default.aspx?scid=kb;en-us;818043#6

Note that the article states you need Windows 2000 Service Pack 3 or greater but it doesn't say if the update got bundled with Service Pack 4.

Regards,
- Ramiro
[leaf-user] IPsec between FreeS/WAN 1.91 (Dachstein) and Linksys router/Windows 2000 computer
Hello!

I'm using a Dachstein firewall with FreeS/WAN 1.91. I would like to set up an IPsec VPN with either a Linksys BEFVP41 router, or a Windows 2000 computer behind it. I have been unable to do either. The router won't negotiate a tunnel with the LEAF firewall, and I can't seem to make the IPsec passthrough work, either. The Windows 2000 computer does work if I plug it into the Internet directly, but not from behind the router.

Any ideas on what I could try? Even a success story would be enough: it would be nice to know that it's possible.

Also, is there a newer version of FreeS/WAN for Dachstein? I have some routing issues that are making the migration to Bering difficult at the moment...

Thank you very much for any help you might be able to give me.

Tim Massey
Re: [leaf-user] IPsec between FreeS/WAN 1.91 (Dachstein) and Linksys router/Windows 2000 computer
Timothy J. Massey wrote:

> Hello!
>
> I'm using a Dachstein firewall with FreeS/WAN 1.91. I would like to set up an IPsec VPN with either a Linksys BEFVP41 router, or a Windows 2000 computer behind it. I have been unable to do either. The router won't negotiate a tunnel with the LEAF firewall, and I can't seem to make the IPsec passthrough work, either. The Windows 2000 computer does work if I plug it into the Internet directly, but not from behind the router.
>
> Any ideas on what I could try? Even a success story would be enough: it would be nice to know that it's possible.

To be clear, the problem is entirely on the Linksys end (ie: the windows box that works when not behind the router is behind the linksys router, not the Dachstein box)?

Assuming an affirmative answer to the above, you'll need to setup the Linksys box in a VPN pass-through mode (I'm not sure if it supports this), or provide some details about how you're trying to get it to connect to the Dachstein box.

After a quick review of the Linksys manual for your box, it looks like it should work fine as an IPSec gateway with Dachstein's IPSec, as long as you get the configuration correct. Make sure you're selecting 3DES, SHA, IKE (with perfect-forward-security), and have a properly setup pre-shared key. You also need to verify the basic tunnel configuration is correct (ie: subnet-subnet, host-host, or subnet-host) and the IPs/networks match on both ends.

There's probably useful information in the logs on both ends (web-accessible on the Linksys, and in /var/log/auth.log on the Dachstein box...also accessible via the web if you're running weblet). We could probably help a lot more with some additional debugging info from the logs and details of your ipsec.conf from Dachstein and the configuration settings on the Linksys.

> Also, is there a newer version of FreeS/WAN for Dachstein? I have some routing issues that are making the migration to Bering difficult at the moment...

Not That I'm aware of...

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
RE: [leaf-user] IPSEC help needed....
I checked and after loading the module, and making the changes to the /etc/network.conf file, saved to disk and the work VPN works!!! Thanks for the help, now I can work from home :)

-----Original Message-----
From: Kevin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 9:07 PM
To: 'Charles Steinkuehler'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [leaf-user] IPSEC help needed

Thanks Charles - yes I just need to allow the passthrough of the IPSEC protocol for everything to work. I will update the firewall like below and bring the laptop home tomorrow to try it out. The IT guys do not understand my router and all they have troubleshooting guides for are the commercial routers for consumers. I will try the rules first, then the kernel and module.

SNIP
RE: [leaf-user] IPSEC help needed....
There is no ipsec.o module in Dachstein for IPSEC. I have a pair of boxes with an IPSEC VPN between them on static IPs and it's all in the configuration of IPSEC, that is the secret. Read the howto's and look at the freeswan site if it's still around. We need a bit more than just "to get the work VPN software to work correctly". Are you setting up a subnet to subnet or single client to subnet? The howto's are out there, just look. Email the list again if you need more help.

Matt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Tuesday, April 20, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] IPSEC help needed

I am using Dachstein 1.02 and need IPSEC enabled to get the work VPN software to work correctly. I do not see a module IPSEC that is loaded, should I have one to make this work correctly?

Here are the modules loaded:

    Linux version 2.2.19-3-LEAF ([EMAIL PROTECTED]) (gcc version 2.7.2.3) #1 Sat Dec 1 12:15:05 CST 2001

    Installed Modules:
    ip_masq_vdolive     1180   0 (unused)
    ip_masq_user        3708   0 (unused)
    ip_masq_raudio      2980   0 (unused)
    ip_masq_quake       1220   0 (unused)
    ip_masq_portfw      2416   0 (unused)
    ip_masq_mfw         3196   0 (unused)
    ip_masq_irc         1924   0
    ip_masq_ftp         3576   0
    ip_masq_cuseeme      964   0 (unused)
    ip_masq_autofw      2476   0 (unused)
    ne                  6292   2
    8390                6236   0 [ne]
    bsd_comp            3708   0 (unused)
    ppp_deflate        40672   0 (unused)
    ppp                20828   2 [bsd_comp ppp_deflate]
    slhc                4436   0 [ppp]

Here are the packages:

    Name      Version   Description
    ========  ========  ==============================================
    root      4.0.6     Linux Router Project
    etc       4.0.1     /etc/ of the main root, minus any other packag
    ramlog    1.1       Creates additinal ramdisks on boot
    local     4.0.6     Local package. This package does not contain a
    modules   4.0.6     Modules package. Contains kernel modules and u
    ppp       2.3.11    PPPd Deamon for Dial-Up
    dhcpd     2.0pl5    dhcpd - Autoconfigure client machines
    dnscache  1.05a     dnscache from djbdns (V1.05a) package creates
    ifconfig  1.45      ifconfig and route commnads
    pppoe     2.6       Roaring Penguin PPPoE Client LRP Package
    weblet    1.2.0     weblet - LRP status via a small web server
    sshd      3.0p1     OpenSSH sshd daemon.
    oidentd   1.6.0     There shouldn't be any configuration needed un
    libz      so.1      used for SSHD only
    psentry   1.0       If this package failed to load, please create

This is the block that needs to pass through:

    Apr 19 07:10:48 amberton kernel: Packet log: input DENY ppp0 PROTO=50 207.11.4.7:65535 68.19.16.103:65535 L=168 S=0x00 I=8699 F=0x T=243 (#70)

I am not sure if I need a rule set or a package loaded, any help would be beneficial.
Re: [leaf-user] IPSEC help needed....
Kevin wrote:

> I am using Dachstein 1.02 and need IPSEC enabled to get the work VPN software to work correctly. I do not see a module IPSEC that is loaded, should I have one to make this work correctly?
>
> Here are the modules loaded:
>
>     Linux version 2.2.19-3-LEAF ([EMAIL PROTECTED]) (gcc version 2.7.2.3) #1 Sat Dec 1 12:15:05 CST 2001
>
>     Installed Modules:
>     ip_masq_vdolive     1180   0 (unused)
>     ip_masq_user        3708   0 (unused)
>     ip_masq_raudio      2980   0 (unused)
>     ip_masq_quake       1220   0 (unused)
>     ip_masq_portfw      2416   0 (unused)
>     ip_masq_mfw         3196   0 (unused)
>     ip_masq_irc         1924   0
>     ip_masq_ftp         3576   0
>     ip_masq_cuseeme      964   0 (unused)
>     ip_masq_autofw      2476   0 (unused)
>     ne                  6292   2
>     8390                6236   0 [ne]
>     bsd_comp            3708   0 (unused)
>     ppp_deflate        40672   0 (unused)
>     ppp                20828   2 [bsd_comp ppp_deflate]
>     slhc                4436   0 [ppp]
>
> Here are the packages:
>
> snip
>
> This is the block that needs to pass through:
>
>     Apr 19 07:10:48 amberton kernel: Packet log: input DENY ppp0 PROTO=50 207.11.4.7:65535 68.19.16.103:65535 L=168 S=0x00 I=8699 F=0x T=243 (#70)
>
> I am not sure if I need a rule set or a package loaded, any help would be beneficial.

Actually, I think you need a rule set and a module loaded. I'm going to work under the assumption that you need to masquerade an IPSec connection (ie: you're running an ipsec client on an internal system, rather than trying to run ipsec on the firewall itself).

To do this, you first need to make sure you're using the proper kernel. Masquerading ipsec and running ipsec on the firewall are mutually exclusive, and require different kernels. The 'plain' kernels available from my site support ipsec masquerading, while kernels with -IPSec in the name support running ipsec directly on the firewall. Which kernel flavor you want depends on your system, but you probably want either the 'small' or 'normal' kernel:

http://lrp2.steinkuehler.net/files/kernels/Dachstein-small/
http://lrp2.steinkuehler.net/files/kernels/Dachstein-normal/

The floppy version ships with the small kernel w/o ipsec by default.

Once you have an appropriate kernel (or have verified you're running the linux-2.2.19-3-LEAF-small.zImage.upx kernel by filesize), you need to copy the ip_masq_ipsec.o masquerading 'helper' module to your modules directory and add it to /etc/modules.

The last thing you need to do is allow the actual IPSec traffic through your firewall. This typically involves UDP port 500, and *PROTOCOL* 50 or 51, depending on whether you're running ESP or AH. To do this, add the following in /etc/network.conf:

    EXTERN_UDP_PORTS=0/0_500
    EXTERN_PORTS=50_0/0 51_0/0

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
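The "Packet log: input DENY ... PROTO=50" line Kevin posted is the ipchains kernel log telling you exactly which IPsec component the firewall is dropping, and the reply maps those to EXTERN_* entries in /etc/network.conf. The script below is an added example, not Dachstein's own code: it classifies denied packets by IANA protocol number (50 ESP, 51 AH) or UDP port (500 IKE, 4500 NAT-T) and emits the network.conf lines in the 0/0_port and proto_0/0 notation used above. The first log line is the one from the post; the other two are constructed, one denied IKE datagram and one unrelated TCP connection that must not result in an opened port. Writing the values double-quoted assumes network.conf is read as shell variables, which is why a space-separated list needs quotes.

```python
"""Turn ipchains 'Packet log:' denials into the Dachstein network.conf entries
that let an IPsec client behind the firewall through.  Added example; the
quoted-value form EXTERN_PORTS="..." assumes network.conf is read as shell
variables (so a space-separated list needs quotes)."""
import re
from typing import Dict, List, Optional

# The denied ESP packet from the post, plus two constructed lines: a denied
# IKE datagram and an unrelated TCP connection that must not be opened.
SAMPLE_LOG = """\
Apr 19 07:10:48 amberton kernel: Packet log: input DENY ppp0 PROTO=50 207.11.4.7:65535 68.19.16.103:65535 L=168 S=0x00 I=8699 F=0x T=243 (#70)
Apr 19 07:10:49 amberton kernel: Packet log: input DENY ppp0 PROTO=17 207.11.4.7:500 68.19.16.103:500 L=112 S=0x00 I=8700 F=0x T=243 (#70)
Apr 19 07:10:50 amberton kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:4444 68.19.16.103:23 L=60 S=0x00 I=8701 F=0x T=50 (#70)
"""

PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")

# IANA protocol numbers and UDP ports that make up an IPsec session
IPSEC_PROTOCOLS = {50: "ESP", 51: "AH"}
IPSEC_UDP_PORTS = {500: "IKE", 4500: "NAT-T"}


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return which IPsec component a denied packet belongs to, or None."""
    m = PACKET_LOG_RE.search(line)
    if m is None or m.group("verdict") not in ("DENY", "REJECT"):
        return None
    proto, dport = int(m.group("proto")), int(m.group("dport"))
    if proto in IPSEC_PROTOCOLS:
        return {"component": IPSEC_PROTOCOLS[proto], "kind": "proto", "value": proto,
                "iface": m.group("iface"), "src": m.group("src")}
    if proto == 17 and dport in IPSEC_UDP_PORTS:
        return {"component": IPSEC_UDP_PORTS[dport], "kind": "udp", "value": dport,
                "iface": m.group("iface"), "src": m.group("src")}
    return None


def ipsec_denials(log: str) -> List[Dict[str, object]]:
    return [c for c in (classify(l) for l in log.splitlines()) if c]


def network_conf_lines(denials: List[Dict[str, object]]) -> List[str]:
    """Build the EXTERN_* entries in the 0/0_port / proto_0/0 notation from
    the reply above, one value per distinct port or protocol seen."""
    udp = sorted({d["value"] for d in denials if d["kind"] == "udp"})
    protos = sorted({d["value"] for d in denials if d["kind"] == "proto"})
    lines: List[str] = []
    if udp:
        lines.append('EXTERN_UDP_PORTS="' + " ".join(f"0/0_{p}" for p in udp) + '"')
    if protos:
        lines.append('EXTERN_PORTS="' + " ".join(f"{p}_0/0" for p in protos) + '"')
    return lines


if __name__ == "__main__":
    found = ipsec_denials(SAMPLE_LOG)
    for d in found:
        print(f"{d['iface']}: {d['component']} from {d['src']} was dropped")
    print("\n".join(network_conf_lines(found)))
```

Only what was actually dropped gets opened: the telnet attempt on the third line is ignored, and AH (protocol 51) only appears in the output if an AH packet was logged, so the generated rules stay as narrow as the traffic you have seen.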
RE: [leaf-user] IPSEC help needed....
Thanks Charles - yes I just need to allow the passthrough of the IPSEC protocol for everything to work. I will update the firewall like below and bring the laptop home tomorrow to try it out. The IT guys do not understand my router and all they have troubleshooting guides for are the commercial routers for consumers. I will try the rules first, then the kernel and module. As Matt stated, I will also search the HOWTO's and ask the IT guys what type of connection this is if I need more help.

-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 7:41 AM
To: Kevin
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] IPSEC help needed

Kevin wrote:
SNIP

Actually, I think you need a rule set and a module loaded. I'm going to work under the assumption that you need to masquerade an IPSec connection (ie: you're running an ipsec client on an internal system, rather than trying to run ipsec on the firewall itself).

To do this, you first need to make sure you're using the proper kernel. Masquerading ipsec and running ipsec on the firewall are mutually exclusive, and require different kernels. The 'plain' kernels available from my site support ipsec masquerading, while kernels with -IPSec in the name support running ipsec directly on the firewall. Which kernel flavor you want depends on your system, but you probably want either the 'small' or 'normal' kernel:

http://lrp2.steinkuehler.net/files/kernels/Dachstein-small/
http://lrp2.steinkuehler.net/files/kernels/Dachstein-normal/

The floppy version ships with the small kernel w/o ipsec by default.

Once you have an appropriate kernel (or have verified you're running the linux-2.2.19-3-LEAF-small.zImage.upx kernel by filesize), you need to copy the ip_masq_ipsec.o masquerading 'helper' module to your modules directory and add it to /etc/modules.

The last thing you need to do is allow the actual IPSec traffic through your firewall. This typically involves UDP port 500, and *PROTOCOL* 50 or 51, depending on whether you're running ESP or AH. To do this, add the following in /etc/network.conf:

    EXTERN_UDP_PORTS=0/0_500
    EXTERN_PORTS=50_0/0 51_0/0

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] IPSEC help needed....
Kevin wrote:

> Thanks Charles - yes I just need to allow the passthrough of the IPSEC protocol for everything to work. I will update the firewall like below and bring the laptop home tomorrow to try it out. The IT guys do not understand my router and all they have troubleshooting guides for are the commercial routers for consumers. I will try the rules first, then the kernel and module. As Matt stated, I will also search the HOWTO's and ask the IT guys what type of connection this is if I need more help.

You'll need the rules and the module. You won't need to mess with the kernel if you're running Dachstein from floppy. If you're running off of CD, the default kernel is configured to run IPSec on the firewall so it won't work w/o changing the kernel (kind of hard on the CD-ROM, but you could install to a HDD or similar).

Post to the list if you need further help.

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
[leaf-user] IPSEC help needed....
I am using Dachstein 1.02 and need IPSEC enabled to get the work VPN software to work correctly. I do not see a module IPSEC that is loaded, should I have one to make this work correctly?

Here are the modules loaded:

    Linux version 2.2.19-3-LEAF ([EMAIL PROTECTED]) (gcc version 2.7.2.3) #1 Sat Dec 1 12:15:05 CST 2001

    Installed Modules:
    ip_masq_vdolive     1180   0 (unused)
    ip_masq_user        3708   0 (unused)
    ip_masq_raudio      2980   0 (unused)
    ip_masq_quake       1220   0 (unused)
    ip_masq_portfw      2416   0 (unused)
    ip_masq_mfw         3196   0 (unused)
    ip_masq_irc         1924   0
    ip_masq_ftp         3576   0
    ip_masq_cuseeme      964   0 (unused)
    ip_masq_autofw      2476   0 (unused)
    ne                  6292   2
    8390                6236   0 [ne]
    bsd_comp            3708   0 (unused)
    ppp_deflate        40672   0 (unused)
    ppp                20828   2 [bsd_comp ppp_deflate]
    slhc                4436   0 [ppp]

Here are the packages:

    Name      Version   Description
    ========  ========  ==============================================
    root      4.0.6     Linux Router Project
    etc       4.0.1     /etc/ of the main root, minus any other packag
    ramlog    1.1       Creates additinal ramdisks on boot
    local     4.0.6     Local package. This package does not contain a
    modules   4.0.6     Modules package. Contains kernel modules and u
    ppp       2.3.11    PPPd Deamon for Dial-Up
    dhcpd     2.0pl5    dhcpd - Autoconfigure client machines
    dnscache  1.05a     dnscache from djbdns (V1.05a) package creates
    ifconfig  1.45      ifconfig and route commnads
    pppoe     2.6       Roaring Penguin PPPoE Client LRP Package
    weblet    1.2.0     weblet - LRP status via a small web server
    sshd      3.0p1     OpenSSH sshd daemon.
    oidentd   1.6.0     There shouldn't be any configuration needed un
    libz      so.1      used for SSHD only
    psentry   1.0       If this package failed to load, please create

This is the block that needs to pass through:

    Apr 19 07:10:48 amberton kernel: Packet log: input DENY ppp0 PROTO=50 207.11.4.7:65535 68.19.16.103:65535 L=168 S=0x00 I=8699 F=0x T=243 (#70)

I am not sure if I need a rule set or a package loaded, any help would be beneficial.
[leaf-user] IPSec, PPP dropped then reconnect internet connection
Having just recently placed a mail server on my DMZ I am now addressing an issue whereby my PPP link (over PPPoE) would drop, then come back up but my routing table would be thereafter mucked up and require manual intervention to reset the networking/shorewall/ipsec utilities to get proper connectivity restored. (Manual intervention was tolerable for my personal use but I need to have my mail server up 7/24).

I am running Bering 1.2. eth0=internet, eth1=private, eth2=DMZ. I am running IPSec. Relevant package versions are:

    Name      Ver          Description
    initrd    V1.2         LEAF Bering initial filesystem
    root      V1.2         Core LEAF Bering package
    iptables  1.2.8        IP packet filter admin' tools for 2.4.
    ppp       2.4.1-pppoe  Point-to-Point Protocol (PPP) daemon
    pppoe     3.3-1        PPPoE add-on for pppd
    shorwall  1.4.2        Shoreline Firewall (Shorewall)
    ipsec     1.99.6.2     Super Freeswan IPSEC

After a bootup of my LEAF box and all was working well, my routing table would be as follows:

    216.99.105.4 dev ppp0  proto kernel  scope link  src 216.99.99.35
    216.99.105.4 dev ipsec0  proto kernel  scope link  src 216.99.99.35
    10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.254
    172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.1
    192.168.1.0/24 via 216.99.105.4 dev ipsec0
    192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254
    default via 216.99.105.4 dev ppp0

After a PPP link drop (simulated by my powering off my DSL modem) my routing table would be as follows:

    216.99.105.4 dev ipsec0  proto kernel  scope link  src 216.99.99.35
    10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.254
    172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.1
    192.168.1.0/24 via 216.99.105.4 dev ipsec0
    192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254

After the PPP link restored (simulated by my powering back on my DSL modem) my routing table would be as follows:

    216.99.105.4 dev ipsec0  proto kernel  scope link  src 216.99.99.35
    216.99.105.4 dev ppp0  proto kernel  scope link  src 216.99.99.35
    10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.254
    172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.1
    192.168.1.0/24 via 216.99.105.4 dev ipsec0
    192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254
    default via 216.99.105.4 dev ipsec0

And thus I don't have connectivity to the internet thereafter. It would appear to me that the 'default' traffic is trying to get out on the ipsec interface which is, as expected, not working.

I resolved this problem by adding to (the bottom of) /etc/ppp/ip-down an 'svi ipsec stop' command. To /etc/ppp/ip-up I added 'svi ipsec start'. This has, AFAICT, resolved the issue.

Having apparently solved my problem (hacker! :) I'd like to inquire:

- is this the proper way to solve this problem?
- should a change be made to some parts of the IPSec and/or PPP packages to preclude this issue from affecting others?
- and/or should some change to some documentation be made to make mention of this problem and resolution?

I checked the mail archives and relevant documentation (http://leaf.sourceforge.net/doc/guide/buipsec.html) but there was no mention (that I could find) of this problem or resolution.

Thanks for any feedback!

Cheers,
scott; canada
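The three routing tables above show the failure mechanically: after the link comes back, both ipsec0 and ppp0 carry a link-scope route to the gateway 216.99.105.4, but ipsec0's is now first, so when pppd's ip-up re-adds "default via 216.99.105.4" the kernel resolves that gateway through ipsec0. The checker below is an added example (not part of Bering, the ppp package or the poster's fix) that parses `ip route` output and flags a missing default route, a default route that leaves through a tunnel device, and a missing ppp0 route; the three tables are the ones quoted in the post. It is the kind of check you would run from ip-up or a cron job to alert before mail starts bouncing.

```python
"""Check a Bering routing table for the failure described in the post: after a
PPP reconnect the default route ends up on ipsec0 instead of ppp0.  Added
example that parses 'ip route' output; the three tables are the ones shown
above."""
import re
from typing import Dict, List, Optional

ROUTE_RE = re.compile(
    r"^(?P<dst>default|[\d.]+(?:/\d+)?)(?: via (?P<via>[\d.]+))? dev (?P<dev>\S+)")

HEALTHY = """\
216.99.105.4 dev ppp0  proto kernel  scope link  src 216.99.99.35
216.99.105.4 dev ipsec0  proto kernel  scope link  src 216.99.99.35
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.254
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.1
192.168.1.0/24 via 216.99.105.4 dev ipsec0
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254
default via 216.99.105.4 dev ppp0
"""

AFTER_DROP = """\
216.99.105.4 dev ipsec0  proto kernel  scope link  src 216.99.99.35
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.254
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.1
192.168.1.0/24 via 216.99.105.4 dev ipsec0
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254
"""

AFTER_RESTORE = """\
216.99.105.4 dev ipsec0  proto kernel  scope link  src 216.99.99.35
216.99.105.4 dev ppp0  proto kernel  scope link  src 216.99.99.35
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.254
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.1
192.168.1.0/24 via 216.99.105.4 dev ipsec0
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254
default via 216.99.105.4 dev ipsec0
"""

Route = Dict[str, Optional[str]]


def parse_routes(text: str) -> List[Route]:
    """One dict per 'ip route' line: dst, via (None if on-link) and dev."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(m.groupdict())
    return routes


def gateway_devices(routes: List[Route], gateway: str) -> List[str]:
    """Devices with a link route to the gateway, in table order; the kernel
    resolves 'via gateway' through the first of these."""
    return [r["dev"] for r in routes if r["dst"] == gateway and r["via"] is None]


def check_routes(routes: List[Route], wan_dev: str = "ppp0",
                 tunnel_devs: tuple = ("ipsec0",)) -> List[str]:
    problems: List[str] = []
    default = next((r for r in routes if r["dst"] == "default"), None)
    if default is None:
        problems.append("no default route: Internet traffic has nowhere to go")
    elif default["dev"] in tunnel_devs:
        order = gateway_devices(routes, default["via"] or "")
        problems.append(f"default route leaves via {default['dev']} instead of "
                        f"{wan_dev}; link routes to {default['via']} are on {order}, "
                        f"so the tunnel device won the lookup")
    if not any(r["dev"] == wan_dev for r in routes):
        problems.append(f"no route on {wan_dev}: the PPP link is down or ip-up has not run")
    return problems


if __name__ == "__main__":
    for label, table in (("boot", HEALTHY), ("link down", AFTER_DROP),
                         ("link restored", AFTER_RESTORE)):
        print(label, "->", check_routes(parse_routes(table)) or ["OK"])
```

Feeding it live data is `check_routes(parse_routes(subprocess.check_output(["ip", "route"], text=True)))`; a non-empty result after ip-up is the moment to restart ipsec (or, as in the fix above, to have stopped it in ip-down so the stale ipsec0 route never outranks ppp0's).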
RE: [leaf-user] IPsec pluto etc: static build required?
> I'm just getting started with Leaf Bering. I've built a new 2.4.20 kernel using the woody environment and have iptables built statically and all is well as far as that goes.

There are newer 2.4 kernels around.

> Freeswan is a bit of a mystery though. I'm using super-freeswan-1.99.6.2.

Compiling FreeS/WAN for Bering is nontrivial, because the Bering userland libc is so ancient and the kernel and userland compile environment is different. I see several possibilities:

- use the Bering package. It is compiled from super-FreeS/WAN. We use it for certificate authentication
- The userland stuff of freeswan cannot be compiled separately (make programs), but needs patches for the potato environment. These patches should be available from Jacques or Eric, somebody did build the ipsec.lrp
- The userland stuff can also be compiled statically. Go to the pluto directory and add -static to the LDFLAGS = line in the Makefile (about line 90 in mine) and then call make programs
- I think at one time I used the userland binaries that I compiled in a SuSE environment and they worked (Don't know why, though..)

HTH
Alex
[leaf-user] IPsec pluto etc: static build required?
I'm just getting started with Leaf Bering. I've built a new 2.4.20 kernel using the woody environment and have iptables built statically and all is well as far as that goes.

Freeswan is a bit of a mystery though. I'm using super-freeswan-1.99.6.2. Pluto, whack and other utilities are linked to libc.6 on the woody system, while I'm using libc-2.0.7.so on my userland system which, of course, is causing some rather erratic behavior when starting ipsec.

What is the best way around this? I'm digging through the docs and don't really find an easy way of building all the utilities alone statically. The temptation here is to just modify the Makefile.inc to pass the arg to build everything statically linked. Do I have it right? Is there a doc that covers the problem? Any patches?

Any help would be appreciated. Thanks.

--
* Tom Redfern | Address: Box 21 Snoqualmie WA 98065-0021 USA *
*             | Email: [EMAIL PROTECTED]                     *
RE: [leaf-user] IPSec WiFi vs. weblet
Hi Christopher,

Happy New Year to you and the list.

Yes, I use IPSec.

Best Regards,
Francois BERGERET, France.

-----Original Message-----
From: Christopher Harewood [mailto:[EMAIL PROTECTED]
Sent: Friday 26 December 2003 17:20
To: Francois BERGERET
Cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] IPSec WiFi vs. weblet

I already had a similar entry in my policy file:

vpn fw ACCEPT
fw vpn ACCEPT

to no avail. Are you using IPSec, Francois?

On Mon, 15 Dec 2003, Francois BERGERET wrote:

> Hi all,
>
> I use two wireless networks simultaneously in a Soekris embedded PC with Bering V1.2, plus one normally wired LAN. Weblet runs fine from all subnets.
>
> I have not uncommented this in the ssh.httpd.conf file:
>
> #Who can access the server?
> #CLIENT_ADDRS=192.168.1
>
> In the Shorewall policy file, I have this:
>
> fw loc ACCEPT
> loc fw ACCEPT
>
> and the same for all invoked interfaces wlan0 and wlan1 zone aliases.
>
> I hope this could help. If not, let me know what you want more.
>
> Good Luck.
>
> Best Regards,
> Francois BERGERET, France.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Christopher Harewood
> Sent: Monday 15 December 2003 07:10
> Cc: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] IPSec WiFi vs. weblet
>
> The 192.168.3.0 subnet is my IPSec vpn. Hence, in /etc/shorewall/rules:
>
> ACCEPT loc fw tcp 80
> ACCEPT vpn fw tcp 80
>
> No weblet over the vpn, and no hits in the firewall log, so I surmise that it's not a Shorewall issue. But I've been wrong before.
RE: [leaf-user] IPSec WiFi vs. weblet
Eureka!

Determined to resolve this issue, I attempted to access the weblet over the VPN, and checked to see if any log file was touched. Just one. daemon.log. Which told me that I had failed to place a carriage return after the second entry in hosts.allow for my ipsec'd subnet. One carriage return later, all is well.

Rejoice, etc.

Thanks to one and all for their help. Perhaps Jacq^H^H^H^HEric can add this to the next round of documentation. Or are trailing carriage returns just *nix common sense?

:Max
RE: [leaf-user] IPSec WiFi vs. weblet
At 06:20 PM 12/29/2003 +0100, Christopher Harewood wrote:
> Eureka!
>
> Determined to resolve this issue, I attempted to access the weblet over the VPN, and checked to see if any log file was touched. Just one. daemon.log. Which told me that I had failed to place a carriage return after the second entry in hosts.allow for my ipsec'd subnet. One carriage return later, all is well.
>
> Rejoice, etc.
>
> Thanks to one and all for their help. Perhaps Jacq^H^H^H^HEric can add this to the next round of documentation. Or are trailing carriage returns just *nix common sense?

Not quite *nix common sense, but a good bit more general than this specific file (/etc/hosts.allow).

Some text files need a NEWLINE (0x0A or LineFeed, not a carriage return or 0x0D ... though properly configured Unix/Linux keyboard/text-processor combos do insert the correct character when the ENTER key is pressed, editing on a DOS/Windows system and moving the file to a Unix/Linux system can introduce problems here) at the end of the last line of text. Some do not. As best as I can recall, adding one never hurts.

Whether this means the docs for a specific package should mention it or not is unclear to me ... if it should, I suspect a lot of documentation needs this addition, not just this package.
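A check for the two line-ending problems named in the reply above (no LF after the last line, and DOS CR LF endings brought in from a Windows editor), added here as an example and not code from the thread. The sample file is a constructed hosts.allow with the same two entries as the thread and, as in Max's case, no newline after the second one; the function names are the example's own.

```shell
#!/bin/sh
# Added example: check a text config file such as /etc/hosts.allow for a
# missing NEWLINE (0x0A) after the last line and for DOS line endings
# (0x0D 0x0A), and repair both.

# ends_with_newline FILE -> 0 if the last byte is LF (or the file is empty)
ends_with_newline() {
    # $(...) strips trailing newlines, so a file ending in LF yields ""
    [ -z "$(tail -c 1 "$1")" ]
}

# has_cr FILE -> 0 if any line carries a trailing carriage return
has_cr() {
    awk '/\r$/ { found = 1 } END { exit !found }' "$1"
}

# fix_line_endings FILE: drop every CR and make sure the last line is
# terminated; writing back with cat keeps the file's owner and mode
fix_line_endings() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" | awk '{ print }' > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# check_file FILE -> prints a verdict, returns 0 only when the file is clean
check_file() {
    rc=0
    ends_with_newline "$1" || { echo "$1: no newline after last line"; rc=1; }
    has_cr "$1" && { echo "$1: DOS line endings (CR) present"; rc=1; }
    [ $rc -eq 0 ] && echo "$1: ok"
    return $rc
}

# Constructed sample: hosts.allow with the thread's two entries, the second
# one left unterminated as described above
SAMPLE=$(mktemp)
printf 'ALL: 192.168.1.0/255.255.255.0\nALL: 192.168.3.0/255.255.255.0' > "$SAMPLE"
check_file "$SAMPLE" || { fix_line_endings "$SAMPLE"; check_file "$SAMPLE"; }
rm -f "$SAMPLE"
```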
[leaf-user] IPSEC
Hope everyone had a happy Christmas, can anyone point me to documentation about the Bering uClib2.0 IPSEC package? The links at Freeswan don't seem very relevant to the config in Bering. I'm trying to set the RSA keys up but not having any success so far.

Best wishes for the new year,

robert von Knobloch
Re: [leaf-user] IPSEC
On Friday, 26 December 2003 12:28, Robert Sabine von Knobloch wrote:
> Hope everyone had a happy Christmas, can anyone point me to documentation about the Bering uClib2.0 IPSEC package? The links at Freeswan don't seem very relevant to the config in Bering. I'm trying to set the RSA keys up but not having any success so far.

"any success so far" isn't precise enough to help you. What says lrpkg -l? I'm also interested in /var/log/auth.log and /var/log/messages...

kp
RE: [leaf-user] IPSec WiFi vs. weblet
Hi all,

I use two wireless networks simultaneously in a Soekris embedded PC with Bering V1.2, plus one normally wired LAN. Weblet runs fine from all subnets.

I have not uncommented this in the ssh.httpd.conf file:

#Who can access the server?
#CLIENT_ADDRS=192.168.1

In the Shorewall policy file, I have this:

fw loc ACCEPT
loc fw ACCEPT

and the same for all invoked interfaces wlan0 and wlan1 zone aliases.

I hope this could help. If not, let me know what you want more.

Good Luck.

Best Regards,
Francois BERGERET, France.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Christopher Harewood
Sent: Monday 15 December 2003 07:10
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] IPSec WiFi vs. weblet

The 192.168.3.0 subnet is my IPSec vpn. Hence, in /etc/shorewall/rules:

ACCEPT loc fw tcp 80
ACCEPT vpn fw tcp 80

No weblet over the vpn, and no hits in the firewall log, so I surmise that it's not a Shorewall issue. But I've been wrong before.
Re: [leaf-user] IPSec WiFi vs. weblet
Tried both of these before posting. 192.168.1.0 is my wired subnet, 192.68.3.0 is my wireless subnet.

hosts.allow:

ALL: 192.168.1.0/255.255.255.0
ALL: 192.168.3.0/255.255.255.0

sh-httpd.conf (pertinent parts):

# Who are we - used for CGI scripts
SERVER_NAME=ice.rawdata.lab
SERVER_ADDR=192.168.1.99
SERVER_PORT=80
# Who can access the server?
CLIENT_ADDRS=192.168.1. 192.168.3.

On Sat, 13 Dec 2003, Lynn Avants wrote:
> A declaration of the wireless host(s) in the /etc/host.allow file on the Bering machine and likely in /etc/sh-httpd.conf as well
Re: [leaf-user] IPSec WiFi vs. weblet
Christopher Harewood wrote:
> Tried both of these before posting. 192.168.1.0 is my wired subnet, 192.68.3.0 is my wireless subnet.
>
> hosts.allow:
>
> ALL: 192.168.1.0/255.255.255.0
> ALL: 192.168.3.0/255.255.255.0
>
> sh-httpd.conf (pertinent parts):
>
> # Who are we - used for CGI scripts
> SERVER_NAME=ice.rawdata.lab
> SERVER_ADDR=192.168.1.99
> SERVER_PORT=80
> # Who can access the server?
> CLIENT_ADDRS=192.168.1. 192.168.3.
>
> On Sat, 13 Dec 2003, Lynn Avants wrote:
>> A declaration of the wireless host(s) in the /etc/host.allow file on the Bering machine and likely in /etc/sh-httpd.conf as well

Did you open the port up on the firewall in /etc/shorewall/rules for normal weblet access from loc, which would appear to be 192.168.1?

ACCEPT loc fw tcp 80

Perhaps you need one for whatever the name of your other 192.168.3 internal network is:

ACCEPT ?? fw tcp 80
Re: [leaf-user] IPSec WiFi vs. weblet
On Saturday 13 December 2003 12:25 am, Christopher Harewood wrote:
> I have finally (through the alignment of planets, presumably) set up IPSec on the wifi connection to my Bering box. All works well (browse Samba shares with no problems, net access, etc.) The only thing that fails to load over the ipsec tunnel is the weblet. It works fine from any wired local machine. Any ideas?

A declaration of the wireless host(s) in the /etc/host.allow file on the Bering machine and likely in /etc/sh-httpd.conf as well

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
[leaf-user] IPSec WiFi vs. weblet
I have finally (through the alignment of planets, presumably) set up IPSec on the wifi connection to my Bering box. All works well (browse Samba shares with no problems, net access, etc.) The only thing that fails to load over the ipsec tunnel is the weblet. It works fine from any wired local machine. Any ideas?

:Max
Re: [leaf-user] IPSEC NAT traversal with shorewall HELP!
On Tuesday 25 November 2003 08:47 pm, Troy Aden wrote:
[...]
> My goal with this configuration is to have two networks linked via IPSEC. I would expect that all users from site A will be able to communicate with all users on site B transparently meaning that for all intents and purposes users on site A's internal network would be able to communicate with users from site B's internal network as if they were on the same LAN. If I am off base in how this works, please feel free to correct me.

DNS, WINS, and other forms of broadcast traffic will not work ideally across the tunnel transparently. For SMB networking, you'll likely have to link PDC's and/or WINS servers on each subnet. There is some information on this at http://leaf.sf.net/devel/guitarlynn/ipsec.txt

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
RE: [leaf-user] IPSEC NAT traversal with shorewall HELP!
Thanks!

Ok I followed your procedure and I am getting this when I initiate the tunnel from the Victoria side:

ipsec whack --initiate --name victoria
002 victoria #1: initiating Main Mode
104 victoria #1: STATE_MAIN_I1: initiate
106 victoria #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 victoria #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 victoria #1: Main mode peer ID is ID_IPV4_ADDR: '139.142.224.39'
002 victoria #1: ISAKMP SA established
004 victoria #1: STATE_MAIN_I4: ISAKMP SA established
002 victoria #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
117 victoria #2: STATE_QUICK_I1: initiate
010 victoria #2: STATE_QUICK_I1: retransmission; will wait 20s for response

It never completes the tunnel. Can anyone please tell me what I am missing here?

Thanks in advance!

Troy

-----Original Message-----
From: Lynn Avants [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 1:10 AM
To: Troy Aden; Leaf-User ([EMAIL PROTECTED])
Subject: Re: [leaf-user] IPSEC NAT traversal with shorewall HELP!

On Tuesday 25 November 2003 08:47 pm, Troy Aden wrote:
[...]
> My goal with this configuration is to have two networks linked via IPSEC. I would expect that all users from site A will be able to communicate with all users on site B transparently meaning that for all intents and purposes users on site A's internal network would be able to communicate with users from site B's internal network as if they were on the same LAN. If I am off base in how this works, please feel free to correct me.

DNS, WINS, and other forms of broadcast traffic will not work ideally across the tunnel transparently. For SMB networking, you'll likely have to link PDC's and/or WINS servers on each subnet. There is some information on this at http://leaf.sf.net/devel/guitarlynn/ipsec.txt

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81