RE: [leaf-user] What is latest Freeswan for Bering 1.2?

2004-11-11 Thread Tibbs, Richard

OK, the verdict seems to be that Charles' suggestion worked (for pings
-- we are only testing the connection with pings) --- so I doubt that
ping tests the CLAMPMSS parm. A large file transfer would probably need
it so I put CLAMPMSS=yes in shorewall.conf.

We are now able to ping across campus.  Today ping, tomorrow MP3s!  

Thanks all
Rick. 







---
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_idU88alloc_id065op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


[leaf-user] What is latest Freeswan for Bering 1.2?

2004-11-10 Thread Tibbs, Richard

Dear List,
I am wondering if there is any newer version such as Freeswan 2.06 in a
.lrp that is available.  I am running Bering 1.2 (kernel 2.4.20).  The
current version of freeswan is 1.99.6.2.

TIA,
Rick.







RE: [leaf-user] What is latest Freeswan for Bering 1.2?

2004-11-10 Thread Peter Mueller
> Dear List,
> I am wondering if there is any newer version such as Freeswan 2.06 in a
> .lrp that is available.  I am running Bering 1.2 (kernel 2.4.20).  The
> current version of freeswan is 1.99.6.2.

FreeSWAN is now OpenSWAN.  There are no updates for Bering.  For
Bering-uclibc though, you can get the latest openswan.

http://leaf.sourceforge.net/mod.php?mod=userpagemenu=91017page_id=51

Is there a feature you want that's available in 2.06 that isn't in 1.99?

Regards,

P




RE: [leaf-user] What is latest Freeswan for Bering 1.2?

2004-11-10 Thread Tibbs, Richard
Hmm.
I have not had luck with Bering uclibc -- some of my nics are natsemi,
and I could not get a working natsemi.o.
The freeswan site says that up through v2.03 will work on 2.4.17+
kernels. There is also a super-freeswan 1.99.8 -- with the x509 and
NAT-t patches.
I thought I would give that a try.

Does anyone know if there is a makefile target for just the binary?
(no downloads I know of for just the binary from freeswan.org).

TIA,
Rick.

-Original Message-
From: Peter Mueller [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 10, 2004 12:58 PM
To: Tibbs, Richard; [EMAIL PROTECTED]
Subject: RE: [leaf-user] What is latest Freeswan for Bering 1.2?

> Dear List,
> I am wondering if there is any newer version such as Freeswan 2.06 in a
> .lrp that is available.  I am running Bering 1.2 (kernel 2.4.20).  The
> current version of freeswan is 1.99.6.2.

FreeSWAN is now OpenSWAN.  There are no updates for Bering.  For
Bering-uclibc though, you can get the latest openswan.

http://leaf.sourceforge.net/mod.php?mod=userpagemenu=91017page_id=51

Is there a feature you want that's available in 2.06 that isn't in 1.99?

Regards,

P





RE: [leaf-user] What is latest Freeswan for Bering 1.2?

2004-11-10 Thread Tibbs, Richard
On the feature issue: We have had a problem with messages in the log
files saying no route available.
I have a successful road warrior from just outside the firewall, but
across campus, (beyond the next router) things stop working with the
above message.

I was hoping an upgrade to 1.99.8 or beyond might be better.  
Upgrading is fairly easy once I have a 2.4.x glibc binary.

Rick.

-Original Message-
From: Peter Mueller [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 10, 2004 12:58 PM
To: Tibbs, Richard; [EMAIL PROTECTED]
Subject: RE: [leaf-user] What is latest Freeswan for Bering 1.2?

> Dear List,
> I am wondering if there is any newer version such as Freeswan 2.06 in a
> .lrp that is available.  I am running Bering 1.2 (kernel 2.4.20).  The
> current version of freeswan is 1.99.6.2.

FreeSWAN is now OpenSWAN.  There are no updates for Bering.  For
Bering-uclibc though, you can get the latest openswan.

http://leaf.sourceforge.net/mod.php?mod=userpagemenu=91017page_id=51

Is there a feature you want that's available in 2.06 that isn't in 1.99?

Regards,

P





Re: [leaf-user] What is latest Freeswan for Bering 1.2?

2004-11-10 Thread Charles Steinkuehler
Tibbs, Richard wrote:
> On the feature issue: We have had a problem with messages in the log
> files saying no route available.
> I have a successful road warrior from just outside the firewall, but
> across campus, (beyond the next router) things stop working with the
> above message.
>
> I was hoping an upgrade to 1.99.8 or beyond might be better.
> Upgrading is fairly easy once I have a 2.4.x glibc binary.

Do you have appropriate [left|right]nexthop stanzas in your connection 
descriptions?  This doesn't sound like a problem that will be solved by a 
newer version of [free|open]s/wan.

--
Charles Steinkuehler
[EMAIL PROTECTED]


RE: [leaf-user] What is latest Freeswan for Bering 1.2?

2004-11-10 Thread Tibbs, Richard
Here is the ipsec.conf file.  If you want a barf, let me know.
TIA Rick.
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    #interfaces=ipsec0=eth0
    # Debug-logging controls:  none for (almost) none, all for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes
    nat_traversal=no

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    #authby=rsasig
    # Authentication by pre-shared secret key
    authby=secret
    right=137.45.192.190
    #left=%defaultroute
    rightsubnet=192.168.10.0/24
    #leftnexthop=%direct
    rightfirewall=yes
    pfs=yes
    auto=add
    #leftrsasigkey=%dns
    #rightrsasigkey=%dns

conn road-warrior
    left=%any



-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 10, 2004 1:42 PM
To: Tibbs, Richard
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] What is latest Freeswan for Bering 1.2?

Tibbs, Richard wrote:

> On the feature issue: We have had a problem with messages in the log
> files saying no route available.
> I have a successful road warrior from just outside the firewall, but
> across campus, (beyond the next router) things stop working with the
> above message.
>
> I was hoping an upgrade to 1.99.8 or beyond might be better.
> Upgrading is fairly easy once I have a 2.4.x glibc binary.

Do you have appropriate [left|right]nexthop stanzas in your connection 
descriptions?  This doesn't sound like a problem that will be solved by a 
newer version of [free|open]s/wan.

-- 
Charles Steinkuehler
[EMAIL PROTECTED]





Re: [leaf-user] What is latest Freeswan for Bering 1.2?

2004-11-10 Thread Charles Steinkuehler
Tibbs, Richard wrote:
> Here is the ipsec.conf file.  If you want a barf, let me know.
> TIA Rick.

As mentioned, you need a nexthop value...in your case, a rightnexthop 
setting.  This should be set to the default gateway of the leaf box.

Alternatively, you can set right=%defaultroute and the rightnexthop setting 
(along with the appropriate IP for 'right') will get automatically filled in.

Per the ipsec.conf man page for Dachstein (substitute 'right' for 'left' 
given your config file):

left
(required) the IP address of the left participant's public-network 
interface, in any form accepted by ipsec_ttoaddr(3). If it is the magic 
value %defaultroute, and interfaces=%defaultroute is used in the config 
setup section, left will be filled in automatically with the local address 
of the default-route interface (as determined at IPsec startup time); this 
also overrides any value supplied for leftnexthop. (Either left or right may 
be %defaultroute, but not both.) The magic value %any signifies an address 
to be filled in (by automatic keying) during negotiation; the magic value 
%opportunistic signifies that both left and leftnexthop are to be filled in 
(by automatic keying) from DNS data for left's client.

leftnexthop
next-hop gateway IP address for the left participant's connection to 
the public network; defaults to %direct (meaning right). If the value is to 
be overridden by the left=%defaultroute method (see above), an explicit 
value must not be given. If that method is not being used, but leftnexthop 
is %defaultroute, and interfaces=%defaultroute is used in the config setup 
section, the next-hop gateway address of the default-route interface will be 
used. The magic value %direct signifies a value to be filled in (by 
automatic keying) with the peer's address.

For the full man page:
http://lrp.steinkuehler.net/Packages/man/IPSec1.91/manpage.d/ipsec.conf.5.html
In summary, since you're explicitly setting 'right', but *NOT* setting 
'rightnexthop', FreeS/WAN by default assumes the far end of the connection 
is directly connected to your 'right' interface, which is what's causing your 
problems (i.e.: IPSec traffic not routed through your default gateway).

--
Charles Steinkuehler
[EMAIL PROTECTED]
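The check Charles describes can be automated. The following is an added example, not code from this thread, from FreeS/WAN or from LEAF: a small linter that parses a FreeS/WAN 1.x style ipsec.conf (only 'config setup', 'conn NAME' sections, indented key=value lines, '#' comments and 'conn %default' inheritance; 'also=' and 'include' are not handled) and flags every conn side whose address is a literal IP while its nexthop is left at the %direct default. The sample configs are constructed to mirror the one posted above; the gateway address 137.45.192.1 used in the fixed variant is a placeholder, not a value from the thread.

```python
"""Lint an ipsec.conf for a literal left/right address with no nexthop.

Added example (not FreeS/WAN or LEAF code). Minimal parser: 'config setup',
'conn NAME', indented key=value, '#' comments, 'conn %default' inheritance.
"""
import ipaddress


def parse_ipsec_conf(text):
    """Return {section header: {key: value}}, e.g. {'conn road-warrior': {...}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():               # unindented line starts a section
            parts = line.split()
            if len(parts) == 2 and parts[0] in ("config", "conn"):
                current = f"{parts[0]} {parts[1]}"
                sections.setdefault(current, {})
            else:
                current = None                  # unknown top-level keyword
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections, header):
    """Parameters of one conn with 'conn %default' values filled in underneath."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections.get(header, {}))
    return merged


def is_literal_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:                          # %any, %defaultroute, hostnames
        return False


def check_nexthop(sections):
    """Return [(conn name, side, message)] for each side with a literal address
    whose nexthop would default to %direct (i.e. 'the peer is on-link')."""
    findings = []
    setup = sections.get("config setup", {})
    for header in sections:
        if not header.startswith("conn ") or header == "conn %default":
            continue
        name = header[len("conn "):]
        conn = effective_conn(sections, header)
        for side in ("left", "right"):
            addr = conn.get(side)
            hop = conn.get(side + "nexthop")
            if addr is None or not is_literal_ip(addr):
                continue    # %defaultroute fills nexthop in itself; %any is the peer
            if hop is None or hop == "%direct":
                findings.append((name, side,
                    f"{side}={addr} is explicit but {side}nexthop is unset/%direct: "
                    f"the peer is treated as directly attached, not reached via "
                    f"the default gateway"))
            elif hop == "%defaultroute" and setup.get("interfaces") != "%defaultroute":
                findings.append((name, side,
                    f"{side}nexthop=%defaultroute needs interfaces=%defaultroute "
                    f"in 'config setup'"))
    return findings


# Constructed sample modelled on the config posted in the thread: the LEAF box
# is 'right' and conn road-warrior inherits it from conn %default.
BROKEN_CONF = """\
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    keyingtries=0
    authby=secret
    right=137.45.192.190
    rightsubnet=192.168.10.0/24
    rightfirewall=yes
    pfs=yes
    auto=add

conn road-warrior
    left=%any
"""

# Fix 1: explicit rightnexthop = the LEAF box's default gateway
# (137.45.192.1 is a placeholder, not an address from the thread).
FIXED_CONF = BROKEN_CONF.replace(
    "    right=137.45.192.190\n",
    "    right=137.45.192.190\n    rightnexthop=137.45.192.1\n")

# Fix 2: let right=%defaultroute fill in both right and rightnexthop.
AUTO_CONF = BROKEN_CONF.replace("right=137.45.192.190", "right=%defaultroute")


def lint(text):
    return check_nexthop(parse_ipsec_conf(text))


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("auto", AUTO_CONF)):
        print(label, lint(conf) or "OK")
```

Run against a real /etc/ipsec.conf by passing its contents to lint(); on the posted config it reports exactly one finding, for the 'right' side of road-warrior, and both corrected variants pass.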


RE: [leaf-user] What is latest Freeswan for Bering 1.2?

2004-11-10 Thread Erich Titl
Rick

At 21:14 10.11.2004 -0500, you wrote:
> No, didn't set CLAMPMSS.  The chief symptom so far has been a bad route.
> I think it was an error like
> Ioctlsroute or some such code.
>
> What is the MSS that you would recommend for Ipsec? The SA is getting
> established OK so far (so UDP is not the problem).
> Rick.

I would just set CLAMPMSS to yes in shorewall.conf. It adapts to the actual MTU 
size less 40 I believe.

Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16



