Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-30 Thread Erich Titl
Tom

Tom Eastep wrote:
 
 
 
 while true; do
   ip link ls dev ppp0 > /dev/null 2>&1 && break
   echo Waiting for ppp0 to come up...
   sleep 5
 done

Yes, that is more or less the thing I finally did, although this will
loop forever and without a console the poor luser might never know why.
So I placed a max_loop limit into my code.

Erich



---
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-30 Thread Erich Titl
Richard Saunders wrote:
 Does this problem have anything to do with shorewall? Shorewall seems to
 start up without a problem and everything else runs fine. It's only ipsec
 that can't find a default route.
 I thought inetd may be responsible. Not that I know anything much about it.

Shorewall is just one of the many services which may rely on routing
being set up correctly. IPSEC is another one.

Erich




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-30 Thread Erich Titl
Richard Saunders wrote:
 Thanks Tom and Eric
 I don't know if it matters to me how long it takes to come up, so long
 as everything that is supposed to work works once it's up.
 When ppp0 is up it's a router, until then it's a lump of useless metal
 chewing power.
 I have put the loop here:
 
 #!/bin/sh
 # IPsec startup and shutdown script
 # Copyright (C) 1998, 1999, 2001  Henry Spencer.
 
 /..SNIP
 
 # misc setup
 umask 022
 
 while true; do
 ip link ls dev ppp0 > /dev/null 2>&1 && break
 echo Waiting for ppp0 to come up...
 sleep 5
 done
 
 # do it
 case $1 in
   start|--start|stop|--stop)
 
 Is this alright? I won't get to test it until I can reboot on the weekend.

Give it a chance to barf in the loop to tell you what is wrong.

Erich





Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-30 Thread Erich Titl
Richard Saunders wrote:
 I managed to kick everyone off at lunchtime and reboot.
 The loop paused the startup for about half a second and off it went.
 Everything started up fine including ipsec.

I doubt it looped at all then.

Please ignore my previous post on the barf, I must be getting blind.
Still consider adding some logging to syslog in case you don't have a
console.

Erich




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Richard Saunders

Thanks Eric
Unfortunately that has had no effect, but I do think you are on the
right track, i.e. ipsec is starting before ppp0 is fully up, but since I
know nothing except being able to blindly follow instructions, I don't
like my chances of finding a solution myself.

Regarding "WARNING: ppp0 has route filtering turned on, KLIPS may not work":
this error has always been there and has never shown any detrimental effects
as far as I know. There have been previous threads regarding this and I think
the conclusion was to ignore it.

At 06:08 PM 28/09/2005, you wrote:

Hello Richard,

I've looked through the changes between ipsec from 2.2.3 and 2.3rc1; there
was a change in the start/stop levels of ipsec's init.d script due to
warnings when stopping ipsec.
The differences are:
(2.2.3): RCDLINKS=0,K42 1,K42 2,S42 3,S42 4,S42 5,S42 6,K42
(2.3rc1): RCDLINKS=0,K19 1,K19 2,S21 3,S21 4,S21 5,S21 6,K19

It could be that the ppp interface isn't fully brought up before ipsec is
started. You could try to change the /etc/init.d/ipsec script to read:
RCDLINKS=0,K19 1,K19 2,S41 3,S41 4,S41 5,S41 6,K19

Although the following line in your log is also somewhat strange:
Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route
filtering turned on, KLIPS may not work Sep 28 14:26:52 firewall
Did you also have that warning with 2.2.3? You can turn off route filtering
by setting spoofprotect=no in lrcfg - 1) Network configuration - 2)
network options file (/etc/network/options)

Eric Spakman

 Hi
 I am setting up uClibc 2.3rc1.
 I have copied the ipsec.conf file from my uClibc 2.23 box which has
 always worked ok. When starting up I get the following errors
 in auth.log:

 Sep 28 13:57:09 firewall pluto[21197]: no public interfaces found


 in daemon.log:

 Sep 28 13:57:07 firewall ipsec_setup: no default route, %defaultroute
 cannot cope!!!
 Sep 28 13:57:08 firewall ipsec_setup: ...Openswan IPsec started
 Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in
 w2k: %defaultroute requested but not known
 Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in
 net-net: %defaultroute requested but not known


 When the box finishes starting if I type ipsec setup restart  it runs
 fine.

 Sep 28 14:26:50 firewall ipsec_setup: Stopping Openswan IPsec...
 Sep 28 14:26:50 firewall ipsec_setup: stop ordered, but IPsec does
 not appear to be running!
 Sep 28 14:26:50 firewall ipsec_setup: doing cleanup anyway...
 Sep 28 14:26:51 firewall ipsec_setup: ...Openswan IPsec stopped
 Sep 28 14:26:51 firewall ipsec_setup: Starting Openswan IPsec 1.0.9...
 Sep 28 14:26:51 firewall ipsec_setup: Using /lib/modules/ipsec.o
 Sep 28 14:26:51 firewall ipsec_setup: KLIPS debug `none'
 Sep 28 14:26:52 firewall ipsec_setup: KLIPS ipsec0 on ppp0
 220.245.99.4 peer 202.7.162.162/32
 Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route
 filtering turned on, KLIPS may not work
 Sep 28 14:26:52 firewall
 ipsec_setup:  (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)
 Sep 28 14:26:52 firewall ipsec_setup: ...Openswan IPsec started


 Here is my setup:
 # basic configuration
 config setup
 interfaces=%defaultroute
 klipsdebug=none
 plutodebug=none
 plutoload=%search
 plutostart=%search
 uniqueids=yes

 # defaults for subsequent connection descriptions
 conn %default
 keyingtries=0

 conn net-net
 authby=rsasig
 left=220.245.99.4
 leftsubnet=192.168.1.0/24
 leftrsasigkey=[keyid AQON]
 leftnexthop=%defaultroute
 right=220.244.10.142
 rightsubnet=192.168.0.0/27
 rightrsasigkey=[keyid AQN7]
 rightnexthop=%defaultroute
 pfs=yes
 auto=add

 conn w2k
 authby=rsasig
 left=220.245.99.4
 leftsubnet=192.168.1.0/24
 leftnexthop=%defaultroute
 leftrsasigkey=%cert
 leftcert=fwCert.pem
 right=%any
 rightrsasigkey=%cert
 leftid=CN=fw
 pfs=yes
 auto=add
 #


 Any ideas on what might be happening?















Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Erich Titl
Rick

Richard Saunders wrote:
 Thanks Eric
 Unfortunately that has had no effect, but I do think you are on the
 right track
 ie. ipsec is starting before ppp0 is fully up, but since I know nothing
 except
 being able to blindly follow instructions, I don't like my chances of
 finding a
 solution myself.

This problem has always existed for any connection type. It shows up in
a lot of different locations on all Bering versions. I saw this on ppp
connections as well as pcmcia based ethernet connections. The common
denominator of all these is that you cannot predict reliably how long
they take to come up, but the init script may terminate _before_ they
are up completely.

What is missing is a generic solution to assert _all_ necessary
connections/services are up _before_ any service depending on them is
started. This is true for ipsec but also for shorewall and probably
other services. I am running a fair number of WRAP boards as IPSEC end
points. These boards do not have a battery for the clock, so the time is
lost at power down. I am using certificates for the ipsec links,
therefore I need to have accurate system time. I am running ntpdate early
at start up, but a slow connection may make a single ntpdate start
fail. So I have to check connectivity to the uplink router and the
presence of a default route before I even attempt to update my system time.

cheers

Erich




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Paul Traina

This problem has always existed for any connection type. It shows up in
a lot of different locations on all Bering versions. I saw this on ppp
connections as well as pcmcia based ethernet connections. The common
denominator of all these is that you cannot predict reliably how long
they take to come up, but the init script may terminate _before_ they
are up completely.


Agreed.  Shorewall by default has really awful failure modes if the 
upstream ppp interface isn't up yet.


I'd love to have an "is up?" semaphore, but perhaps in some cases, we
should instead be triggering the apps by the fact that the interface is
up.  Both /etc/network/interfaces and ppp have trigger scripts they can
call for interface up.  Then it comes down to what "is up?" -- link up?
address configured and able to pass data?  routing up?


I don't want to confuse things with those last questions, there probably 
is no universal good way to do these things.  Frankly, I wish shorewall 
was just a little smarter when it came to ephemeral interfaces.


Paul





Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Richard Saunders
Is it possible just to insert a pause somewhere in the startup
scripts to wait for ppp0 to come up before continuing?

At 07:43 AM 30/09/2005, you wrote:

This problem has always existed for any connection type. It shows up in
a lot of different locations on all Bering versions. I saw this on ppp
connections as well as pcmcia based ethernet connections. The common
denominator of all these is that you cannot predict reliably how long
they take to come up, but the init script may terminate _before_ they
are up completely.


Agreed.  Shorewall by default has really awful failure modes if the 
upstream ppp interface isn't up yet.


I'd love to have an "is up?" semaphore, but perhaps in some cases,
we should instead be triggering the apps by the fact that the
interface is up.  Both /etc/network/interfaces and ppp have trigger
scripts they can call for interface up.  Then it comes down to what
"is up?"  -- link up? address configured and able to pass data?  routing up?


I don't want to confuse things with those last questions, there 
probably is no universal good way to do these things.  Frankly, I 
wish shorewall was just a little smarter when it came to ephemeral interfaces.


Paul







Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Tom Eastep
Richard Saunders wrote:
 Is it possible just to insert a pause somewhere in the startup scripts
 to wait for ppp0 to come up before continuing?
 

You could place a pause/check loop in /etc/shorewall/init. Or, better
yet, configure Shorewall so that it doesn't require ppp0 to be up when
it starts.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Erich Titl

Richard Saunders wrote:
Is it possible just to insert a pause somewhere in the startup scripts
to wait for ppp0 to come up before continuing?


Yes, that was my first approach, unfortunately not a very smart one, as,
for example, ppp may take a very long time to come up.


Erich





Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Tom Eastep
Erich Titl wrote:
 Richard Saunders wrote:
 Is it possible just to insert a pause somewhere in the startup scripts
 to wait for ppp0 to come up before continuing?
 
 Yes, that was my first approach, unfortunately not a very smart one, as,
 for example, ppp may take a very long time to come up.
 

while true; do
    ip link ls dev ppp0 > /dev/null 2>&1 && break
    echo Waiting for ppp0 to come up...
    sleep 5
done

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Erich Titl

Paul Traina wrote:

This problem has always existed for any connection type. It shows up in
a lot of different locations on all Bering versions. I saw this on ppp
connections as well as pcmcia based ethernet connections. The common
denominator of all these is that you cannot predict reliably how long
they take to come up, but the init script may terminate _before_ they
are up completely.



Agreed.  Shorewall by default has really awful failure modes if the 
upstream ppp interface isn't up yet.


I'd love to have an "is up?" semaphore, but perhaps in some cases, we
should instead be triggering the apps by the fact that the interface is
up.  Both /etc/network/interfaces and ppp have trigger scripts they can
call for interface up.  Then it comes down to what "is up?" -- link up?
address configured and able to pass data?  routing up?


Mhh... routing up is a pretty good indication for a dynamic interface to
work; a check against the uplink router might be even better.


I published an ipsec watchdog script some time ago on this list, which
uses this method and has proven to be rather reliable.


Erich






Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Richard Saunders
Does this problem have anything to do with shorewall? Shorewall seems
to start up without a problem and everything else runs fine. It's only
ipsec that can't find a default route.

I thought inetd may be responsible. Not that I know anything much about it.

At 08:24 AM 30/09/2005, you wrote:

Richard Saunders wrote:
 Is it possible just to insert a pause somewhere in the startup scripts
 to wait for ppp0 to come up before continuing?


You could place a pause/check loop in /etc/shorewall/init. Or, better
yet, configure Shorewall so that it doesn't require ppp0 to be up when
it starts.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key






Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Tom Eastep
Richard Saunders wrote:
 Does this problem have anything to do with shorewall? Shorewall seems to
 start up without a problem and everything else runs fine. It's only ipsec
 that can't find a default route.
 I thought inetd may be responsible. Not that I know anything much about it.
 

I was simply responding to Paul's and Erich's posts about Shorewall
problems caused by devices that aren't up when Shorewall starts. If in
your case Shorewall is starting without error when ppp0 is absent then
Shorewall isn't involved in your ipsec issue.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Paul Traina

Tom Eastep wrote:

You could place a pause/check loop in /etc/shorewall/init. Or, better
yet, configure Shorewall so that it doesn't require ppp0 to be up when
it starts.


I'm not sure I can come up with the semantics to do that, but I'd love 
to give it a try...


Here's what I've got:

Zones:

net     Net      Internet
loc     Local    Local networks
dmz     DMZ      Demilitarized zone
dsl     DSL      DSL modem nat area
guest   Guest    Guest host network

Interfaces:

dsl     eth0    detect  dhcp,routefilter
net     ppp0    -       tcpflags,blacklist,routefilter,norfc1918,nosmurfs,upnp
loc     eth1    detect  dhcp
dmz     eth2    detect  dhcp,routefilter
guest   ath0    detect  dhcp,routefilter

Masq:

(INT_QUEMADURA and EXT_QUEMADURA are internal and external IP addrs)
(ditto EXT_GUEST so guest network users are natted to a different routed
 IP addr in case they do something evil like send spam)

ppp0    $INT_QUEMADURA  $EXT_QUEMADURA
ppp0    eth1
ppp0    ath0            $EXT_GUEST
eth0    eth1

and rules (excerpted):

DNAT    net     loc:$INT_QUEMADURA      tcp     22      -       $EXT_QUEMADURA


Now, I'm assuming it's the masq entries referencing ppp0 that are 
kicking my ass?


So this error, is caused by routefilter/ppp0 not existing (soft err):

Setting up Kernel Route Filtering...
   Warning: Cannot set route filtering on ppp0

and this error is caused by masq?

Adding IP Addresses...
Device ppp0 does not exist.
Cannot find device ppp0

Do you suggest I do SNATing instead?  If so, who adds the ip aliases to
ppp0 and when?  I have 5 static IP addresses that I use, so SNAT is a
fine option (I use one IP for the fw/home nat, one for the bastion host,
and one for a separate guest network).




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Richard Saunders

Thanks Tom and Eric
I don't know if it matters to me how long it takes to come up, so
long as everything that is supposed to work works once it's up.
When ppp0 is up it's a router, until then it's a lump of useless metal
chewing power.

I have put the loop here:

#!/bin/sh
# IPsec startup and shutdown script
# Copyright (C) 1998, 1999, 2001  Henry Spencer.

/..SNIP

# misc setup
umask 022

while true; do
    ip link ls dev ppp0 > /dev/null 2>&1 && break
    echo Waiting for ppp0 to come up...
    sleep 5
done

# do it
case $1 in
  start|--start|stop|--stop)

Is this alright? I won't get to test it until I can reboot on the weekend.

At 08:35 AM 30/09/2005, you wrote:

Richard Saunders wrote:
Is it possible just to insert a pause somewhere in the startup
scripts to wait for ppp0 to come up before continuing?


Yes, that was my first approach, unfortunately not a very smart one,
as, for example, ppp may take a very long time to come up.


Erich







Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Tom Eastep
Paul Traina wrote:

 
 Adding IP Addresses...
 Device ppp0 does not exist.
 Cannot find device ppp0
 

Been a while since I had to deal with pppd but as I recall there is a
user-provided script that gets run when the interface comes up. Add the
IP addresses in that script rather than having Shorewall do it.

And set route filtering there too while you are at it rather than using
the Shorewall 'routefilter' option.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
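Tom's suggestion above is to let pppd's own up-hook add the alias addresses and set route filtering once the interface actually exists, instead of having Shorewall do it at a time when ppp0 may not be there. The script below is an added example, not code posted in this thread and not part of Shorewall, LEAF or pppd. It assumes pppd's documented ip-up calling convention (interface name, tty, speed, local IP, remote IP, ipparam as positional arguments), an install location of /etc/ppp/ip-up or a file under /etc/ppp/ip-up.d/ where the distribution dispatches to that directory, and the two addresses in EXTRA_ADDRS are constructed placeholders from the RFC 5737 documentation range; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): a pppd ip-up hook that aliases the
# extra static addresses onto the ppp interface and sets rp_filter there,
# so Shorewall never has to touch an interface that may not exist yet.
# pppd calls ip-up as:  ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Assumed install path: /etc/ppp/ip-up (or a file under /etc/ppp/ip-up.d/
# when the distribution's ip-up dispatches to that directory).

# Constructed placeholder values from the RFC 5737 documentation range;
# replace with the routed addresses actually assigned to you.
EXTRA_ADDRS="203.0.113.11 203.0.113.12"

# Sysctl file controlling reverse-path filtering for one interface.
rp_filter_path() {
    echo "/proc/sys/net/ipv4/conf/$1/rp_filter"
}

# Print the commands for IFACE rather than running them, so the plan can be
# reviewed (and tested) without touching the system.
#   ipup_commands IFACE "ADDR ADDR..." RP_FILTER_VALUE
# KLIPS wants rp_filter 0 on the interface it attaches to (the warning
# quoted in the thread); leaving it at 1 everywhere else keeps the kernel's
# source-address check on the other interfaces.
ipup_commands() {
    iface=$1; addrs=$2; rpf=${3:-1}
    for a in $addrs; do
        echo "ip addr add $a/32 dev $iface"
    done
    echo "echo $rpf > $(rp_filter_path "$iface")"
}

# Execute the plan, logging each command to syslog. A failure (for example
# an alias that already exists after a redial) is logged, not fatal.
ipup_apply() {
    ipup_commands "$@" | while read -r cmd; do
        if sh -c "$cmd"; then
            logger -t ip-up -- "ok: $cmd" 2>/dev/null || true
        else
            logger -t ip-up -- "failed: $cmd" 2>/dev/null || true
        fi
    done
}

# pppd always hands ip-up at least five arguments; with none (run by hand)
# the script only defines the functions above.
if [ $# -ge 5 ]; then
    ipup_apply "$1" "$EXTRA_ADDRS" 0
    # The interface now exists with its addresses: (re)start dependants
    # here, e.g. /etc/init.d/shorewall restart and ipsec setup restart.
fi
```

Running `ipup_commands ppp0 "$EXTRA_ADDRS" 0` by hand prints the exact `ip addr add` and rp_filter lines the hook would execute, which is the easiest way to review what the hook will do to the box before pppd runs it as root.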




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Tom Eastep
Richard Saunders wrote:

 
 # misc setup
 umask 022
 
 while true; do
 ip link ls dev ppp0 > /dev/null 2>&1 && break
 echo Waiting for ppp0 to come up...
 sleep 5
 done
 
 # do it
 case $1 in
   start|--start|stop|--stop)
 
 Is this alright? I won't get to test it until I can reboot on the weekend.

I don't have a ppp interface to test with so I don't know at what point
'ip link ls dev ppp0' returns 0 for an exit status. If the above doesn't
work, the output of 'ip' may need to be piped into 'grep -q' looking for
'inet' or something like that.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
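The suggestions in this thread fit together into one helper: Tom's `ip link` loop, Erich's loop limit and syslog logging (so a headless box does not hang silently), Tom's point above that the link may exist before an `inet` address does, and Erich's checks for a default route and reachability of the uplink router. The script below is an added example, not code posted in the thread and not part of Bering, Shorewall or Openswan. It assumes a POSIX sh with iproute2's `ip`, `ping` and `logger` available; the function names, the RUN_WAIT guard and the default limit of 24 tries at 5 s (about two minutes) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): a bounded "wait for the uplink"
# helper for an init script. Assumed: iproute2, ping and logger exist.

# Log to syslog when logger is available (a headless router has no console)
# and always to stderr so a console user sees it as well.
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t wait-uplink -- "$*" 2>/dev/null || true
    fi
    echo "wait-uplink: $*" >&2
}

# The link exists in the kernel (what the thread's 'ip link ls dev ppp0'
# tests). pppd creates the unit before IPCP has finished, so this alone
# can succeed while the interface still has no address.
has_link() {
    ip link show dev "$1" >/dev/null 2>&1
}

# The interface carries an IPv4 address (Tom's 'grep -q inet' idea).
has_addr() {
    ip -o -4 addr show dev "$1" 2>/dev/null | grep -q 'inet '
}

# A default route is present (what %defaultroute in ipsec.conf needs).
has_default_route() {
    ip -4 route show default 2>/dev/null | grep -q '^default'
}

# Gateway address of the default route; empty for a point-to-point route
# without a 'via', which is the usual shape of a ppp default route.
default_gateway() {
    ip -4 route show default 2>/dev/null | head -n 1 \
        | sed -n 's/.*via \([0-9.]*\).*/\1/p'
}

# One probe of the uplink router (Erich's connectivity check). Skipped
# when the default route has no gateway address to probe.
gateway_reachable() {
    gw=$(default_gateway)
    [ -z "$gw" ] && return 0
    ping -c 1 -W 2 "$gw" >/dev/null 2>&1
}

# wait_for_uplink IFACE [MAX_TRIES] [SLEEP_SECS]
# Returns 0 once link, address, default route and gateway are all good,
# 1 after MAX_TRIES attempts so the caller can bail out instead of
# looping forever (the failure mode Erich describes).
wait_for_uplink() {
    iface=$1; max=${2:-24}; pause=${3:-5}
    n=0
    while [ "$n" -lt "$max" ]; do
        if has_link "$iface" && has_addr "$iface" && has_default_route \
           && gateway_reachable; then
            log "$iface is up with a default route after $n retries"
            return 0
        fi
        n=$((n + 1))
        log "waiting for $iface (attempt $n of $max)"
        sleep "$pause"
    done
    log "giving up on $iface after $max attempts; dependants not started"
    return 1
}

# Stand-alone use:  RUN_WAIT=1 sh wait-uplink.sh ppp0 24 5 && ipsec setup start
if [ "${RUN_WAIT:-0}" = 1 ]; then
    wait_for_uplink "$@"
    exit $?
fi
```

In an init script such as /etc/init.d/ipsec the call belongs inside the start branch of the `case $1 in` rather than before it, as `wait_for_uplink ppp0 24 5 || exit 1`, so that a stop at shutdown is not delayed by a link that is already gone. The individual checks are separate functions on purpose: on a box where the default route has no gateway address the ping is skipped automatically, and a site that wants Erich's stricter watchdog behaviour can extend `gateway_reachable` without touching the loop.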




Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-29 Thread Richard Saunders

I managed to kick everyone off at lunchtime and reboot.
The loop paused the startup for about half a second and off it went.
Everything started up fine including ipsec.
Thank you very much Tom and Erich.
I am very grateful for your help.
Richard Saunders

At 10:56 AM 30/09/2005, you wrote:

Richard Saunders wrote:


 # misc setup
 umask 022

 while true; do
 ip link ls dev ppp0 > /dev/null 2>&1 && break
 echo Waiting for ppp0 to come up...
 sleep 5
 done

 # do it
 case $1 in
   start|--start|stop|--stop)

 Is this alright? I won't get to test it until I can reboot on the weekend.

I don't have a ppp interface to test with so I don't know at what point
'ip link ls dev ppp0' returns 0 for an exit status. If the above doesn't
work, the output of 'ip' may need to be piped into 'grep -q' looking for
'inet' or something like that.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key







Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-28 Thread Eric Spakman
Hello Richard,

I've looked through the changes between ipsec from 2.2.3 and 2.3rc1; there
was a change in the start/stop levels of ipsec's init.d script due to
warnings when stopping ipsec.
The differences are:
(2.2.3): RCDLINKS=0,K42 1,K42 2,S42 3,S42 4,S42 5,S42 6,K42
(2.3rc1): RCDLINKS=0,K19 1,K19 2,S21 3,S21 4,S21 5,S21 6,K19

It could be that the ppp interface isn't fully brought up before ipsec is
started. You could try to change the /etc/init.d/ipsec script to read:
RCDLINKS=0,K19 1,K19 2,S41 3,S41 4,S41 5,S41 6,K19

Although the following line in your log is also somewhat strange:
Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route
filtering turned on, KLIPS may not work Sep 28 14:26:52 firewall
Did you also have that warning with 2.2.3? You can turn off route filtering
by setting spoofprotect=no in lrcfg - 1) Network configuration - 2)
network options file (/etc/network/options)

Eric Spakman

 Hi
 I am setting up uClibc 2.3rc1.
 I have copied the ipsec.conf file from my uClibc 2.23 box which has
 always worked ok. When starting up I get the following errors
 in auth.log:

 Sep 28 13:57:09 firewall pluto[21197]: no public interfaces found


 in daemon.log:

 Sep 28 13:57:07 firewall ipsec_setup: no default route, %defaultroute
 cannot cope!!!
 Sep 28 13:57:08 firewall ipsec_setup: ...Openswan IPsec started
 Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in
 w2k: %defaultroute requested but not known
 Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in
 net-net: %defaultroute requested but not known


 When the box finishes starting if I type ipsec setup restart  it runs
 fine.

 Sep 28 14:26:50 firewall ipsec_setup: Stopping Openswan IPsec...
 Sep 28 14:26:50 firewall ipsec_setup: stop ordered, but IPsec does
 not appear to be running!
 Sep 28 14:26:50 firewall ipsec_setup: doing cleanup anyway...
 Sep 28 14:26:51 firewall ipsec_setup: ...Openswan IPsec stopped
 Sep 28 14:26:51 firewall ipsec_setup: Starting Openswan IPsec 1.0.9...
 Sep 28 14:26:51 firewall ipsec_setup: Using /lib/modules/ipsec.o
 Sep 28 14:26:51 firewall ipsec_setup: KLIPS debug `none'
 Sep 28 14:26:52 firewall ipsec_setup: KLIPS ipsec0 on ppp0
 220.245.99.4 peer 202.7.162.162/32
 Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route
 filtering turned on, KLIPS may not work
 Sep 28 14:26:52 firewall
 ipsec_setup:  (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)
 Sep 28 14:26:52 firewall ipsec_setup: ...Openswan IPsec started


 Here is my setup:
 # basic configuration
 config setup
 interfaces=%defaultroute
 klipsdebug=none
 plutodebug=none
 plutoload=%search
 plutostart=%search
 uniqueids=yes

 # defaults for subsequent connection descriptions
 conn %default
 keyingtries=0

 conn net-net
 authby=rsasig
 left=220.245.99.4
 leftsubnet=192.168.1.0/24
 leftrsasigkey=[keyid AQON]
 leftnexthop=%defaultroute
 right=220.244.10.142
 rightsubnet=192.168.0.0/27
 rightrsasigkey=[keyid AQN7]
 rightnexthop=%defaultroute
 pfs=yes
 auto=add

 conn w2k
 authby=rsasig
 left=220.245.99.4
 leftsubnet=192.168.1.0/24
 leftnexthop=%defaultroute
 leftrsasigkey=%cert
 leftcert=fwCert.pem
 right=%any
 rightrsasigkey=%cert
 leftid=CN=fw
 pfs=yes
 auto=add
 #


 Any ideas on what might be happening?















[leaf-user] ipsec %defaultroute in Bering 2.3 rc1

2005-09-27 Thread Richard Saunders

Hi
I am setting up uClibc 2.3rc1.
I have copied the ipsec.conf file from my uClibc 2.23 box which has 
always worked ok.

When starting up I get the following errors
in auth.log:

Sep 28 13:57:09 firewall pluto[21197]: no public interfaces found

in daemon.log:

Sep 28 13:57:07 firewall ipsec_setup: no default route, %defaultroute 
cannot cope!!!

Sep 28 13:57:08 firewall ipsec_setup: ...Openswan IPsec started
Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in 
w2k: %defaultroute requested but not known
Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in 
net-net: %defaultroute requested but not known


When the box finishes starting, if I type 'ipsec setup restart' it runs fine.

Sep 28 14:26:50 firewall ipsec_setup: Stopping Openswan IPsec...
Sep 28 14:26:50 firewall ipsec_setup: stop ordered, but IPsec does 
not appear to be running!

Sep 28 14:26:50 firewall ipsec_setup: doing cleanup anyway...
Sep 28 14:26:51 firewall ipsec_setup: ...Openswan IPsec stopped
Sep 28 14:26:51 firewall ipsec_setup: Starting Openswan IPsec 1.0.9...
Sep 28 14:26:51 firewall ipsec_setup: Using /lib/modules/ipsec.o
Sep 28 14:26:51 firewall ipsec_setup: KLIPS debug `none'
Sep 28 14:26:52 firewall ipsec_setup: KLIPS ipsec0 on ppp0 
220.245.99.4 peer 202.7.162.162/32
Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route 
filtering turned on, KLIPS may not work
Sep 28 14:26:52 firewall 
ipsec_setup:  (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)

Sep 28 14:26:52 firewall ipsec_setup: ...Openswan IPsec started

Here is my setup:
# basic configuration
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes



# defaults for subsequent connection descriptions
conn %default
keyingtries=0

conn net-net
authby=rsasig
left=220.245.99.4
leftsubnet=192.168.1.0/24
leftrsasigkey=[keyid AQON]
leftnexthop=%defaultroute
right=220.244.10.142
rightsubnet=192.168.0.0/27
rightrsasigkey=[keyid AQN7]
rightnexthop=%defaultroute
pfs=yes
auto=add

conn w2k
authby=rsasig
left=220.245.99.4
leftsubnet=192.168.1.0/24
leftnexthop=%defaultroute
leftrsasigkey=%cert
leftcert=fwCert.pem
right=%any
rightrsasigkey=%cert
leftid=CN=fw
pfs=yes
auto=add
#

Any ideas on what might be happening?





