Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread Eric Spakman
Hello Cpu,

Does the same fix apply to our current openswan-2.4.4?

Eric

 Hello,


 In addition to specifying a label I couldn't get openswan to work with
 secondary IPs unless I changed this line in _startklips:

 eval `ip addr show $phys primary | grep inet | sed -n 1p |

 to:


 eval `ip addr show ${phys%%:*} label $phys | grep inet | sed -n 1p

 -cpu


 Charles Steinkuehler wrote:



 Sandro Doro wrote:

 Hi,


 I am testing Bering 2.3.1 with a multiple IP interface as:


 # ip addr show eth0
 5: eth0: BROADCAST,MULTICAST,ALLMULTI,UP mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
     inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
     inet 82.46.148.128/24 scope global secondary eth0
     inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link


 Using the included ipsec.lrp (v.1.0.9) I setup VPN with:


 # /etc/ipsec.conf
 [...]
 interfaces=ipsec0=eth0 ipsec1=eth0:0 [...]


 After /etc/init.d/ipsec restart the following messages are printed:


 Device eth0:0 does not exist.
 ipsec_setup: unable to determine address of `eth0:0'


 These messages are also printed if I change the ip address with the
 following command:

 ip addr add 82.46.148.128/24 dev eth0 label eth0:0

 I have read in


 http://www.freeswan.ca/docs/HA/HA_VPNS_With_FreeSWAN.html


 that this interface specification is correct. Is this possible only in
 the v2 release (Bering v2.4)?

 Thank you for any suggestions.


 I haven't tried this with FreeS/WAN, but I suspect your problem is you
 don't have an eth0:0.

 You *DO* have a secondary IP address on your external interface, but it
 has no name (linux hasn't required the ethn:m syntax since at
 least 2.2).

 Try removing the secondary IP, re-adding it with an appropriate label
 then starting freeswan:

 ip addr del 82.46.148.128/24 dev eth0
 ip addr add 82.46.148.128/24 label eth0:0 dev eth0
 svi ipsec start

 ...if that works, you'll need to change how you're adding the IP alias
 in your startup scripts.

 - --
 Charles Steinkuehler
  leaf-user mailing list: leaf-user@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/leaf-user
 Support Request -- http://leaf-project.org/













Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread cpu memhd
Hi Eric,

I'm not using openswan 2.4.4, I'm using 1.0.9. But I did look at the newer
_startklips and the line is the same. To me, this suggests it's making the
same assumptions about the interface. My guess is that it will work.

original 2.4.4
/usr/lib/ipsec/_startklips:

eval `ip addr show $phys primary | grep inet | sed -n 1p |

original 1.0.9
/lib/ipsec/_startklips:

eval `ip addr show $phys primary | grep inet | sed -n 1p |

-cpu


Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread Eric Spakman
Hello Cpu,

A pity 2.4.4 is not working ok for you. You are the first reporting a
problem with it.
I looked through various documents and it seems like all those ciphers are
supported but probably internal.

Does the _startklips fix still support plain ethx interfaces?

Eric




Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread cpu memhd
Eric,

Regarding openswan 2.x. It looks like one is supposed to use cryptoapi
instead of Juanjo's crypto algorithms. But there is no real info on how to
go from 1.x to 2.x. After getting stuck on SHA2_256 I gave up. Also, on
1.0.9 I made some modifications to ./pluto/kernel.c to allow for multiple
ipsec connections from the same host and I would have to do the same for
2.4.4, which is quite different. It might not even work. Not worth the
hassle right now.

The _startklips fix is backward compatible. Most of my ipsec hosts use only
a single ip address using interfaces=ipsec0=eth0.

-cpu
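
An added example (not code from any poster in this thread or from openswan): a pre-flight check that resolves each `interfaces=` entry the way the modified `_startklips` line does, taking the device as `${phys%%:*}` and selecting the address by its label. The function names and the sample `ip addr show` text are constructed for illustration; on a real host the text would come from `ip addr show`.

```shell
#!/bin/sh
# Added example: check that every phys named in ipsec.conf "interfaces="
# resolves to an address before ipsec is started.
# Assumption: an exact label name is passed, so matching the last field of an
# "inet" line is equivalent to `ip addr show DEV label LABEL` for that name.

# Constructed sample: secondary address added WITH "label eth0:0".
SAMPLE_LABELLED='5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
    inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
    inet 82.46.148.128/24 scope global secondary eth0:0
    inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link'

# Constructed sample: secondary address added WITHOUT a label (it inherits "eth0").
SAMPLE_UNLABELLED='5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
    inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
    inet 82.46.148.128/24 scope global secondary eth0
    inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link'

# Value of "interfaces=" from the thread.
SPEC='ipsec0=eth0 ipsec1=eth0:0'

# addr_for_phys PHYS   (reads `ip addr show` text on stdin)
# Device is PHYS with any ":alias" suffix stripped; the result is the first
# IPv4 address on that device whose label equals PHYS. Returns 1 if none.
addr_for_phys() {
    _phys=$1
    _dev=${_phys%%:*}          # eth0:0 -> eth0, eth0 -> eth0
    _addr=$(awk -v dev="$_dev" -v label="$_phys" '
        /^[0-9]+: / { cur = $2; sub(/[:@].*$/, "", cur); next }   # new device block
        cur == dev && $1 == "inet" && $NF == label { print $2; exit }
    ')
    if [ -n "$_addr" ]; then
        printf '%s\n' "$_addr"
    else
        return 1
    fi
}

# check_interfaces SPEC IP_OUTPUT
# Prints one line per virt=phys pair; returns 1 if any phys has no address.
check_interfaces() {
    spec=$1
    ipout=$2
    rc=0
    for pair in $spec; do
        virt=${pair%%=*}
        phys=${pair#*=}
        if addr=$(printf '%s\n' "$ipout" | addr_for_phys "$phys"); then
            echo "$virt=$phys -> $addr"
        else
            echo "$virt=$phys -> no address labelled $phys on ${phys%%:*}"
            rc=1
        fi
    done
    return $rc
}

# Demo: the labelled host resolves both entries; the unlabelled one does not.
check_interfaces "$SPEC" "$SAMPLE_LABELLED"
check_interfaces "$SPEC" "$SAMPLE_UNLABELLED" || echo "relabel the secondary address before starting ipsec"
```

A plain `eth0` entry resolves to the primary address in both samples, which is the backward-compatible behaviour described above.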



Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread Eric Spakman
Hi Cpu,

 Eric,


 Regarding openswan 2.x. It looks like one is supposed to use cryptoapi
 instead of Juanjo's crypto algorithms. But there is no real info on how to

The cryptoapi stuff is optional and the other ciphers are internal to pluto:

LIBDESSRCDIR=${OPENSWANSRCDIR}/linux/crypto/ciphers/des
LIBDESLITE:=${OBJDIRTOP}/lib/libcrypto/libdes/libdes.a
LIBAES=${OBJDIRTOP}/lib/libcrypto/libaes/libaes.a
LIBBLOWFISH=${OBJDIRTOP}/lib/libcrypto/libblowfish/libblowfish.a
LIBTWOFISH=${OBJDIRTOP}/lib/libcrypto/libtwofish/libtwofish.a
LIBSERPENT=${OBJDIRTOP}/lib/libcrypto/libserpent/libserpent.a
LIBSHA2=${OBJDIRTOP}/lib/libcrypto/libsha2/libsha2.a

But it seems like this is only added if USE_EXTRACRYPTO is set, which
will add an enormous bloat to the pluto binary.
I will look into how to implement cryptoapi, so the ciphers can be used
modular again.


 go from 1.x to 2.x. After getting stuck on SHA2_256 I gave up. Also, on
 1.0.9 I made some modifications to ./pluto/kernel.c to allow for multiple
 ipsec connections from the same host and I would have to do the same for
 2.4.4, which is quite different. It might not even work. Not worth the
 hassle right now.

I understand, but note that 1.0.x is end of life.

 The _startklips fix is backward compatible. Most of my ipsec hosts use
 only a single ip address using interfaces=ipsec0=eth0.

Ok, thanks! I will add this fix later today.

 -cpu

Eric




Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread cpu memhd
Hmmm... Where/how do you set USE_EXTRACRYPTO?
-cpu


Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread Eric Spakman
Hi Cpu,

In makefile.inc

But a much better fix will be to enable cryptoapi in the kernel config and
rebuild openswan against it. Only the standard openswan patch doesn't
contain that option and I have to make a patch against it.

Eric

 Hmmm... Where/how do you set USE_EXTRACRYPTO?
 -cpu


 Eric Spakman wrote:

 Hi Cpu,


 Eric,



 Regarding openswan 2.x. It looks like one is supposed to use
 cryptoapi instead of Juanjo's crypto algorithms. But there is no real
 info on how
 to

 The cryptoapi stuff is optional and the other ciphers are internal to

 pluto:


 LIBDESSRCDIR=${OPENSWANSRCDIR}/linux/crypto/ciphers/des
 LIBDESLITE:=${OBJDIRTOP}/lib/libcrypto/libdes/libdes.a
 LIBAES=${OBJDIRTOP}/lib/libcrypto/libaes/libaes.a
 LIBBLOWFISH=${OBJDIRTOP}/lib/libcrypto/libblowfish/libblowfish.a
 LIBTWOFISH=${OBJDIRTOP}/lib/libcrypto/libtwofish/libtwofish.a
 LIBSERPENT=${OBJDIRTOP}/lib/libcrypto/libserpent/libserpent.a
 LIBSHA2=${OBJDIRTOP}/lib/libcrypto/libsha2/libsha2.a


 But it seems like this is only added if USE_EXTRACRYPTO is set, which
  will add an enormous bloat to the pluto binary. I will look into how to
 implement cryptoapi, so the ciphers can be used modular again.

 go from 1.x to 2.x. After getting stuck on SHA2_256 I gave up. Also,
 on 1.0.9 I made some modifications to ./pluto/kernel.c to allow for

 multiple
 ipsec connections from the same host and I would have to do the same
 for
 2.4.4, which is quite different. It might not even work. Not worth
 the hassle right now.

 I understand, but note that 1.0.x is end of life.


 The _startklips fix is backward compatible. Most of my ipsec hosts
 use only a single ip address using interfaces=ipsec0=eth0.

 Ok, thanks! I will add this fix later today.


 -cpu


 Eric



 Eric Spakman wrote:


 Hello Cpu,



 A pity 2.4.4 is not working ok for you. You are the first reporting
 a problem with it. I looked through various documents and it seems
 like
 all
 those ciphers
 are
 supported but probably internal.

 Does the _startklips fix still suports plain ethx interfaces?



 Eric





 Hi Eric,




 I'm not using openswan 2.4.4, I'm using 1.0.9. But I did look at
 the newer

 _startklips and the line is the same. To me, this suggests it's
 making the

 same assumptions about the interface. My guess is that it will
 work.

 original 2.4.4 /usr/lib/ipsec/_startklips:


 eval `ip addr show $phys primary | grep inet | sed -n 1p |

 original 1.0.9 /lib/ipsec/_startklips:


 eval `ip addr show $phys primary | grep inet | sed -n 1p |

 -cpu




 Eric Spakman wrote:



 Hello Cpu,




 Does the same fix applies to our current openswan-2.4.4?




 Eric




 Hello,





 In addition to specifying a label I couldn't get openswan to
 work with secondary IPs unless I changed this line in
 _startklips:


 eval `ip addr show $phys primary | grep inet | sed -n 1p |

 to:





 eval `ip addr show ${phys%%:*} label $phys | grep inet | sed
 -n
 1p



 -cpu





 Charles Steinkuehler wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Sandro Doro wrote:

 Hi,

 I am testing Bering 2.3.1 with a multiple IP interface as:

 # ip addr show eth0
 5: eth0: BROADCAST,MULTICAST,ALLMULTI,UP mtu 1500 qdisc pfifo_fast qlen 1000
 link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
 inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
 inet 82.46.148.128/24 scope global secondary eth0
 inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link

 Using the included ipsec.lrp (v.1.0.9) I set up VPN with:

 # /etc/ipsec.conf
 [...]
 interfaces=ipsec0=eth0 ipsec1=eth0:0
 [...]

 After /etc/init.d/ipsec restart the following messages are printed:

 Device eth0:0 does not exist.
 ipsec_setup: unable to determine address of `eth0:0'

 These messages are also printed if I change the ip address
 with the following command:

 ip addr add 82.46.148.128/24 dev eth0 label eth0:0

 I have read in

 http://www.freeswan.ca/docs/HA/HA_VPNS_With_FreeSWAN.html

 that this interface specification is correct. This is
 possible only in v2 release (Bering v2.4)?

 Thank you for any suggestions.

 I haven't tried this with FreeS/WAN, but I suspect your
 problem is you don't have an eth0:0.

 You *DO* have a secondary IP address on your external
 interface, but it has no name (linux hasn't required the
 ethn:m syntax since at least 2.2).

 Try removing the secondary IP, re-adding it with an
 appropriate label then starting freeswan:

 ip addr del 82.46.148.128/24 dev eth0
 ip addr add 82.46.148.128/24 label eth0:0 dev eth0
 svi ipsec start

 ...if that works, you'll need to change how you're adding
 the IP alias in your startup scripts.

 - --
 Charles Steinkuehler
 [EMAIL PROTECTED]




 

Re: [leaf-user] ipsec and multiple IP problem

2006-02-14 Thread Eric Spakman
Hello Cpu,

I think the fix to support cryptoapi is rather simple, it's just broken in
the openswan sources (patch).

If you change the following line in the kernel's linux/net/ipsec/Config.in
from:
bool '   IPsec Modular Extensions' CONFIG_KLIPS_ALG
if [ $CONFIG_KLIPS_ALG != n ]; then
source net/ipsec/alg/Config.in
fi

to:

bool '   IPsec Modular Extensions' CONFIG_KLIPS_ALG
if [ $CONFIG_KLIPS_ALG != n ]; then
  bool '  CryptoAPI algorithm interface' CONFIG_KLIPS_ENC_CRYPTOAPI
fi

Do a make menuconfig, enable klips cryptoapi support and (optionally)
disable klips 3des and aes (you can use the crypto ciphers now), and it
should work.

Eric



---

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


Re: [leaf-user] ipsec and multiple IP problem

2006-02-10 Thread Charles Steinkuehler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Sandro Doro wrote:
 Hi,
 
   I am testing Bering 2.3.1 with a multiple IP interface as:
 
 # ip addr show eth0
 5: eth0: BROADCAST,MULTICAST,ALLMULTI,UP mtu 1500 qdisc pfifo_fast qlen 1000
 link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
 inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
 inet 82.46.148.128/24 scope global secondary eth0 
 inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link
 
 Using the included ipsec.lrp (v.1.0.9) I set up VPN with:
 
# /etc/ipsec.conf
[...]
interfaces=ipsec0=eth0 ipsec1=eth0:0
[...]
 
 After /etc/init.d/ipsec restart the following messages are printed:
 
   Device eth0:0 does not exist.
   ipsec_setup: unable to determine address of `eth0:0'
 
 These messages are also printed if I change the ip address with the
 following command:
 
   ip addr add 82.46.148.128/24 dev eth0 label eth0:0
 
 I have read in
 
   http://www.freeswan.ca/docs/HA/HA_VPNS_With_FreeSWAN.html
 
 that this interface specification is correct. This is possible
 only in v2 release (Bering v2.4)?
 
 Thank you for any suggestions.

I haven't tried this with FreeS/WAN, but I suspect your problem is you
don't have an eth0:0.

You *DO* have a secondary IP address on your external interface, but it
has no name (linux hasn't required the ethn:m syntax since at
least 2.2).

Try removing the secondary IP, re-adding it with an appropriate label
then starting freeswan:

ip addr del 82.46.148.128/24 dev eth0
ip addr add 82.46.148.128/24 label eth0:0 dev eth0
svi ipsec start

...if that works, you'll need to change how you're adding the IP alias
in your startup scripts.

- --
Charles Steinkuehler
[EMAIL PROTECTED]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD7LMYLywbqEHdNFwRAugOAJ9ySUIKShtjxak6/YBdOhXEvwNIMwCeLvg3
rd55FxcC8wzl6N+/BWa4368=
=3irC
-END PGP SIGNATURE-
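
Added example, not part of the original messages and not code from openswan or LEAF: an offline sketch of why ipsec1=eth0:0 only resolves once the secondary address carries the label eth0:0, and of what the ${phys%%:*} / label change quoted earlier in the thread selects. The sample `ip addr` output is constructed from the addresses in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed `ip addr show eth0` output, using the addresses from the thread.
# UNLABELLED: secondary address added without a label (its label defaults to eth0).
UNLABELLED='5: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
    inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
    inet 82.46.148.128/24 scope global secondary eth0
    inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link'
# LABELLED: the same interface after re-adding the address with `label eth0:0`.
LABELLED=$(printf '%s\n' "$UNLABELLED" | sed 's/secondary eth0$/secondary eth0:0/')

# device_of IFACE: the real device behind an alias name, as ${phys%%:*} yields.
device_of() { printf '%s\n' "${1%%:*}"; }

# addr_by_label LABEL: read `ip addr show DEV` output on stdin and print the
# first IPv4 address whose label equals LABEL. Offline stand-in for
# `ip addr show DEV label LABEL` (exact match only; assumes the label is the
# last field of the inet line, as in the sample above).
addr_by_label() {
    awk -v want="$1" '$1 == "inet" && $NF == want { sub(/\/.*/, "", $2); print $2; exit }'
}

# addr_primary: first IPv4 address not flagged secondary, i.e. what a
# `primary` selection on the device yields whichever alias was asked for.
addr_primary() {
    awk '$1 == "inet" && $0 !~ / secondary / { sub(/\/.*/, "", $2); print $2; exit }'
}

# resolve IFACE: address for an interfaces= entry; fails when no address
# carries that label (the situation behind the error quoted in the thread).
resolve() {
    addr=$(addr_by_label "$1")
    [ -n "$addr" ] || { echo "unable to determine address of $1" >&2; return 1; }
    printf '%s\n' "$addr"
}

# Demo: eth0:0 resolves only once the secondary address carries that label.
for sample in "$UNLABELLED" "$LABELLED"; do
    printf '%s\n' "$sample" | resolve eth0:0 || echo "(no address labelled eth0:0)"
done
```

On a live system the equivalent check before starting ipsec is `ip addr show eth0 label eth0:0`, which should list exactly the address intended for ipsec1.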




[leaf-user] ipsec and multiple IP problem

2006-02-09 Thread Sandro Doro
Hi,

  I am testing Bering 2.3.1 with a multiple IP interface as:

# ip addr show eth0
5: eth0: BROADCAST,MULTICAST,ALLMULTI,UP mtu 1500 qdisc pfifo_fast qlen 1000
link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
inet 82.46.148.128/24 scope global secondary eth0 
inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link

Using the included ipsec.lrp (v.1.0.9) I set up VPN with:

   # /etc/ipsec.conf
   [...]
   interfaces=ipsec0=eth0 ipsec1=eth0:0
   [...]

After /etc/init.d/ipsec restart the following messages are printed:

  Device eth0:0 does not exist.
  ipsec_setup: unable to determine address of `eth0:0'

These messages are also printed if I change the ip address with the
following command:

  ip addr add 82.46.148.128/24 dev eth0 label eth0:0

I have read in

  http://www.freeswan.ca/docs/HA/HA_VPNS_With_FreeSWAN.html

that this interface specification is correct. This is possible
only in v2 release (Bering v2.4)?

Thank you for any suggestions.


Regards,
  Sandro Doro

-- 
Sandro Doro
e-mail: sandro.doro AT istruzione.it




