Re: [leaf-user] ipsec and multiple IP problem
Hello Cpu,

Does the same fix apply to our current openswan-2.4.4?

Eric

> Hello,
>
> In addition to specifying a label I couldn't get openswan to work with
> secondary IPs unless I changed this line in _startklips:
>
>     eval `ip addr show $phys primary | grep inet | sed -n 1p |
>
> to:
>
>     eval `ip addr show ${phys%%:*} label $phys | grep inet | sed -n 1p
>
> -cpu
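The patched _startklips line quoted above differs from the original only in the arguments it hands to `ip addr show`, so here is an added POSIX sh emulation of both lookups (example code, not openswan's or anyone's from this thread) run over a constructed copy of Sandro's eth0 listing, with the secondary re-added under the label eth0:0 as Charles suggested; it needs no live `ip` command. It also shows that a plain ethX spec still resolves to the primary address, which is the backward compatibility question raised later in the thread.

```shell
#!/bin/sh
# Added example (not openswan's code): emulate what the original and the
# patched _startklips lookups return for an interface spec such as
# "eth0" or "eth0:0", using a constructed copy of Sandro's `ip addr show eth0`
# listing after the secondary has been re-added with "label eth0:0".

SAMPLE_IP_ADDR='5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
    inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
    inet 82.46.148.128/24 scope global secondary eth0:0
    inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link'

# The ${phys%%:*} expansion from the fix: "eth0:0" -> "eth0", "eth0" -> "eth0".
phys_dev() { printf '%s\n' "${1%%:*}"; }

# Original line:  ip addr show $phys primary | grep inet | sed -n 1p
# The spec is used verbatim as the device name, so a label such as eth0:0 is
# rejected ("Device eth0:0 does not exist."), and "primary" hides secondary
# addresses in any case. Prints the first matching IPv4 address, exit 1 if none.
addr_original() {
    printf '%s\n' "$SAMPLE_IP_ADDR" | awk -v want="$1" -v hdr="$1:" '
        $1 ~ /^[0-9]+:$/ && $2 == hdr { dev_ok = 1 }
        dev_ok && $1 == "inet" && $0 !~ / secondary / {
            sub("/.*", "", $2); print $2; found = 1; exit
        }
        END {
            if (!dev_ok) print "Device " want " does not exist." > "/dev/stderr"
            exit (found ? 0 : 1)
        }'
}

# Patched line:   ip addr show ${phys%%:*} label $phys | grep inet | sed -n 1p
# The device is the part before the colon; the full spec is matched against the
# address label, which `ip` prints as the last field of each inet line.
addr_patched() {
    dev=$(phys_dev "$1")
    printf '%s\n' "$SAMPLE_IP_ADDR" | awk -v want="$1" -v hdr="$dev:" '
        $1 ~ /^[0-9]+:$/ && $2 == hdr { dev_ok = 1 }
        dev_ok && $1 == "inet" && $NF == want {
            sub("/.*", "", $2); print $2; found = 1; exit
        }
        END { exit (found ? 0 : 1) }'
}

# Demo: the original lookup fails for eth0:0, while the patched one resolves
# both the plain interface and the labelled secondary.
for spec in eth0 eth0:0; do
    printf 'original %-6s -> %s\n' "$spec" "$(addr_original "$spec" || echo '(no address)')"
    printf 'patched  %-6s -> %s\n' "$spec" "$(addr_patched "$spec" || echo '(no address)')"
done
```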
Re: [leaf-user] ipsec and multiple IP problem
Hi Eric,

I'm not using openswan 2.4.4, I'm using 1.0.9. But I did look at the newer
_startklips and the line is the same. To me, this suggests it's making the
same assumptions about the interface. My guess is that it will work.

original 2.4.4 /usr/lib/ipsec/_startklips:

    eval `ip addr show $phys primary | grep inet | sed -n 1p |

original 1.0.9 /lib/ipsec/_startklips:

    eval `ip addr show $phys primary | grep inet | sed -n 1p |

-cpu

Eric Spakman wrote:

> Hello Cpu,
>
> Does the same fix apply to our current openswan-2.4.4?
>
> Eric
Re: [leaf-user] ipsec and multiple IP problem
Hello Cpu,

A pity 2.4.4 is not working ok for you. You are the first reporting a problem
with it. I looked through various documents and it seems like all those
ciphers are supported but probably internal.

Does the _startklips fix still support plain ethx interfaces?

Eric

> Hi Eric,
>
> I'm not using openswan 2.4.4, I'm using 1.0.9. But I did look at the newer
> _startklips and the line is the same. To me, this suggests it's making the
> same assumptions about the interface. My guess is that it will work.
>
> original 2.4.4 /usr/lib/ipsec/_startklips:
>
>     eval `ip addr show $phys primary | grep inet | sed -n 1p |
>
> original 1.0.9 /lib/ipsec/_startklips:
>
>     eval `ip addr show $phys primary | grep inet | sed -n 1p |
>
> -cpu
Re: [leaf-user] ipsec and multiple IP problem
Eric,

Regarding openswan 2.x. It looks like one is supposed to use cryptoapi instead
of Juanjo's crypto algorithms. But there is no real info on how to go from 1.x
to 2.x. After getting stuck on SHA2_256 I gave up.

Also, on 1.0.9 I made some modifications to ./pluto/kernel.c to allow for
multiple ipsec connections from the same host and I would have to do the same
for 2.4.4, which is quite different. It might not even work. Not worth the
hassle right now.

The _startklips fix is backward compatible. Most of my ipsec hosts use only a
single ip address using interfaces=ipsec0=eth0.

-cpu

Eric Spakman wrote:

> Hello Cpu,
>
> A pity 2.4.4 is not working ok for you. You are the first reporting a
> problem with it. I looked through various documents and it seems like all
> those ciphers are supported but probably internal.
>
> Does the _startklips fix still support plain ethx interfaces?
>
> Eric
Re: [leaf-user] ipsec and multiple IP problem
Hi Cpu,

> Eric,
>
> Regarding openswan 2.x. It looks like one is supposed to use cryptoapi
> instead of Juanjo's crypto algorithms. But there is no real info on how to

The cryptoapi stuff is optional and the other ciphers are internal to pluto:

    LIBDESSRCDIR=${OPENSWANSRCDIR}/linux/crypto/ciphers/des
    LIBDESLITE:=${OBJDIRTOP}/lib/libcrypto/libdes/libdes.a
    LIBAES=${OBJDIRTOP}/lib/libcrypto/libaes/libaes.a
    LIBBLOWFISH=${OBJDIRTOP}/lib/libcrypto/libblowfish/libblowfish.a
    LIBTWOFISH=${OBJDIRTOP}/lib/libcrypto/libtwofish/libtwofish.a
    LIBSERPENT=${OBJDIRTOP}/lib/libcrypto/libserpent/libserpent.a
    LIBSHA2=${OBJDIRTOP}/lib/libcrypto/libsha2/libsha2.a

But it seems like this is only added if USE_EXTRACRYPTO is set, which will add
an enormous bloat to the pluto binary. I will look into how to implement
cryptoapi, so the ciphers can be used modularly again.

> go from 1.x to 2.x. After getting stuck on SHA2_256 I gave up.
>
> Also, on 1.0.9 I made some modifications to ./pluto/kernel.c to allow for
> multiple ipsec connections from the same host and I would have to do the
> same for 2.4.4, which is quite different. It might not even work. Not worth
> the hassle right now.

I understand, but note that 1.0.x is end of life.

> The _startklips fix is backward compatible. Most of my ipsec hosts use only
> a single ip address using interfaces=ipsec0=eth0.

Ok, thanks! I will add this fix later today.

> -cpu

Eric
Re: [leaf-user] ipsec and multiple IP problem
Hmmm... Where/how do you set USE_EXTRACRYPTO?

-cpu

Eric Spakman wrote:

> Hi Cpu,
>
> [...]
>
> But it seems like this is only added if USE_EXTRACRYPTO is set, which will
> add an enormous bloat to the pluto binary. I will look into how to
> implement cryptoapi, so the ciphers can be used modularly again.
>
> [...]
>
> Eric
Re: [leaf-user] ipsec and multiple IP problem
Hi Cpu,

In makefile.inc

But a much better fix will be to enable cryptoapi in the kernel config and
rebuild openswan against it. Only the standard openswan patch doesn't contain
that option and I have to make a patch against it.

Eric

> Hmmm... Where/how do you set USE_EXTRACRYPTO?
>
> -cpu
Re: [leaf-user] ipsec and multiple IP problem
Hello Cpu,

I think the fix to support cryptoapi is rather simple, it's just broken in the
openswan sources (patch). If you change the following lines in the kernel's
linux/net/ipsec/Config.in from:

    bool ' IPsec Modular Extensions' CONFIG_KLIPS_ALG
    if [ "$CONFIG_KLIPS_ALG" != "n" ]; then
        source net/ipsec/alg/Config.in
    fi

to:

    bool ' IPsec Modular Extensions' CONFIG_KLIPS_ALG
    if [ "$CONFIG_KLIPS_ALG" != "n" ]; then
        bool ' CryptoAPI algorithm interface' CONFIG_KLIPS_ENC_CRYPTOAPI
    fi

then do a make menuconfig, enable klips cryptoapi support and (optionally)
disable klips 3des and aes (you can use the crypto ciphers now), it should
work.

Eric
Re: [leaf-user] ipsec and multiple IP problem
Sandro Doro wrote:

> Hi,
>
> I am testing Bering 2.3.1 with a multiple IP interface as:
>
>     # ip addr show eth0
>     5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>         link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
>         inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
>         inet 82.46.148.128/24 scope global secondary eth0
>         inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link
>
> Using the included ipsec.lrp (v.1.0.9) I set up the VPN with:
>
>     # /etc/ipsec.conf
>     [...]
>     interfaces="ipsec0=eth0 ipsec1=eth0:0"
>     [...]
>
> After /etc/init.d/ipsec restart the following messages are printed:
>
>     Device eth0:0 does not exist.
>     ipsec_setup: unable to determine address of `eth0:0'
>
> [...]

I haven't tried this with FreeS/WAN, but I suspect your problem is you don't
have an eth0:0. You *DO* have a secondary IP address on your external
interface, but it has no name (linux hasn't required the ethn:m syntax since
at least 2.2). Try removing the secondary IP, re-adding it with an appropriate
label, then starting freeswan:

    ip addr del 82.46.148.128/24 dev eth0
    ip addr add 82.46.148.128/24 label eth0:0 dev eth0
    svi ipsec start

...if that works, you'll need to change how you're adding the IP alias in your
startup scripts.

-- 
Charles Steinkuehler
[leaf-user] ipsec and multiple IP problem
Hi,

I am testing Bering 2.3.1 with a multiple IP interface as:

    # ip addr show eth0
    5: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether fe:fd:58:24:f8:e6 brd ff:ff:ff:ff:ff:ff
        inet 82.46.148.130/24 brd 82.46.148.255 scope global eth0
        inet 82.46.148.128/24 scope global secondary eth0
        inet6 fe80::fcfd:58ff:fe24:f8e6/64 scope link

Using the included ipsec.lrp (v.1.0.9) I set up the VPN with:

    # /etc/ipsec.conf
    [...]
    interfaces="ipsec0=eth0 ipsec1=eth0:0"
    [...]

After /etc/init.d/ipsec restart the following messages are printed:

    Device eth0:0 does not exist.
    ipsec_setup: unable to determine address of `eth0:0'

This message is also printed if I change the ip address with the following
command:

    ip addr add 82.46.148.128/24 dev eth0 label eth0:0

I have read in http://www.freeswan.ca/docs/HA/HA_VPNS_With_FreeSWAN.html that
this interface specification is correct. Is this possible only in the v2
release (Bering v2.4)?

Thank you for any suggestions.

Regards,
Sandro Doro

-- 
Sandro Doro
e-mail: sandro.doro AT istruzione.it