Re: [leaf-user] problem with _startklips on bering rc3

2002-07-15 Thread Ronny Aasen

On Fri, 2002-07-12 at 16:43, Chad Carr wrote:
 On 12 Jul 2002 12:48:01 +0200
 Ronny Aasen [EMAIL PROTECTED] wrote:
 
  Hello
  
  I have a testing setup with ipsec between 3 linux bering firewalls and
  a zywall 10 router, all on static IP addresses. I also have roadwarrior
  support from dhcp clients on isdn/modem lines using windows 98/ssh
  sentinel and windows 2000/xp (with the aid of vpn.ebootis.de).
  
  My problem arises when I try to set up a lan-lan tunnel between my master
  vpn  bering firewall and an adsl gateway:
  
  {worklan}[Bering1 static 194.248.214.187]{NET}[Bering2 adsl
  dynamic 880.212.112.*]{homelan}
  
  I realise I can't get ipsec on startup since the adsl ppp0 isn't up yet,
  
  but running ipsec setup I expected the tunnel to come up:
  
  ipsec_setup: Stopping FreeS/WAN IPsec...
  ipsec_setup: stop ordered, but IPsec does not appear to be running!
  ipsec_setup: doing cleanup anyway...
  ipsec_setup: Starting FreeS/WAN IPsec 1.97...
  ipsec_setup: Using /lib/modules/ipsec.o
  ipsec_setup: unable to determine address of `ppp0'
 
 Is the above output the result of /etc/init.d/ipsec restart?
 
 Can you post the output of ipsec barf?


Mon Jul 15 10:17:34 UTC 2002
+ _ version
+
+ ipsec --version
Linux FreeS/WAN 1.97
See `ipsec --copyright' for copyright information.
+ _ proc/version
+
+ cat /proc/version
Linux version 2.4.18 (root@debian) (gcc version 2.95.2 2220 (Debian GNU/Linux)) #4 Sun Jun 9 09:46:15 CEST 2002
+ _ proc/net/ipsec_eroute
+
+ sort +3 /proc/net/ipsec_eroute
sort: +3: No such file or directory
+ cat /proc/net/ipsec_eroute
+ _ proc/net/ipsec_spi
+
+ cat /proc/net/ipsec_spi
+ _ proc/net/ipsec_spigrp
+
+ cat /proc/net/ipsec_spigrp
+ _ ip/route
+
+ ip route
80.212.112.0 dev ppp0  proto kernel  scope link  src 80.212.112.52 
192.168.20.0/24 dev eth1  proto kernel  scope link  src 192.168.20.254 
default via 80.212.112.0 dev ppp0 
+ _ proc/net/ipsec_tncfg
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> NULL mtu=0(0) -> 0
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _ proc/net/pf_key
+
+ cat /proc/net/pf_key
sock   pid   socket next prev e n p sndbfFlags Type St
c1820b40 32315 c1152d5000 0 0 2 65535 3  1
+ _ proc/net/pf_key-star
+
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid   sk
pf_key_registered: 2 c1152d50 32315 c1820b40
pf_key_registered: 3 c1152d50 32315 c1820b40
pf_key_registered: 9 c1152d50 32315 c1820b40
pf_key_registered:10 c1152d50 32315 c1820b40
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2  14  3 0 160 160
pf_key_supported: 2  14  2 0 128 128
pf_key_supported: 3  15  3   128 168 168
pf_key_supported: 3  14  3 0 160 160
pf_key_supported: 3  14  2 0 128 128
pf_key_supported: 9  15  4 0 128 128
pf_key_supported: 9  15  3 0  32 128
pf_key_supported: 9  15  2 0 128  32
pf_key_supported: 9  15  1 0  32  32
pf_key_supported:10  15  2 0   1   1
+ _ proc/sys/net/ipsec-star
+
+ cd /proc/sys/net/ipsec
+ egrep ^ icmp inbound_policy_check tos
icmp:1
inbound_policy_check:1
tos:1
+ _ ipsec/status
+
+ ipsec auto --status
000  
000 rw-to-li1: 192.168.1.0/24===194.248.214.187---194.248.214.1...%any
000 rw-to-li1:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 rw-to-li1:   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ; unrouted
000 rw-to-li1:   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000  
+ _ ip/address
+
+ ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:0a:1c brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:02:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.254/24 brd 192.168.20.255 scope global eth1
5: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
6: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
7: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
8: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
9: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3

Re: [leaf-user] problem with _startklips on bering rc3

2002-07-15 Thread Tom Eastep

From your post:
--
+ iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  lo     *       0.0.0.0/0            0.0.0.0/0
  952 86132 ppp0_in    ah   --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    9  1163 eth1_in    ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ipsec0_in  ah   --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
---
What in the world is going on with Shorewall? All of those ah in the 
protocol column are wrong.

If you haven't modified the Shorewall 'firewall' script, please shorewall 
debug restart 2> /tmp/trace and send me the /tmp/trace file (if you have 
modified the script, put it back the way it was).

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



Re: [leaf-user] problem with _startklips on bering rc3

2002-07-15 Thread Marco Cintolesi

Same problem with Bering RC3 and IPSEC509 package,

when I try to start ipsec it gives me the error:
unable to determine address of eth0  (I have %defaultroute as interface in
ipsec.conf)

and I have many AH fields in the iptables -L output (AH is Authenticated
Headers, right ???, but I can't find any note about that in the Shorewall
rules file ..)

Please help me.

Bye
Marco

- Original Message -
From: Tom Eastep [EMAIL PROTECTED]
To: leaf [EMAIL PROTECTED]
Sent: Monday, July 15, 2002 4:00 PM
Subject: Re: [leaf-user] problem with _startklips on bering rc3


 From your post:
 --
 + iptables -L -v -n
 Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     ah   --  lo     *       0.0.0.0/0            0.0.0.0/0
   952 86132 ppp0_in    ah   --  ppp0   *       0.0.0.0/0            0.0.0.0/0
     9  1163 eth1_in    ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
     0     0 ipsec0_in  ah   --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
     0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
     0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
     0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
 ---
 What in the world is going on with Shorewall? All of those ah in the
 protocol column are wrong.

 If you haven't modified the Shorewall 'firewall' script, please shorewall
 debug restart 2> /tmp/trace and send me the /tmp/trace file (if you have
 modified the script, put it back the way it was).

 -Tom
 --
 Tom Eastep\ Shorewall - iptables made easy
 AIM: tmeastep  \ http://www.shorewall.net
 ICQ: #60745924  \ [EMAIL PROTECTED]


Re: [leaf-user] problem with _startklips on bering rc3 (fwd)

2002-07-15 Thread Tom Eastep


On Tue, 16 Jul 2002, Marco Cintolesi wrote:

 Same problem with Bering RC3 and IPSEC509 package,
 
 when I try to start ipsec it gives me the error:
 unable to determine address of eth0  (I have %defaultroute as interface in
 ipsec.conf)
 
 and I have many AH fields in the iptables -L output (AH is Authenticated
 Headers, right ???, but I can't find any note about that in the Shorewall
 rules file ..)
 
 Please help me.
 

Either you or the other person with this problem is going to have to send 
me the trace I requested -- I can't tell you anything without it.

-Tom
-- 
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]


Re: [leaf-user] problem with _startklips on bering rc3

2002-07-15 Thread Tom Eastep

On Tue, 16 Jul 2002, Marco Cintolesi wrote:

 Here's the debug from the shorewall, let me know if I made something
 wrong..
 

You haven't defined your ipsec tunnel in /etc/shorewall/tunnels -- that 
will prevent klips from working. Nevertheless, nothing in the trace shows 
why we're seeing 'ah' everywhere we should be seeing 'all' in the iptables 
output.

What's the URL from which you got your IPSEC LRP? I'd like to take a look 
at what's in there.

Thanks,
-Tom
-- 
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]


[leaf-user] problem with _startklips on bering rc3

2002-07-12 Thread Ronny Aasen

Hello

I have a testing setup with ipsec between 3 linux bering firewalls and
a zywall 10 router, all on static IP addresses. I also have roadwarrior
support from dhcp clients on isdn/modem lines using windows 98/ssh
sentinel and windows 2000/xp (with the aid of vpn.ebootis.de).

My problem arises when I try to set up a lan-lan tunnel between my master
vpn  bering firewall and an adsl gateway:

{worklan}[Bering1 static 194.248.214.187]{NET}[Bering2 adsl
dynamic 880.212.112.*]{homelan}

I realise I can't get ipsec on startup since the adsl ppp0 isn't up yet,

but running ipsec setup I expected the tunnel to come up:

ipsec_setup: Stopping FreeS/WAN IPsec...
ipsec_setup: stop ordered, but IPsec does not appear to be running!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting FreeS/WAN IPsec 1.97...
ipsec_setup: Using /lib/modules/ipsec.o
ipsec_setup: unable to determine address of `ppp0'

I have tried with interface=%defaultroute
and interface=ipsec0=ppp0

i use the latest bering rc3

# uname -a
Linux frodeadsl 2.4.18 #4 Sun Jun 9 09:46:15 CEST 2002 i586 unknown

# lrpkg -l
Name     Version     Description
======== =========== ==================================================
initrd   V1.0-rc3
root     V1.0-rc3
etc      V1.0-rc3
local    V1.0-rc3    Local package. This package does not contain a
modules  V1.0-rc3    Modules package. Contains kernel modules and u
keyboard 0.3         Use this package to adjust the keyboard settin
dhcpd    2.0pl5      dhcpd - Autoconfigure client machines
shorwall 1.3.1       Shoreline Firewall (Shorewall)
ppp      2.4.1-pppoe PPPd Deamon
pppoe    3.3-1       pppoe add-on for pppd
dnscache 1.05a       dnscache from djbdns (V1.05a) package creates
mawk     1.3.3
ipsec    1.97        Freeswan IPSEC
libz     1.1.4       zlib compression library. Needed for openssh
ssh      3.2.3p1     OpenSSH ssh & scp programs.
sshd     3.2.3p1     OpenSSH sshd daemon.


# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:0a:1c brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:02:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.254/24 brd 192.168.20.255 scope global eth1
9: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp 
    inet 80.212.112.139 peer 80.212.112.0/32 scope global ppp0
126: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
127: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
128: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
129: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
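The `ip addr show` output above shows ppp0 already holding an address, yet `ipsec setup` reports "unable to determine address of `ppp0'" (and, in the later reply, of eth0 with interfaces=%defaultroute). The following is an added check, not code from the thread or from FreeS/WAN's _startklips: it resolves the default-route device and its IPv4 address from `ip route` / `ip addr show` text, accepting both the "inet A/prefix" form of a broadcast interface and the "inet A peer B/prefix" form of a point-to-point link, so a gateway on a dynamic link can gate `ipsec setup start` on actually having an address. The function names default_dev and iface_addr and the SAMPLE_* text (built from the lines quoted in the thread) are this example's own.

```shell
#!/bin/sh
# Added example: resolve the %defaultroute device and its IPv4 address from
# `ip route` / `ip addr show` text. A broadcast interface prints
# "inet A/prefix"; a point-to-point link such as ppp0 prints "inet A peer
# B/prefix", which a slash-only parser misses.

# Sample text constructed from the ip addr / ip route lines in the thread.
SAMPLE_IP_ADDR='4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:02:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.254/24 brd 192.168.20.255 scope global eth1
9: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 80.212.112.139 peer 80.212.112.0/32 scope global ppp0
126: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip'
SAMPLE_IP_ROUTE='80.212.112.0 dev ppp0  proto kernel  scope link  src 80.212.112.139
192.168.20.0/24 dev eth1  proto kernel  scope link  src 192.168.20.254
default via 80.212.112.0 dev ppp0'

# default_dev: read `ip route` text on stdin, print the device of the default
# route; exit 1 if there is none (nothing for %defaultroute to resolve to).
default_dev() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); ok = 1; exit } }
         END { exit(ok ? 0 : 1) }'
}

# iface_addr DEV: read `ip addr show` text on stdin, print the first IPv4
# address of DEV (either inet form); exit 1 if DEV has no IPv4 address yet.
iface_addr() {
    awk -v dev="$1" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur); next }   # "N: name:" header line
        cur == dev && $1 == "inet" {
            addr = $2; sub(/\/.*/, "", addr)                  # drop /prefix if present
            print addr; ok = 1; exit
        }
        END { exit(ok ? 0 : 1) }'
}

# Demo on the constructed sample; on a live gateway feed real `ip route` and
# `ip addr show` output instead (e.g. from the ppp ip-up hook).
dev=$(printf '%s\n' "$SAMPLE_IP_ROUTE" | default_dev) || dev=""
if [ -n "$dev" ] && addr=$(printf '%s\n' "$SAMPLE_IP_ADDR" | iface_addr "$dev"); then
    echo "$dev has address $addr: safe to run 'ipsec setup start'"
else
    echo "no usable default-route address yet: expect 'unable to determine address'" >&2
fi
```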



Re: [leaf-user] problem with _startklips on bering rc3

2002-07-12 Thread Chad Carr

On 12 Jul 2002 12:48:01 +0200
Ronny Aasen [EMAIL PROTECTED] wrote:

 Hello
 
 I have a testing setup with ipsec between 3 linux bering firewalls and
 a zywall 10 router, all on static IP addresses. I also have roadwarrior
 support from dhcp clients on isdn/modem lines using windows 98/ssh
 sentinel and windows 2000/xp (with the aid of vpn.ebootis.de).
 
 My problem arises when I try to set up a lan-lan tunnel between my master
 vpn  bering firewall and an adsl gateway:
 
 {worklan}[Bering1 static 194.248.214.187]{NET}[Bering2 adsl
 dynamic 880.212.112.*]{homelan}
 
 I realise I can't get ipsec on startup since the adsl ppp0 isn't up yet,
 
 but running ipsec setup I expected the tunnel to come up:
 
 ipsec_setup: Stopping FreeS/WAN IPsec...
 ipsec_setup: stop ordered, but IPsec does not appear to be running!
 ipsec_setup: doing cleanup anyway...
 ipsec_setup: Starting FreeS/WAN IPsec 1.97...
 ipsec_setup: Using /lib/modules/ipsec.o
 ipsec_setup: unable to determine address of `ppp0'

Is the above output the result of /etc/init.d/ipsec restart?

Can you post the output of ipsec barf?

Thanks.

-- 

Chad Carr  [EMAIL PROTECTED]
