Re: [leaf-user] problem with _startklips on bering rc3

On Fri, 2002-07-12 at 16:43, Chad Carr wrote:
> On 12 Jul 2002 12:48:01 +0200 Ronny Aasen [EMAIL PROTECTED] wrote:
> > Hello,
> > I have a testing setup with IPsec between 3 Linux Bering firewalls and a
> > ZyWALL 10 router, all on static IP addresses. I also have roadwarrior
> > support from DHCP clients on ISDN/modem lines using Windows 98/SSH Sentinel
> > and Windows 2000/XP (with the aid of vpn.ebootis.de).
> >
> > My problem arises when I try to set up a LAN-LAN tunnel between my master
> > VPN Bering firewall and an ADSL gateway:
> >
> > {worklan}[Bering1 static 194.248.214.187]{NET}[Bering2 adsl dynamic 880.212.112.*]{homelan}
> >
> > I realise I can't get IPsec on startup since the ADSL ppp0 isn't up yet,
> > but running ipsec setup I expected the tunnel to come up:
> >
> > ipsec_setup: Stopping FreeS/WAN IPsec...
> > ipsec_setup: stop ordered, but IPsec does not appear to be running!
> > ipsec_setup: doing cleanup anyway...
> > ipsec_setup: Starting FreeS/WAN IPsec 1.97...
> > ipsec_setup: Using /lib/modules/ipsec.o
> > ipsec_setup: unable to determine address of `ppp0'
>
> Is the above output the result of /etc/init.d/ipsec restart? Can you post
> the output of ipsec barf?

Mon Jul 15 10:17:34 UTC 2002
+ _ version
+ + ipsec --version
Linux FreeS/WAN 1.97
See `ipsec --copyright' for copyright information.
+ _ proc/version
+ + cat /proc/version
Linux version 2.4.18 (root@debian) (gcc version 2.95.2 2220 (Debian GNU/Linux)) #4 Sun Jun 9 09:46:15 CEST 2002
+ _ proc/net/ipsec_eroute
+ + sort +3 /proc/net/ipsec_eroute
sort: +3: No such file or directory
+ cat /proc/net/ipsec_eroute
+ _ proc/net/ipsec_spi
+ + cat /proc/net/ipsec_spi
+ _ proc/net/ipsec_spigrp
+ + cat /proc/net/ipsec_spigrp
+ _ ip/route
+ + ip route
80.212.112.0 dev ppp0  proto kernel  scope link  src 80.212.112.52
192.168.20.0/24 dev eth1  proto kernel  scope link  src 192.168.20.254
default via 80.212.112.0 dev ppp0
+ _ proc/net/ipsec_tncfg
+ + cat /proc/net/ipsec_tncfg
ipsec0 -> NULL mtu=0(0) -> 0
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _ proc/net/pf_key
+ + cat /proc/net/pf_key
    sock   pid   socket   next   prev e n p sndbf Flags Type St
c1820b40 32315 c1152d5000 0 0 2 65535 3 1
+ _ proc/net/pf_key-star
+ + cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype socket   pid   sk
pf_key_registered:     2 c1152d50 32315 c1820b40
pf_key_registered:     3 c1152d50 32315 c1820b40
pf_key_registered:     9 c1152d50 32315 c1820b40
pf_key_registered:    10 c1152d50 32315 c1820b40
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported:     2      14      3     0     160     160
pf_key_supported:     2      14      2     0     128     128
pf_key_supported:     3      15      3   128     168     168
pf_key_supported:     3      14      3     0     160     160
pf_key_supported:     3      14      2     0     128     128
pf_key_supported:     9      15      4     0     128     128
pf_key_supported:     9      15      3     0      32     128
pf_key_supported:     9      15      2     0     128      32
pf_key_supported:     9      15      1     0      32      32
pf_key_supported:    10      15      2     0       1       1
+ _ proc/sys/net/ipsec-star
+ + cd /proc/sys/net/ipsec
+ egrep ^ icmp inbound_policy_check tos
icmp:1
inbound_policy_check:1
tos:1
+ _ ipsec/status
+ + ipsec auto --status
000
000 rw-to-li1: 192.168.1.0/24===194.248.214.187---194.248.214.1...%any
000 rw-to-li1: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 rw-to-li1: policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ; unrouted
000 rw-to-li1: newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
+ _ ip/address
+ + ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:0a:1c brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:02:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.254/24 brd 192.168.20.255 scope global eth1
5: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
7: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
8: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
9: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
Re: [leaf-user] problem with _startklips on bering rc3

From your post:

--
+ iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  lo     *       0.0.0.0/0            0.0.0.0/0
  952 86132 ppp0_in    ah   --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    9  1163 eth1_in    ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ipsec0_in  ah   --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
---

What in the world is going on with Shorewall? All of those 'ah' in the protocol column are wrong. If you haven't modified the Shorewall 'firewall' script, please

    shorewall debug restart 2> /tmp/trace

and send me the /tmp/trace file (if you have modified the script, put it back the way it was).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]

---
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] problem with _startklips on bering rc3

Same problem with Bering RC3 and the IPSEC509 package. When I try to start ipsec it gives me the error:

    unable to determine address of eth0

(I have %defaultroute as interface in ipsec.conf), and I have many AH fields in the iptables -L output (AH is Authenticated Headers, right???, but I can't find any note about that in the Shorewall rules file...).

Please help me.

Bye
Marco

----- Original Message -----
From: Tom Eastep [EMAIL PROTECTED]
To: leaf [EMAIL PROTECTED]
Sent: Monday, July 15, 2002 4:00 PM
Subject: Re: [leaf-user] problem with _startklips on bering rc3

> From your post:
>
> --
> + iptables -L -v -n
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     ah   --  lo     *       0.0.0.0/0            0.0.0.0/0
>   952 86132 ppp0_in    ah   --  ppp0   *       0.0.0.0/0            0.0.0.0/0
>     9  1163 eth1_in    ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
>     0     0 ipsec0_in  ah   --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
>     0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
>     0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
> ---
>
> What in the world is going on with Shorewall? All of those 'ah' in the
> protocol column are wrong. If you haven't modified the Shorewall 'firewall'
> script, please
>
>     shorewall debug restart 2> /tmp/trace
>
> and send me the /tmp/trace file (if you have modified the script, put it
> back the way it was).
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ [EMAIL PROTECTED]
Re: [leaf-user] problem with _startklips on bering rc3 (fwd)

On Tue, 16 Jul 2002, Marco Cintolesi wrote:
> Same problem with Bering RC3 and the IPSEC509 package. When I try to start
> ipsec it gives me the error:
>
>     unable to determine address of eth0
>
> (I have %defaultroute as interface in ipsec.conf), and I have many AH
> fields in the iptables -L output (AH is Authenticated Headers, right???,
> but I can't find any note about that in the Shorewall rules file...).
>
> Please help me.

Either you or the other person with this problem is going to have to send me the trace I requested -- I can't tell you anything without it.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
Re: [leaf-user] problem with _startklips on bering rc3

On Tue, 16 Jul 2002, Marco Cintolesi wrote:
> Here's the debug from the shorewall, let me know if I made something wrong..

You haven't defined your ipsec tunnel in /etc/shorewall/tunnels -- that will prevent klips from working. Nevertheless, nothing in the trace shows why we're seeing 'ah' everywhere we should be seeing 'all' in the iptables output.

What's the URL from which you got your IPSEC LRP? I'd like to take a look at what's in there.

Thanks,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
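An added example, not code from any of the posts above nor from the LEAF, FreeS/WAN or Shorewall projects: a POSIX sh ip-up hook that deals with the two things diagnosed in this thread. It starts FreeS/WAN only once the PPP interface actually carries an address (the condition behind "ipsec_setup: unable to determine address of `ppp0'"), and it refuses to start at all when /etc/shorewall/tunnels has no ipsec entry for the far gateway, which Tom says will stop KLIPS from working. The hook path under /etc/ppp/ip-up.d/, the peer address (Bering1's 194.248.214.187 from the thread), the tunnels file location, the "ipsec" type prefix match and the use of `ipsec setup --restart` are all assumptions; the checks take their input as text so they can be exercised against captured `ip addr` output.

```shell
#!/bin/sh
# Added example (not from the thread, LEAF, FreeS/WAN or Shorewall).
# Intended as an ip-up hook (assumed path: /etc/ppp/ip-up.d/ipsec); pppd
# passes the interface name as $1. Run with no arguments it only defines
# the functions, so it can be tested against captured output.

PEER=194.248.214.187                        # far-end gateway: Bering1 in the thread
TUNNELS=${TUNNELS:-/etc/shorewall/tunnels}  # assumed Shorewall tunnels file location

# Print the first IPv4 address found in the text of `ip addr show dev IFACE`
# ($1). Prints nothing when there is no inet line, e.g. eth0 in the thread
# or a PPP link that has not finished coming up.
addr_of() {
    printf '%s\n' "$1" | awk '$1 == "inet" { sub("/.*", "", $2); print $2; exit }'
}

# Exit 0 if the tunnels table text ($1) has an ipsec-type entry (TYPE column
# starting with "ipsec", an assumption) whose GATEWAY column is $2 or the
# road-warrior "any" form 0.0.0.0/0; otherwise exit 1.
tunnel_declared() {
    printf '%s\n' "$1" | awk -v gw="$2" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 ~ /^ipsec/ && ($3 == gw || $3 == "0.0.0.0/0") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Decide whether IPsec may be started for interface $1, given the ip addr
# text ($2) and the tunnels table text ($3): print the local address and
# return 0, or explain on stderr and return 1.
ready_to_start() {
    iface=$1; ipout=$2; tunnels=$3
    addr=$(addr_of "$ipout")
    if [ -z "$addr" ]; then
        echo "$iface has no IPv4 address yet; not starting IPsec" >&2
        return 1
    fi
    if ! tunnel_declared "$tunnels" "$PEER"; then
        echo "no ipsec tunnel to $PEER in $TUNNELS; KLIPS traffic would be dropped" >&2
        return 1
    fi
    echo "$addr"
}

# Hook entry point: only acts when pppd hands us an interface name.
if [ $# -gt 0 ]; then
    if ready_to_start "$1" "$(ip addr show dev "$1" 2>/dev/null)" \
                      "$(cat "$TUNNELS" 2>/dev/null)" >/dev/null; then
        ipsec setup --restart   # conns with auto=start in ipsec.conf are negotiated now
    fi
fi
```

Installed in the pppd ip-up path, the restart is retried every time the ADSL link renegotiates, which is what a dynamic-address end needs; with interfaces=%defaultroute FreeS/WAN then picks up whatever address ppp0 got. The tunnels check only looks for the entry; it does not validate the rest of the Shorewall configuration.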
[leaf-user] problem with _startklips on bering rc3

Hello,
I have a testing setup with IPsec between 3 Linux Bering firewalls and a ZyWALL 10 router, all on static IP addresses. I also have roadwarrior support from DHCP clients on ISDN/modem lines using Windows 98/SSH Sentinel and Windows 2000/XP (with the aid of vpn.ebootis.de).

My problem arises when I try to set up a LAN-LAN tunnel between my master VPN Bering firewall and an ADSL gateway:

{worklan}[Bering1 static 194.248.214.187]{NET}[Bering2 adsl dynamic 880.212.112.*]{homelan}

I realise I can't get IPsec on startup since the ADSL ppp0 isn't up yet, but running ipsec setup I expected the tunnel to come up:

ipsec_setup: Stopping FreeS/WAN IPsec...
ipsec_setup: stop ordered, but IPsec does not appear to be running!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting FreeS/WAN IPsec 1.97...
ipsec_setup: Using /lib/modules/ipsec.o
ipsec_setup: unable to determine address of `ppp0'

I have tried with interface=%defaultroute and interface=ipsec0=ppp0.

I use the latest Bering rc3:

# uname -a
Linux frodeadsl 2.4.18 #4 Sun Jun 9 09:46:15 CEST 2002 i586 unknown

# lrpkg -l
Name      Version      Description
========= ============ ==============================================
initrd    V1.0-rc3
root      V1.0-rc3
etc       V1.0-rc3
local     V1.0-rc3     Local package. This package does not contain a
modules   V1.0-rc3     Modules package. Contains kernel modules and u
keyboard  0.3          Use this package to adjust the keyboard settin
dhcpd     2.0pl5       dhcpd - Autoconfigure client machines
shorwall  1.3.1        Shoreline Firewall (Shorewall)
ppp       2.4.1-pppoe  PPPd Deamon
pppoe     3.3-1        pppoe add-on for pppd
dnscache  1.05a        dnscache from djbdns (V1.05a) package creates
mawk      1.3.3
ipsec     1.97         Freeswan IPSEC
libz      1.1.4        zlib compression library. Needed for openssh
ssh       3.2.3p1      OpenSSH ssh scp programs.
sshd      3.2.3p1      OpenSSH sshd daemon.

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:0a:1c brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:02:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.254/24 brd 192.168.20.255 scope global eth1
9: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 80.212.112.139 peer 80.212.112.0/32 scope global ppp0
126: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
127: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
128: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
129: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
Re: [leaf-user] problem with _startklips on bering rc3

On 12 Jul 2002 12:48:01 +0200 Ronny Aasen [EMAIL PROTECTED] wrote:
> Hello,
> I have a testing setup with IPsec between 3 Linux Bering firewalls and a
> ZyWALL 10 router, all on static IP addresses. I also have roadwarrior
> support from DHCP clients on ISDN/modem lines using Windows 98/SSH Sentinel
> and Windows 2000/XP (with the aid of vpn.ebootis.de).
>
> My problem arises when I try to set up a LAN-LAN tunnel between my master
> VPN Bering firewall and an ADSL gateway:
>
> {worklan}[Bering1 static 194.248.214.187]{NET}[Bering2 adsl dynamic 880.212.112.*]{homelan}
>
> I realise I can't get IPsec on startup since the ADSL ppp0 isn't up yet,
> but running ipsec setup I expected the tunnel to come up:
>
> ipsec_setup: Stopping FreeS/WAN IPsec...
> ipsec_setup: stop ordered, but IPsec does not appear to be running!
> ipsec_setup: doing cleanup anyway...
> ipsec_setup: Starting FreeS/WAN IPsec 1.97...
> ipsec_setup: Using /lib/modules/ipsec.o
> ipsec_setup: unable to determine address of `ppp0'

Is the above output the result of /etc/init.d/ipsec restart? Can you post the output of ipsec barf?

Thanks.
--
Chad Carr [EMAIL PROTECTED]