<html>
<body>
Hi.<br><br>
I have used the <i>openswan26.spec</i> to rpmbuild the tarball package on
my Red Hat Enterprise ES 3. All OK. I have installed the RPM with the
userland tools of Openswan 2.1.1 and I have configured the configuration
files. I have defined a connection named "conntest" with another
VPN gateway based on Super FreeS/WAN.<br><br>
I think that the NAT-Traversal patch is still in the kernel because I
found a patch called <i>linux-2.4.21-ipsec.patch</i> in the
kernel-2.4.21-9.0.1.EL.src.rpm<br><br>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
...<br>
# 03/06/16 derek@ihtfp.com 1.1383<br>
# [IPSEC]: Implement UDP Encapsulation framework.<br>
#<br>
# In particular, implement ESPinUDP encapsulation for IPsec<br>
# Nat Traversal.<br>
...<br>
+<br>
+/* This defines the TYPE of Nat Traversal in use. Currently only
one<br>
+ * type of NAT-T is supported, draft-ietf-ipsec-udp-encaps-06<br>
+ */<br>
+struct sadb_x_nat_t_type {<br>
+
uint16_t
sadb_x_nat_t_type_len;<br>
+
uint16_t
sadb_x_nat_t_type_exttype;<br>
+
uint8_t
sadb_x_nat_t_type_type;<br>
+
uint8_t
sadb_x_nat_t_type_reserved[3];<br>
+} __attribute__((packed));<br>
+/* sizeof(struct sadb_x_nat_t_type) == 8 */<br>
+<br>
+/* Pass a NAT Traversal port (Source or Dest port) */<br>
+struct sadb_x_nat_t_port {<br>
+
uint16_t
sadb_x_nat_t_port_len;<br>
+
uint16_t
sadb_x_nat_t_port_exttype;<br>
+
uint16_t
sadb_x_nat_t_port_port;<br>
+
uint16_t
sadb_x_nat_t_port_reserved;<br>
+} __attribute__((packed));<br>
+/* sizeof(struct sadb_x_nat_t_port) == 8 */<br>
+<br>
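Review bot: the port and type fields in these two structures lack the documentation userland needs to use them safely: sadb_x_nat_t_port_port does not say whether it is host or network byte order, and sadb_x_nat_t_type_type has no named constant for the one type the comment says is supported (draft-ietf-ipsec-udp-encaps-06), so pluto and the kernel can silently disagree on the value. Suggest a comment on the port field stating the byte order and a #define for the draft-06 type value next to the struct; also state that sadb_x_nat_t_type_reserved[3] and sadb_x_nat_t_port_reserved must be zero on input so the parser can reject messages that are not.<br><br>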
...<br>
+/* The next four entries are for setting up NAT Traversal */<br>
+#define
SADB_X_EXT_NAT_T_TYPE
20<br>
+#define
SADB_X_EXT_NAT_T_SPORT
21<br>
+#define
SADB_X_EXT_NAT_T_DPORT
22<br>
+#define
SADB_X_EXT_NAT_T_OA
23<br>
+#define
SADB_EXT_MAX
23<br>
+<br>
...<br>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------<br><br>
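Review bot: raising SADB_EXT_MAX to 23 resizes every table indexed by extension type, including the per-extension minimum-length table the PF_KEY parser uses to bound each extension before touching it, and this excerpt shows no entries being added for types 20-23. Without them a message carrying SADB_X_EXT_NAT_T_TYPE, _SPORT, _DPORT or _OA would be checked against a stale or zero length; confirm the full patch adds those entries, and note that userland built with the old SADB_EXT_MAX (arrays declared SADB_EXT_MAX+1) must be rebuilt against the new header.<br><br>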
and this patch is applied in the <i>kernel-2.4.spec</i>. But at the
moment NAT-T is not a problem ...<br>
If I try to start the service ...<br><br>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
[root@platoon etc]# service ipsec start<br>
ipsec_setup: Starting Openswan IPsec 2.1.1...<br>
ipsec_setup: insmod: ipsec: no module by that name found<br>
ipsec_setup: /sbin/insmod /lib/modules/2.4.21-9.0.1.EL/kernel/net/key/af_key.o<br>
ipsec_setup: Using /lib/modules/2.4.21-9.0.1.EL/kernel/net/key/af_key.o<br>
ipsec_setup: Symbol version prefix ''<br>
[root@platoon etc]#<br>
[root@platoon etc]# ipsec verify<br>
Checking your system to see if IPsec got installed and started correctly:<br>
Version check and ipsec on-path [OK]<br>
Linux FreeS/WAN U2.1.1/K2.4.21-9.0.1.EL (native) (native)<br>
Checking for IPsec support in kernel [OK]<br>
Checking for RSA private key (/etc/ipsec.secrets) [OK]<br>
Checking that pluto is running [OK]<br>
Two or more interfaces found, checking IP forwarding [OK]<br>
Checking NAT and MASQUERADEing<br>
Checking for 'ip' command [OK]<br>
Checking for 'iptables' command [OK]<br>
Checking for 'setkey' command for native IPsec stack support [OK]<br><br>
Opportunistic Encryption DNS checks:<br>
Looking for TXT in forward dns zone: platoon [MISSING]<br>
Does the machine have at least one non-private address? [OK]<br>
Looking for TXT in reverse dns zone: 35.111.111.111.in-addr.arpa. [MISSING]<br>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------<br><br>
All seems well, but ...<br><br>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
[root@platoon etc]# ifconfig ipsec0<br>
ipsec0: error fetching interface information: Device not found<br>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------<br><br>
This is the interesting part of /var/log/messages:<br><br>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
[root@platoon log]# tail -f messages<br>
Mar 26 11:19:40 platoon ipsec_setup: Starting Openswan IPsec 2.1.1...<br>
Mar 26 11:19:40 platoon ipsec_setup: insmod: ipsec: no module by that name found<br>
Mar 26 11:19:40 platoon ipsec_setup: /sbin/insmod /lib/modules/2.4.21-9.0.1.EL/kernel/net/key/af_key.o<br>
Mar 26 11:19:40 platoon ipsec_setup: Using /lib/modules/2.4.21-9.0.1.EL/kernel/net/key/af_key.o<br>
Mar 26 11:19:40 platoon ipsec_setup: Symbol version prefix ''<br>
Mar 26 11:19:40 platoon ipsec_setup: KLIPS ipsec0 on eth0 111.111.111.35/255.255.255.0 broadcast 111.111.111.255<br>
Mar 26 11:19:40 platoon ipsec_setup: ...Openswan IPsec started<br>
Mar 26 11:19:41 platoon ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known<br>
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module ripemd160<br>
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module cast128<br>
Mar 26 11:19:41 platoon ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known<br>
Mar 26 11:19:41 platoon ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known<br>
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module lzs<br>
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module lzjh<br>
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module ripemd160<br>
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module cast128<br>
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module lzs<br>
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module lzjh<br>
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module ripemd160<br>
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module cast128<br>
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module lzs<br>
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module lzjh<br>
Mar 26 11:19:41 platoon ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known<br>
Mar 26 11:19:42 platoon ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known<br>
Mar 26 11:19:42 platoon ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known<br>
Mar 26 11:19:42 platoon ipsec__plutorun: 021 no connection named "packetdefault"<br>
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not route conn "packetdefault"<br>
Mar 26 11:19:42 platoon ipsec__plutorun: 021 no connection named "block"<br>
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not route conn "block"<br>
Mar 26 11:19:42 platoon ipsec__plutorun: 021 no connection named "clear-or-private"<br>
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not route conn "clear-or-private"<br>
Mar 26 11:19:42 platoon ipsec__plutorun: 021 no connection named "clear"<br>
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not route conn "clear"<br>
Mar 26 11:19:42 platoon ipsec__plutorun: 021 no connection named "private-or-clear"<br>
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not route conn "private-or-clear"<br>
Mar 26 11:19:42 platoon ipsec__plutorun: 021 no connection named "private"<br>
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not route conn "private"<br>
Mar 26 11:19:42 platoon ipsec__plutorun: 104 "conntest" #1: STATE_MAIN_I1: initiate<br>
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not start conn "conntest"<br>
Mar 26 11:20:09 platoon modprobe: modprobe: Can't locate module ipsec0<br>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------<br><br>
BUT ... really ... the SA "conntest" was established.<br>
In fact:<br><br>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
[root@platoon log]# ipsec auto --status<br>
000 interface lo/lo 127.0.0.1<br>
000 interface eth0/eth0 111.111.111.35<br>
000 interface eth1/eth1 192.168.100.1<br>
000 %myid = (none)<br>
000 debug none<br>
000<br>
000 "conntest": 192.168.100.0/24===111.111.111.35...222.222.222.5---222.222.222.6===192.168.2.0/24; erouted; eroute owner: #4<br>
000 "conntest": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3<br>
000 "conntest": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth0;<br>
000 "conntest": newest ISAKMP SA: #3; newest IPsec SA: #4;<br>
000<br>
000 #6: "conntest" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s<br>
000 #4: "conntest" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28373s; newest IPSEC; eroute owner<br>
000 #4: "conntest" esp.2ba2ac1f@222.222.222.6 esp.42ef01c8@111.111.111.35 tun.0@222.222.222.6 tun.0@111.111.111.35<br>
000 #3: "conntest" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3173s; newest ISAKMP<br>
000 #1: "conntest" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2720s<br>
000 <br>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------<br><br>
<i>ISAKMP SA established</i> ... but I don't have the ipsec0 device and I
don't have any route to the "rightsubnet".<br>
This is my configuration of openswan:<br><br>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
[root@platoon etc]# cat ipsec.conf<br>
version 2.0<br><br>
config setup<br>
# Debug-logging controls: "none" for (almost) none, "all" for lots.<br>
# klipsdebug=all<br>
# plutodebug=dns<br>
interfaces="ipsec0=eth0"<br>
#interfaces=%defaultroute<br>
klipsdebug=none<br>
plutodebug=none<br>
uniqueids=yes<br>
#nat_traversal=yes<br><br>
conn %default<br>
keyingtries=3<br>
disablearrivalcheck=no<br>
authby=rsasig<br>
type=tunnel<br>
pfs=yes<br>
<br>
conn conntest<br>
authby=secret<br>
pfs=no<br>
left=111.111.111.35<br>
leftid=111.111.111.35<br>
leftsubnet=192.168.100.0/24<br>
#leftupdown="/usr/lib/ipsec/_updown.conntest"<br>
right=222.222.222.6<br>
rightid=222.222.222.6<br>
rightsubnet=192.168.2.0/24<br>
rightnexthop=222.222.222.5<br>
auto=start<br>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------<br><br>
What's the problem?<br><br>
Thanks, Morgan</body>
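<p>Added diagnostic by the editor, not part of Morgan's post and not Openswan's own tooling. The <code>ipsec verify</code> output above reports the kernel stack as "(native)", and the startup log shows af_key.o being loaded right after "insmod: ipsec: no module by that name found", so the first thing to settle is which IPsec stack the kernel is actually running, because only KLIPS creates an ipsec0 device. The script below reads the marker each stack exposes under /proc (KLIPS: /proc/net/ipsec_version; native af_key stack: /proc/net/pfkey; these two paths are assumptions stated here, not taken from the post), says whether a missing ipsec0 is normal for that stack, and prints the command that lists the kernel's installed policies. The optional root-prefix argument exists only so the check can be exercised against a constructed /proc tree.</p>

```shell
#!/bin/sh
# Editor's added diagnostic (not from the original post): which Linux IPsec
# stack is the kernel running, and where does that stack keep its policies?
#
# Assumed stack markers (assumption, not taken from the post):
#   KLIPS (FreeS/WAN-style, creates ipsecN devices) : /proc/net/ipsec_version
#   native af_key stack (no ipsecN devices)          : /proc/net/pfkey
# $1 is an optional root prefix so the check can be run against a
# constructed /proc tree instead of the live one.

detect_stack() {
    root="${1:-}"
    if [ -e "$root/proc/net/ipsec_version" ]; then
        echo klips
    elif [ -e "$root/proc/net/pfkey" ]; then
        echo native
    else
        echo none
    fi
}

# Command that lists the kernel's installed IPsec policies for a stack.
# Exits non-zero when no stack is present so callers can branch on it.
policy_cmd() {
    case "$1" in
        klips)  echo "ipsec eroute" ;;
        native) echo "setkey -DP" ;;
        *)      return 1 ;;
    esac
}

# Status 0 when "ifconfig ipsec0: Device not found" is the normal state for
# the stack, i.e. not by itself evidence that the tunnel is broken.
ipsec0_expected_missing() {
    [ "$1" = native ]
}

main() {
    stack=$(detect_stack "")
    echo "IPsec stack in use: $stack"
    case "$stack" in
        native) echo "no ipsec0 device is expected; the tunnel lives in the SPD/SAD" ;;
        klips)  echo "an ipsec0 device should exist; check 'ifconfig ipsec0'" ;;
        *)      echo "no IPsec stack detected: neither ipsec nor af_key is loaded"; return ;;
    esac
    cmd=$(policy_cmd "$stack")
    echo "list the installed policies with: $cmd"
    # Run the tool only when it is installed; a failure (e.g. not root)
    # is reported rather than aborting the script.
    tool=${cmd%% *}
    if command -v "$tool" >/dev/null 2>&1; then
        $cmd 2>&1 || echo "($cmd failed; run it as root)"
    fi
}

main
```

<p>On a native-stack box the policies and the routing towards the rightsubnet are expressed as SPD entries (visible with <code>setkey -DP</code>) rather than as routes through an ipsecN interface, so the absence of both an ipsec0 device and a kernel route is consistent with an established SA there; on a KLIPS box the same symptoms would point at the interface setup.</p>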
</html>