Sorry for my late answer, but I had lots of matters to attend to.<div><br></div><div>First of all, thank you, Paul, for your reply.</div><div><br></div><div>I was thinking the same thing: since it's an embedded system, many kernel features would be disabled.</div>
<div>So I compared an ipsec barf with one from a PC to see which configs to activate.</div><div><br></div><div>I activated almost everything except some drivers, but the problem still exists!</div><div>So I went looking in another direction to see what else might be going wrong.</div>
<div><br></div><div>I found the following errors in the logs:</div><div><br></div><div><div>2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | executing route-host: 2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='sample' PLUTO_INTERFACE='eth2' PLUTO_NEXT_HOP='192.168.173.20' PLUTO_ME='192.168.173.111' PLUTO_MY_ID='192.168.173.111' PLUTO_MY_CLIENT='192.168.173.111/32' PLUTO_MY_CLIENT_NET='192.168.173.111' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.173.20' PLUTO_PEER_ID='192.168.173.20' PLUTO_PEER_CLIENT='192.168.173.20/32' PLUTO_PEER_CLIENT_NET='192.168.173.20' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW' ipsec _updown</div>
<div>2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | popen(): cmd is 675 chars long</div>
<div>2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd( 0):2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='sample' PLUTO:</div>
<div>2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd( 80):_INTERFACE='eth2' PLUTO_NEXT_HOP='192.168.173.20' PLUTO_ME='192.168.173.111' PLU:</div>
<div>2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd( 160):TO_MY_ID='192.168.173.111' PLUTO_MY_CLIENT='192.168.173.111/32' PLUTO_MY_CLIENT_:</div>
<div>2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd( 240):NET='192.168.173.111' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' P:</div>
<div>2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd( 320):LUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.173.20' PLUTO_PEER_ID='192.168.173.20' :</div>
<div>2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd( 400):PLUTO_PEER_CLIENT='192.168.173.20/32' PLUTO_PEER_CLIENT_NET='192.168.173.20' PLU:</div>
<div>2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd( 480):TO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0:</div>
<div>2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd( 560):' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNE:</div>
<div>2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd( 640):L+PFS+UP+IKEv2ALLOW' ipsec _updown:</div>
<div>2010/12/03 18:00:25 info HOOME daemon confd_ip[27777]: rule flush cache</div>
<div>2010/12/03 18:00:25 err HOOME daemon confd_ip[4115]: Error reading data: Connection reset by peer</div>
<div>2010/12/03 18:00:25 warning HOOME authpriv pluto[27788]: "sample" #2: route-host output: select() error: Bad file descriptor</div>
<div>2010/12/03 18:00:25 warning HOOME authpriv pluto[27788]: "sample" #2: route-host command exited with status 255</div>
</div><div><br></div><div>Then I tried to run some commands like ip route list or ip addr list.</div><div><br></div><div>It seems that the netlink socket in the system does not always provide the data.</div>
<div>For example, if I run the command once it might work, but if I run it again it doesn't.</div><div><br></div><div>And from the strace I get some really strange output. It seems that the data are indeed written but are not printed.</div>
<div>And the resource seems to be temporarily unavailable.</div><div><br></div><div>So I guess I will go in this direction to see why the system behaves like this, and why the route-host command, which as it seems uses netlink sockets and the confd_ip resource, fails.</div>
<div><br></div><div>Any hints are always welcome.</div><div>I will also keep you posted in case I find out more.</div><div><br></div><div><br><div class="gmail_quote">2010/12/6 Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">On Mon, 6 Dec 2010, Panagiotis Tamtamis wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I am trying to install and operate openswan on an embedded system. It's a PBX, to be exact. Openswan has been compiled and installed successfully, as it seems,<br>
but when I am trying to make a tunnel I have an error which I cannot comprehend.<br>
</blockquote>
<br>
</div><div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}<br>
002 "sample" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:af67a9c2 proposal=defaults<br>
pfsgroup=OAKLEY_GROUP_MODP2048}<br>
117 "sample" #2: STATE_QUICK_I1: initiate<br>
002 "sample" #2: route-host output: select() error: Bad file descriptor<br>
003 "sample" #2: route-host command exited with status 255<br>
032 "sample" #2: STATE_QUICK_I1: internal error<br>
003 "sample" #2: ERROR: netlink response for Add SA <a href="mailto:esp.76250eed@192.168.173.20" target="_blank">esp.76250eed@192.168.173.20</a> included errno 3: No such process<br>
</blockquote>
<br></div>
I suspect you might be missing some kernel modules for netkey. Perhaps the crypto modules or af_key or XFRM_USER?<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Think simple!<br>
</div>
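<div>The thread above leaves the netlink question open, so here is an added diagnostic (not code from the thread, from Paul, or from Openswan) that does what ip route list does on the wire: it dumps the IPv4 routing table over NETLINK_ROUTE, retries on EAGAIN ("Resource temporarily unavailable") instead of giving up, and turns an NLMSG_ERROR reply into a plain errno, which is how the "errno 3: No such process" in the quoted log reaches userspace. The NLMSG_ERROR reply in demo_error_parse() is constructed sample data, and the 16 KiB receive buffer is an assumption of this example.</div>

```c
/* Added example (not from the thread or Openswan): NETLINK_ROUTE probe that retries on
 * EAGAIN and maps an NLMSG_ERROR reply to errno, as "ip route list" has to. */
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Walk one recv() buffer: count RTM_NEWROUTE records, flag NLMSG_DONE, map NLMSG_ERROR to errno. */
int count_routes(char *buf, int len, int *done)
{
    int n = 0;
    for (struct nlmsghdr *h = (void *)buf; NLMSG_OK(h, len); h = NLMSG_NEXT(h, len)) {
        if (h->nlmsg_type == NLMSG_DONE) { *done = 1; break; }
        if (h->nlmsg_type == NLMSG_ERROR)   /* kernel reports a negative errno in the payload */
            return errno = -((struct nlmsgerr *)NLMSG_DATA(h))->error, -1;
        if (h->nlmsg_type == RTM_NEWROUTE) n++;
    }
    return n;
}

/* Offline check on a constructed reply carrying the thread's "errno 3: No such process". */
int demo_error_parse(void)
{
    char buf[NLMSG_SPACE(sizeof(struct nlmsgerr))] = {0};
    struct nlmsghdr *h = (void *)buf;
    int done = 0;
    h->nlmsg_len = NLMSG_LENGTH(sizeof(struct nlmsgerr));
    h->nlmsg_type = NLMSG_ERROR;
    ((struct nlmsgerr *)NLMSG_DATA(h))->error = -ESRCH;   /* sample data, not a real reply */
    return count_routes(buf, (int)h->nlmsg_len, &done) < 0 ? errno : 0;
}

/* Live probe: dump the IPv4 routing table; returns the route count, or -1 with errno set. */
int dump_routes(void)
{
    struct { struct nlmsghdr nh; struct rtmsg rt; } req = { { NLMSG_LENGTH(sizeof(struct rtmsg)),
        RTM_GETROUTE, NLM_F_REQUEST | NLM_F_DUMP, 1, 0 }, { AF_INET } };
    char buf[16384];                       /* assumed large enough for one dump chunk */
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE), total = 0, done = 0, len, n;
    if (fd < 0 || send(fd, &req, sizeof req, 0) < 0) return -1;
    while (!done) {
        if ((len = (int)recv(fd, buf, sizeof buf, 0)) < 0 && errno == EAGAIN) continue;
        if (len < 0 || (n = count_routes(buf, len, &done)) < 0) break;   /* real failure */
        total += n;
    }
    close(fd);
    return done ? total : -1;
}
```

A dump that returns -1 with errno still set from the socket call points at the kernel side (missing netlink or XFRM support, as Paul suggested), while one that parses but never reaches NLMSG_DONE points at the reader side.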