[Openswan dev] Arkoon starter app for Openswan 1.0.2
Joshua Jackson
sfs at vortech.net
Fri Apr 9 06:58:34 CEST 2004
On Friday 09 April 2004 06:11, Paul Wouters wrote:
> On Fri, 9 Apr 2004, Joshua Jackson wrote:
> > Attached is a tgz of the source for the Arkoon starter application which
> > has been patched to work with openswan 1.0.2. XAUTH support is missing,
> > but the remainder of the features (X509, DPD, NAT-T, etc) are working and
> > it also contains the %defaultroute patch.
>
> Thanks!
>
> I have also made it available at:
>
> ftp://ftp.openswan.org/openswan/contrib/
>
> I've tested it on openswan-1 HEAD (current cvs, which means 1.0.3)
>
> - I had to change the define for ipsec.conf, since we do not ship it
> standard in /etc/ipsec.d/ipsec.conf
> - ignoring unknown keyword 'dumpdir' in config setup
> - ignoring unknown keyword 'plutoload' in config setup
> - ignoring unknown keyword 'plutostart' in config setup
> - can't load config: bad addr leftnexthop=%direct [illegal (non-DNS-name)
> character in name]
>
> I can see that plutoload/start don't really matter. But dumpdir would be
> nice. And the "%direct" is also something that is unfortunately needed for
> some local LAN connections in openswan-1. Openswan-2 no longer needs the
> nexthop settings.
>
> Starting didn't load any connections.
>
> It claimed:
>
> Loading conn peace-bofh
> Loading conn me-to-anyone
>
> peace-bofh was on "auto=ignore" so it should probably say it skipped
> loading it?
>
> The OE conn failed to load as well. When manually trying to --add it when
> starter is running, I got:
>
> # ipsec auto --add me-to-anyone
> ipsec_auto: fatal error in "me-to-anyone": %defaultroute requested but not
> known
>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 209.112.44.120  193.110.157.22  255.255.255.255 UGH   0      0        0 eth0
> 193.110.157.16  0.0.0.0         255.255.255.240 U     0      0        0 eth0
> 193.110.157.16  0.0.0.0         255.255.255.240 U     0      0        0 ipsec0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         193.110.157.30  0.0.0.0         UG    0      0        0 eth0
>
>
> Stopping with service ipsec stop caused starter to say:
>
> Apr 9 12:00:24 bofh pluto[19034]: FATAL ERROR: socket() in init_pfkeyfd().
> Errno 97: Address family not supported by protocol
>
> It kept running though.
>
> On another stop (now with --debug) I got:
>
> FATAL ERROR: socket() in init_pfkeyfd(). Errno 97: Address family not
> supported by protocol
> child 19281 (Pluto) has quit (exit code 1)
> pluto has died -- restart scheduled (5sec)
> pluto refused to be started
>
>
> The OE connection works without using starter.
>
> Anyway, thanks for the work on starter!
>
> Paul
Note that there are a pile of features in Free / Open swan that starter does
not support and never has. Here is an example config from one of my firewalls
for which starter works:
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    authby=rsasig
    keyingtries=0
    rightrsasigkey=%cert
    leftrsasigkey=%cert
    ike="aes128-md5,3des-md5"
    esp="aes128-md5,3des-md5"
    type=tunnel

conn vortech-colo-1
    right=66.xxx.xxx.102
    rightnexthop=66.xxx.xxx.1
    rightsubnet=38.xxx.xxx.0/24
    rightcert=wolf1_cert.pem
    rightid="CN=wolf1"
    left=24.xxx.xxx.146
    leftnexthop=24.xxx.xxx.145
    leftsubnet=192.168.0.0/24
    leftcert=wolverine_cert.pem
    leftid="CN=wolverine"
    dpddelay=15
    dpdtimeout=60
    dpdaction=hold
    auto=start
Starter offers just enough functionality for me to use it in my embedded
firewall app. While it doesn't support the full feature set, it does let me
establish X509 and PSK tunnels between firewalls. It also cuts the overall
size of the IPsec implementation down to a small fraction of its original
size, as it eliminates most of the scripts and the need for awk.
--
Joshua Jackson
Vortech Consulting
http://www.vortech.net
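Editor's added example (not code from Openswan, the Arkoon starter, or either poster): a small ipsec.conf parser and lint that checks a config against the starter limitations reported in this thread before it is deployed. The keyword lists are taken from Paul's report above: dumpdir, plutoload and plutostart are ignored in "config setup", a nexthop of %direct fails to load, and a conn with auto=ignore is announced as loaded but is not. The weak-algorithm check on ike/esp proposals (MD5, 3DES) is an editorial addition, not something the thread discusses. The sample config is constructed for the example, modeled on Joshua's, with addresses from the documentation ranges.

```python
"""Lint an ipsec.conf for things the Arkoon starter ignores or rejects.

Added example; not the starter's own parser. Rejected/ignored keywords
come from Paul's test report in this thread; the weak-algorithm check is
an editorial addition (assumption: you want MD5/3DES proposals flagged).
"""
import re

# "config setup" keywords the starter reported as unknown (from the thread).
STARTER_IGNORED_SETUP = {"dumpdir", "plutoload", "plutostart"}
# nexthop values the starter could not parse as an address (from the thread).
STARTER_BAD_NEXTHOP = {"%direct"}
# Editorial: algorithms this lint flags as weak in ike=/esp= proposals.
WEAK_ALGS = re.compile(r"\b(md5|3des|des)\b", re.I)

# Constructed sample, modeled on the config in this thread plus the
# keywords Paul reported starter ignoring or rejecting.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
    dumpdir=/var/run/pluto
    plutoload=%search
    uniqueids=yes
conn %default
    authby=rsasig
    ike="aes128-md5,3des-md5"
    esp="aes128-sha1"
    type=tunnel
conn peace-bofh
    left=%defaultroute
    leftnexthop=%direct
    right=192.0.2.10
    auto=ignore
conn vortech-colo-1
    left=192.0.2.2
    leftnexthop=192.0.2.1
    right=198.51.100.2
    rightid="CN=wolf1"
    auto=start
"""


def parse_ipsec_conf(text):
    """Return (setup, conns): setup is a dict, conns maps name -> dict.

    ipsec.conf layout: section headers ("config setup", "conn NAME") start at
    column 0; parameters are indented key=value lines; '#' starts a comment.
    "conn %default" supplies defaults merged into every other conn, with the
    conn's own explicit settings winning.
    """
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header
            kind, _, name = line.strip().partition(" ")
            name = name.strip()
            if kind == "config" and name == "setup":
                current = setup
            elif kind == "conn" and name:
                current = conns.setdefault(name, {})
            else:
                raise ValueError("unknown section: %r" % line)
            continue
        if current is None:
            raise ValueError("parameter outside a section: %r" % line)
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError("bad parameter line: %r" % line)
        current[key.strip()] = value.strip().strip('"')
    default = conns.pop("%default", {})
    return setup, {n: {**default, **c} for n, c in conns.items()}


def lint_for_starter(text):
    """Return a sorted-by-section list of warnings about starter behaviour."""
    setup, conns = parse_ipsec_conf(text)
    warnings = []
    for key in sorted(STARTER_IGNORED_SETUP & set(setup)):
        warnings.append("config setup: starter ignores keyword %r" % key)
    for name, conn in sorted(conns.items()):
        for side in ("left", "right"):
            nexthop = conn.get(side + "nexthop")
            if nexthop in STARTER_BAD_NEXTHOP:
                warnings.append("conn %s: starter cannot parse %snexthop=%s"
                                % (name, side, nexthop))
        if conn.get("auto") == "ignore":
            warnings.append("conn %s: auto=ignore, announced but not loaded"
                            % name)
        for prop in ("ike", "esp"):
            if prop in conn and WEAK_ALGS.search(conn[prop]):
                warnings.append("conn %s: %s proposal %r uses a weak algorithm"
                                % (name, prop, conn[prop]))
    return warnings


if __name__ == "__main__":
    for w in lint_for_starter(SAMPLE_CONF):
        print(w)
```

Run it against a real ipsec.conf by reading the file into `lint_for_starter`; on the constructed sample it reports the two ignored setup keywords, the %direct nexthop and auto=ignore on peace-bofh, and the MD5/3DES proposals that both conns inherit from %default.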