[Openswan dev]
" rightsubnet=vhost:%no,%priv" Prevents Pluto from Starting
Meron Lavie
lavie at netvision.net.il
Mon Jul 17 21:28:36 CEST 2006
Dear Developers,
I am trying to enable WinXP/SP2 (with the registry fix) clients to access my
Openswan server on a Linux FC5. Since my roadwarriors are NAT-ed, I required
the "rightsubnet=vhost:%no,%priv" option. I tried the option both in 2.4.4
(installed from a bin RPM) and 2.4.5 compiled from sources. In both cases,
the option caused error messages and for Pluto to die.
You may note that without " rightsubnet=vhost:%no,%priv", there are no
problems in bringing up Pluto or in the ipsec verify output.
Your help would be greatly appreciated. I already posted in the Users list,
and they couldn't find anything wrong in theory in my setup.
I am enclosing below relevant files and oputput.
TIA,
Lavie
Please find below the output of /var/log.messages:
=======================================================
Jul 17 09:26:56 lavie010 ipsec_setup: ...Openswan IPsec started Jul 17
09:26:57 lavie010 ipsec_setup: Restarting Openswan IPsec 2.4.5...
Jul 17 09:26:57 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/net/key/af_key.ko
Jul 17 09:26:57 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/net/ipv4/xfrm4_tunnel.ko
Jul 17 09:26:57 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko
Jul 17 09:26:57 lavie010 ipsec_setup: FATAL: Error inserting hw_random
(/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko): No such
device Jul 17 09:26:57 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko
Jul 17 09:26:57 lavie010 ipsec_setup: FATAL: Error inserting padlock
(/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko): No such
device
Jul 17 09:26:58 lavie010 ipsec__plutorun: /usr/local/lib/ipsec/_plutorun:
line 211: 10237 Aborted /usr/local/libexec/ipsec/pluto
--nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
--debug-control --debug-parsing --use-auto --uniqueids --nat_traversal
--virtual_private
%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
Jul 17 09:26:58 lavie010 ipsec__plutorun: 003 ASSERTION FAILED at
connections.c:1382: isanyaddr(&c->spd.that.host_addr) Jul 17 09:26:58
lavie010 ipsec__plutorun: 000 %myid = (none) Jul 17 09:26:58 lavie010
ipsec__plutorun: 000 debug parsing+control Jul 17 09:26:58 lavie010
ipsec__plutorun: 000 Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm
ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64 Jul
17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=3,
name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192 Jul 17 09:26:58
lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=7,
name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448 Jul 17 09:26:58
lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=11, name=ESP_NULL,
ivlen=0, keysizemin=0, keysizemax=0 Jul 17 09:26:58 lavie010
ipsec__plutorun: 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
keysizemin=128, keysizemax=256 Jul 17 09:26:58 lavie010 ipsec__plutorun: 000
algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128,
keysizemax=256 Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP
encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=1,
name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 Jul 17 09:26:58
lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=2,
name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 Jul 17
09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=5,
name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 Jul 17
09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=251,
name=(null), keysizemin=0, keysizemax=0 Jul 17 09:26:58 lavie010
ipsec__plutorun: 000 Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm
IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 Jul 17
09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE encrypt: id=7,
name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 Jul 17 09:26:58 lavie010
ipsec__plutorun: 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE hash: id=2,
name=OAKLEY_SHA1, hashsize=20 Jul 17 09:26:58 lavie010 ipsec__plutorun: 000
algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 Jul 17
09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=5,
name=OAKLEY_GROUP_MODP1536, bits=1536 Jul 17 09:26:58 lavie010
ipsec__plutorun: 000 algorithm IKE dh group: id=14,
name=OAKLEY_GROUP_MODP2048, bits=2048 Jul 17 09:26:58 lavie010
ipsec__plutorun: 000 algorithm IKE dh group: id=15,
name=OAKLEY_GROUP_MODP3072, bits=3072 Jul 17 09:26:58 lavie010
ipsec__plutorun: 000 algorithm IKE dh group: id=16,
name=OAKLEY_GROUP_MODP4096, bits=4096 Jul 17 09:26:58 lavie010
ipsec__plutorun: 000 algorithm IKE dh group: id=17,
name=OAKLEY_GROUP_MODP6144, bits=6144 Jul 17 09:26:58 lavie010
ipsec__plutorun: 000 algorithm IKE dh group: id=18,
name=OAKLEY_GROUP_MODP8192, bits=8192 Jul 17 09:26:58 lavie010
ipsec__plutorun: 000 Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 stats
db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0}
attrs={0,0,0} Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 Jul 17 09:26:59
lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":
%any[@myhost.myworkdomain.com]:17/%any...10.0.0.138---10.0.0.1:17/%any;
unrouted; eroute owner: #0
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":
srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":
ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 3
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL": policy:
PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: ;
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL": newest
ISAKMP SA: #0; newest IPsec SA: #0;
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 Jul 17 09:26:59 lavie010
ipsec__plutorun: 000 Jul 17 09:26:59 lavie010 ipsec__plutorun: ...could not
add conn "L2TP-PSK-EXTERNAL"
Jul 17 09:26:59 lavie010 ipsec__plutorun: whack: is Pluto running?
connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused) Jul
17 09:26:59 lavie010 ipsec__plutorun: ...could not add conn
"L2TP-PSK-INTERNAL"
Jul 17 09:26:59 lavie010 ipsec__plutorun: whack: is Pluto running?
connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused) Jul
17 09:26:59 lavie010 ipsec__plutorun: !pluto failure!: exited with error
status 134 (signal 6) Jul 17 09:26:59 lavie010 ipsec__plutorun: restarting
IPsec after pause...
Jul 17 09:27:09 lavie010 kernel: NET: Unregistered protocol family 15 Jul 17
09:27:09 lavie010 ipsec_setup: ...Openswan IPsec stopped Jul 17 09:27:09
lavie010 ipsec_setup: Stopping Openswan IPsec...
Jul 17 09:27:09 lavie010 ipsec_setup: Removing orphaned
/var/run/pluto/pluto.pid:
Jul 17 09:27:09 lavie010 kernel: NET: Registered protocol family 15 Jul 17
09:27:10 lavie010 kernel: padlock: VIA PadLock not detected.
Jul 17 09:27:10 lavie010 ipsec_setup: KLIPS ipsec0 on eth0
10.0.0.1/255.0.0.0 broadcast 10.255.255.255 Jul 17 09:27:10 lavie010
ipsec_setup: ...Openswan IPsec started Jul 17 09:27:11 lavie010 ipsec_setup:
Restarting Openswan IPsec 2.4.5...
Jul 17 09:27:11 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/net/key/af_key.ko
Jul 17 09:27:11 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/net/ipv4/xfrm4_tunnel.ko
Jul 17 09:27:11 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko
Jul 17 09:27:11 lavie010 ipsec_setup: FATAL: Error inserting hw_random
(/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko): No such
device Jul 17 09:27:11 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko
Jul 17 09:27:11 lavie010 ipsec_setup: FATAL: Error inserting padlock
(/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko): No such
device
Below is the output fro ipsec verify:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.5/K2.6.17-1.2145_FC5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [FAILED]
whack: is Pluto running? connect() for "/var/run/pluto/pluto.ctl" failed
(111 Connection refused)
Two or more interfaces found, checking IP forwarding [FAILED]
whack: is Pluto running? connect() for "/var/run/pluto/pluto.ctl" failed
(111 Connection refused)
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Below is my ipsec.config:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
plutodebug="control parsing"
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192
.168.1.0/24
conn L2TP-PSK-INTERNAL
authby=secret
pfs=no
rekey=no
keyingtries=3
left=192.168.1.254
leftprotoport=17/%any
right=%any
rightprotoport=17/%any
auto=add
conn L2TP-PSK-EXTERNAL
authby=secret
pfs=no
rekey=no
keyingtries=3
left=10.0.0.1
leftnexthop=10.0.0.138
leftid=10.0.0.1
leftprotoport=17/%any
right=%any
rightsubnet=vhost:%no,%priv
rightprotoport=17/%any
rightid=@NATted.hostname.com
auto=add
#include /etc/ipsec.d/*.conf
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/dev/attachments/20060717/3942de82/attachment-0001.htm
More information about the Dev
mailing list