[Openswan dev] "rightsubnet=vhost:%no,%priv" Prevents Pluto from Starting

Meron Lavie lavie at netvision.net.il
Mon Jul 17 21:28:36 CEST 2006


Dear Developers,

 

I am trying to enable WinXP/SP2 (with the registry fix) clients to access my
Openswan server on a Linux FC5. Since my roadwarriors are NAT-ed, I required
the "rightsubnet=vhost:%no,%priv" option. I tried the option both in 2.4.4
(installed from a bin RPM) and 2.4.5 compiled from sources. In both cases,
the option caused error messages and made Pluto die.

You may note that without "rightsubnet=vhost:%no,%priv", there are no
problems in bringing up Pluto or in the ipsec verify output.

Your help would be greatly appreciated. I already posted in the Users list,
and they couldn't find anything wrong in theory in my setup.

I am enclosing below the relevant files and output.

TIA,

Lavie

Please find below the output of /var/log/messages:

=======================================================

Jul 17 09:26:56 lavie010 ipsec_setup: ...Openswan IPsec started
Jul 17 09:26:57 lavie010 ipsec_setup: Restarting Openswan IPsec 2.4.5...
Jul 17 09:26:57 lavie010 ipsec_setup: insmod /lib/modules/2.6.17-1.2145_FC5/kernel/net/key/af_key.ko
Jul 17 09:26:57 lavie010 ipsec_setup: insmod /lib/modules/2.6.17-1.2145_FC5/kernel/net/ipv4/xfrm4_tunnel.ko
Jul 17 09:26:57 lavie010 ipsec_setup: insmod /lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko
Jul 17 09:26:57 lavie010 ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko): No such device
Jul 17 09:26:57 lavie010 ipsec_setup: insmod /lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko
Jul 17 09:26:57 lavie010 ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko): No such device
Jul 17 09:26:58 lavie010 ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 211: 10237 Aborted                 /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-control --debug-parsing --use-auto --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
Jul 17 09:26:58 lavie010 ipsec__plutorun: 003 ASSERTION FAILED at connections.c:1382: isanyaddr(&c->spd.that.host_addr)
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 %myid = (none)
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 debug parsing+control
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL": %any[@myhost.myworkdomain.com]:17/%any...10.0.0.138---10.0.0.1:17/%any; unrouted; eroute owner: #0
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: ;
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":   newest ISAKMP SA: #0; newest IPsec SA: #0;
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000
Jul 17 09:26:59 lavie010 ipsec__plutorun: ...could not add conn "L2TP-PSK-EXTERNAL"
Jul 17 09:26:59 lavie010 ipsec__plutorun: whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Jul 17 09:26:59 lavie010 ipsec__plutorun: ...could not add conn "L2TP-PSK-INTERNAL"
Jul 17 09:26:59 lavie010 ipsec__plutorun: whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Jul 17 09:26:59 lavie010 ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)
Jul 17 09:26:59 lavie010 ipsec__plutorun: restarting IPsec after pause...
Jul 17 09:27:09 lavie010 kernel: NET: Unregistered protocol family 15
Jul 17 09:27:09 lavie010 ipsec_setup: ...Openswan IPsec stopped
Jul 17 09:27:09 lavie010 ipsec_setup: Stopping Openswan IPsec...
Jul 17 09:27:09 lavie010 ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:
Jul 17 09:27:09 lavie010 kernel: NET: Registered protocol family 15
Jul 17 09:27:10 lavie010 kernel: padlock: VIA PadLock not detected.
Jul 17 09:27:10 lavie010 ipsec_setup: KLIPS ipsec0 on eth0 10.0.0.1/255.0.0.0 broadcast 10.255.255.255
Jul 17 09:27:10 lavie010 ipsec_setup: ...Openswan IPsec started
Jul 17 09:27:11 lavie010 ipsec_setup: Restarting Openswan IPsec 2.4.5...
Jul 17 09:27:11 lavie010 ipsec_setup: insmod /lib/modules/2.6.17-1.2145_FC5/kernel/net/key/af_key.ko
Jul 17 09:27:11 lavie010 ipsec_setup: insmod /lib/modules/2.6.17-1.2145_FC5/kernel/net/ipv4/xfrm4_tunnel.ko
Jul 17 09:27:11 lavie010 ipsec_setup: insmod /lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko
Jul 17 09:27:11 lavie010 ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko): No such device
Jul 17 09:27:11 lavie010 ipsec_setup: insmod /lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko
Jul 17 09:27:11 lavie010 ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko): No such device

 

Below is the output from ipsec verify:

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path                                 [OK]

Linux Openswan U2.4.5/K2.6.17-1.2145_FC5 (netkey)

Checking for IPsec support in kernel                            [OK]

NETKEY detected, testing for disabled ICMP send_redirects       [OK]

NETKEY detected, testing for disabled ICMP accept_redirects     [OK]

Checking for RSA private key (/etc/ipsec.secrets)               [OK]

Checking that pluto is running                                  [FAILED]

  whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed
(111 Connection refused)

Two or more interfaces found, checking IP forwarding            [FAILED]

  whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed
(111 Connection refused)

Checking NAT and MASQUERADEing                              

Checking for 'ip' command                                       [OK]

Checking for 'iptables' command                                 [OK]

Opportunistic Encryption Support                                [DISABLED]


Below is my ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

        

# basic configuration

config setup

        # Debug-logging controls:  "none" for (almost) none, "all" for lots.

        # klipsdebug=none

        plutodebug="control parsing"

        nat_traversal=yes


        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

        

conn L2TP-PSK-INTERNAL

        authby=secret

        pfs=no  

        rekey=no

        keyingtries=3

        left=192.168.1.254

        leftprotoport=17/%any

        right=%any

        rightprotoport=17/%any

        auto=add

 

conn L2TP-PSK-EXTERNAL

        authby=secret

        pfs=no

        rekey=no

        keyingtries=3

        left=10.0.0.1

        leftnexthop=10.0.0.138

        leftid=10.0.0.1

        leftprotoport=17/%any

        right=%any

        rightsubnet=vhost:%no,%priv

        rightprotoport=17/%any

        rightid=@NATted.hostname.com

        auto=add

 

#include /etc/ipsec.d/*.conf

#Disable Opportunistic Encryption

include /etc/ipsec.d/examples/no_oe.conf
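The option at the centre of this report, rightsubnet=vhost:%no,%priv, lets a NAT-ed peer claim any inner address inside the virtual_private= networks, minus whatever is listed with a leading "!". The following is an added example, not code from the post or from Openswan, that parses the virtual_private value posted above with Python's standard ipaddress module and answers two questions a gateway operator should ask before enabling it: which client addresses %priv would admit, and which of the gateway's own networks are not excluded. The "local networks" fed to it are constructed from the config and log above (the 192.168.1.0/24 LAN behind left=192.168.1.254, and the 10.0.0.1/255.0.0.0 eth0 network the KLIPS line reports); the function names are this example's own. This is a configuration hygiene check and says nothing about the assertion failure in the log.

```python
import ipaddress

# The virtual_private= value from the ipsec.conf posted above, on one line.
VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24"


def parse_virtual_private(value):
    """Split a virtual_private= string into (allowed, excluded) network lists.

    Each comma-separated entry is %v4:CIDR or %v6:CIDR; a leading '!' on the
    CIDR marks a network that peers must NOT claim even if a broader entry
    allows it.  Malformed entries raise ValueError rather than being skipped,
    so a typo cannot silently widen what roadwarriors may claim.
    """
    allowed, excluded = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not (entry.startswith("%v4:") or entry.startswith("%v6:")):
            raise ValueError("unknown virtual_private entry: %r" % entry)
        body = entry[4:]
        if body.startswith("!"):
            excluded.append(ipaddress.ip_network(body[1:], strict=True))
        else:
            allowed.append(ipaddress.ip_network(body, strict=True))
    return allowed, excluded


def vhost_priv_accepts(client_addr, value=VIRTUAL_PRIVATE):
    """Would rightsubnet=vhost:%priv accept client_addr as the peer's inner address?

    %priv means "inside some allowed entry and inside no excluded entry".
    (%no, the other half of vhost:%no,%priv, only lets a peer that is not
    behind NAT use its real address; it is not modelled here.)
    """
    addr = ipaddress.ip_address(client_addr)
    allowed, excluded = parse_virtual_private(value)
    return any(addr in n for n in allowed) and not any(addr in n for n in excluded)


def unexcluded_local_nets(local_nets, value=VIRTUAL_PRIVATE):
    """Return the local networks a NAT-ed peer could still claim under %priv.

    A local network is safe only if it lies wholly inside some excluded entry;
    if it merely overlaps an allowed entry, a roadwarrior can present an inner
    address that collides with the gateway's own hosts.
    """
    allowed, excluded = parse_virtual_private(value)
    leaks = []
    for raw in local_nets:
        net = ipaddress.ip_network(raw, strict=False)
        reachable = any(net.overlaps(a) for a in allowed if a.version == net.version)
        covered = any(net.subnet_of(e) for e in excluded if e.version == net.version)
        if reachable and not covered:
            leaks.append(net)
    return leaks


if __name__ == "__main__":
    # Constructed probes: an ordinary private address, one inside the excluded
    # LAN, the leftnexthop from the config, and a public address.
    for probe in ("192.168.5.7", "192.168.1.20", "10.0.0.138", "8.8.8.8"):
        print(probe, "accepted" if vhost_priv_accepts(probe) else "rejected")
    # Constructed local networks taken from the config and the KLIPS log line.
    for net in unexcluded_local_nets(["192.168.1.0/24", "10.0.0.0/8"]):
        print("local network not excluded from virtual_private:", net)
```

Run against the posted value, the check accepts 192.168.5.7 and 10.0.0.138, rejects 192.168.1.20 (inside the "!" entry) and 8.8.8.8, and reports 10.0.0.0/8 as a local network that no "!" entry excludes, because the gateway's eth0 sits in the same 10.0.0.0/8 that roadwarriors are allowed to claim.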

 

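The syslog excerpt above buries the useful facts (one assertion, one abnormal exit, two whack connection refusals, a restart) under the algorithm listing pluto prints at startup. The following is an added example, not code from the post or from Openswan, that triages such an excerpt: it parses plain syslog records and pulls out the pluto assertion with its file and line, the exit status and signal reported by _plutorun, the conns whack could not add, the control-socket refusals, restart attempts, and the kernel modules ipsec_setup failed to insert. The sample log is a constructed subset of the lines in the post, one record per line, and the function names are this example's own.

```python
import re

# Syslog record: "Mon DD HH:MM:SS host program: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$"
)
# Pluto / _plutorun / ipsec_setup diagnostic formats as they appear in the post.
ASSERT_RE = re.compile(r"ASSERTION FAILED at (?P<file>[\w./-]+):(?P<line>\d+): (?P<expr>.+)$")
EXIT_RE = re.compile(r"!pluto failure!:\s+exited with error status (?P<status>\d+)(?: \(signal (?P<signal>\d+)\))?")
CONN_RE = re.compile(r'could not add conn "(?P<conn>[^"]+)"')
MODULE_RE = re.compile(r"FATAL: Error inserting (?P<module>\S+) \(")

# Constructed sample: a subset of the records from the post, one per line.
SAMPLE_LOG = """\
Jul 17 09:26:57 lavie010 ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko): No such device
Jul 17 09:26:58 lavie010 ipsec__plutorun: 003 ASSERTION FAILED at connections.c:1382: isanyaddr(&c->spd.that.host_addr)
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: ;
Jul 17 09:26:59 lavie010 ipsec__plutorun: ...could not add conn "L2TP-PSK-EXTERNAL"
Jul 17 09:26:59 lavie010 ipsec__plutorun: whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Jul 17 09:26:59 lavie010 ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)
Jul 17 09:26:59 lavie010 ipsec__plutorun: restarting IPsec after pause...
Jul 17 09:27:10 lavie010 kernel: padlock: VIA PadLock not detected.
"""


def parse_syslog(text):
    """Yield one dict (ts, host, prog, msg) per well-formed syslog record; skip the rest."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()


def triage_pluto(text):
    """Reduce a syslog excerpt to the handful of facts that explain a pluto start failure."""
    summary = {
        "assertions": [],       # (file, line, expression) from pluto's passert()
        "exits": [],            # (exit status, signal or None) reported by _plutorun
        "failed_conns": [],     # conn names whack could not add
        "whack_refused": 0,     # control-socket connect failures
        "restarts": 0,          # _plutorun restart attempts
        "module_failures": [],  # kernel modules ipsec_setup could not insert
    }
    for rec in parse_syslog(text):
        prog, msg = rec["prog"], rec["msg"]
        if prog == "ipsec__plutorun":
            m = ASSERT_RE.search(msg)
            if m:
                summary["assertions"].append((m["file"], int(m["line"]), m["expr"]))
                continue
            m = EXIT_RE.search(msg)
            if m:
                sig = int(m["signal"]) if m["signal"] else None
                summary["exits"].append((int(m["status"]), sig))
                continue
            m = CONN_RE.search(msg)
            if m:
                summary["failed_conns"].append(m["conn"])
            elif "whack: is Pluto running?" in msg:
                summary["whack_refused"] += 1
            elif "restarting IPsec after pause" in msg:
                summary["restarts"] += 1
        elif prog == "ipsec_setup":
            m = MODULE_RE.search(msg)
            if m:
                summary["module_failures"].append(m["module"])
    # An abnormal exit followed by a _plutorun restart is the crash-loop signature.
    summary["crash_loop"] = bool(summary["exits"]) and summary["restarts"] > 0
    return summary


if __name__ == "__main__":
    for key, value in triage_pluto(SAMPLE_LOG).items():
        print("%-16s %s" % (key, value))
```

On the sample, the triage reports the single assertion at connections.c:1382, exit status 134 with signal 6 (SIGABRT, which is what a failed passert() produces), the conn whack could not add, and a crash loop; the missing hw_random module is listed separately because, as the log shows, it does not stop IPsec from starting.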