[Openswan dev] Questions about fork and ipsec manual

Adrian Wee Chin Mun cmwee at itee.uq.edu.au
Mon Oct 16 01:53:06 EDT 2006


Hi,

      I have asked some parts of these questions in the user mailing list but
I feel that it is more suitable for the dev list for the things I would like
to ask. I am pretty sure the KLIPS/NETKEY is loaded (I tested with ipsec
--version) and it works with ipsec auto after all.

      To bring things to perspective, I am working on implementing openswan
on a platform with a processor (MicroBlaze) that runs at 66Mhz connected to
a hardware crypto core on an FPGA (I am using 2.4.5 which includes OCF
support). I am using uClinux. However since the processor does not have a
Memory Management Unit, I cannot run fork in the usual sense of the word. An
unfortunate side effect of that is also the shell does not support
functions. I have extracted all the functions from the scripts to be
standalone with some cleaning.

      Therefore that is also the reason I am interested in a very thin app
(at least for the development stage). I have looked at the scripts and I saw
in _plutorun (around line 220)

until (
        if test -s $info
        then
                . $info
                export defaultroutephys defaultroutevirt defaultrouteaddr defaultroutenexthop
        fi
        # eval allows $popts to contain redirection and other magic
        eval $execdir/pluto --nofork --secretsfile "$IPSEC_SECRETS" --ipsecdir $ipsecdir $popts
        status=$?
        echo "exit"
        echo $status
        ) | $libdir/_plutoload --wait "$plutowait" --post "$postpluto"


Executing _plutorun gives me this

Jan  1 05:06:53 pluto[200]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEnMCu\177xOp at c)
Jan  1 05:06:53 pluto[200]: Setting NAT-Traversal port-4500 floating to off
Jan  1 05:06:53 pluto[200]:    port floating activation criteria nat_t=0/port_fload=1
Jan  1 05:06:53 pluto[200]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Jan  1 05:06:54 pluto[200]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan  1 05:06:54 pluto[200]: starting up 1 cryptographic helpers
Jan  1 05:06:54 pluto[200]: failed to start child, error = Function not implemented
Jan  1 05:06:54 pluto[200]: Using KLIPS IPsec interface code on 2.4.32-uc0
Jan  1 05:06:54 pluto[200]: FATAL ERROR: readlink("/proc/self/exe") failed in init_adns(). Errno 2: No such file or directory

 

I understand that the last error is probably something to do with the
location of the directories; however, what I am worried about is the "failed to
start child". Which brings me to the big question: do Pluto and KLIPS need
forks? Is that child failure a result of Pluto, and would manual operations
solve this problem?

 

Thank you

Adrian

 

-----Original Message-----

From: Paul Wouters [mailto:paul at xelerance.com]

Sent: Wednesday, 11 October 2006 3:58 PM

To: Adrian Wee Chin Mun

Cc: users at openswan.org

Subject: Re: [Openswan Users] ipsec manual problem with 2.4 kernel

 

On Wed, 11 Oct 2006, Adrian Wee Chin Mun wrote:

 

>             I am somewhat new to this so pardon the rather newbie
> questions.
> First of all I am running 2 different Linux boxes, one with 2.4 kernel
> and another with 2.6 kernel. I used rpm for the 2.6 (since it was
> available) and compiled for the 2.4 (no rpm since it is an old FC1). I
> am just using PC host-to-host for testing now.

 

Okay.

 

> First of all I would like to implement openswan on an embedded
> system and I will not need IKE so I am only using manual keying.

 

I don't think you want to implement "just manual keying without IKE".....

 

openswan runs fine with the IKE daemon on embedded platforms. Everyone is
doing it. Buy a Linksys router, flash OpenWrt, and 'ipkg update' and 'ipkg
install openswan' and you have a full IKE daemon on your embedded system.

 

Manual mode is not secure. Will you replace the keys you manually load into
the kernel every few hours?

 

> I can get ipsec manual to work with the 2.6 kernel.
>
> conn formanual
>         left=192.168.1.200
>         right=192.168.1.10
>         spi=0x200
>         esp=3des-md5-96
>         espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
>         espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf

 

It should work. But it might very well be that manual mode is broken. I'll
issue a complete testrun once we are at 2.4.7dr2, but manual mode bugs are
*really* a low priority for us, as we believe there is no valid use for
manual mode (and on top of that, it is harder to set up than using IKE).

 

> However this doesn't seem to work with the one running on the 2.4
> kernel
>
> ipsec manual -up formanual
>
> gives 'ipsec manual: fatal error in "formanual" no IPsec-enabled
> interfaces found

 

What does "ipsec --version" say? Do you have an IPsec stack? You should
either see KLIPS or NETKEY. For 2.4 you should probably use KLIPS, as the
backports of the 2.6 NETKEY code tend to be very old and broken.

 

> So obviously the ipsec manual appears ok with the 2.6 kernel and will
> not start for the 2.4 kernel. I have tried restarting the network and
> ipsec services to no avail. Any help or comments would be appreciated.

 

I believe this is just because you have no IPsec stack loaded, you just have
the userland tools installed.

 

Paul

--

Building and integrating Virtual Private Networks with Openswan:

http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
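The "failed to start child, error = Function not implemented" line in the Pluto log above is what fork() returning ENOSYS looks like on an MMU-less uClinux kernel. The following is an added C example and not Openswan's own code: a small helper-spawning routine that tries fork() first and, only when the kernel reports ENOSYS, falls back to vfork() followed by exec. The function names spawn_helper and run_helper_and_wait and the spawn_method enum are my own. The fallback only covers children that immediately exec another program; a child that must keep running code from the parent's image without exec'ing (the way a forked worker does) cannot be served by vfork(), whose child may only exec or _exit.

```c
/*
 * Added example (not Openswan code): spawn a child with fork(), and when
 * the kernel reports ENOSYS ("Function not implemented", as on MMU-less
 * uClinux) fall back to vfork()+execvp(). On an ordinary Linux box the
 * fork() path is taken and the fallback stays idle.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Records which mechanism actually created the child (useful for logging). */
enum spawn_method { SPAWN_NONE = 0, SPAWN_FORK = 1, SPAWN_VFORK = 2 };

/*
 * Run argv[0] with arguments argv as a child process.
 * Returns the child's pid and stores the method used in *method;
 * returns -1 with errno set when no mechanism worked.
 */
pid_t spawn_helper(char *const argv[], enum spawn_method *method)
{
    pid_t pid = fork();
    if (pid >= 0) {
        if (pid == 0) {
            /* child: replace ourselves with the helper program */
            execvp(argv[0], argv);
            _exit(127);             /* exec failed */
        }
        *method = SPAWN_FORK;
        return pid;
    }
    if (errno != ENOSYS) {
        /* a real failure (EAGAIN, ENOMEM, ...), not a missing syscall */
        *method = SPAWN_NONE;
        return -1;
    }
    /* fork() is not implemented: vfork() shares the parent's address space
       until the child execs, which is what MMU-less kernels support. */
    pid = vfork();
    if (pid < 0) {
        *method = SPAWN_NONE;
        return -1;
    }
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* only exec or _exit is safe after vfork() */
    }
    *method = SPAWN_VFORK;
    return pid;
}

/* Spawn, wait, and return the child's exit status (-1 on any failure). */
int run_helper_and_wait(char *const argv[], enum spawn_method *method)
{
    int status;
    pid_t pid = spawn_helper(argv, method);
    if (pid < 0) {
        /* mirrors the wording Pluto logs when its helper start fails */
        fprintf(stderr, "failed to start child, error = %s\n", strerror(errno));
        return -1;
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    enum spawn_method m = SPAWN_NONE;
    char *const argv[] = { "sh", "-c", "exit 3", NULL };   /* constructed sample child */
    int rc = run_helper_and_wait(argv, &m);
    printf("child exit status %d via %s\n", rc,
           m == SPAWN_FORK ? "fork" : m == SPAWN_VFORK ? "vfork" : "none");
    return rc == 3 ? 0 : 1;
}
```

On a kernel with fork() the routine reports SPAWN_FORK; on a kernel where fork() returns ENOSYS it reports SPAWN_VFORK, and a port can log which path was taken next to Pluto's "starting up N cryptographic helpers" message to make the difference visible.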
