[Openswan dev] Working KLIPS, but but with a few minor issues
Ruben Laban
r.laban at ism.nl
Tue Apr 13 14:48:56 EDT 2010
Hello list,
Latest git has a working KLIPS stack again:
* Compiles fine
* Loads fine
* En/Decrypts fine
* Unloads fine
* etc
However, I did notice a few minor issues:
* Bringing down/replacing a tunnel isn't "clean":
# ipsec auto --down tunnel2
003 "tunnel2" #14: building of pfkey_msg_hdr flow eroute_connection replace with shunt failed, code -22
And in logs:
Replace:
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2": deleting connection
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #12: deleting state (STATE_MAIN_I4)
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: deleting state (STATE_QUICK_I2)
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_lib_debug:pfkey_msg_parse: satype 1 conversion to proto failed for msg_type 14 (x-addflow(eroute)).
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built pfkey message, error=-22.
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_msg_build of flow eroute_connection replace with shunt failed, code -22
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: added connection description "tunnel2"
Down:
Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2": terminating SAs using this connection
Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: deleting state (STATE_QUICK_I2)
Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: pfkey_lib_debug:pfkey_msg_hdr_build: satype 88 > max 9
Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: building of pfkey_msg_hdr flow eroute_connection replace with shunt failed, code -22
Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #13: deleting state (STATE_MAIN_I4)
* The use of leftsourceip= generates an error in the log, but does work at advertized (as far as I could see):
Apr 13 20:36:30 vn-t-fw01 pluto[5197]: "tunnel2" #2: up-client output: /usr/local/lib/ipsec/_updown.klips: changesource `ip route change 172.16.1.0/24 dev ipsec0 src 172.16.4.11' failed (RTNETLINK answers: No such file or directory)
* While running some tests during this email I got this one, --replace followed by --up:
# ipsec auto --up tunnel2
104 "tunnel2" #15: STATE_MAIN_I1: initiate
003 "tunnel2" #15: received Vendor ID payload [Openswan (this version) 2.6.master-201015.git ]
003 "tunnel2" #15: received Vendor ID payload [Dead Peer Detection]
106 "tunnel2" #15: STATE_MAIN_I2: sent MI2, expecting MR2
108 "tunnel2" #15: STATE_MAIN_I3: sent MI3, expecting MR3
003 "tunnel2" #15: received Vendor ID payload [CAN-IKEv2]
004 "tunnel2" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "tunnel2" #16: STATE_QUICK_I1: initiate
003 ERROR: "tunnel2" #16: pfkey write() of K_SADB_X_ADDFLOW message 71 for flow tun.100b at 172.16.2.10 failed. Errno 17: File exists
032 "tunnel2" #16: STATE_QUICK_I1: internal error
In log:
Apr 13 20:33:52 vn-t-fw01 pluto[4667]: added connection description "tunnel2"
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: initiating Main Mode
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [Openswan (this version) 2.6.master-201015.git ]
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [Dead Peer Detection]
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I2: sent MI2, expecting MR2
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [CAN-IKEv2]
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: Main mode peer ID is ID_IPV4_ADDR: '172.16.2.10'
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #16: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#15 msgid:e4021180 proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160
pfsgroup=OAKLEY_GROUP_MODP1536}
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: ERROR: "tunnel2" #16: pfkey write() of K_SADB_X_ADDFLOW message 71 for flow tun.100b at 172.16.2.10 failed. Errno 17: File exists
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 02 0e 00 09 17 00 00 00 47 00 00 00 3b 12 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 03 00 01 00 00 00 10 0b 00 00 00 00 00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 02 00 00 00 ac 10 03 15 00 00 00 00 00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 03 00 06 00 00 00 00 00 02 00 00 00 ac 10 02 0a
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 00 00 00 00 00 00 00 00 03 00 15 00 00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 02 00 00 00 ac 10 04 00 00 00 00 00 00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 03 00 16 00 00 00 00 00 02 00 00 00 ac 10 01 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 00 00 00 00 00 00 00 00 03 00 17 00 00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 02 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 03 00 18 00 00 00 00 00 02 00 00 00 ff ff ff 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 00 00 00 00 00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | raw_eroute result=0
This is the configuration I used for these test:
(Local is right in this case, using identical config on both end, except for protostack=, remote is netkey)
(Kernel used on this particular instance is a 2.6.24 based Ubuntu kernel)
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. netkey,klips,mast,auto or none
protostack=klips
#protostack=mast
#protostack=netkey
dumpdir=/tmp
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=start
conn tunnel2
left=172.16.2.10
leftsubnet=172.16.1.0/24
leftnexthop=172.16.2.20
leftsourceip=172.16.1.20
leftrsasigkey=0sAQN9...
right=172.16.3.21
rightsubnet=172.16.4.0/24
rightnexthop=172.16.3.10
rightsourceip=172.16.4.11
rightrsasigkey=0sAQOq...
ike=3des
phase2alg=3des
auto=add
--
Regards,
Ruben Laban
Senior Systems and Network Administrator
ISM eCompany
More information about the Dev
mailing list