[Openswan dev] Working KLIPS, but with a few minor issues

Ruben Laban r.laban at ism.nl
Tue Apr 13 14:48:56 EDT 2010


Hello list,

Latest git has a working KLIPS stack again:
* Compiles fine
* Loads fine
* En/Decrypts fine
* Unloads fine
* etc

However, I did notice a few minor issues:
* Bringing down/replacing a tunnel isn't "clean":

# ipsec auto --down tunnel2        
003 "tunnel2" #14: building of pfkey_msg_hdr flow eroute_connection replace with shunt failed, code -22

And in logs:

Replace:
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2": deleting connection
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #12: deleting state (STATE_MAIN_I4)
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: deleting state (STATE_QUICK_I2)
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_lib_debug:pfkey_msg_parse: satype 1 conversion to proto failed for msg_type 14 (x-addflow(eroute)). 
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built pfkey message, error=-22. 
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_msg_build of flow eroute_connection replace with shunt failed, code -22
Apr 13 20:27:39 vn-t-fw01 pluto[4667]: added connection description "tunnel2"

Down:
Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2": terminating SAs using this connection
Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: deleting state (STATE_QUICK_I2)
Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: pfkey_lib_debug:pfkey_msg_hdr_build: satype 88 > max 9 
Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: building of pfkey_msg_hdr flow eroute_connection replace with shunt failed, code -22
Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #13: deleting state (STATE_MAIN_I4)

* The use of leftsourceip= generates an error in the log, but does work as advertised (as far as I could see):

Apr 13 20:36:30 vn-t-fw01 pluto[5197]: "tunnel2" #2: up-client output: /usr/local/lib/ipsec/_updown.klips: changesource `ip route change 172.16.1.0/24 dev ipsec0 src 172.16.4.11' failed (RTNETLINK answers: No such file or directory)

* While running some tests during this email I got this one, --replace followed by --up:

# ipsec auto --up tunnel2         
104 "tunnel2" #15: STATE_MAIN_I1: initiate
003 "tunnel2" #15: received Vendor ID payload [Openswan (this version) 2.6.master-201015.git ]
003 "tunnel2" #15: received Vendor ID payload [Dead Peer Detection]
106 "tunnel2" #15: STATE_MAIN_I2: sent MI2, expecting MR2
108 "tunnel2" #15: STATE_MAIN_I3: sent MI3, expecting MR3
003 "tunnel2" #15: received Vendor ID payload [CAN-IKEv2]
004 "tunnel2" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "tunnel2" #16: STATE_QUICK_I1: initiate
003 ERROR: "tunnel2" #16: pfkey write() of K_SADB_X_ADDFLOW message 71 for flow tun.100b at 172.16.2.10 failed. Errno 17: File exists
032 "tunnel2" #16: STATE_QUICK_I1: internal error

In log:
Apr 13 20:33:52 vn-t-fw01 pluto[4667]: added connection description "tunnel2"
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: initiating Main Mode
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [Openswan (this version) 2.6.master-201015.git ]
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [Dead Peer Detection]
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I2: sent MI2, expecting MR2
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [CAN-IKEv2]
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: Main mode peer ID is ID_IPV4_ADDR: '172.16.2.10'
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #16: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#15 msgid:e4021180 proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: ERROR: "tunnel2" #16: pfkey write() of K_SADB_X_ADDFLOW message 71 for flow tun.100b at 172.16.2.10 failed. Errno 17: File exists
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   02 0e 00 09  17 00 00 00  47 00 00 00  3b 12 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   03 00 01 00  00 00 10 0b  00 00 00 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   00 00 00 00  00 00 00 00  03 00 05 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   02 00 00 00  ac 10 03 15  00 00 00 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   03 00 06 00  00 00 00 00  02 00 00 00  ac 10 02 0a
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   00 00 00 00  00 00 00 00  03 00 15 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   02 00 00 00  ac 10 04 00  00 00 00 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   03 00 16 00  00 00 00 00  02 00 00 00  ac 10 01 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   00 00 00 00  00 00 00 00  03 00 17 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   02 00 00 00  ff ff ff 00  00 00 00 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   03 00 18 00  00 00 00 00  02 00 00 00  ff ff ff 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   00 00 00 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | raw_eroute result=0 

This is the configuration I used for these tests:

(Local is right in this case, using identical config on both ends, except for protostack=, remote is netkey)
(Kernel used on this particular instance is a 2.6.24 based Ubuntu kernel)

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=klips
        #protostack=mast
        #protostack=netkey
        dumpdir=/tmp


# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it, 
#               # at startup, uncomment this.
#               #auto=start
conn tunnel2
        left=172.16.2.10
        leftsubnet=172.16.1.0/24
        leftnexthop=172.16.2.20
        leftsourceip=172.16.1.20
        leftrsasigkey=0sAQN9...
        right=172.16.3.21
        rightsubnet=172.16.4.0/24
        rightnexthop=172.16.3.10
        rightsourceip=172.16.4.11
        rightrsasigkey=0sAQOq...
        ike=3des
        phase2alg=3des
        auto=add

-- 
Regards,

Ruben Laban
Senior Systems and Network Administrator
ISM eCompany
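The twelve "|" lines that pluto logged after the EEXIST error are a raw hex dump of the PF_KEY message it tried to write. Decoding them shows exactly which eroute the kernel refused: the sadb_msg header carries seq 71 and pid 4667 (the "message 71" and pluto[4667] from the log), satype 9, and msg_type 14, the same x-addflow type named in the earlier pfkey_msg_parse failure; the SA extension carries SPI 0x100b, and the KLIPS flow extensions carry the 172.16.4.0/24 -> 172.16.1.0/24 selector toward 172.16.2.10, i.e. the tunnel whose eroute the failed --down/--replace could not replace with a shunt. A leftover eroute for that selector is the obvious thing to check with ipsec eroute before assuming a deeper bug. The decoder below is an added example, not openswan code; the sadb_msg, sadb_sa and sadb_address layouts follow RFC 2367, while the numbers assigned to the KLIPS-only SADB_X_EXT_ADDRESS_*_FLOW/*_MASK extensions (21 to 24) are an assumption taken from memory of openswan's pfkeyv2.h and should be checked against the header in your tree. The log lines embedded in it are copied from the post.

```python
"""Decode the PF_KEY message pluto hex-dumped after the EEXIST error above.

Added example, not openswan code.  struct sadb_msg, sadb_sa and sadb_address
follow RFC 2367.  The numbering of the KLIPS-only SADB_X_EXT_ADDRESS_*_FLOW /
*_MASK extensions (21-24) is an assumption taken from memory of openswan's
pfkeyv2.h; check it against the header in your own tree.
"""
import re
import socket
import struct

# The "|" hex lines exactly as they appear in the log excerpt of the post.
PLUTO_LOG = """\
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   02 0e 00 09  17 00 00 00  47 00 00 00  3b 12 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   03 00 01 00  00 00 10 0b  00 00 00 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   00 00 00 00  00 00 00 00  03 00 05 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   02 00 00 00  ac 10 03 15  00 00 00 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   03 00 06 00  00 00 00 00  02 00 00 00  ac 10 02 0a
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   00 00 00 00  00 00 00 00  03 00 15 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   02 00 00 00  ac 10 04 00  00 00 00 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   03 00 16 00  00 00 00 00  02 00 00 00  ac 10 01 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   00 00 00 00  00 00 00 00  03 00 17 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   02 00 00 00  ff ff ff 00  00 00 00 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   03 00 18 00  00 00 00 00  02 00 00 00  ff ff ff 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   00 00 00 00  00 00 00 00
Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | raw_eroute result=0
"""

SADB_X_ADDFLOW = 14          # "msg_type 14 (x-addflow(eroute))" in the log
SADB_EXT_SA = 1
EXT_NAMES = {                # 1, 5, 6 per RFC 2367; 21-24 KLIPS-specific (assumed)
    1: "SADB_EXT_SA",
    5: "SADB_EXT_ADDRESS_SRC",
    6: "SADB_EXT_ADDRESS_DST",
    21: "SADB_X_EXT_ADDRESS_SRC_FLOW",
    22: "SADB_X_EXT_ADDRESS_DST_FLOW",
    23: "SADB_X_EXT_ADDRESS_SRC_MASK",
    24: "SADB_X_EXT_ADDRESS_DST_MASK",
}
ADDRESS_EXTS = {5, 6, 21, 22, 23, 24}
HEX_LINE = re.compile(r"\|\s+((?:[0-9a-f]{2}\s+)*[0-9a-f]{2})\s*$")


def hexdump_from_log(log):
    """Collect the bytes from pluto's '| xx xx ...' lines, skipping other '|' lines."""
    pairs = []
    for line in log.splitlines():
        m = HEX_LINE.search(line)
        if m:
            pairs.extend(m.group(1).split())
    return bytes.fromhex("".join(pairs))


def decode_pfkey(raw):
    """Parse one PF_KEY v2 message (host byte order; the box in the post is little-endian)."""
    version, msg_type, err, satype, length, _res, seq, pid = struct.unpack_from("<BBBBHHII", raw, 0)
    if length * 8 != len(raw):
        raise ValueError("sadb_msg_len claims %d bytes, dump has %d" % (length * 8, len(raw)))
    msg = {"version": version, "msg_type": msg_type, "errno": err, "satype": satype,
           "seq": seq, "pid": pid, "exts": {}}
    off = 16
    while off < len(raw):
        ext_len, ext_type = struct.unpack_from("<HH", raw, off)   # lengths are in 8-byte units
        if ext_len == 0:
            raise ValueError("zero-length extension at offset %d" % off)
        body = raw[off + 4:off + ext_len * 8]
        name = EXT_NAMES.get(ext_type, "SADB_EXT_%d" % ext_type)
        if ext_type == SADB_EXT_SA:
            spi = struct.unpack_from("!I", body, 0)[0]            # SPI stays in network order
            replay, state, auth, encrypt, flags = struct.unpack_from("<BBBBI", body, 4)
            msg["exts"][name] = {"spi": spi, "replay": replay, "state": state,
                                 "auth": auth, "encrypt": encrypt, "flags": flags,
                                 "extra": body[12:].hex()}   # bytes past the RFC 2367 layout (KLIPS)
        elif ext_type in ADDRESS_EXTS:
            proto, prefixlen = struct.unpack_from("<BB", body, 0)
            family = struct.unpack_from("<H", body, 4)[0]          # sockaddr_in follows sadb_address
            if family != socket.AF_INET:
                raise ValueError("unexpected address family %d" % family)
            msg["exts"][name] = {"proto": proto, "prefixlen": prefixlen,
                                 "addr": socket.inet_ntoa(body[8:12])}
        else:
            msg["exts"][name] = body.hex()
        off += ext_len * 8
    return msg


def summarize(msg):
    """One-line view of an ADDFLOW: which eroute the kernel was asked to add."""
    e = msg["exts"]
    kind = "SADB_X_ADDFLOW" if msg["msg_type"] == SADB_X_ADDFLOW else "msg_type %d" % msg["msg_type"]
    return "%s seq=%d pid=%d satype=%d spi=0x%x %s -> %s flow %s/%s -> %s/%s" % (
        kind, msg["seq"], msg["pid"], msg["satype"], e["SADB_EXT_SA"]["spi"],
        e["SADB_EXT_ADDRESS_SRC"]["addr"], e["SADB_EXT_ADDRESS_DST"]["addr"],
        e["SADB_X_EXT_ADDRESS_SRC_FLOW"]["addr"], e["SADB_X_EXT_ADDRESS_SRC_MASK"]["addr"],
        e["SADB_X_EXT_ADDRESS_DST_FLOW"]["addr"], e["SADB_X_EXT_ADDRESS_DST_MASK"]["addr"])


if __name__ == "__main__":
    print(summarize(decode_pfkey(hexdump_from_log(PLUTO_LOG))))
```

Run against the dump from the post this prints the flow 172.16.4.0/255.255.255.0 -> 172.16.1.0/255.255.255.0 via tun 0x100b at 172.16.2.10, with the local gateway 172.16.3.21 as the SA source, which is the rightsubnet -> leftsubnet direction expected on the "right" (local) side of the config. Comparing that selector with what ipsec eroute lists on the KLIPS box tells you whether the EEXIST comes from an eroute left behind by the failed --down/--replace; the length check in decode_pfkey also catches truncated dumps, since the 8-byte-unit sadb_msg_len (0x17 = 23, i.e. 184 bytes) must match the number of bytes recovered from the log.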

