[Openswan dev] Working KLIPS, but but with a few minor issues
David McCullough
david_mccullough at mcafee.com
Tue Apr 13 21:44:35 EDT 2010
Jivin Ruben Laban lays it down ...
> Hello list,
>
> Latest git has a working KLIPS stack again:
> * Compiles fine
> * Loads fine
> * En/Decrypts fine
> * Unloads fine
> * etc
>
> However, I did notice a few minor issues:
> * Bringing down/replacing a tunnel isn't "clean":
>
> # ipsec auto --down tunnel2
> 003 "tunnel2" #14: building of pfkey_msg_hdr flow eroute_connection replace with shunt failed, code -22
Ok, should have looked harder when I found the other one.
I think the attached patch should fix it, haven't had a chance to try it
yet though.
Cheers,
Davidm
> Replace:
> Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2": deleting connection
> Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #12: deleting state (STATE_MAIN_I4)
> Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: deleting state (STATE_QUICK_I2)
> Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_lib_debug:pfkey_msg_parse: satype 1 conversion to proto failed for msg_type 14 (x-addflow(eroute)).
> Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built pfkey message, error=-22.
> Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_msg_build of flow eroute_connection replace with shunt failed, code -22
> Apr 13 20:27:39 vn-t-fw01 pluto[4667]: added connection description "tunnel2"
>
> Down:
> Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2": terminating SAs using this connection
> Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: deleting state (STATE_QUICK_I2)
> Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: pfkey_lib_debug:pfkey_msg_hdr_build: satype 88 > max 9
> Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: building of pfkey_msg_hdr flow eroute_connection replace with shunt failed, code -22
> Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #13: deleting state (STATE_MAIN_I4)
>
> * The use of leftsourceip= generates an error in the log, but does work as advertised (as far as I could see):
>
> Apr 13 20:36:30 vn-t-fw01 pluto[5197]: "tunnel2" #2: up-client output: /usr/local/lib/ipsec/_updown.klips: changesource `ip route change 172.16.1.0/24 dev ipsec0 src 172.16.4.11' failed (RTNETLINK answers: No such file or directory)
>
> * While running some tests during this email I got this one, --replace followed by --up:
>
> # ipsec auto --up tunnel2
> 104 "tunnel2" #15: STATE_MAIN_I1: initiate
> 003 "tunnel2" #15: received Vendor ID payload [Openswan (this version) 2.6.master-201015.git ]
> 003 "tunnel2" #15: received Vendor ID payload [Dead Peer Detection]
> 106 "tunnel2" #15: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "tunnel2" #15: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "tunnel2" #15: received Vendor ID payload [CAN-IKEv2]
> 004 "tunnel2" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> 117 "tunnel2" #16: STATE_QUICK_I1: initiate
> 003 ERROR: "tunnel2" #16: pfkey write() of K_SADB_X_ADDFLOW message 71 for flow tun.100b at 172.16.2.10 failed. Errno 17: File exists
> 032 "tunnel2" #16: STATE_QUICK_I1: internal error
>
> In log:
> Apr 13 20:33:52 vn-t-fw01 pluto[4667]: added connection description "tunnel2"
> Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: initiating Main Mode
> Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [Openswan (this version) 2.6.master-201015.git ]
> Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [Dead Peer Detection]
> Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I2: sent MI2, expecting MR2
> Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I3: sent MI3, expecting MR3
> Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [CAN-IKEv2]
> Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: Main mode peer ID is ID_IPV4_ADDR: '172.16.2.10'
> Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #16: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#15 msgid:e4021180 proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
> Apr 13 20:33:56 vn-t-fw01 pluto[4667]: ERROR: "tunnel2" #16: pfkey write() of K_SADB_X_ADDFLOW message 71 for flow tun.100b at 172.16.2.10 failed. Errno 17: File exists
> Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | raw_eroute result=0
>
> This is the configuration I used for these tests:
>
> (Local is right in this case, using identical config on both ends, except for protostack=; remote is netkey)
> (Kernel used on this particular instance is a 2.6.24 based Ubuntu kernel)
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
>
> # This file: /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0    # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     # Do not set debug options to debug configuration issues!
>     # plutodebug / klipsdebug = "all", "none" or a combination from below:
>     # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
>     # eg:
>     # plutodebug="control parsing"
>     #
>     # enable to get logs per-peer
>     # plutoopts="--perpeerlog"
>     #
>     # Again: only enable plutodebug or klipsdebug when asked by a developer
>     #
>     # NAT-TRAVERSAL support, see README.NAT-Traversal
>     nat_traversal=yes
>     # exclude networks used on server side by adding %v4:!a.b.c.0/24
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>     # OE is now off by default. Uncomment and change to on, to enable.
>     oe=off
>     # which IPsec stack to use. netkey,klips,mast,auto or none
>     protostack=klips
>     #protostack=mast
>     #protostack=netkey
>     dumpdir=/tmp
>
>
> # Add connections here
>
> # sample VPN connection
> # for more examples, see /etc/ipsec.d/examples/
> #conn sample
> #    # Left security gateway, subnet behind it, nexthop toward right.
> #    left=10.0.0.1
> #    leftsubnet=172.16.0.0/24
> #    leftnexthop=10.22.33.44
> #    # Right security gateway, subnet behind it, nexthop toward left.
> #    right=10.12.12.1
> #    rightsubnet=192.168.0.0/24
> #    rightnexthop=10.101.102.103
> #    # To authorize this connection, but not actually start it,
> #    # at startup, uncomment this.
> #    #auto=start
> conn tunnel2
>     left=172.16.2.10
>     leftsubnet=172.16.1.0/24
>     leftnexthop=172.16.2.20
>     leftsourceip=172.16.1.20
>     leftrsasigkey=0sAQN9...
>     right=172.16.3.21
>     rightsubnet=172.16.4.0/24
>     rightnexthop=172.16.3.10
>     rightsourceip=172.16.4.11
>     rightrsasigkey=0sAQOq...
>     ike=3des
>     phase2alg=3des
>     auto=add
>
> --
> Regards,
>
> Ruben Laban
> Senior Systems and Network Administrator
> ISM eCompany
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openswan-klips-esatype2.patch
Type: text/x-diff
Size: 1292 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20100414/b89f58a4/attachment.bin
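Decoding the PF_KEYv2 header of the K_SADB_X_ADDFLOW message that failed to write, as an added example that is not part of this thread or of Openswan's own code: the 16 header bytes are the first dump line pluto logged for the quoted failure, the 168 bytes of extensions that followed are replaced by constructed zero padding, and the satype-to-protocol table, SADB_SATYPE_MAX=9 and the name of message type 14 are assumptions taken from RFC 2367 and from the wording of the quoted log.

```python
import struct

# PF_KEYv2 sadb_msg header (RFC 2367): four u8 fields, two u16, then seq and pid,
# in host byte order (little-endian on the x86 box in the quoted log).
# sadb_msg_len counts the whole message, header included, in 8-byte units.
SADB_MSG = struct.Struct("<BBBBHHII")
SADB_SATYPE_MAX = 9                       # RFC 2367 value; the quoted log also says "max 9"
SATYPE_TO_PROTO = {2: 51, 3: 50, 9: 108}  # RFC 2367: AH, ESP, IPCOMP; nothing else maps
# Assumption: type 14 is the Openswan/KLIPS extension the log names x-addflow(eroute).
MSG_TYPE_NAMES = {1: "getspi", 2: "update", 3: "add", 4: "delete", 14: "x-addflow(eroute)"}

# Header bytes copied from the first dump line of the quoted log; the 168 bytes of
# extensions that followed are replaced here by constructed zero padding.
SAMPLE_ADDFLOW = bytes.fromhex("020e000917000000470000003b120000") + bytes(168)


def parse_sadb_msg(data: bytes) -> dict:
    """Decode the 16-byte header and run the two checks the quoted log shows failing."""
    if len(data) < SADB_MSG.size:
        raise ValueError("message shorter than the sadb_msg header")
    version, mtype, err, satype, length, _reserved, seq, pid = SADB_MSG.unpack_from(data)
    problems = []
    if version != 2:
        problems.append(f"version {version} != 2")
    if satype > SADB_SATYPE_MAX:          # the "satype 88 > max 9" case from --down
        problems.append(f"satype {satype} > max {SADB_SATYPE_MAX}")
    elif satype not in SATYPE_TO_PROTO:   # the "satype 1 conversion to proto failed" case
        problems.append(f"satype {satype} conversion to proto failed for msg_type {mtype}")
    if length * 8 != len(data):           # length field must match the bytes on the wire
        problems.append(f"len says {length * 8} bytes but message is {len(data)} bytes")
    return {"version": version, "type": mtype, "type_name": MSG_TYPE_NAMES.get(mtype, "?"),
            "errno": err, "satype": satype, "len_bytes": length * 8, "seq": seq,
            "pid": pid, "problems": problems}


if __name__ == "__main__":
    hdr = parse_sadb_msg(SAMPLE_ADDFLOW)
    # seq 71 and pid 4667 match "message 71" and pluto[4667] in the quoted log.
    print(f"{hdr['type_name']} seq={hdr['seq']} pid={hdr['pid']} "
          f"satype={hdr['satype']} problems={hdr['problems']}")
    broken = bytearray(SAMPLE_ADDFLOW)
    broken[3] = 88                        # the satype value the --down path built
    print(parse_sadb_msg(bytes(broken))["problems"])
```

The header of the quoted message is well-formed; its write still failed with Errno 17 (File exists), a kernel-side conflict with an eroute already installed for that flow, which no header check can detect.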