[Openswan dev] Error building klips-ipv6 (missing include?)

Ruben Laban r.laban at ism.nl
Thu Aug 12 15:03:39 EDT 2010


On Thursday 12 August 2010 at 14:01 (CET), David McCullough wrote:
> Hmm,  I didn't realise that ipsec_tunnel.h was used by userland at all :-(
> 
> I have pushed some changes for that.
> 
> Also the NF_IP_LOCAL_OUT is just a pain,  depending on what order headers
> are included in and whether or not you are using CentOS or a linux kernel
> it's all over the place.  Try the attached patch after pulling the latest
> changes to klips-ipv6.
> 
> I think that should do it,  if not,  let me know what kernel version you
> are using.
> 
> I am running on 2.6.26 at the moment,  but will try out 2.6.35 tomorrow
> and make sure all is well,

Getting further now. It compiles fine on a 2.6.32-based kernel (Ubuntu Server 
10.04), but fails on a 2.6.24-based kernel (Ubuntu Server 8.04); that isn't 
much of a problem for me at this point.

Still have some issues at runtime though:

Pluto fails to add my IPv6 address to ipsec0, and only adds my IPv4 address to 
it. Could very well be a config issue or something like that.

My /etc/ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug= options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Only enable *debug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        #nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        OE=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        #protostack=netkey
        protostack=klips
        interfaces="ipsec0=eth1"


# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it, 
#               # at startup, uncomment this.
#               #auto=start

conn tunnel
        left=172.16.2.10
        leftsubnet=172.16.1.0/24
        leftnexthop=172.16.2.20
        leftsourceip=172.16.1.20
        leftrsasigkey=0sAQN9vLW0owzEJrUApVpZ6dKtThF+PEW38lagLTMsa0nv9OdEouutbwzKzB2/ijdbzuC41wZNXUq9tPN6ocUCupqeBmoeEk56q0lTAo6n07nBjTETZ1b87u9fh6enGXF0eLBVQCgA6cVQt9oKeVX26fmDOE3XNetv5kw/N2T6VR5JJPg/VdfCxYyNZt3+y+Shi1u6jydS0F817IuB0oAqwAquEjKrijQ+qC8K2ochL6n4FfsSDVZAvI6Z7zezNPO8nd9IPlqCQ9PJLuJBAomlFjLCok7K9pArfbItTSEl1DNfejYeReYXoiivbyslEhhJPJYvkn93+2pYFMA5eke9JRf1
        right=172.16.3.20
        rightsubnet=172.16.4.0/24
        rightnexthop=172.16.3.10
        rightsourceip=172.16.4.10
        #rightrsasigkey=0sAQOPw8o4T6RUPf9NiC5rYO7IpevEWptpYQOOgvVqNB2a93J6sveTG611EOW5M0q17rPPBJ+miNLi1256cAG0xwJ1Utx8gCMA7sBMZwtF8e4pJQsbqy9RHeoMVO39g3y6PRJigRO6tS5HK7qt0zOq5x5DvWx6FzS45EFTptdhCZSKOU3sj7vNiXRLVDfxC1b0SvkC/trowh6GNaNblx0VKQorWp1as3Xn7wFz7QiAUELOd0SNwPo3JFd45l8lS9xx4tXmcDaLZzDwMkaZd7Z6jjmjLC2dh4ksQdK+6Rd7/Zu1egVXcR7iGx6Igxabtkmg1oOuvrR8a1mmyUcmx3+XC7Ln
        rightrsasigkey=0sAQOZP6OG/cuvLHNF8x+kpCFkYqUxFp+xSrKyC5G+jzKQJBFaUEQgB/lE6XJNq1nq+ZJSMwxKbh1zSratR4SI0+JjePeWZRSLaG5uHwqPAwu0Ydf7gDLkEAPgDRyOBSVUcsLENnjBsWMsYcNQTbXB+PAZI1NrI/ZFwgD1OXxgqNu45tTU4EDQGbsQvBOc436fwQOzCCLvpojYDJ7GWannWBGH2D3KzO39lMKHYP7I7PQJqEvLw1pT4hBgVXA9dB1Gx+Grsvq79vLWDXZRURrIiY4VwGbZGFOJPnxFrK+EWAjWPy93BTe7LUtVjYoZWk5KWMQ9IhTDGyVOXNNYMEzA8q2RwwuRkm/Ol6jFxAgwII3tnX1b
        ike=3des
        phase2alg=3des
        auto=add

conn tunnel-v6-to-01
        connaddrfamily=ipv6
        left=2a02:bd0:abcd:2::10
        leftsubnet=2a02:bd0:abcd:1::/64
        leftnexthop=2a02:bd0:abcd:2::20
        #leftsourceip=2a02:bd0:abcd:1::20
        leftrsasigkey=0sAQN9vLW0owzEJrUApVpZ6dKtThF+PEW38lagLTMsa0nv9OdEouutbwzKzB2/ijdbzuC41wZNXUq9tPN6ocUCupqeBmoeEk56q0lTAo6n07nBjTETZ1b87u9fh6enGXF0eLBVQCgA6cVQt9oKeVX26fmDOE3XNetv5kw/N2T6VR5JJPg/VdfCxYyNZt3+y+Shi1u6jydS0F817IuB0oAqwAquEjKrijQ+qC8K2ochL6n4FfsSDVZAvI6Z7zezNPO8nd9IPlqCQ9PJLuJBAomlFjLCok7K9pArfbItTSEl1DNfejYeReYXoiivbyslEhhJPJYvkn93+2pYFMA5eke9JRf1
        right=2a02:bd0:abcd:3::20
        rightsubnet=2a02:bd0:abcd:4::/64
        rightnexthop=2a02:bd0:abcd:3::10
        #rightsourceip=2a02:bd0:abcd:4::10
        rightrsasigkey=0sAQOq7Cpk+IE9+tf/iasD4NO4KfIdc3x9hqmy+DvZj1/8CsC3FJOgxU1lbUl+8P3M0iIVuxav9448nHfK59/sD8I7rc9M7q5QKKUvz6ojQatcBUJkupxoWqzulCaH3M3LaEnwKMfLVykSwjEVCWo1tONbTGshiEkFsX8988hkDKCtMoUpvNMVOd2/VIbxZkAvbfzZHkHafBOqQ78r5A7MePoUae1kmotfAMokvCudSMzKBPdJCEWf0s6xVER0Oa1EQmtFqikJ+NjI9pA5+RXa0e/nN3y3yZ3WDTDaDZa46n/ppsvfR8lBY2o+khv8MD7vx9NHjreluIlVroks6gep7UOJ
        ike=3des
        phase2alg=3des
        auto=add


And last bits of /var/log/auth.log:

Aug 12 20:24:48 vn-t-fw03 ipsec__plutorun: Starting Pluto subsystem...
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Starting Pluto (Openswan Version 2.6.master-201032.git-ge3b22fe7-dirty; Vendor ID OEtgLqHz\134OYe) pid:995
Aug 12 20:24:48 vn-t-fw03 pluto[995]: SAref support [disabled]: Protocol not available
Aug 12 20:24:48 vn-t-fw03 pluto[995]: SAbind support [disabled]: Protocol not available
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Setting NAT-Traversal port-4500 floating to off
Aug 12 20:24:48 vn-t-fw03 pluto[995]:    port floating activation criteria nat_t=0/port_float=1
Aug 12 20:24:48 vn-t-fw03 pluto[995]:    NAT-Traversal support  [disabled]
Aug 12 20:24:48 vn-t-fw03 pluto[995]: using /dev/urandom as source of random entropy
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: starting up 1 cryptographic helpers
Aug 12 20:24:48 vn-t-fw03 pluto[995]: started helper pid=1000 (fd:7)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Using KLIPS IPsec interface code on 2.6.32-24-generic-pae
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Changed path to directory '/etc/ipsec.d/cacerts'
Aug 12 20:24:48 vn-t-fw03 pluto[1000]: using /dev/urandom as source of random entropy
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Changed path to directory '/etc/ipsec.d/aacerts'
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Changing to directory '/etc/ipsec.d/crls'
Aug 12 20:24:48 vn-t-fw03 pluto[995]:   Warning: empty directory
Aug 12 20:24:48 vn-t-fw03 pluto[995]: added connection description "tunnel"
Aug 12 20:24:48 vn-t-fw03 pluto[995]: added connection description "tunnel-v6-to-01"
Aug 12 20:24:48 vn-t-fw03 pluto[995]: listening for IKE messages
Aug 12 20:24:48 vn-t-fw03 pluto[995]: adding interface ipsec0/eth1 172.16.3.20:500
Aug 12 20:24:48 vn-t-fw03 pluto[995]: loading secrets from "/etc/ipsec.secrets"
Aug 12 20:24:48 vn-t-fw03 pluto[995]: loaded private key for keyid: PPK_RSA:AQOZP6OG/

After doing: ipsec auto --up tunnel-v6-to-01:

Aug 12 20:37:36 vn-t-fw03 pluto[995]: "tunnel-v6-to-01": We cannot identify ourselves with either end of this connection.


And just in case, the output of 'ip address list':

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3a:e5:18 brd ff:ff:ff:ff:ff:ff
    inet 10.0.112.103/24 brd 10.0.112.255 scope global eth0
    inet6 fe80::20c:29ff:fe3a:e518/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3a:e5:22 brd ff:ff:ff:ff:ff:ff
    inet 172.16.3.20/24 brd 172.16.3.255 scope global eth1
    inet6 2a02:bd0:abcd:3::20/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe3a:e522/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3a:e5:2c brd ff:ff:ff:ff:ff:ff
    inet 172.16.4.10/24 brd 172.16.4.255 scope global eth2
    inet6 2a02:bd0:abcd:4::10/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe3a:e52c/64 scope link 
       valid_lft forever preferred_lft forever
5: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast state UNKNOWN qlen 10
    link/ether 00:0c:29:3a:e5:22 brd ff:ff:ff:ff:ff:ff
    inet 172.16.3.20/24 brd 172.16.3.255 scope global ipsec0
    inet6 fe80::20c:29ff:fe3a:e522/64 scope link 
       valid_lft forever preferred_lft forever
6: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
    link/void 
7: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
    link/[65534] 


And 'ip route list':

172.16.4.0/24 dev eth2  proto kernel  scope link  src 172.16.4.10 
172.16.3.0/24 dev eth1  proto kernel  scope link  src 172.16.3.20 
172.16.3.0/24 dev ipsec0  proto kernel  scope link  src 172.16.3.20 
10.0.112.0/24 dev eth0  proto kernel  scope link  src 10.0.112.103 
10.0.0.0/23 via 10.0.112.1 dev eth0 
default via 172.16.3.10 dev eth1  metric 100 

And 'ip -6 route list':

2a02:bd0:abcd:3::/64 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
2a02:bd0:abcd:4::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
2a02:bd0:abcd::/48 via 2a02:bd0:abcd:3::10 dev eth1  metric 1024  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev ipsec0  proto kernel  metric 256  mtu 16260 advmss 16200 hoplimit 0


Do I need to do anything configuration-wise to make it work (properly)?

Regards,
Ruben Laban
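The "We cannot identify ourselves with either end of this connection" message is Pluto's orientation check failing: neither left= nor right= of the conn matches an address Pluto is listening on, and the startup log shows it only ever added ipsec0/eth1 with the IPv4 address 172.16.3.20. The script below is an added diagnostic, not code from the post or from Openswan, that approximates that check over the 'ip address list' and ipsec.conf data above: it collects the addresses on the ipsec* interfaces and tests each conn's endpoints against them. The function names, the trimmed sample interface output and the reduced conn table are constructed for this example; treating "addresses on ipsec* interfaces" as the set Pluto orients against with KLIPS is an assumption drawn from the log, not a statement about Pluto's source.

```python
import ipaddress
import re

# Constructed sample: the 'ip address list' lines from the post, trimmed to the
# two interfaces that matter. eth1 carries the global IPv6 address, ipsec0 (the
# KLIPS interface Pluto listens on) carries only IPv4 plus a link-local IPv6.
IP_ADDR_OUTPUT = """\
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3a:e5:22 brd ff:ff:ff:ff:ff:ff
    inet 172.16.3.20/24 brd 172.16.3.255 scope global eth1
    inet6 2a02:bd0:abcd:3::20/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe3a:e522/64 scope link
       valid_lft forever preferred_lft forever
5: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast state UNKNOWN qlen 10
    link/ether 00:0c:29:3a:e5:22 brd ff:ff:ff:ff:ff:ff
    inet 172.16.3.20/24 brd 172.16.3.255 scope global ipsec0
    inet6 fe80::20c:29ff:fe3a:e522/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed: the two conns from the posted ipsec.conf, reduced to endpoints.
CONNS = {
    "tunnel": {"left": "172.16.2.10", "right": "172.16.3.20"},
    "tunnel-v6-to-01": {"left": "2a02:bd0:abcd:2::10",
                        "right": "2a02:bd0:abcd:3::20"},
}

IFACE_RE = re.compile(r"^\d+: ([^:]+):")   # "3: eth1: <...>" -> eth1
ADDR_RE = re.compile(r"^\s+inet6? (\S+)")  # "    inet6 2a02::.../64 ..." -> address/plen


def parse_ip_addr(text):
    """Return {ifname: set of host addresses} parsed from 'ip address list' output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            # Drop the prefix length; orientation compares host addresses.
            result[current].add(ipaddress.ip_interface(m.group(1)).ip)
    return result


def orient(conn, local_addrs):
    """Which end of the conn is a local address? 'left', 'right' or None."""
    for side in ("left", "right"):
        if ipaddress.ip_address(conn[side]) in local_addrs:
            return side
    return None


def check_conns(ip_addr_text, conns, iface_prefix="ipsec"):
    """Orient every conn against the addresses found on interfaces named
    iface_prefix*. With the default 'ipsec' this mirrors the KLIPS case in
    the post; passing 'eth' shows what the kernel itself has configured."""
    per_iface = parse_ip_addr(ip_addr_text)
    local = set()
    for name, addrs in per_iface.items():
        if name.startswith(iface_prefix):
            local |= addrs
    return {name: orient(conn, local) for name, conn in conns.items()}


if __name__ == "__main__":
    for prefix in ("ipsec", "eth"):
        print(prefix, check_conns(IP_ADDR_OUTPUT, CONNS, iface_prefix=prefix))
```

Run as-is, the ipsec* pass orients "tunnel" as right (172.16.3.20 is on ipsec0) and returns None for "tunnel-v6-to-01", reproducing the failure; the eth* pass orients both, which isolates the problem to the IPv6 global address missing from ipsec0 rather than to the conn definition itself.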

