[Openswan dev] Error building klips-ipv6 (missing include?)
Ruben Laban
r.laban at ism.nl
Thu Aug 12 15:03:39 EDT 2010
On Thursday 12 August 2010 at 14:01 (CET), David McCullough wrote:
> Hmm, I didn't realise that ipsec_tunnel.h was used by userland at all :-(
>
> I have pushed some changes for that.
>
> Also the NF_IP_LOCAL_OUT is just a pain, depending on what order headers
> are included in and whether or not you are using CentOS or a linux kernel
> it's all over the place. Try the attached patch after pull that latest
> changes to klips-ipv6.
>
> I think that should do it, if not, let me know what kernel version you
> are using.
>
> I am running on 2.6.26 at the moment, but will try out 2.6.35 tomorrow
> and make sure all is well,
Getting further now. It compiles fine on 2.6.32 based kernel (Ubuntu Server
10.04), but fails on 2.6.24 based kernel (Ubuntu Server 8.04), but that isn't
much of a problem for me at this point.
Still have some issues at runtime though:
Pluto fails to add my IPv6 address to ipsec0, and only adds my IPv4 address to
it. Could very well be a config issue or something like that.
My /etc/ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Do not set debug= options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd
private"
# eg:
# plutodebug="control parsing"
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Only enable *debug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
#nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
#virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
# OE is now off by default. Uncomment and change to on, to enable.
OE=off
# which IPsec stack to use. netkey,klips,mast,auto or none
#protostack=netkey
protostack=klips
interfaces="ipsec0=eth1"
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
# # Left security gateway, subnet behind it, nexthop toward
right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward
left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=start
conn tunnel
left=172.16.2.10
leftsubnet=172.16.1.0/24
leftnexthop=172.16.2.20
leftsourceip=172.16.1.20
leftrsasigkey=0sAQN9vLW0owzEJrUApVpZ6dKtThF+PEW38lagLTMsa0nv9OdEouutbwzKzB2/ijdbzuC41wZNXUq9tPN6ocUCupqeBmoeEk56q0lTAo6n07nBjTETZ1b87u9fh6enGXF0eLBVQCgA6cVQt9oKeVX26fmDOE3XNetv5kw/N2T6VR5JJPg/VdfCxYyNZt3+y+Shi1u6jydS0F817IuB0oAqwAquEjKrijQ+qC8K2ochL6n4FfsSDVZAvI6Z7zezNPO8nd9IPlqCQ9PJLuJBAomlFjLCok7K9pArfbItTSEl1DNfejYeReYXoiivbyslEhhJPJYvkn93+2pYFMA5eke9JRf1
right=172.16.3.20
rightsubnet=172.16.4.0/24
rightnexthop=172.16.3.10
rightsourceip=172.16.4.10
#rightrsasigkey=0sAQOPw8o4T6RUPf9NiC5rYO7IpevEWptpYQOOgvVqNB2a93J6sveTG611EOW5M0q17rPPBJ+miNLi1256cAG0xwJ1Utx8gCMA7sBMZwtF8e4pJQsbqy9RHeoMVO39g3y6PRJigRO6tS5HK7qt0zOq5x5DvWx6FzS45EFTptdhCZSKOU3sj7vNiXRLVDfxC1b0SvkC/trowh6GNaNblx0VKQorWp1as3Xn7wFz7QiAUELOd0SNwPo3JFd45l8lS9xx4tXmcDaLZzDwMkaZd7Z6jjmjLC2dh4ksQdK+6Rd7/Zu1egVXcR7iGx6Igxabtkmg1oOuvrR8a1mmyUcmx3+XC7Ln
rightrsasigkey=0sAQOZP6OG/cuvLHNF8x+kpCFkYqUxFp+xSrKyC5G+jzKQJBFaUEQgB/lE6XJNq1nq+ZJSMwxKbh1zSratR4SI0+JjePeWZRSLaG5uHwqPAwu0Ydf7gDLkEAPgDRyOBSVUcsLENnjBsWMsYcNQTbXB+PAZI1NrI/ZFwgD1OXxgqNu45tTU4EDQGbsQvBOc436fwQOzCCLvpojYDJ7GWannWBGH2D3KzO39lMKHYP7I7PQJqEvLw1pT4hBgVXA9dB1Gx+Grsvq79vLWDXZRURrIiY4VwGbZGFOJPnxFrK+EWAjWPy93BTe7LUtVjYoZWk5KWMQ9IhTDGyVOXNNYMEzA8q2RwwuRkm/Ol6jFxAgwII3tnX1b
ike=3des
phase2alg=3des
auto=add
conn tunnel-v6-to-01
connaddrfamily=ipv6
left=2a02:bd0:abcd:2::10
leftsubnet=2a02:bd0:abcd:1::/64
leftnexthop=2a02:bd0:abcd:2::20
#leftsourceip=2a02:bd0:abcd:1::20
leftrsasigkey=0sAQN9vLW0owzEJrUApVpZ6dKtThF+PEW38lagLTMsa0nv9OdEouutbwzKzB2/ijdbzuC41wZNXUq9tPN6ocUCupqeBmoeEk56q0lTAo6n07nBjTETZ1b87u9fh6enGXF0eLBVQCgA6cVQt9oKeVX26fmDOE3XNetv5kw/N2T6VR5JJPg/VdfCxYyNZt3+y+Shi1u6jydS0F817IuB0oAqwAquEjKrijQ+qC8K2ochL6n4FfsSDVZAvI6Z7zezNPO8nd9IPlqCQ9PJLuJBAomlFjLCok7K9pArfbItTSEl1DNfejYeReYXoiivbyslEhhJPJYvkn93+2pYFMA5eke9JRf1
right=2a02:bd0:abcd:3::20
rightsubnet=2a02:bd0:abcd:4::/64
rightnexthop=2a02:bd0:abcd:3::10
#rightsourceip=2a02:bd0:abcd:4:10
rightrsasigkey=0sAQOq7Cpk+IE9+tf/iasD4NO4KfIdc3x9hqmy+DvZj1/8CsC3FJOgxU1lbUl+8P3M0iIVuxav9448nHfK59/sD8I7rc9M7q5QKKUvz6ojQatcBUJkupxoWqzulCaH3M3LaEnwKMfLVykSwjEVCWo1tONbTGshiEkFsX8988hkDKCtMoUpvNMVOd2/VIbxZkAvbfzZHkHafBOqQ78r5A7MePoUae1kmotfAMokvCudSMzKBPdJCEWf0s6xVER0Oa1EQmtFqikJ+NjI9pA5+RXa0e/nN3y3yZ3WDTDaDZa46n/ppsvfR8lBY2o+khv8MD7vx9NHjreluIlVroks6gep7UOJ
ike=3des
phase2alg=3des
auto=add
And last bits of /var/log/auth.log:
Aug 12 20:24:48 vn-t-fw03 ipsec__plutorun: Starting Pluto subsystem...
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Starting Pluto (Openswan Version
2.6.master-201032.git-ge3b22fe7-dirty; Vendor ID OEtgLqHz\134OYe) pid:995
Aug 12 20:24:48 vn-t-fw03 pluto[995]: SAref support [disabled]: Protocol not
available
Aug 12 20:24:48 vn-t-fw03 pluto[995]: SAbind support [disabled]: Protocol not
available
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Setting NAT-Traversal port-4500 floating
to off
Aug 12 20:24:48 vn-t-fw03 pluto[995]: port floating activation criteria
nat_t=0/port_float=1
Aug 12 20:24:48 vn-t-fw03 pluto[995]: NAT-Traversal support [disabled]
Aug 12 20:24:48 vn-t-fw03 pluto[995]: using /dev/urandom as source of random
entropy
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok (ret=0)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: starting up 1 cryptographic helpers
Aug 12 20:24:48 vn-t-fw03 pluto[995]: started helper pid=1000 (fd:7)
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Using KLIPS IPsec interface code on
2.6.32-24-generic-pae
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Changed path to directory
'/etc/ipsec.d/cacerts'
Aug 12 20:24:48 vn-t-fw03 pluto[1000]: using /dev/urandom as source of random
entropy
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Changed path to directory
'/etc/ipsec.d/aacerts'
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Changing to directory
'/etc/ipsec.d/crls'
Aug 12 20:24:48 vn-t-fw03 pluto[995]: Warning: empty directory
Aug 12 20:24:48 vn-t-fw03 pluto[995]: added connection description "tunnel"
Aug 12 20:24:48 vn-t-fw03 pluto[995]: added connection description "tunnel-v6-
to-01"
Aug 12 20:24:48 vn-t-fw03 pluto[995]: listening for IKE messages
Aug 12 20:24:48 vn-t-fw03 pluto[995]: adding interface ipsec0/eth1
172.16.3.20:500
Aug 12 20:24:48 vn-t-fw03 pluto[995]: loading secrets from
"/etc/ipsec.secrets"
Aug 12 20:24:48 vn-t-fw03 pluto[995]: loaded private key for keyid:
PPK_RSA:AQOZP6OG/
After doing: ipsec auto --up tunnel-v6-to-01:
Aug 12 20:37:36 vn-t-fw03 pluto[995]: "tunnel-v6-to-01": We cannot identify
ourselves with either end of this connection.
And just in case, the output of 'ip address list':
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
link/ether 00:0c:29:3a:e5:18 brd ff:ff:ff:ff:ff:ff
inet 10.0.112.103/24 brd 10.0.112.255 scope global eth0
inet6 fe80::20c:29ff:fe3a:e518/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
link/ether 00:0c:29:3a:e5:22 brd ff:ff:ff:ff:ff:ff
inet 172.16.3.20/24 brd 172.16.3.255 scope global eth1
inet6 2a02:bd0:abcd:3::20/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe3a:e522/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
link/ether 00:0c:29:3a:e5:2c brd ff:ff:ff:ff:ff:ff
inet 172.16.4.10/24 brd 172.16.4.255 scope global eth2
inet6 2a02:bd0:abcd:4::10/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe3a:e52c/64 scope link
valid_lft forever preferred_lft forever
5: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast state UNKNOWN qlen 10
link/ether 00:0c:29:3a:e5:22 brd ff:ff:ff:ff:ff:ff
inet 172.16.3.20/24 brd 172.16.3.255 scope global ipsec0
inet6 fe80::20c:29ff:fe3a:e522/64 scope link
valid_lft forever preferred_lft forever
6: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
link/void
71: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
link/ether 00:0c:29:3a:e5:18 brd ff:ff:ff:ff:ff:ff
inet 10.0.112.103/24 brd 10.0.112.255 scope global eth0
inet6 fe80::20c:29ff:fe3a:e518/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
link/ether 00:0c:29:3a:e5:22 brd ff:ff:ff:ff:ff:ff
inet 172.16.3.20/24 brd 172.16.3.255 scope global eth1
inet6 2a02:bd0:abcd:3::20/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe3a:e522/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
link/ether 00:0c:29:3a:e5:2c brd ff:ff:ff:ff:ff:ff
inet 172.16.4.10/24 brd 172.16.4.255 scope global eth2
inet6 2a02:bd0:abcd:4::10/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe3a:e52c/64 scope link
valid_lft forever preferred_lft forever
5: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast state UNKNOWN qlen 10
link/ether 00:0c:29:3a:e5:22 brd ff:ff:ff:ff:ff:ff
inet 172.16.3.20/24 brd 172.16.3.255 scope global ipsec0
inet6 fe80::20c:29ff:fe3a:e522/64 scope link
valid_lft forever preferred_lft forever
6: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
link/void
7: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
link/[65534] : mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
link/[65534]
And 'ip route list':
172.16.4.0/24 dev eth2 proto kernel scope link src 172.16.4.10
172.16.3.0/24 dev eth1 proto kernel scope link src 172.16.3.20
172.16.3.0/24 dev ipsec0 proto kernel scope link src 172.16.3.20
10.0.112.0/24 dev eth0 proto kernel scope link src 10.0.112.103
10.0.0.0/23 via 10.0.112.1 dev eth0
default via 172.16.3.10 dev eth1 metric 100
And 'ip -6 route list':
2a02:bd0:abcd:3::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440
hoplimit 0
2a02:bd0:abcd:4::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440
hoplimit 0
2a02:bd0:abcd::/48 via 2a02:bd0:abcd:3::10 dev eth1 metric 1024 mtu 1500
advmss 1440 hoplimit 0
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev ipsec0 proto kernel metric 256 mtu 16260 advmss 16200
hoplimit 0
Do I need to do anything configuration-wise to make it work (properly)?
Regards,
Ruben Laban
More information about the Dev
mailing list