[Openswan dev] Error building klips-ipv6 (missing include?)
David McCullough
david_mccullough at mcafee.com
Tue Aug 17 01:07:42 EDT 2010
Jivin Ruben Laban lays it down ...
> On Thursday 12 August 2010 at 14:01 (CET), David McCullough wrote:
> > Hmm, I didn't realise that ipsec_tunnel.h was used by userland at all :-(
> >
> > I have pushed some changes for that.
> >
> > Also the NF_IP_LOCAL_OUT is just a pain, depending on what order headers
> > are included in and whether or not you are using CentOS or a linux kernel
> > it's all over the place. Try the attached patch after pull that latest
> > changes to klips-ipv6.
> >
> > I think that should do it, if not, let me know what kernel version you
> > are using.
> >
> > I am running on 2.6.26 at the moment, but will try out 2.6.35 tomorrow
> > and make sure all is well,
>
> Getting further now. It compiles fine on 2.6.32 based kernel (Ubuntu Server
> 10.04), but fails on 2.6.24 based kernel (Ubuntu Server 8.04), but that isn't
> much of a problem for me at this point.
>
> Still have some issues at runtime though:
>
> Pluto fails to add my IPv6 address to ipsec0, and only adds my IPv4 address to
> it. Could very well be a config issue or something like that.
Could be. I don't actually use the openswan configurator to add the tunnels
to pluto (long story).
I think you can ask it to print the commands it runs, then we can see the
"whack" lines it is using to add the tunnel to pluto.
For example, on a tunnel setup as:
fec0::1:0:0:0:0/64===fec0::3:0:0:0:1...fec0::3:0:0:0:2===fec0::2:0:0:0:0/64
The whack command that gets run is:
whack --name "test-ip6-ip6" --encrypt --ipv6 --tunnelipv6 --tunnel --ike 3DES-SHA-MODP1024 --esp 3DES-SHA1 --host fec0:0:0:3::1 --client fec0::1:0:0:0:0/64 --updown "ipsec _updown" --sendcert always --to --host fec0:0:0:3::2 --client fec0::2:0:0:0:0/64 --updown "ipsec _updown" --sendcert always --psk --pfs --ipseclifetime 3600 --ikelifetime 3600 --keyingtries 0 --rekeymargin 600 --rekeyfuzz 100 --dpdaction restart_by_peer --dpddelay 9 --dpdtimeout 30
I can't see a problem with your config, but unfortunately I haven't much
experience with openswan/ipv6/ipsec.conf combinations. Perhaps someone else
has used it with netkey? I think it should be the same at that level.
Check the top of the output from "ipsec auto --status" or the syslog
startup from pluto to see that it knows about the IPv6 addresses
and interfaces.
Cheers,
Davidm
> My /etc/ipsec.conf:
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
>
> # This file: /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
> # Do not set debug= options to debug configuration issues!
> # plutodebug / klipsdebug = "all", "none" or a combation from below:
> # "raw crypt parsing emitting control klips pfkey natt x509 dpd
> private"
> # eg:
> # plutodebug="control parsing"
> #
> # enable to get logs per-peer
> # plutoopts="--perpeerlog"
> #
> # Only enable *debug=all if you are a developer
> #
> # NAT-TRAVERSAL support, see README.NAT-Traversal
> #nat_traversal=yes
> # exclude networks used on server side by adding %v4:!a.b.c.0/24
> #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
> # OE is now off by default. Uncomment and change to on, to enable.
> OE=off
> # which IPsec stack to use. netkey,klips,mast,auto or none
> #protostack=netkey
> protostack=klips
> interfaces="ipsec0=eth1"
>
>
> # Add connections here
>
> # sample VPN connection
> # for more examples, see /etc/ipsec.d/examples/
> #conn sample
> # # Left security gateway, subnet behind it, nexthop toward
> right.
> # left=10.0.0.1
> # leftsubnet=172.16.0.0/24
> # leftnexthop=10.22.33.44
> # # Right security gateway, subnet behind it, nexthop toward
> left.
> # right=10.12.12.1
> # rightsubnet=192.168.0.0/24
> # rightnexthop=10.101.102.103
> # # To authorize this connection, but not actually start it,
> # # at startup, uncomment this.
> # #auto=start
>
> conn tunnel
> left=172.16.2.10
> leftsubnet=172.16.1.0/24
> leftnexthop=172.16.2.20
> leftsourceip=172.16.1.20
> leftrsasigkey=0sAQN9vLW0owzEJrUApVpZ6dKtThF+PEW38lagLTMsa0nv9OdEouutbwzKzB2/ijdbzuC41wZNXUq9tPN6ocUCupqeBmoeEk56q0lTAo6n07nBjTETZ1b87u9fh6enGXF0eLBVQCgA6cVQt9oKeVX26fmDOE3XNetv5kw/N2T6VR5JJPg/VdfCxYyNZt3+y+Shi1u6jydS0F817IuB0oAqwAquEjKrijQ+qC8K2ochL6n4FfsSDVZAvI6Z7zezNPO8nd9IPlqCQ9PJLuJBAomlFjLCok7K9pArfbItTSEl1DNfejYeReYXoiivbyslEhhJPJYvkn93+2pYFMA5eke9JRf1
> right=172.16.3.20
> rightsubnet=172.16.4.0/24
> rightnexthop=172.16.3.10
> rightsourceip=172.16.4.10
> #rightrsasigkey=0sAQOPw8o4T6RUPf9NiC5rYO7IpevEWptpYQOOgvVqNB2a93J6sveTG611EOW5M0q17rPPBJ+miNLi1256cAG0xwJ1Utx8gCMA7sBMZwtF8e4pJQsbqy9RHeoMVO39g3y6PRJigRO6tS5HK7qt0zOq5x5DvWx6FzS45EFTptdhCZSKOU3sj7vNiXRLVDfxC1b0SvkC/trowh6GNaNblx0VKQorWp1as3Xn7wFz7QiAUELOd0SNwPo3JFd45l8lS9xx4tXmcDaLZzDwMkaZd7Z6jjmjLC2dh4ksQdK+6Rd7/Zu1egVXcR7iGx6Igxabtkmg1oOuvrR8a1mmyUcmx3+XC7Ln
> rightrsasigkey=0sAQOZP6OG/cuvLHNF8x+kpCFkYqUxFp+xSrKyC5G+jzKQJBFaUEQgB/lE6XJNq1nq+ZJSMwxKbh1zSratR4SI0+JjePeWZRSLaG5uHwqPAwu0Ydf7gDLkEAPgDRyOBSVUcsLENnjBsWMsYcNQTbXB+PAZI1NrI/ZFwgD1OXxgqNu45tTU4EDQGbsQvBOc436fwQOzCCLvpojYDJ7GWannWBGH2D3KzO39lMKHYP7I7PQJqEvLw1pT4hBgVXA9dB1Gx+Grsvq79vLWDXZRURrIiY4VwGbZGFOJPnxFrK+EWAjWPy93BTe7LUtVjYoZWk5KWMQ9IhTDGyVOXNNYMEzA8q2RwwuRkm/Ol6jFxAgwII3tnX1b
> ike=3des
> phase2alg=3des
> auto=add
>
> conn tunnel-v6-to-01
> connaddrfamily=ipv6
> left=2a02:bd0:abcd:2::10
> leftsubnet=2a02:bd0:abcd:1::/64
> leftnexthop=2a02:bd0:abcd:2::20
> #leftsourceip=2a02:bd0:abcd:1::20
> leftrsasigkey=0sAQN9vLW0owzEJrUApVpZ6dKtThF+PEW38lagLTMsa0nv9OdEouutbwzKzB2/ijdbzuC41wZNXUq9tPN6ocUCupqeBmoeEk56q0lTAo6n07nBjTETZ1b87u9fh6enGXF0eLBVQCgA6cVQt9oKeVX26fmDOE3XNetv5kw/N2T6VR5JJPg/VdfCxYyNZt3+y+Shi1u6jydS0F817IuB0oAqwAquEjKrijQ+qC8K2ochL6n4FfsSDVZAvI6Z7zezNPO8nd9IPlqCQ9PJLuJBAomlFjLCok7K9pArfbItTSEl1DNfejYeReYXoiivbyslEhhJPJYvkn93+2pYFMA5eke9JRf1
> right=2a02:bd0:abcd:3::20
> rightsubnet=2a02:bd0:abcd:4::/64
> rightnexthop=2a02:bd0:abcd:3::10
> #rightsourceip=2a02:bd0:abcd:4:10
> rightrsasigkey=0sAQOq7Cpk+IE9+tf/iasD4NO4KfIdc3x9hqmy+DvZj1/8CsC3FJOgxU1lbUl+8P3M0iIVuxav9448nHfK59/sD8I7rc9M7q5QKKUvz6ojQatcBUJkupxoWqzulCaH3M3LaEnwKMfLVykSwjEVCWo1tONbTGshiEkFsX8988hkDKCtMoUpvNMVOd2/VIbxZkAvbfzZHkHafBOqQ78r5A7MePoUae1kmotfAMokvCudSMzKBPdJCEWf0s6xVER0Oa1EQmtFqikJ+NjI9pA5+RXa0e/nN3y3yZ3WDTDaDZa46n/ppsvfR8lBY2o+khv8MD7vx9NHjreluIlVroks6gep7UOJ
> ike=3des
> phase2alg=3des
> auto=add
>
>
> And last bits of /var/log/auth.log:
>
> Aug 12 20:24:48 vn-t-fw03 ipsec__plutorun: Starting Pluto subsystem...
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: Starting Pluto (Openswan Version
> 2.6.master-201032.git-ge3b22fe7-dirty; Vendor ID OEtgLqHz\134OYe) pid:995
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: SAref support [disabled]: Protocol not
> available
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: SAbind support [disabled]: Protocol not
> available
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: Setting NAT-Traversal port-4500 floating
> to off
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: port floating activation criteria
> nat_t=0/port_float=1
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: NAT-Traversal support [disabled]
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: using /dev/urandom as source of random
> entropy
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating
> OAKLEY_SERPENT_CBC: Ok (ret=0)
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_enc(): Activating
> OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_512: Ok (ret=0)
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_256: Ok (ret=0)
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: starting up 1 cryptographic helpers
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: started helper pid=1000 (fd:7)
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: Using KLIPS IPsec interface code on
> 2.6.32-24-generic-pae
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: Changed path to directory
> '/etc/ipsec.d/cacerts'
> Aug 12 20:24:48 vn-t-fw03 pluto[1000]: using /dev/urandom as source of random
> entropy
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: Changed path to directory
> '/etc/ipsec.d/aacerts'
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: Changed path to directory
> '/etc/ipsec.d/ocspcerts'
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: Changing to directory
> '/etc/ipsec.d/crls'
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: Warning: empty directory
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: added connection description "tunnel"
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: added connection description "tunnel-v6-
> to-01"
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: listening for IKE messages
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: adding interface ipsec0/eth1
> 172.16.3.20:500
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: loading secrets from
> "/etc/ipsec.secrets"
> Aug 12 20:24:48 vn-t-fw03 pluto[995]: loaded private key for keyid:
> PPK_RSA:AQOZP6OG/
>
> After doing: ipsec auto --up tunnel-v6-to-01:
>
> Aug 12 20:37:36 vn-t-fw03 pluto[995]: "tunnel-v6-to-01": We cannot identify
> ourselves with either end of this connection.
>
>
> And just in case, the output of 'ip address list':
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 00:0c:29:3a:e5:18 brd ff:ff:ff:ff:ff:ff
> inet 10.0.112.103/24 brd 10.0.112.255 scope global eth0
> inet6 fe80::20c:29ff:fe3a:e518/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 00:0c:29:3a:e5:22 brd ff:ff:ff:ff:ff:ff
> inet 172.16.3.20/24 brd 172.16.3.255 scope global eth1
> inet6 2a02:bd0:abcd:3::20/64 scope global
> valid_lft forever preferred_lft forever
> inet6 fe80::20c:29ff:fe3a:e522/64 scope link
> valid_lft forever preferred_lft forever
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 00:0c:29:3a:e5:2c brd ff:ff:ff:ff:ff:ff
> inet 172.16.4.10/24 brd 172.16.4.255 scope global eth2
> inet6 2a02:bd0:abcd:4::10/64 scope global
> valid_lft forever preferred_lft forever
> inet6 fe80::20c:29ff:fe3a:e52c/64 scope link
> valid_lft forever preferred_lft forever
> 5: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast state UNKNOWN qlen 10
> link/ether 00:0c:29:3a:e5:22 brd ff:ff:ff:ff:ff:ff
> inet 172.16.3.20/24 brd 172.16.3.255 scope global ipsec0
> inet6 fe80::20c:29ff:fe3a:e522/64 scope link
> valid_lft forever preferred_lft forever
> 6: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
> link/void
> 7: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
> link/[65534]
>
>
> And 'ip route list':
>
> 172.16.4.0/24 dev eth2 proto kernel scope link src 172.16.4.10
> 172.16.3.0/24 dev eth1 proto kernel scope link src 172.16.3.20
> 172.16.3.0/24 dev ipsec0 proto kernel scope link src 172.16.3.20
> 10.0.112.0/24 dev eth0 proto kernel scope link src 10.0.112.103
> 10.0.0.0/23 via 10.0.112.1 dev eth0
> default via 172.16.3.10 dev eth1 metric 100
>
> And 'ip -6 route list':
>
> 2a02:bd0:abcd:3::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440
> hoplimit 0
> 2a02:bd0:abcd:4::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440
> hoplimit 0
> 2a02:bd0:abcd::/48 via 2a02:bd0:abcd:3::10 dev eth1 metric 1024 mtu 1500
> advmss 1440 hoplimit 0
> fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev ipsec0 proto kernel metric 256 mtu 16260 advmss 16200
> hoplimit 0
>
>
> Do I need to do anything configuration-wise to make it work (properly)?
>
> Regards,
> Ruben Laban
>
>
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
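The runtime failure quoted in this thread ("We cannot identify ourselves with either end of this connection") appears after pluto has logged only one listening address, 172.16.3.20 on ipsec0/eth1, while eth1 itself also carries 2a02:bd0:abcd:3::20. The script below is an added example, not code from the thread or from Openswan: it cross-checks the three things David points at (the conn definitions in ipsec.conf, the "adding interface" lines in pluto's syslog output, and "ip address list") and reports, per connection, whether left= or right= is an address pluto actually listens on, and if not, which global address on the interfaces= device pluto never picked up. The sample config, log lines and interface listing are constructed, reduced from the ones posted; the reading of the pluto error as "neither end is a listening address", the assumption that an IPv6 listener would be logged in the same ADDR:PORT shape, and the single-entry parsing of interfaces= are mine.

```python
import ipaddress
import re

# Constructed sample ipsec.conf, reduced from the one posted in the thread.
SAMPLE_IPSEC_CONF = """\
config setup
    interfaces="ipsec0=eth1"

conn tunnel
    left=172.16.2.10
    right=172.16.3.20

conn tunnel-v6-to-01
    connaddrfamily=ipv6
    left=2a02:bd0:abcd:2::10
    right=2a02:bd0:abcd:3::20
"""

# Constructed pluto syslog lines in the format of the thread's log
# (the wrapped "adding interface" line is joined back onto one line).
SAMPLE_LOG = """\
Aug 12 20:24:48 vn-t-fw03 pluto[995]: listening for IKE messages
Aug 12 20:24:48 vn-t-fw03 pluto[995]: adding interface ipsec0/eth1 172.16.3.20:500
"""

# Constructed 'ip address list' excerpt for eth1, reduced from the thread.
SAMPLE_IP_ADDR = """\
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    inet 172.16.3.20/24 brd 172.16.3.255 scope global eth1
    inet6 2a02:bd0:abcd:3::20/64 scope global
    inet6 fe80::20c:29ff:fe3a:e522/64 scope link
"""


def parse_sections(conf_text):
    """Map each unindented header ('conn NAME', 'config setup') to its key=value pairs."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented: a section header
            current = sections.setdefault(' '.join(line.split()), {})
            continue
        if current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip().strip('"')
    return sections


def listening_addresses(log_text):
    """Addresses pluto reported in 'adding interface IF ADDR:PORT' lines.
    Assumption: an IPv6 listener would be logged in the same ADDR:PORT shape."""
    addrs = set()
    for line in log_text.splitlines():
        m = re.search(r'pluto\[\d+\]: adding interface (\S+) (\S+)$', line.rstrip())
        if m:
            host = m.group(2).rpartition(':')[0]  # strip the :500 port suffix
            addrs.add(ipaddress.ip_address(host))
    return addrs


def global_addresses(ip_output, ifname):
    """Global-scope IPv4/IPv6 addresses on ifname, parsed from 'ip address list'."""
    addrs, current = set(), None
    for line in ip_output.splitlines():
        head = re.match(r'\d+: (\S+?)[:@]', line)
        if head:
            current = head.group(1)
            continue
        m = re.match(r'\s+inet6? (\S+) .*scope global', line)
        if m and current == ifname:
            addrs.add(ipaddress.ip_interface(m.group(1)).ip)
    return addrs


def diagnose(conf_text, log_text, ip_output):
    """Per conn: which of left/right is an address pluto listens on, or why neither is."""
    sections = parse_sections(conf_text)
    listening = listening_addresses(log_text)
    # Assumption: a single "ipsecN=ethM" entry in interfaces=; keep the physical side.
    phys = sections.get('config setup', {}).get('interfaces', '').partition('=')[2]
    missing = sorted(str(a) for a in global_addresses(ip_output, phys) - listening)
    hint = '; %s carries %s but pluto never added it' % (phys, ', '.join(missing)) if missing else ''
    report = {}
    for header, keys in sections.items():
        if not header.startswith('conn '):
            continue
        ends = []
        for end in ('left', 'right'):
            try:
                if ipaddress.ip_address(keys.get(end, '')) in listening:
                    ends.append(end)
            except ValueError:                    # %defaultroute, %any, hostnames
                pass
        if ends:
            report[header[5:]] = 'ok: %s is an address pluto listens on' % ' and '.join(ends)
        else:
            report[header[5:]] = 'neither end is a listening address' + hint
    return report


if __name__ == '__main__':
    for name, verdict in diagnose(SAMPLE_IPSEC_CONF, SAMPLE_LOG, SAMPLE_IP_ADDR).items():
        print('%s: %s' % (name, verdict))
```

Run against the constructed samples it reports "tunnel" as fine (right= is the 172.16.3.20 listener) and "tunnel-v6-to-01" as having no local end, naming the 2a02:bd0:abcd:3::20 address that is on eth1 but absent from pluto's "adding interface" lines, which is exactly the gap to look for at the top of "ipsec auto --status" or in the pluto startup syslog. On a real host, feed it the actual /etc/ipsec.conf, the pluto lines from /var/log/auth.log and the output of "ip address list".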