[Openswan dev] Error building klips-ipv6 (missing include?)

Ruben Laban r.laban at ism.nl
Tue Aug 17 03:15:23 EDT 2010


On Tuesday 17 August 2010 at 07:46 (CET), David McCullough wrote:
> Jivin Paul Wouters lays it down ...
> 
> > On Tue, 17 Aug 2010, David McCullough wrote:
> > > Could be.  I don't actually use the openswan configurator to add the
> > > tunnels to pluto (long story).
> > > 
> > > I think you can ask it to print the commands it runs,  then we can see
> > > the "whack" lines it is using to add the tunnel to pluto.
> > 
> > Not sure if you can, apart from adding -x to the #!/bin/sh line of
> > "auto".
> 
> I thought that "ipsec auto --show --add ..." might do it.

Adding --show to either --add or --up isn't very useful. Probably due to the 
changes in config/conn handling.

# ipsec auto --show --add tunnel-v6-to-01
+ exec
+ ipsec addconn tunnel-v6-to-01
#

> > But plutodebug=all should show some errors, and with those we might be
> > able to see if some part is not entirely ipv6 ready as we expected it to
> > be.

Attached full log with plutodebug=all. It doesn't mention the adding of IP 
addresses to ipsec0, only the detection of the added one(s).

I just did some playing around though and got pluto to listen on IPv6 by doing 
the following:

# ip addr add 2a02:bd0:abcd:3::20/64 dev ipsec0
# ipsec whack --listen

This allows the conn to come up, but the tunnel itself I don't have working 
yet. Though this might be a problem with my test environment. I'm interop'ing 
between "Linux Openswan 2.6.master-201032.git-ge3b22fe7-dirty (klips)" and 
"Linux Openswan U2.6.master-201015.git/K2.6.32-02063202-generic (netkey)" 
currently. Encryption seems to work both ways, but decryption seems not. 
Though I'll be looking into that in a (hopefully) short while.

Regards,
Ruben Laban
-------------- next part --------------
Aug 17 08:14:05 vn-t-fw03 ipsec__plutorun: Starting Pluto subsystem...
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: Starting Pluto (Openswan Version 2.6.master-201032.git-ge3b22fe7-dirty; Vendor ID OEtgLqHz\134OYe) pid:2824
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: SAref support [disabled]: Protocol not available
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: SAbind support [disabled]: Protocol not available
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: Setting NAT-Traversal port-4500 floating to off
Aug 17 08:14:05 vn-t-fw03 pluto[2824]:    port floating activation criteria nat_t=0/port_float=1
Aug 17 08:14:05 vn-t-fw03 pluto[2824]:    NAT-Traversal support  [disabled]
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | opening /dev/urandom
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: using /dev/urandom as source of random entropy
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | event added at head of queue
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | event added at head of queue
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | event added after event EVENT_PENDING_DDNS
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: starting up 1 cryptographic helpers
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: started helper pid=2826 (fd:7)
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: Using KLIPS IPsec interface code on 2.6.32-24-generic-pae
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | process 2824 listening for PF_KEY_V2 on file descriptor 8
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | finish_pfkey_msg: K_SADB_REGISTER message 1 for AH 
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: |   02 07 00 02  02 00 00 00  01 00 00 00  08 0b 00 00
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | pfkey_get: K_SADB_REGISTER message 1
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | AH registered with kernel.
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP 
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: |   02 07 00 03  02 00 00 00  02 00 00 00  08 0b 00 00
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | pfkey_get: K_SADB_REGISTER message 2
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | alg_init():memset(0x8157860, 0, 2016) memset(0x8158040, 0, 2048) 
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=9 sadb_supported_len=24
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_add():satype=3, exttype=14, alg_id=3
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_add():satype=3, exttype=14, alg_id=2
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=9 sadb_supported_len=32
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_add():satype=3, exttype=15, alg_id=3
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=15, satype=3, alg_id=3, alg_ivlen=64, alg_minbits=192, alg_maxbits=192, res=0, ret=1
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_add():satype=3, exttype=15, alg_id=12
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=15, satype=3, alg_id=12, alg_ivlen=128, alg_minbits=128, alg_maxbits=256, res=0, ret=1
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_add():satype=3, exttype=15, alg_id=3
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_add(): discarding already setup satype=3, exttype=15, alg_id=3
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=15, satype=3, alg_id=3, alg_ivlen=64, alg_minbits=168, alg_maxbits=168, res=0, ret=0
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | ESP registered with kernel.
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP 
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: |   02 07 00 0a  02 00 00 00  03 00 00 00  08 0b 00 00
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | pfkey_get: K_SADB_REGISTER message 3
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | IPCOMP registered with kernel.
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | finish_pfkey_msg: K_SADB_REGISTER message 4 for IPIP 
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: |   02 07 00 09  02 00 00 00  04 00 00 00  08 0b 00 00
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | pfkey_get: K_SADB_REGISTER message 4
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | IPIP registered with kernel.
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | event added after event EVENT_PENDING_DDNS
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: Changed path to directory '/etc/ipsec.d/cacerts'
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: Changed path to directory '/etc/ipsec.d/aacerts'
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: Changing to directory '/etc/ipsec.d/crls'
Aug 17 08:14:05 vn-t-fw03 pluto[2824]:   Warning: empty directory
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | inserting event EVENT_LOG_DAILY, timeout in 56755 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | event added after event EVENT_REINIT_SECRET
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 60 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2826]: | opening /dev/urandom
Aug 17 08:14:05 vn-t-fw03 pluto[2826]: using /dev/urandom as source of random entropy
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: |  
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | *received whack message
Aug 17 08:14:05 vn-t-fw03 pluto[2826]: ! helper 0 waiting on fd: 8
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | alg_info_parse_str() ealg_buf=3des aalg_buf=eklen=0  aklen=0
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | enum_search_prefix () calling enum_search(0x812b454, "OAKLEY_3DES")
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | enum_search_ppfixi () calling enum_search(0x812b454, "OAKLEY_3DES_CBC")
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | parser_alg_info_add() ealg_getbyname("3des")=5
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | __alg_info_ike_add() ealg=5 aalg=1 modp_id=5, cnt=1
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | __alg_info_ike_add() ealg=5 aalg=2 modp_id=5, cnt=2
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | __alg_info_ike_add() ealg=5 aalg=1 modp_id=2, cnt=3
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | __alg_info_ike_add() ealg=5 aalg=2 modp_id=2, cnt=4
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | Added new connection tunnel-v6-to-01 with policy RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | from whack: got --esp=3des
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | alg_info_parse_str() ealg_buf=3des aalg_buf=eklen=0  aklen=0
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | enum_search_prefix () calling enum_search(0x812a454, "ESP_3DES")
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | parser_alg_info_add() ealg_getbyname("3des")=3
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | __alg_info_esp_add() ealg=3 aalg=1 cnt=1
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | __alg_info_esp_add() ealg=3 aalg=2 cnt=2
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | esp string values: 3DES(3)_000-MD5(1)_000, 3DES(3)_000-SHA1(2)_000; flags=-strict
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | ike (phase1) algorihtm values: 3DES_CBC(5)_000-MD5(1)_000-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5), 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2), 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | counting wild cards for 2a02:bd0:abcd:2::10 is 0
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | counting wild cards for 2a02:bd0:abcd:3::20 is 0
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | virt was not set in whack message - this is a CK_PERMANENT
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | alg_info_addref() alg_info->ref_cnt=1
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | alg_info_addref() alg_info->ref_cnt=1
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: added connection description "tunnel-v6-to-01"
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | 2a02:bd0:abcd:1::/64===2a02:bd0:abcd:2::10<2a02:bd0:abcd:2::10>[+S=C]---2a02:bd0:abcd:2::20...2a02:bd0:abcd:3::10---2a02:bd0:abcd:3::20<2a02:bd0:abcd:3::20>[+S=C]===2a02:bd0:abcd:4::/64
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | * processed 0 messages from cryptographic helpers 
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 60 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 60 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: |  
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | *received whack message
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | * processed 0 messages from cryptographic helpers 
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 60 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 60 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: |  
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | *received whack message
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | * processed 0 messages from cryptographic helpers 
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 60 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 60 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: |  
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | *received whack message
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: listening for IKE messages
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | found lo with address 127.0.0.1
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | found eth0 with address 10.0.112.103
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | found eth1 with address 172.16.3.20
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | found eth2 with address 172.16.4.10
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | found ipsec0 with address 172.16.3.20
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | IP interface eth2 172.16.4.10 has no matching ipsec* interface -- ignored
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: adding interface ipsec0/eth1 172.16.3.20:500
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | IP interface eth0 10.0.112.103 has no matching ipsec* interface -- ignored
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | found eth2 with address 2a02:0bd0:abcd:0004:0000:0000:0000:0010
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | found eth1 with address 2a02:0bd0:abcd:0003:0000:0000:0000:0020
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | IP interface eth1 2a02:bd0:abcd:3::20 has no matching ipsec* interface -- ignored
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | IP interface lo ::1 has no matching ipsec* interface -- ignored
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | IP interface eth2 2a02:bd0:abcd:4::10 has no matching ipsec* interface -- ignored
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: loading secrets from "/etc/ipsec.secrets"
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: loaded private key for keyid: PPK_RSA:AQOZP6OG/
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | * processed 0 messages from cryptographic helpers 
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 60 seconds
Aug 17 08:14:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 60 seconds
Aug 17 08:15:05 vn-t-fw03 pluto[2824]: |  
Aug 17 08:15:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 0 seconds
Aug 17 08:15:05 vn-t-fw03 pluto[2824]: | *time to handle event
Aug 17 08:15:05 vn-t-fw03 pluto[2824]: | handling event EVENT_PENDING_DDNS
Aug 17 08:15:05 vn-t-fw03 pluto[2824]: | event after this is EVENT_SHUNT_SCAN in 60 seconds
Aug 17 08:15:05 vn-t-fw03 pluto[2824]: | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
Aug 17 08:15:05 vn-t-fw03 pluto[2824]: | event added at head of queue
Aug 17 08:15:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 60 seconds
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: |  
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 0 seconds
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | *time to handle event
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | handling event EVENT_PENDING_DDNS
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | event after this is EVENT_SHUNT_SCAN in 0 seconds
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | event added after event EVENT_PENDING_PHASE2
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | handling event EVENT_SHUNT_SCAN
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | event after this is EVENT_PENDING_PHASE2 in 0 seconds
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | event added after event EVENT_PENDING_DDNS
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | scanning for shunt eroutes
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | handling event EVENT_PENDING_PHASE2
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | event after this is EVENT_PENDING_DDNS in 60 seconds
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | event added after event EVENT_PENDING_DDNS
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | pending review: connection "tunnel-v6-to-01" was not up, skipped
Aug 17 08:16:05 vn-t-fw03 pluto[2824]: | next event EVENT_PENDING_DDNS in 60 seconds
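
One way to spot the condition described in the message in a plutodebug=all log, as an added example that is not part of the original message or of Openswan: it cross-references the connection's endpoint addresses against the addresses pluto ignored for lack of a matching ipsec* interface. The function names are hypothetical, and the sample lines are an excerpt of the attached log with the syslog prefix trimmed.

```python
import ipaddress
import re

# Excerpt of the pluto log attached above, syslog prefix trimmed.
SAMPLE_LOG = """\
| counting wild cards for 2a02:bd0:abcd:2::10 is 0
| counting wild cards for 2a02:bd0:abcd:3::20 is 0
| found eth1 with address 172.16.3.20
| found ipsec0 with address 172.16.3.20
adding interface ipsec0/eth1 172.16.3.20:500
| found eth1 with address 2a02:0bd0:abcd:0003:0000:0000:0000:0020
| IP interface eth1 2a02:bd0:abcd:3::20 has no matching ipsec* interface -- ignored
| IP interface lo ::1 has no matching ipsec* interface -- ignored
"""

ENDPOINT = re.compile(r"counting wild cards for (\S+) is")
FOUND = re.compile(r"found (ipsec\d+) with address (\S+)")
IGNORED = re.compile(
    r"IP interface (\S+) (\S+) has no matching ipsec\* interface -- ignored")


def _ip(text):
    """Parse an address (normalising expanded IPv6); None if not an IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def ipsec_device_addrs(log_text):
    """Map each ipsecN device to the addresses pluto found on it."""
    devs = {}
    for dev, addr in FOUND.findall(log_text):
        if _ip(addr) is not None:
            devs.setdefault(dev, []).append(str(_ip(addr)))
    return devs


def unbound_endpoints(log_text):
    """Return (address, physical_if) for conn endpoints pluto ignored."""
    endpoints = {_ip(a) for a in ENDPOINT.findall(log_text)} - {None}
    bound = {_ip(a) for addrs in ipsec_device_addrs(log_text).values()
             for a in addrs}
    return [(str(_ip(a)), dev) for dev, a in IGNORED.findall(log_text)
            if _ip(a) in endpoints and _ip(a) not in bound]


if __name__ == "__main__":
    for addr, dev in unbound_endpoints(SAMPLE_LOG):
        print(f"{addr} on {dev}: no ipsec* device carries it, pluto not listening")
```

On the excerpt this reports 2a02:bd0:abcd:3::20 on eth1, the address the message then adds to ipsec0 by hand before running `ipsec whack --listen`.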

