[Openswan Users] openswan and red hat enterprise

Morgan Marodin mmarodin at develon.com
Fri Mar 26 12:03:06 CET 2004


Hi.

I have used the openswan26.spec to rpmbuild the tarball package on my Red 
Hat Enterprise ES 3. All OK. I have installed the RPM with the userland 
tools of Openswan 2.1.1 and I have configured the configuration files. I 
have defined a connection named "conntest" with another VPN gateway based 
on a superfreeswan.

I think that the NAT-Traversal patch is still in the kernel because I found 
a patch called linux-2.4.21-ipsec.patch in the kernel-2.4.21-9.0.1.EL.src.rpm

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
...
# 03/06/16      derek at ihtfp.com 1.1383
# [IPSEC]: Implement UDP Encapsulation framework.
#
# In particular, implement ESPinUDP encapsulation for IPsec
# Nat Traversal.
...
+
+/* This defines the TYPE of Nat Traversal in use.  Currently only one
+ * type of NAT-T is supported, draft-ietf-ipsec-udp-encaps-06
+ */
+struct sadb_x_nat_t_type {
+       uint16_t        sadb_x_nat_t_type_len;
+       uint16_t        sadb_x_nat_t_type_exttype;
+       uint8_t         sadb_x_nat_t_type_type;
+       uint8_t         sadb_x_nat_t_type_reserved[3];
+} __attribute__((packed));
+/* sizeof(struct sadb_x_nat_t_type) == 8 */
+
+/* Pass a NAT Traversal port (Source or Dest port) */
+struct sadb_x_nat_t_port {
+       uint16_t        sadb_x_nat_t_port_len;
+       uint16_t        sadb_x_nat_t_port_exttype;
+       uint16_t        sadb_x_nat_t_port_port;
+       uint16_t        sadb_x_nat_t_port_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_nat_t_port) == 8 */
+
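Review bot: the "sizeof(...) == 8" comments on sadb_x_nat_t_type and sadb_x_nat_t_port are not enforced anywhere in this hunk; since these layouts are visible to userland through PF_KEY, put a compile-time size check next to each definition instead of relying on the comment and on __attribute__((packed)) staying intact. Two documentation gaps in the same hunk: sadb_x_nat_t_port_port does not say whether it is carried in host or network byte order, and the reserved fields (sadb_x_nat_t_type_reserved[3], sadb_x_nat_t_port_reserved) are not stated to be zero; the parser should reject non-zero reserved bytes so they cannot be used to carry data, and the comment should say so.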
...
+/* The next four entries are for setting up NAT Traversal */
+#define SADB_X_EXT_NAT_T_TYPE          20
+#define SADB_X_EXT_NAT_T_SPORT         21
+#define SADB_X_EXT_NAT_T_DPORT         22
+#define SADB_X_EXT_NAT_T_OA            23
+#define SADB_EXT_MAX                   23
+
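Review bot: SADB_EXT_MAX is raised to 23 and four new extension types (20..23) are introduced, but nothing in this excerpt extends whatever the PF_KEY parser indexes by extension type (a per-type minimum-length or handler table sized from SADB_EXT_MAX); if such a table exists in the elided part of the patch, confirm it gained entries for 20..23, otherwise a message carrying one of these types indexes past the old end. SADB_X_EXT_NAT_T_OA also has no matching struct in the visible hunks, unlike the TYPE and SPORT/DPORT extensions; document next to the define which extension struct carries it.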
...
--------------------------------------------------------------------------------------------------------------------------------------------------------------------

and this patch is applied in the kernel-2.4.spec. But at the moment 
NAT-T is not a problem ...
If I try to start the service ...

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@platoon etc]# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.1.1...
ipsec_setup: insmod: ipsec: no module by that name found
ipsec_setup: /sbin/insmod /lib/modules/2.4.21-9.0.1.EL/kernel/net/key/af_key.o
ipsec_setup: Using /lib/modules/2.4.21-9.0.1.EL/kernel/net/key/af_key.o
ipsec_setup: Symbol version prefix ''
[root@platoon etc]#
[root@platoon etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux FreeS/WAN U2.1.1/K2.4.21-9.0.1.EL (native) (native)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [OK]
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
Checking for 'setkey' command for native IPsec stack support            [OK]

Opportunistic Encryption DNS checks:
    Looking for TXT in forward dns zone: 
platoon                         [MISSING]
    Does the machine have at least one non-private address?              [OK]
    Looking for TXT in reverse dns zone: 
35.111.111.111.in-addr.arpa.   [MISSING]
--------------------------------------------------------------------------------------------------------------------------------------------------------------------

all seems well but ...

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@platoon etc]# ifconfig ipsec0
ipsec0: error fetching interface information: Device not found
--------------------------------------------------------------------------------------------------------------------------------------------------------------------

This is the interesting part of /var/log/messages:

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@platoon log]# tail -f messages
Mar 26 11:19:40 platoon ipsec_setup: Starting Openswan IPsec 2.1.1...
Mar 26 11:19:40 platoon ipsec_setup: insmod: ipsec: no module by that name found
Mar 26 11:19:40 platoon ipsec_setup: /sbin/insmod /lib/modules/2.4.21-9.0.1.EL/kernel/net/key/af_key.o
Mar 26 11:19:40 platoon ipsec_setup: Using /lib/modules/2.4.21-9.0.1.EL/kernel/net/key/af_key.o
Mar 26 11:19:40 platoon ipsec_setup: Symbol version prefix ''
Mar 26 11:19:40 platoon ipsec_setup: KLIPS ipsec0 on eth0 111.111.111.35/255.255.255.0 broadcast 111.111.111.255
Mar 26 11:19:40 platoon ipsec_setup: ...Openswan IPsec started
Mar 26 11:19:41 platoon ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module ripemd160
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module cast128
Mar 26 11:19:41 platoon ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
Mar 26 11:19:41 platoon ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module lzs
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module lzjh
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module ripemd160
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module cast128
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module lzs
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module lzjh
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module ripemd160
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module cast128
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module lzs
Mar 26 11:19:41 platoon modprobe: modprobe: Can't locate module lzjh
Mar 26 11:19:41 platoon ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
Mar 26 11:19:42 platoon ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
Mar 26 11:19:42 platoon ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
Mar 26 11:19:42 platoon ipsec__plutorun: 021 no connection named "packetdefault"
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not route conn "packetdefault"
Mar 26 11:19:42 platoon ipsec__plutorun: 021 no connection named "block"
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not route conn "block"
Mar 26 11:19:42 platoon ipsec__plutorun: 021 no connection named "clear-or-private"
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not route conn "clear-or-private"
Mar 26 11:19:42 platoon ipsec__plutorun: 021 no connection named "clear"
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not route conn "clear"
Mar 26 11:19:42 platoon ipsec__plutorun: 021 no connection named "private-or-clear"
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not route conn "private-or-clear"
Mar 26 11:19:42 platoon ipsec__plutorun: 021 no connection named "private"
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not route conn "private"
Mar 26 11:19:42 platoon ipsec__plutorun: 104 "conntest" #1: STATE_MAIN_I1: initiate
Mar 26 11:19:42 platoon ipsec__plutorun: ...could not start conn "conntest"
Mar 26 11:20:09 platoon modprobe: modprobe: Can't locate module ipsec0
--------------------------------------------------------------------------------------------------------------------------------------------------------------------

BUT ... really ... the SA "conntest" was established.
In fact:

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@platoon log]# ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 111.111.111.35
000 interface eth1/eth1 192.168.100.1
000 %myid = (none)
000 debug none
000
000 "conntest": 192.168.100.0/24===111.111.111.35...222.222.222.5---222.222.222.6===192.168.2.0/24; erouted; eroute owner: #4
000 "conntest":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "conntest":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth0;
000 "conntest":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 #6: "conntest" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s
000 #4: "conntest" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28373s; newest IPSEC; eroute owner
000 #4: "conntest" esp.2ba2ac1f@222.222.222.6 esp.42ef01c8@111.111.111.35 tun.0@222.222.222.6 tun.0@111.111.111.35
000 #3: "conntest" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3173s; newest ISAKMP
000 #1: "conntest" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2720s
000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------

ISAKMP SA established ... but I don't have the ipsec0 device and I don't have 
any route to the "rightsubnet".
This is my Openswan configuration:

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@platoon etc]# cat ipsec.conf
version 2.0

config setup
         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
         # klipsdebug=all
         # plutodebug=dns
         interfaces="ipsec0=eth0"
         #interfaces=%defaultroute
         klipsdebug=none
         plutodebug=none
         uniqueids=yes
         #nat_traversal=yes

conn %default
         keyingtries=3
         disablearrivalcheck=no
         authby=rsasig
         type=tunnel
         pfs=yes

conn conntest
         authby=secret
         pfs=no
         left=111.111.111.35
         leftid=111.111.111.35
         leftsubnet=192.168.100.0/24
         #leftupdown="/usr/lib/ipsec/_updown.conntest"
         right=222.222.222.6
         rightid=222.222.222.6
         rightsubnet=192.168.2.0/24
         rightnexthop=222.222.222.5
         auto=start
--------------------------------------------------------------------------------------------------------------------------------------------------------------------

What's the problem?

Thanks, Morgan 
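An added diagnostic script, not from the original post and not part of Openswan, that applies the checks a practitioner would run on output like the above. It reads ipsec_setup log lines, "ipsec auto --status" output and the "config setup" section of ipsec.conf, decides whether Openswan ended up driving KLIPS or the kernel's native IPsec stack (the native stack has no ipsecN virtual device, so "ifconfig ipsec0" is expected to fail there and SAs and policies are listed with setkey, the command ipsec verify checked for under "native IPsec stack support"), confirms that the named conn has a phase 2 "IPsec SA established" state and not only an ISAKMP SA, and flags the pattern in which conns fail with "%defaultroute requested but not known" while interfaces= is set to something other than %defaultroute. The sample inputs are constructed from the log, status and config quoted above (trimmed); the function names, the SAMPLE_* variables and the native/klips/unknown labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the original message or the Openswan project.
# Classifies ipsec_setup log lines, "ipsec auto --status" output and the
# "config setup" section of ipsec.conf. Sample inputs are constructed from
# the post (trimmed); on a real host feed /var/log/messages, the live status
# output and /etc/ipsec.conf instead.

# Constructed sample: ipsec_setup / pluto lines from /var/log/messages.
SAMPLE_LOG=$(cat <<'EOF'
Mar 26 11:19:40 platoon ipsec_setup: Starting Openswan IPsec 2.1.1...
Mar 26 11:19:40 platoon ipsec_setup: insmod: ipsec: no module by that name found
Mar 26 11:19:40 platoon ipsec_setup: /sbin/insmod /lib/modules/2.4.21-9.0.1.EL/kernel/net/key/af_key.o
Mar 26 11:19:40 platoon ipsec_setup: KLIPS ipsec0 on eth0 111.111.111.35/255.255.255.0 broadcast 111.111.111.255
Mar 26 11:19:41 platoon ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
Mar 26 11:20:09 platoon modprobe: modprobe: Can't locate module ipsec0
EOF
)

# Constructed sample: the state lines of "ipsec auto --status".
SAMPLE_STATUS=$(cat <<'EOF'
000 "conntest":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth0;
000 #4: "conntest" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28373s; newest IPSEC; eroute owner
000 #3: "conntest" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3173s; newest ISAKMP
EOF
)

# Constructed sample: the "config setup" section of ipsec.conf.
SAMPLE_CONF=$(cat <<'EOF'
config setup
         interfaces="ipsec0=eth0"
         #interfaces=%defaultroute
         klipsdebug=none
EOF
)

# ipsec_stack LOGTEXT -> prints "native", "klips" or "unknown".
# KLIPS is loaded with "insmod ipsec"; when that fails and ipsec_setup goes
# on to load af_key.o, pluto is talking to the kernel's own (native) stack.
# The "KLIPS ipsec0 on ..." line is printed by the setup script even after
# the failed insmod (see the log above), so on its own it proves nothing.
ipsec_stack() {
    if printf '%s\n' "$1" | grep -q 'insmod: ipsec: no module by that name found' &&
       printf '%s\n' "$1" | grep -q 'af_key\.o'; then
        echo native
    elif printf '%s\n' "$1" | grep -q 'KLIPS ipsec0 on'; then
        echo klips
    else
        echo unknown
    fi
}

# sa_established STATUSTEXT CONN -> exit 0 if CONN has a QUICK-mode state
# marked "IPsec SA established" (an ISAKMP SA alone is only phase 1).
sa_established() {
    printf '%s\n' "$1" | grep -q "\"$2\" STATE_QUICK_.*(IPsec SA established)"
}

# expected_device STACK -> where the tunnel is visible for that stack.
# ipsecN virtual devices exist only with KLIPS; the native stack has none.
expected_device() {
    case "$1" in
        klips)  echo 'ipsec0 (ifconfig ipsec0, ipsec eroute)' ;;
        native) echo 'no ipsecN device; list SAs with setkey -D and policies with setkey -DP' ;;
        *)      echo 'unknown' ;;
    esac
}

# defaultroute_mismatch LOGTEXT CONFTEXT -> exit 0 when the log carries
# "%defaultroute requested but not known" while an uncommented interfaces=
# line is set to something other than %defaultroute.
defaultroute_mismatch() {
    printf '%s\n' "$1" | grep -q '%defaultroute requested but not known' || return 1
    printf '%s\n' "$2" | grep -v '^[[:space:]]*#' | grep -q 'interfaces=' || return 1
    ! printf '%s\n' "$2" | grep -v '^[[:space:]]*#' | grep -q 'interfaces=%defaultroute'
}

# Stand-alone run over the constructed samples.
stack=$(ipsec_stack "$SAMPLE_LOG")
echo "stack: $stack"
echo "look at: $(expected_device "$stack")"
if sa_established "$SAMPLE_STATUS" conntest; then
    echo "conntest: IPsec SA established"
else
    echo "conntest: no IPsec SA"
fi
if defaultroute_mismatch "$SAMPLE_LOG" "$SAMPLE_CONF"; then
    echo "note: conns using %defaultroute fail while interfaces= is explicit"
fi
```

On the host itself, pass the real text in place of the samples, for example ipsec_stack "$(grep ipsec_setup /var/log/messages)" and sa_established "$(ipsec auto --status)" conntest. The checks are pure pattern matches on Openswan 2.x message text, so they run as the unprivileged reader of a copied log just as well as on the gateway.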