[Openswan Users] openswan-2.4.0rc1 compilation errors
Oliver Tomkins
oliver.tomkins at alliedvehicles.co.uk
Tue Aug 23 12:52:28 CEST 2005
Thanks Paul - that worked fine.
However the new release still does not allow me to have two connections
at the same time.
Either of our two client machines can connect independently without any
problems at all. When one is connected the second is unable to do so.
The Windows 2000 client machines connect to our ipsec machine in the DMZ
- this used DNAT to forward the relevant packets to the L2TP box that is
on our internal subnet and allocates the client machines an IP address
on our internal subnet. The process is reversed with SNAT for the
packets going back out to the client machines.
If a machine is connected then we can see the SA being established with
the second machine and then the disconnection. Nothing shows in the
logs on the l2tp machine.
/var/log/secure/
Aug 23 10:20:31 mini pluto[15513]: "vpn2"[2] XXX.XXX.XXX.XXX #3:
received Delete SA(0xc718e48d) payload: deleting IPSEC State #
4
Aug 23 10:20:31 mini pluto[15513]: | deleting state #4
Aug 23 10:20:31 mini pluto[15513]: | processing connection vpn2[2]
XXX.XXX.XXX.XXX
Aug 23 10:20:31 mini pluto[15513]: | **emit ISAKMP Message:
Aug 23 10:20:31 mini pluto[15513]: | initiator cookie:
Aug 23 10:20:31 mini pluto[15513]: | ef 4e fc ec 71 00 40 29
Aug 23 10:20:31 mini pluto[15513]: | responder cookie:
Aug 23 10:20:31 mini pluto[15513]: | b8 e1 2d 19 18 cf 44 08
Aug 23 10:20:31 mini pluto[15513]: | next payload type: ISAKMP_NEXT_HASH
Aug 23 10:20:31 mini pluto[15513]: | ISAKMP version: ISAKMP Version 1.0
Aug 23 10:20:31 mini pluto[15513]: | exchange type: ISAKMP_XCHG_INFO
Aug 23 10:20:31 mini pluto[15513]: | flags: ISAKMP_FLAG_ENCRYPTION
Aug 23 10:20:31 mini pluto[15513]: | message ID: ab f5 18 3e
Aug 23 10:20:31 mini pluto[15513]: | ***emit ISAKMP Hash Payload:
Aug 23 10:20:31 mini pluto[15513]: | next payload type: ISAKMP_NEXT_D
Aug 23 10:20:31 mini pluto[15513]: | emitting 20 zero bytes of HASH(1)
into ISAKMP Hash Payload
Aug 23 10:20:31 mini pluto[15513]: | emitting length of ISAKMP Hash
Payload: 24
Aug 23 10:20:31 mini pluto[15513]: | ***emit ISAKMP Delete Payload:
Aug 23 10:20:31 mini pluto[15513]: | next payload type: ISAKMP_NEXT_NONE
Aug 23 10:20:31 mini pluto[15513]: | DOI: ISAKMP_DOI_IPSEC
Aug 23 10:20:31 mini pluto[15513]: | protocol ID: 3
Aug 23 10:20:31 mini pluto[15513]: | SPI size: 4
Aug 23 10:20:31 mini pluto[15513]: | number of SPIs: 1
Aug 23 10:20:31 mini pluto[15513]: | emitting 4 raw bytes of delete
payload into ISAKMP Delete Payload
Aug 23 10:20:31 mini pluto[15513]: | delete payload af 7f b6 09
Aug 23 10:20:31 mini pluto[15513]: | emitting length of ISAKMP Delete
Payload: 16
Aug 23 10:20:31 mini pluto[15513]: | HASH(1) computed:
Aug 23 10:20:31 mini pluto[15513]: | 01 b3 d9 01 c3 62 81 c4 a3 08
ff 98 b1 0a 95 37
Aug 23 10:20:31 mini pluto[15513]: | e9 fa 67 95
Aug 23 10:20:31 mini pluto[15513]: | last Phase 1 IV: a3 41 42 f7 9b
c4 c4 64
Aug 23 10:20:31 mini pluto[15513]: | current Phase 1 IV: a3 41 42 f7
9b c4 c4 64
Aug 23 10:20:31 mini pluto[15513]: | computed Phase 2 IV:
Aug 23 10:20:31 mini pluto[15513]: | b4 16 77 82 91 3e 11 12 dc 38
51 b7 20 ee 09 95
Aug 23 10:20:31 mini pluto[15513]: | e4 71 ac a0
Aug 23 10:20:31 mini pluto[15513]: | encrypting:
Aug 23 10:20:31 mini pluto[15513]: | 0c 00 00 18 01 b3 d9 01 c3 62
81 c4 a3 08 ff 98
Aug 23 10:20:31 mini pluto[15513]: | b1 0a 95 37 e9 fa 67 95 00 00
00 10 00 00 00 01
Aug 23 10:20:31 mini pluto[15513]: | 03 04 00 01 af 7f b6 09
Aug 23 10:20:31 mini pluto[15513]: | IV:
Aug 23 10:20:31 mini pluto[15513]: | b4 16 77 82 91 3e 11 12 dc 38
51 b7 20 ee 09 95
Aug 23 10:20:31 mini pluto[15513]: | e4 71 ac a0
Aug 23 10:20:31 mini pluto[15513]: | encrypting using OAKLEY_3DES_CBC
Aug 23 10:20:31 mini pluto[15513]: | next IV: d2 6c ac 38 80 d7 a2 a4
Aug 23 10:20:31 mini pluto[15513]: | emitting length of ISAKMP Message: 68
Aug 23 10:20:31 mini pluto[15513]: | sending 68 bytes for delete notify
through eth0:500 to XXX.XXX.XXX.XXX:500:
Aug 23 10:20:31 mini pluto[15513]: | ef 4e fc ec 71 00 40 29 b8 e1
2d 19 18 cf 44 08
Aug 23 10:20:31 mini pluto[15513]: | 08 10 05 01 ab f5 18 3e 00 00
00 44 8a 0a e2 67
Aug 23 10:20:31 mini pluto[15513]: | c3 cd 2f 4f 2c 35 6d 28 ca cd
74 c6 c8 3d 0f 62
Aug 23 10:20:31 mini pluto[15513]: | 36 c8 f4 6c 73 4d 1a 44 da b6
10 fd d2 6c ac 38
Aug 23 10:20:31 mini pluto[15513]: | 80 d7 a2 a4
Aug 23 10:20:31 mini pluto[15513]: | no suspended cryptographic state for 4
Aug 23 10:20:31 mini pluto[15513]: | ICOOKIE: ef 4e fc ec 71 00 40 29
Aug 23 10:20:31 mini pluto[15513]: | RCOOKIE: b8 e1 2d 19 18 cf 44 08
Aug 23 10:20:31 mini pluto[15513]: | peer: 51 ab d9 d3
Aug 23 10:20:31 mini pluto[15513]: | state hash entry 15
Aug 23 10:20:31 mini pluto[15513]: | command executing down-host
Aug 23 10:20:31 mini pluto[15513]: | trusted_ca called with a=C=GB,
L=City, O=Company Ltd, OU=Information Technol
ogy Dept, CN=cert.domain.co.uk, E=name at domain.co.uk b=C=GB, L=City,
O=Company Ltd, OU=Information
Technology Dept, CN=cert.domain.co.uk, E=name at domain.co.uk
Aug 23 10:20:31 mini pluto[15513]: | executing down-host: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='down-host' PLUTO_CONNECTION='vp
n2' PLUTO_NEXT_HOP='<FIREWALL IP>' PLUTO_INTERFACE='ipsec0'
PLUTO_ME='<IPSEC IP>' PLUTO_MY_ID='C=GB, L=City, O=Allied Vehi
cles Ltd, OU=Information Technology Dept, CN=ipsec.alliedvehicles.co.uk,
E=name at domain.co.uk' PLUTO_MY_CLIENT='<IPSEC IP>'
PLUTO_MY_CLIENT_NET='<IPSEC IP>' PLUTO_MY_CLIENT_MASK='255.255.255.255'
PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_PEER='XXX.XXX.XXX.XXX'
PLUTO_PEER_ID='C=GB, L=City, O=Company Ltd, OU=Information Technology
Dept, CN=machinename at domain.co.uk, E=name at domain.co.uk'
PLUTO_PEER_CLIENT='XXX.XXX.XXX.XXX/32'
PLUTO_PEER_CLIENT_NET='XXX.XXX.XXX.XXX' PL
UTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='1701'
PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='C=GB, L=City, O=Company Ltd,
OU=Information Technology Dept, CN=cert.domain.co.uk,
E=name at domain.co.uk' PLUTO_CONN_POLICY
='RSASIG+ENCRYP
Aug 23 10:20:31 mini pluto[15513]: | eroute_connection replace with
shunt eroute <IPSEC IP>/32:1701 --17-> XXX.XXX.XXX.XXX/32
:1701 => %trap (raw_eroute)
Aug 23 10:20:31 mini pluto[15513]: | pfkey_lib_debug:pfkey_msg_hdr_build:
Aug 23 10:20:31 mini pluto[15513]: |
pfkey_lib_debug:pfkey_msg_hdr_build: on_entry &pfkey_ext=0p0xbfffe500
pfkey_ext=0p0xbfffe
7f0 *pfkey_ext=0p(nil).
Aug 23 10:20:31 mini pluto[15513]: |
pfkey_lib_debug:pfkey_msg_hdr_build: on_exit &pfkey_ext=0p0xbfffe500
pfkey_ext=0p0xbfffe7
f0 *pfkey_ext=0p0x80f7ad8.
Aug 23 10:20:31 mini pluto[15513]: | pfkey_lib_debug:pfkey_sa_build:
spi=00000104 replay=0 sa_state=0 auth=0 encrypt=0 flags=2
ipsec.conf
config setup
# Debug-logging controls: "none" for (almost) none, "all" for
lots.
# klipsdebug=none
# plutodebug="control parsing"
#klipsdebug=all
plutodebug=all
uniqueids=no
# Add connections here
conn vpn
type=tunnel
pfs=no
compress=yes
auto=add
left=%defaultroute
leftrsasigkey=%cert
#leftid=@ipsec.domain.co.uk
leftcert=ipsec.domain.co.uk.pem
leftprotoport=17/1701
right=%any
rightid="C=GB,L=City,O=Company Ltd,OU=Information
Technology Dept,CN=name1.domain.co.uk,E=it at domain.co.uk"
#right=%any
rightrsasigkey=%cert
rightprotoport=17/1701
rightca=%same
conn vpn2
type=tunnel
pfs=no
compress=yes
auto=add
left=%defaultroute
leftrsasigkey=%cert
#leftid=@ipsec.domain.co.uk
leftcert=ipsec.domain.co.uk.pem
leftprotoport=17/1701
right=%any
rightid="C=GB,L=City,O=Company Ltd,OU=Information
Technology Dept,CN=name2.domain.co.uk,E=it at domain.co.uk"
#right=%any
rightrsasigkey=%cert
rightprotoport=17/1701
rightca=%same
l2tpd.conf
[global]
;listen-addr = XXX.XXX.XXX.XXX
[lns default]
exclusive = no
ip range = <INTERNAL IP RANGE>
local ip = <L2TP ADDRESS ON LOCAL SUBNET>
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tp.domain.co.uk
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
Any ideas?
Thanks,
Olly.
~
Paul Wouters wrote:
> On Mon, 22 Aug 2005, Oliver Tomkins wrote:
>
>> Yeah that is the code that I have here as well.
>>
>> It's redhat 7.3 and gcc-2.96-113
>>
>> Thanks,
>>
>> Olly.
>>
>> Paul Wouters wrote:
>>
>>> On Mon, 22 Aug 2005, Oliver Tomkins wrote:
>>>
>>>> However, dr8, dr9 and rc1 all give me this problem when I try to
>>>> upgrade?
>>>>
>>>> ike_alg.c: In function `ike_alg_register_hash':
>>>> ike_alg.c:642: parse error before `int'
>>>> ike_alg.c:646: `ret' undeclared (first use in this function)
>
>
> Either wait for 2.4.0rc2 or apply the following fix:
>
> Modified Files:
> ike_alg.c
> Log Message:
> remove gcc-3/C++-ism.
>
>
> Index: ike_alg.c
> ===================================================================
> RCS file: /xelerance/master/openswan-2/programs/pluto/ike_alg.c,v
> retrieving revision 1.18
> retrieving revision 1.19
> diff -u -d -r1.18 -r1.19
> --- ike_alg.c 5 Aug 2005 19:10:43 -0000 1.18
> +++ ike_alg.c 22 Aug 2005 17:25:17 -0000 1.19
> @@ -636,10 +636,9 @@
> ike_alg_register_hash(struct hash_desc *hash_desc)
> {
> const char *alg_name;
> + int ret=0;
>
> alg_name = "<none>";
> -
> - int ret=0;
> if (hash_desc->common.algo_id > OAKLEY_HASH_MAX) {
> plog ("ike_alg_register_hash(): hash alg=%d < max=%d",
> hash_desc->common.algo_id,
> OAKLEY_HASH_MAX);
>
> Paul
>
>
>
>
The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient, please notify the sender immediately by reply e-mail and delete this message. Allied Vehicles cannot accept any responsibility for the accuracy or completeness of this message as it has been transmitted over a public network.
For details of our products and services please visit our website at www.alliedvehicles.co.uk
More information about the Users
mailing list