[Openswan Users] openswan-2.4.0rc1 compilation errors

Oliver Tomkins oliver.tomkins at alliedvehicles.co.uk
Tue Aug 23 12:52:28 CEST 2005


Thanks Paul - that worked fine.

However the new release still does not allow me to have two connections 
at the same time.

Either of our two client machines can connect independently without any 
problems at all.  When one is connected the second is unable to do so.

The Windows 2000 client machines connect to our ipsec machine in the DMZ 
- this used DNAT to forward the relevant packets to the L2TP box that is 
on our internal subnet and allocates the client machines an IP address 
on our internal subnet.  The process is reversed with SNAT for the 
packets going back out to the client machines.

If a machine is connected then we can see the SA being established with 
the second machine and then the disconnection.  Nothing shows in the 
logs on the l2tp machine.

/var/log/secure/

Aug 23 10:20:31 mini pluto[15513]: "vpn2"[2] XXX.XXX.XXX.XXX #3: received Delete SA(0xc718e48d) payload: deleting IPSEC State #4
Aug 23 10:20:31 mini pluto[15513]: | deleting state #4
Aug 23 10:20:31 mini pluto[15513]: | processing connection vpn2[2] XXX.XXX.XXX.XXX
Aug 23 10:20:31 mini pluto[15513]: | **emit ISAKMP Message:
Aug 23 10:20:31 mini pluto[15513]: |    initiator cookie:
Aug 23 10:20:31 mini pluto[15513]: |   ef 4e fc ec  71 00 40 29
Aug 23 10:20:31 mini pluto[15513]: |    responder cookie:
Aug 23 10:20:31 mini pluto[15513]: |   b8 e1 2d 19  18 cf 44 08
Aug 23 10:20:31 mini pluto[15513]: |    next payload type: ISAKMP_NEXT_HASH
Aug 23 10:20:31 mini pluto[15513]: |    ISAKMP version: ISAKMP Version 1.0
Aug 23 10:20:31 mini pluto[15513]: |    exchange type: ISAKMP_XCHG_INFO
Aug 23 10:20:31 mini pluto[15513]: |    flags: ISAKMP_FLAG_ENCRYPTION
Aug 23 10:20:31 mini pluto[15513]: |    message ID:  ab f5 18 3e
Aug 23 10:20:31 mini pluto[15513]: | ***emit ISAKMP Hash Payload:
Aug 23 10:20:31 mini pluto[15513]: |    next payload type: ISAKMP_NEXT_D
Aug 23 10:20:31 mini pluto[15513]: | emitting 20 zero bytes of HASH(1) into ISAKMP Hash Payload
Aug 23 10:20:31 mini pluto[15513]: | emitting length of ISAKMP Hash Payload: 24
Aug 23 10:20:31 mini pluto[15513]: | ***emit ISAKMP Delete Payload:
Aug 23 10:20:31 mini pluto[15513]: |    next payload type: ISAKMP_NEXT_NONE
Aug 23 10:20:31 mini pluto[15513]: |    DOI: ISAKMP_DOI_IPSEC
Aug 23 10:20:31 mini pluto[15513]: |    protocol ID: 3
Aug 23 10:20:31 mini pluto[15513]: |    SPI size: 4
Aug 23 10:20:31 mini pluto[15513]: |    number of SPIs: 1
Aug 23 10:20:31 mini pluto[15513]: | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload
Aug 23 10:20:31 mini pluto[15513]: | delete payload  af 7f b6 09
Aug 23 10:20:31 mini pluto[15513]: | emitting length of ISAKMP Delete Payload: 16
Aug 23 10:20:31 mini pluto[15513]: | HASH(1) computed:
Aug 23 10:20:31 mini pluto[15513]: |   01 b3 d9 01  c3 62 81 c4  a3 08 ff 98  b1 0a 95 37
Aug 23 10:20:31 mini pluto[15513]: |   e9 fa 67 95
Aug 23 10:20:31 mini pluto[15513]: | last Phase 1 IV:  a3 41 42 f7  9b c4 c4 64
Aug 23 10:20:31 mini pluto[15513]: | current Phase 1 IV:  a3 41 42 f7  9b c4 c4 64
Aug 23 10:20:31 mini pluto[15513]: | computed Phase 2 IV:
Aug 23 10:20:31 mini pluto[15513]: |   b4 16 77 82  91 3e 11 12  dc 38 51 b7  20 ee 09 95
Aug 23 10:20:31 mini pluto[15513]: |   e4 71 ac a0
Aug 23 10:20:31 mini pluto[15513]: | encrypting:
Aug 23 10:20:31 mini pluto[15513]: |   0c 00 00 18  01 b3 d9 01  c3 62 81 c4  a3 08 ff 98
Aug 23 10:20:31 mini pluto[15513]: |   b1 0a 95 37  e9 fa 67 95  00 00 00 10  00 00 00 01
Aug 23 10:20:31 mini pluto[15513]: |   03 04 00 01  af 7f b6 09
Aug 23 10:20:31 mini pluto[15513]: | IV:
Aug 23 10:20:31 mini pluto[15513]: |   b4 16 77 82  91 3e 11 12  dc 38 51 b7  20 ee 09 95
Aug 23 10:20:31 mini pluto[15513]: |   e4 71 ac a0
Aug 23 10:20:31 mini pluto[15513]: | encrypting using OAKLEY_3DES_CBC
Aug 23 10:20:31 mini pluto[15513]: | next IV:  d2 6c ac 38  80 d7 a2 a4
Aug 23 10:20:31 mini pluto[15513]: | emitting length of ISAKMP Message: 68
Aug 23 10:20:31 mini pluto[15513]: | sending 68 bytes for delete notify through eth0:500 to XXX.XXX.XXX.XXX:500:
Aug 23 10:20:31 mini pluto[15513]: |   ef 4e fc ec  71 00 40 29  b8 e1 2d 19  18 cf 44 08
Aug 23 10:20:31 mini pluto[15513]: |   08 10 05 01  ab f5 18 3e  00 00 00 44  8a 0a e2 67
Aug 23 10:20:31 mini pluto[15513]: |   c3 cd 2f 4f  2c 35 6d 28  ca cd 74 c6  c8 3d 0f 62
Aug 23 10:20:31 mini pluto[15513]: |   36 c8 f4 6c  73 4d 1a 44  da b6 10 fd  d2 6c ac 38
Aug 23 10:20:31 mini pluto[15513]: |   80 d7 a2 a4
Aug 23 10:20:31 mini pluto[15513]: | no suspended cryptographic state for 4
Aug 23 10:20:31 mini pluto[15513]: | ICOOKIE:  ef 4e fc ec  71 00 40 29
Aug 23 10:20:31 mini pluto[15513]: | RCOOKIE:  b8 e1 2d 19  18 cf 44 08
Aug 23 10:20:31 mini pluto[15513]: | peer:  51 ab d9 d3
Aug 23 10:20:31 mini pluto[15513]: | state hash entry 15
Aug 23 10:20:31 mini pluto[15513]: | command executing down-host
Aug 23 10:20:31 mini pluto[15513]: |   trusted_ca called with a=C=GB, L=City, O=Company Ltd, OU=Information Technology Dept, CN=cert.domain.co.uk, E=name at domain.co.uk b=C=GB, L=City, O=Company Ltd, OU=Information Technology Dept, CN=cert.domain.co.uk, E=name at domain.co.uk
Aug 23 10:20:31 mini pluto[15513]: | executing down-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-host' PLUTO_CONNECTION='vpn2' PLUTO_NEXT_HOP='<FIREWALL IP>' PLUTO_INTERFACE='ipsec0' PLUTO_ME='<IPSEC IP>' PLUTO_MY_ID='C=GB, L=City, O=Allied Vehicles Ltd, OU=Information Technology Dept, CN=ipsec.alliedvehicles.co.uk, E=name at domain.co.uk' PLUTO_MY_CLIENT='<IPSEC IP>' PLUTO_MY_CLIENT_NET='<IPSEC IP>' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_PEER='XXX.XXX.XXX.XXX' PLUTO_PEER_ID='C=GB, L=City, O=Company Ltd, OU=Information Technology Dept, CN=machinename at domain.co.uk, E=name at domain.co.uk' PLUTO_PEER_CLIENT='XXX.XXX.XXX.XXX/32' PLUTO_PEER_CLIENT_NET='XXX.XXX.XXX.XXX' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='C=GB, L=City, O=Company Ltd, OU=Information Technology Dept, CN=cert.domain.co.uk, E=name at domain.co.uk' PLUTO_CONN_POLICY='RSASIG+ENCRYP
Aug 23 10:20:31 mini pluto[15513]: | eroute_connection replace with shunt eroute <IPSEC IP>/32:1701 --17-> XXX.XXX.XXX.XXX/32:1701 => %trap (raw_eroute)
Aug 23 10:20:31 mini pluto[15513]: | pfkey_lib_debug:pfkey_msg_hdr_build:
Aug 23 10:20:31 mini pluto[15513]: | pfkey_lib_debug:pfkey_msg_hdr_build: on_entry &pfkey_ext=0p0xbfffe500 pfkey_ext=0p0xbfffe7f0 *pfkey_ext=0p(nil).
Aug 23 10:20:31 mini pluto[15513]: | pfkey_lib_debug:pfkey_msg_hdr_build: on_exit &pfkey_ext=0p0xbfffe500 pfkey_ext=0p0xbfffe7f0 *pfkey_ext=0p0x80f7ad8.
Aug 23 10:20:31 mini pluto[15513]: | pfkey_lib_debug:pfkey_sa_build: spi=00000104 replay=0 sa_state=0 auth=0 encrypt=0 flags=2

ipsec.conf

config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        #klipsdebug=all
        plutodebug=all
        uniqueids=no

# Add connections here

conn vpn
        type=tunnel
        pfs=no
        compress=yes
        auto=add
        left=%defaultroute
        leftrsasigkey=%cert
        #leftid=@ipsec.domain.co.uk
        leftcert=ipsec.domain.co.uk.pem
        leftprotoport=17/1701
        right=%any
        rightid="C=GB,L=City,O=Company Ltd,OU=Information Technology Dept,CN=name1.domain.co.uk,E=it at domain.co.uk"
        #right=%any
        rightrsasigkey=%cert
        rightprotoport=17/1701
        rightca=%same

conn vpn2
        type=tunnel
        pfs=no
        compress=yes
        auto=add
        left=%defaultroute
        leftrsasigkey=%cert
        #leftid=@ipsec.domain.co.uk
        leftcert=ipsec.domain.co.uk.pem
        leftprotoport=17/1701
        right=%any
        rightid="C=GB,L=City,O=Company Ltd,OU=Information Technology Dept,CN=name2.domain.co.uk,E=it at domain.co.uk"
        #right=%any
        rightrsasigkey=%cert
        rightprotoport=17/1701
        rightca=%same

l2tpd.conf

[global]
;listen-addr = XXX.XXX.XXX.XXX

[lns default]
exclusive = no
ip range = <INTERNAL IP RANGE>
local ip = <L2TP ADDRESS ON LOCAL SUBNET>
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tp.domain.co.uk
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

Any ideas?

Thanks,

Olly.

Paul Wouters wrote:
> On Mon, 22 Aug 2005, Oliver Tomkins wrote:
> 
>> Yeah that is the code that I have here as well.
>>
>> It's redhat 7.3 and gcc-2.96-113
>>
>> Thanks,
>>
>> Olly.
>>
>> Paul Wouters wrote:
>>
>>> On Mon, 22 Aug 2005, Oliver Tomkins wrote:
>>>
>>>> However, dr8, dr9 and rc1 all give me this problem when I try to 
>>>> upgrade?
>>>>
>>>> ike_alg.c: In function `ike_alg_register_hash':
>>>> ike_alg.c:642: parse error before `int'
>>>> ike_alg.c:646: `ret' undeclared (first use in this function)
> 
> 
> Either wait for 2.4.0rc2 or apply the following fix:
> 
> Modified Files:
>         ike_alg.c
> Log Message:
>         remove gcc-3/C++-ism.
> 
> 
> Index: ike_alg.c
> ===================================================================
> RCS file: /xelerance/master/openswan-2/programs/pluto/ike_alg.c,v
> retrieving revision 1.18
> retrieving revision 1.19
> diff -u -d -r1.18 -r1.19
> --- ike_alg.c   5 Aug 2005 19:10:43 -0000       1.18
> +++ ike_alg.c   22 Aug 2005 17:25:17 -0000      1.19
> @@ -636,10 +636,9 @@
>  ike_alg_register_hash(struct hash_desc *hash_desc)
>  {
>         const char *alg_name;
> +       int ret=0;
> 
>         alg_name = "<none>";
> -
> -       int ret=0;
>         if (hash_desc->common.algo_id > OAKLEY_HASH_MAX) {
>                 plog ("ike_alg_register_hash(): hash alg=%d < max=%d",
>                                 hash_desc->common.algo_id, 
> OAKLEY_HASH_MAX);
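Review bot: moving `int ret=0;` up beside `const char *alg_name;` is the right fix for the gcc-2.96 failure reported above, since a declaration placed after the statement `alg_name = "<none>";` is only valid C99 and later; one more thing worth fixing while in this function: the `plog` format string in the context lines reads `hash alg=%d < max=%d`, but the condition it reports on is `hash_desc->common.algo_id > OAKLEY_HASH_MAX`, so the `<` should be `>` to keep the log message from contradicting the check.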
> 
> Paul
> 
> 
> 
> 

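Added example, not from the post or from the Openswan sources: a small Python parser for the connection-level pluto lines shown above, which flags IPsec SAs that a peer deletes within seconds of their coming up, the connect-then-drop symptom described in the post. The sample lines are constructed; the "IPsec SA established" wording is pluto's usual STATE_QUICK_R2 message and is assumed here.

```python
import re
# Constructed sample lines modelled on the pluto output quoted in the post; the
# "IPsec SA established" wording is pluto's usual STATE_QUICK_R2 message, assumed here.
SAMPLE_LOG = """\
Aug 23 10:20:13 mini pluto[15513]: "vpn"[1] 203.0.113.10 #2: STATE_QUICK_R2: IPsec SA established
Aug 23 10:20:30 mini pluto[15513]: "vpn2"[2] 203.0.113.20 #4: STATE_QUICK_R2: IPsec SA established
Aug 23 10:20:31 mini pluto[15513]: "vpn2"[2] 203.0.113.20 #3: received Delete SA(0xc718e48d) payload: deleting IPSEC State #4
Aug 23 10:20:31 mini pluto[15513]: | deleting state #4
"""
# Prefix of connection-level messages: "conn"[instance] peer #state: ... ("| ..." debug lines are skipped)
EVENT_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
DELETE_RE = re.compile(
    r'received Delete SA\(0x(?P<spi>[0-9a-f]+)\) payload: deleting IPSEC State #(?P<victim>\d+)')

def _secs(ts):  # seconds since midnight from a syslog timestamp (day rollover ignored)
    h, m, s = ts.split()[-1].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)

def parse_events(text):
    """Connection-level pluto lines as dicts tagged kind = ipsec_up / delete / other."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["state"], ev["inst"] = int(ev["state"]), int(ev["inst"])
        d = DELETE_RE.search(ev["msg"])
        if d:  # peer sent an informational Delete for one of our IPsec SAs
            ev.update(kind="delete", victim=int(d["victim"]), spi=d["spi"])
        else:
            ev["kind"] = "ipsec_up" if "IPsec SA established" in ev["msg"] else "other"
        events.append(ev)
    return events

def short_lived_sas(text, max_seconds=60):
    """(conn, peer, state, lifetime_s) for IPsec SAs the peer deleted within max_seconds of coming up."""
    up, hits = {}, []
    for ev in parse_events(text):
        key = (ev["conn"], ev["peer"])
        if ev["kind"] == "ipsec_up":
            up[(key, ev["state"])] = _secs(ev["ts"])
        elif ev["kind"] == "delete":
            t0 = up.pop((key, ev["victim"]), None)
            if t0 is not None and _secs(ev["ts"]) - t0 <= max_seconds:
                hits.append((ev["conn"], ev["peer"], ev["victim"], _secs(ev["ts"]) - t0))
    return hits
```

Run it over a real /var/log/secure with plutodebug=all to separate the per-connection state events from the packet-level debug noise and see which peer's SA is being torn down and how soon after it came up.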