[Openswan Users] openswan startup and version interoperability
Andy Gay
andy at andynet.net
Mon Jul 31 12:15:49 CEST 2006
On Sat, 2006-07-29 at 09:15 -0700, Brian Sheets wrote:
> Sorry for the long delay,
Likewise. If you'd copied the mailing list, someone else may have been
able to help before now. Lots of smart people read the list!
> I'm a pilot and I was out on a trip, here is
> the relevant error message
>
> an RSA Sig check failure SIG length does not match public key length
> with *AQO0YQUkd [preloaded key]
> Jul 29 14:19:30 l3-gateway1 pluto[6910]: "net-to-net" #1: Signature
> check (on @righthost) failed (wrong key?); tried *AQO0YQUkd
> Jul 29 14:19:30 l3-gateway1 pluto[6910]: | public key for @righthost
> failed: decrypted SIG payload into a malformed ECB (SIG length does not
> match public key length)
>
> I've regenerated the keys on both sides, but still the same message.
Sure sounds like some problem with ipsec.secrets though. Maybe this is a
time to enable some debugging after all!
Can we see all the logs first though. Do you have other connections that
are working?
>
> Brian
>
> -----Original Message-----
> From: Andy Gay [mailto:andy at andynet.net]
> Sent: Sunday, July 23, 2006 11:07 PM
> To: Brian Sheets
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] openswan startup and version
> interoperability
>
> On Sun, 2006-07-23 at 22:53 -0700, Brian Sheets wrote:
> > What level of debug to get the info I need to troubleshoot?
>
> None. Debug is for developers looking for bugs in the code. It fills
> your logs with huge amounts of stuff that's not relevant. Slows
> everything to a crawl as well. If your problems are bad enough the
> developers may ask you to enable some debugging, but I've never seen
> that happen.
> Turning debug off does NOT stop normal logging of connection events.
>
> >
> > Brian
> >
> > -----Original Message-----
> > From: Andy Gay [mailto:andy at andynet.net]
> > Sent: Sunday, July 23, 2006 7:29 PM
> > To: Brian Sheets
> > Cc: users at openswan.org
> > Subject: Re: [Openswan Users] openswan startup and version
> > interoperability
> >
> > On Sun, 2006-07-23 at 18:09 -0700, Brian Sheets wrote:
> > > Debian linux, kernel vmlinuz-2.6.15-1-686, openswan version
> > > 1:2.4.5+dfsg-0.2
> > >
> > > Trying to connect to openswan 2.2.0
> > >
> > > Config on both sides
> > >
> > > version 2.0 # conforms to second version of ipsec.conf specification
> > >
> > > config setup
> > > plutodebug=all
> >
> > Bad idea. Comment this out please.
> >
> > > interfaces=%defaultroute
> > >
> > >
> > >
> > > virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24
> > >
> > > conn net-to-net
> > > left=207.7.xx.xx
> > > leftsubnet=10.1.0.0/16
> > > leftid=@l3-gateway1.xx.net #
> > > leftrsasigkey=<the really long key>
> > > leftnexthop=%defaultroute # correct in many situations
> > > right=198.172.xx.xx
> > > rightsubnet=10.200.0.0/16
> > > rightid=@gateway1.xx.net
> > > rightrsasigkey=<the other really long key>
> > > rightnexthop=%defaultroute # correct in many situations
> > > auto=add # authorizes but doesn't start this
> > > # connection at startup
> > > # Add connections here
> > >
> > > #Disable Opportunistic Encryption
> > > include /etc/ipsec.d/examples/no_oe.conf
> > >
> > >
> > > startup on the 2.6.15 kernel box gives me
> > >
> > > l3-gateway1:/etc/init.d# sh ./ipsec restart
> > > ipsec_setup: Stopping Openswan IPsec...
> > > ipsec_setup: Starting Openswan IPsec 2.4.5...
> > > ipsec_setup: insmod /lib/modules/2.6.15-1-686/kernel/net/key/af_key.ko
> > > ipsec_setup: insmod /lib/modules/2.6.15-1-686/kernel/net/ipv4/xfrm4_tunnel.ko
> > > ipsec_setup: insmod /lib/modules/2.6.15-1-686/kernel/net/xfrm/xfrm_user.ko
> > > ipsec_setup: insmod /lib/modules/2.6.15-1-686/kernel/drivers/char/hw_random.ko
> > > ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.15-1-686/kernel/drivers/char/hw_random.ko): No such device
> > > ipsec_setup: insmod /lib/modules/2.6.15-1-686/kernel/drivers/crypto/padlock.ko
> > > ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.15-1-686/kernel/drivers/crypto/padlock.ko): No such device
> > >
> > > In addition, ipsec auto --up net-to-net hangs from the command line,
> > > but on the other, openswan 2.2 system, there is an attempt to make a
> > > connection in the logs
> > >
> > > So, my question, are the errors bad?
> > No. Just means you don't have a hardware RNG or the padlock device.
> >
> > > What could be causing it to hang?
> > No idea. You'll need to post logs. PLEASE turn off plutodebug=all first!
> >
> > >
> > > Thanks
> > >
> > > Brian
> > >
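As an added example (not part of the thread), this shows the key format behind the quoted error: a leftrsasigkey/rightrsasigkey value is `0s` followed by base64 of the RFC 2537 layout (exponent length, exponent, modulus), and pluto rejects a signature whose byte length differs from the modulus length. The sample key is constructed, not anyone's real key; its leading bytes are chosen only so that the key ID prefix reproduces the `*AQO0YQUkd` from the log, and the "`*` plus first nine base64 characters" key-ID form is taken from that log line, not from pluto's source.

```python
import base64
import re

# Constructed sample key: exponent 3 and a 2048-bit modulus whose leading bytes
# are chosen so the key ID prefix matches "*AQO0YQUkd" from the quoted log.
# It is NOT a real key from either peer in the thread.
_SAMPLE_MODULUS = bytes([0xB4, 0x61, 0x05, 0x24, 0x74]) + bytes(
    (i * 37 + 11) & 0xFF for i in range(251)
)
SAMPLE_PUBKEY = "0s" + base64.b64encode(bytes([1, 3]) + _SAMPLE_MODULUS).decode()


def parse_rsa_pubkey(key):
    """Decode a *rsasigkey value: '0s' + base64 of the RFC 2537 public key layout."""
    key = re.sub(r"\s+", "", key)  # keys are often wrapped across mail lines
    if not key.startswith("0s"):
        raise ValueError("expected a '0s' base64 RSA public key")
    blob = base64.b64decode(key[2:], validate=True)
    # RFC 2537: one-byte exponent length, or 0x00 followed by a two-byte length
    if blob[0] != 0:
        exp_len, off = blob[0], 1
    else:
        exp_len, off = int.from_bytes(blob[1:3], "big"), 3
    exponent = int.from_bytes(blob[off:off + exp_len], "big")
    modulus = blob[off + exp_len:]
    if not modulus:
        raise ValueError("no modulus bytes after the exponent")
    return exponent, modulus


def key_id(key):
    """Abbreviation as printed in the quoted log: '*' plus the first nine base64 chars."""
    key = re.sub(r"\s+", "", key)
    return "*" + key[2:11]


def modulus_bits(key):
    """Bit length of the modulus, i.e. the nominal RSA key size."""
    _, modulus = parse_rsa_pubkey(key)
    return int.from_bytes(modulus, "big").bit_length()


def sig_length_matches(key, sig_payload):
    """The check that failed in the log: an RSA SIG payload must equal the modulus length."""
    _, modulus = parse_rsa_pubkey(key)
    return len(sig_payload) == len(modulus)


def same_key(conf_key, secrets_key):
    """Compare the peer's *rsasigkey in ipsec.conf with the pubkey derived from ipsec.secrets."""
    return parse_rsa_pubkey(conf_key) == parse_rsa_pubkey(secrets_key)
```

A mismatch from `same_key` between what one side configured and what the other side's `ipsec showhostkey` reports is the ipsec.secrets / ipsec.conf disagreement Andy suspects.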