[Openswan Users] RES: RES: RES: RES: Openswan with L2TP

Giovani Moda giovani at mrinformatica.com.br
Thu Sep 24 18:03:28 EDT 2009


> Yes, the saref patch should be enough.

Well, recompiled kernel with saref.patch, recompiled openswan-2.6.23
with MAST and USE_SAREF_KERNEL=true, installed everything and on the
first run I actually had a mast0 interface. When I tried to connect, I
got a kernel crash and now I can't seem to make mast work again. Here's
the output:

Sep 24 18:52:57 combo pluto[2395]: Using KLIPSng (mast) IPsec interface code on 2.6.23.17-90_mr.fc7
Sep 24 18:52:57 combo pluto[2395]: Changed path to directory '/etc/ipsec.d/cacerts'
Sep 24 18:52:57 combo pluto[2395]:   loaded CA cert file 'cacert.pem' (1379 bytes)
Sep 24 18:52:57 combo pluto[2395]: Could not change to directory '/etc/ipsec.d/aacerts': /
Sep 24 18:52:57 combo pluto[2395]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Sep 24 18:52:57 combo pluto[2395]: Changing to directory '/etc/ipsec.d/crls'
Sep 24 18:52:57 combo pluto[2395]:   loaded crl file 'crl.pem' (568 bytes)
Sep 24 18:52:57 combo pluto[2395]: listening for IKE messages
Sep 24 18:52:57 combo pluto[2395]: | useful mast device -1
Sep 24 18:52:57 combo pluto[2395]: ERROR: PF_KEY K_SADB_X_PLUMBIF response for configure_mast_device  included errno 2: No such file or directory
Sep 24 18:52:58 combo pluto[2395]: plumb command exited with status 1
Sep 24 18:52:58 combo pluto[2395]: NAT-Traversal: Trying new style NAT-T
Sep 24 18:52:58 combo pluto[2395]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Sep 24 18:52:58 combo pluto[2395]: NAT-Traversal: Trying old style NAT-T
Sep 24 18:52:58 combo pluto[2395]: adding interface mast0/eth1 192.168.1.2:500 (fd=12)
Sep 24 18:52:58 combo pluto[2395]: adding interface mast0/eth1 192.168.1.2:4500 (fd=13)
Sep 24 18:52:58 combo pluto[2395]: adding interface mast0/eth0 192.168.0.100:500 (fd=14)
Sep 24 18:52:58 combo pluto[2395]: adding interface mast0/eth0 192.168.0.100:4500 (fd=15)
Sep 24 18:52:58 combo pluto[2395]: | useful mast device 0
Sep 24 18:52:58 combo pluto[2395]: | useful mast device 0
Sep 24 18:52:58 combo pluto[2395]: loading secrets from "/etc/ipsec.secrets"
Sep 24 18:52:58 combo pluto[2395]: loaded private key for keyid: PPK_RSA:AQN3e2u6L
Sep 24 18:52:58 combo pluto[2395]:   loaded private key file '/etc/ipsec.d/private/combo.key' (1692 bytes)
Sep 24 18:52:58 combo pluto[2395]: loaded private key for keyid: PPK_RSA:AwEAAco2G

Although it mentions mast0, I have no interface created by that name.
With protostack=klips, I have no problem:

Sep 24 18:57:41 combo pluto[15527]: Using KLIPS IPsec interface code on 2.6.23.17-90_mr.fc7
Sep 24 18:57:41 combo pluto[15527]: Changed path to directory '/etc/ipsec.d/cacerts'
Sep 24 18:57:41 combo pluto[15527]:   loaded CA cert file 'cacert.pem' (1379 bytes)
Sep 24 18:57:41 combo pluto[15527]: Could not change to directory '/etc/ipsec.d/aacerts': /
Sep 24 18:57:41 combo pluto[15527]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Sep 24 18:57:41 combo pluto[15527]: Changing to directory '/etc/ipsec.d/crls'
Sep 24 18:57:41 combo pluto[15527]:   loaded crl file 'crl.pem' (568 bytes)
Sep 24 18:57:41 combo pluto[15527]: listening for IKE messages
Sep 24 18:57:41 combo pluto[15527]: NAT-Traversal: Trying new style NAT-T
Sep 24 18:57:41 combo pluto[15527]: adding interface ipsec0/eth1 192.168.1.2:500
Sep 24 18:57:41 combo pluto[15527]: adding interface ipsec0/eth1 192.168.1.2:4500
Sep 24 18:57:41 combo pluto[15527]: loading secrets from "/etc/ipsec.secrets"
Sep 24 18:57:41 combo pluto[15527]: loaded private key for keyid: PPK_RSA:AQN3e2u6L
Sep 24 18:57:41 combo pluto[15527]:   loaded private key file '/etc/ipsec.d/private/combo.key' (1692 bytes)
Sep 24 18:57:41 combo pluto[15527]: loaded private key for keyid: PPK_RSA:AwEAAco2G

With protostack=klips, kernel also crashes when connecting L2TP/IPSEC.
Tried this setup with Fedora 7, kernel 2.6.23-17 and CentOS 5.3, kernel
2.6.18-128.7.1.el5. Same errors on both. Any hints?

Thanks,

Giovani
 
