[Openswan Users] initiate on demand different between 2.6.24 and 2.6.25+
Salih Goenuellue
sag at open.ch
Wed Apr 28 04:45:41 EDT 2010
Hi,
initiate on demand stopped working for me after I upgraded to 2.6.25.
The 2.6.26dr1 tag from git was not any better, but the behavior has
changed between 2.6.25 and 2.6.26. In 2.6.25 the tunnel was set up
successfully but there was an invalid xfrm policy inserted:
------
src 192.168.211.10/32 dst 192.168.215.10/32 proto icmp type 8 uid 0
        dir out action allow index 12929 priority 2080 share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 900(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2010-04-28 09:40:11 use 2010-04-28 09:40:13
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
--------
Removing the policy by hand with
ip xfrm policy del dir out index 12929
makes the pings succeed. This might be caused by:
https://bugs.xelerance.com/issues/1087
In 2.6.26 the tunnel is not set up and I see this policy inserted:
--------------------
src 192.168.211.0/24 dst 192.168.215.0/24 uid 0
        dir out action allow index 13737 priority 2344 share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2010-04-28 10:21:53 use 2010-04-28 10:22:23
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
-------------------
Any hints?
Here is my network:
"net-net":
192.168.211.0/24===192.168.210.2<192.168.210.2>[+S=C]...192.168.214.2<192.168.214.2>[+S=C]===192.168.215.0/24
I am trying to ping from 192.168.211.10 to 192.168.215.10
Here are pluto's logs for 2.6.26:
| *received kernel message
| netlink_get: XFRM_MSG_ACQUIRE message
| add bare shunt 0x9f7e770 192.168.211.10/32:8 -1-> 192.168.215.10/32:0 => %hold 0 %acquire-netlink
| find_connection: looking for policy for connection: 192.168.211.10:1/8 -> 192.168.215.10:1/0
| find_connection: conn "net-net" has compatible peers: 192.168.211.0/24 -> 192.168.215.0/24 [pri: 12632074]
| find_connection: comparing best "net-net" [pri:12632074]{0x9f7c760} (child none) to "net-net" [pri:12632074]{0x9f7c760} (child none)
| find_connection: concluding with "net-net" [pri:12632074]{0x9f7c760} kind=CK_PERMANENT
| delete bare shunt 0x9f7e770 192.168.211.10/32:8 -1-> 192.168.215.10/32:0 => %hold 0 %acquire-netlink
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 52 seconds
| next event EVENT_PENDING_DDNS in 52 seconds
And here is the working one from 2.6.24:
pluto[1515]: | *received kernel message
pluto[1515]: | netlink_get: XFRM_MSG_ACQUIRE message
pluto[1515]: | add bare shunt 0x87b8710 192.168.211.10/32:8 -1-> 192.168.215.10/32:0 => %hold 0 %acquire-netlink
pluto[1515]: | find_connection: looking for policy for connection: 192.168.211.10:1/8 -> 192.168.215.10:1/0
pluto[1515]: | find_connection: conn "net-net" has compatible peers: 192.168.211.0/24 -> 192.168.215.0/24 [pri: 12632074]
pluto[1515]: | find_connection: comparing best "net-net" [pri:12632074]{0x87b6760} (child none) to "net-net" [pri:12632074]{0x87b6760} (child none)
pluto[1515]: | find_connection: concluding with "net-net" [pri:12632074]{0x87b6760} kind=CK_PERMANENT
pluto[1515]: | assign hold, routing was prospective erouted, needs to be erouted HOLD
pluto[1515]: | eroute_connection replace %trap with broad %hold eroute 192.168.211.0/24:0 --0-> 192.168.215.0/24:0 => %hold (raw_eroute)
pluto[1515]: | raw_eroute result=1
pluto[1515]: | adding specific host-to-host bare shunt
pluto[1515]: | delete narrow %hold eroute 192.168.211.10/32:8 --1-> 192.168.215.10/32:0 => %hold (raw_eroute)
pluto[1515]: | raw_eroute result=1
pluto[1515]: | delete bare shunt 0x87b8710 192.168.211.10/32:8 -1-> 192.168.215.10/32:0 => %hold 0 %acquire-netlink
pluto[1515]: initiate on demand from 192.168.211.10:8 to 192.168.215.10:0 proto=1 state: fos_start because: acquire
Logs for 2.6.25 were almost identical to 2.6.24.
ipsec.conf
----------
conn net-net
        # IKEv1 only, no PFS on the phase 2 SA
        ikev2=no
        pfs=no
        # local side: 192.168.210.2, authenticated by certificate, subnet 192.168.211.0/24
        leftrsasigkey=%cert
        left=192.168.210.2
        leftcert=local.crt
        leftsubnet=192.168.211.0/24
        # remote side: 192.168.214.2, cert from the same CA, subnet 192.168.215.0/24
        rightca=%same
        right=192.168.214.2
        rightsubnet=192.168.215.0/24
        # phase 1 / phase 2 proposals and lifetimes
        ike=3des-sha1;modp1024
        ikelifetime="600"
        rekeymargin="300"
        phase2=esp
        phase2alg=3des-sha1
        salifetime="180"
        # dead peer detection
        dpdaction=restart
        dpddelay=30
        dpdtimeout=120
        # install a %trap policy at startup and negotiate on first matching packet
        auto=route
Regards,
-salih
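The check a practitioner wants when chasing the situation above is a quick way to tell real tunnel policies from pluto's %trap/%hold placeholders in an `ip xfrm policy` dump. Below is an added example, not code from the original post or from Openswan: a small parser for the text output of `ip xfrm policy` (on newer iproute2 use `ip -s xfrm policy`, which prints the index only in stats mode) that flags every policy whose templates all carry an unspecified peer address (dst 0.0.0.0 or ::) and reqid 0. Such a template can never select an SA; when traffic hits it the kernel can only raise XFRM_MSG_ACQUIRE, which is exactly what both dumps in the post show. A placeholder on the /24 is expected while `auto=route` has trapped the connection and nothing is up yet; a narrow one like the /32 icmp policy sitting at a better priority in front of an established tunnel is the stale entry the poster had to delete by hand. The sample dump is constructed for the example: the first entry is the 2.6.25 policy from the post, the second is a made-up tunnel policy with a real template (reqid 16385, assumed) that must not be flagged.

```python
#!/usr/bin/env python3
"""Flag xfrm policies whose templates can only ever trigger an ACQUIRE.

Usage: ip -s xfrm policy | python3 xfrm_placeholders.py
Without stdin it runs against the constructed SAMPLE below.
"""
import re
import sys
from dataclasses import dataclass, field

UNSPEC = {"0.0.0.0", "::"}  # unspecified template peer address


@dataclass
class Template:
    src: str
    dst: str
    proto: str
    reqid: int
    mode: str


@dataclass
class Policy:
    src: str
    dst: str
    selector: str          # extra selector words, e.g. "proto icmp type 8"
    direction: str = ""
    index: int = 0         # 0 when iproute2 did not print an index
    priority: int = 0
    templates: list = field(default_factory=list)

    def is_placeholder(self):
        """True when every template points at no SA (pluto %trap/%hold style)."""
        return bool(self.templates) and all(
            t.dst in UNSPEC and t.reqid == 0 for t in self.templates)


SEL_RE = re.compile(r"^src (\S+) dst (\S+)(.*)$")
# "action" and "index" are only printed by some iproute2 versions / with -s
DIR_RE = re.compile(r"^dir (\S+)(?: action \S+)?(?: index (\d+))?(?: priority (\d+))?")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)")
ID_RE = re.compile(r"^proto (\S+)(?: spi 0x[0-9a-f]+(?:\(\d+\))?)? "
                   r"reqid (\d+)(?:\(0x[0-9a-f]+\))? mode (\S+)")


def parse_policies(text):
    """Parse `ip xfrm policy` output into Policy objects, in dump order."""
    policies, cur, addrs = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEL_RE.match(line)
        if m:
            # "uid N" is neither needed for matching nor accepted by `policy del`
            extra = re.sub(r"\buid \d+", "", m.group(3)).strip()
            cur = Policy(m.group(1), m.group(2), extra)
            policies.append(cur)
            continue
        if cur is None:
            continue
        if (m := DIR_RE.match(line)):
            cur.direction = m.group(1)
            cur.index = int(m.group(2) or 0)
            cur.priority = int(m.group(3) or 0)
        elif (m := TMPL_RE.match(line)):
            addrs = (m.group(1), m.group(2))       # template id follows on next line
        elif addrs and (m := ID_RE.match(line)):
            cur.templates.append(Template(*addrs, m.group(1), int(m.group(2)), m.group(3)))
            addrs = None
    return policies


def placeholder_policies(text):
    return [p for p in parse_policies(text) if p.is_placeholder()]


def delete_command(p):
    """The `ip xfrm policy del` that removes p: by index if we have one, else by selector."""
    if p.index:
        return f"ip xfrm policy del dir {p.direction} index {p.index}"
    sel = f"src {p.src} dst {p.dst}" + (f" {p.selector}" if p.selector else "")
    return f"ip xfrm policy del dir {p.direction} {sel}"


# Constructed sample: entry 1 is the stale 2.6.25 policy from the post,
# entry 2 is a made-up tunnel policy with a real template (reqid assumed).
SAMPLE = """\
src 192.168.211.10/32 dst 192.168.215.10/32 proto icmp type 8 uid 0
        dir out action allow index 12929 priority 2080 share any flag (0x00000000)
        lifetime config:
          expire use: soft 900(sec), hard 0(sec)
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
                level required share any
src 192.168.211.0/24 dst 192.168.215.0/24 uid 0
        dir out action allow index 12921 priority 2344 share any flag (0x00000000)
        tmpl src 192.168.210.2 dst 192.168.214.2
                proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel
                level required share any
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for p in placeholder_policies(text):
        print(f"# placeholder: {p.src} -> {p.dst} {p.selector} "
              f"(dir {p.direction}, priority {p.priority})")
        print(delete_command(p))
```

Lower priority numbers win in the kernel's policy lookup, so a flagged placeholder whose priority is numerically below that of the real tunnel policy covering the same addresses is the one to look at; the deletion commands are printed, not executed, so that the expected %trap on the /24 is not removed by accident.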