[Openswan Users] Problem with openswan in embedded system

Panagiotis Tamtamis tamtamis at gmail.com
Fri Dec 10 05:43:07 EST 2010


Sorry for my late answer but I had lots of matters to attend to.

First of all, thank you Paul for your reply.

I was thinking about the same thing, that since it's an embedded system many
kernel features would be disabled.
So I compared an ipsec barf with a PC to see what configs to activate.

I activated almost everything except some drivers. But the problem still
exists!
So I went looking in another direction to see what else might be going
wrong.

I found the following errors in the logs:


2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | executing
route-host: 2>&1 PLUTO_VERB=\'route-host\' PLUTO_VERSION=\'2.0\'
PLUTO_CONNECTION=\'sample\' PLUTO_INTERFACE=\'eth2\'
PLUTO_NEXT_HOP=\'192.168.173.20\' PLUTO_ME=\'192.168.173.111\'
PLUTO_MY_ID=\'192.168.173.111\' PLUTO_MY_CLIENT=\'192.168.173.111/32\'
PLUTO_MY_CLIENT_NET=\'192.168.173.111\'
PLUTO_MY_CLIENT_MASK=\'255.255.255.255\' PLUTO_MY_PORT=\'0\'
PLUTO_MY_PROTOCOL=\'0\' PLUTO_PEER=\'192.168.173.20\'
PLUTO_PEER_ID=\'192.168.173.20\' PLUTO_PEER_CLIENT=\'192.168.173.20/32\'
PLUTO_PEER_CLIENT_NET=\'192.168.173.20\'
PLUTO_PEER_CLIENT_MASK=\'255.255.255.255\' PLUTO_PEER_PORT=\'0\'
PLUTO_PEER_PROTOCOL=\'0\' PLUTO_PEER_CA=\'\' PLUTO_STACK=\'netkey\'
 PLUTO_CONN_POLICY=\'RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW\'  ipsec
_updown
2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | popen(): cmd is 675
chars long
2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd(   0):2>&1
PLUTO_VERB=\'route-host\' PLUTO_VERSION=\'2.0\' PLUTO_CONNECTION=\'sample\'
PLUTO:
2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd(
 80):_INTERFACE=\'eth2\' PLUTO_NEXT_HOP=\'192.168.173.20\'
PLUTO_ME=\'192.168.173.111\' PLU:
2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd(
160):TO_MY_ID=\'192.168.173.111\' PLUTO_MY_CLIENT=\'192.168.173.111/32\'
PLUTO_MY_CLIENT_:
2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd(
240):NET=\'192.168.173.111\' PLUTO_MY_CLIENT_MASK=\'255.255.255.255\'
PLUTO_MY_PORT=\'0\' P:
2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd(
320):LUTO_MY_PROTOCOL=\'0\' PLUTO_PEER=\'192.168.173.20\'
PLUTO_PEER_ID=\'192.168.173.20\' :
2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd(
400):PLUTO_PEER_CLIENT=\'192.168.173.20/32\'
PLUTO_PEER_CLIENT_NET=\'192.168.173.20\' PLU:
2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd(
480):TO_PEER_CLIENT_MASK=\'255.255.255.255\' PLUTO_PEER_PORT=\'0\'
PLUTO_PEER_PROTOCOL=\'0:
2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd( 560):\'
PLUTO_PEER_CA=\'\' PLUTO_STACK=\'netkey\'
 PLUTO_CONN_POLICY=\'RSASIG+ENCRYPT+TUNNE:
2010/12/03 18:00:24 debug HOOME authpriv pluto[27788]: | cmd(
640):L+PFS+UP+IKEv2ALLOW\'  ipsec _updown:
2010/12/03 18:00:25 info HOOME daemon confd_ip[27777]: rule flush cache
2010/12/03 18:00:25 err HOOME daemon confd_ip[4115]: Error reading data:
Connection reset by peer
2010/12/03 18:00:25 warning HOOME authpriv pluto[27788]: \"sample\" #2:
route-host output: select() error: Bad file descriptor
2010/12/03 18:00:25 warning HOOME authpriv pluto[27788]: \"sample\" #2:
route-host command exited with status 255


And then I tried to run some commands like ip route list or ip addr list.

It seems that the netlink socket in the system does not always provide the
data.
For example, if I run the command once it might work. But if I do it
again it doesn't.

And from the strace I have some really strange outputs. It seems that the
data are indeed written but are not printed.
And the resource seems to be temporarily unavailable.

So I guess I will go in this direction to see why I have this behavior in
the system and why the route-host command, which as it seems uses netlink
sockets and the confd_ip resource, fails.

Any hints are always welcome.
I will also keep you posted in case I find out more.


2010/12/6 Paul Wouters <paul at xelerance.com>

> On Mon, 6 Dec 2010, Panagiotis Tamtamis wrote:
>
>> I am trying to install and operate openswan to an embedded system. It's a
>> PBX to be exact. Openswan has been compiled and installed successfully as it
>> seems,
>> but when I am trying to make a tunnel I have an error which I
>> cannot comprehend.
>>
>> 004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
>> cipher=aes_128 prf=oakley_sha group=modp2048}
>> 002 "sample" #2: initiating Quick Mode
>> RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:af67a9c2
>> proposal=defaults
>> pfsgroup=OAKLEY_GROUP_MODP2048}
>> 117 "sample" #2: STATE_QUICK_I1: initiate
>> 002 "sample" #2: route-host output: select() error: Bad file descriptor
>> 003 "sample" #2: route-host command exited with status 255
>> 032 "sample" #2: STATE_QUICK_I1: internal error
>> 003 "sample" #2: ERROR: netlink response for Add SA
>> esp.76250eed at 192.168.173.20 included errno 3: No such process
>>
>
> I suspect you might be missing some kernel modules for netkey. Perhaps the
> crypto modules or af_key or XFRM_USER?
>
> Paul
>



-- 
Think simple!
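
Added example, not part of the original message or of Openswan: a small check of a kernel config for the NETKEY prerequisites Paul mentions (af_key, XFRM_USER, crypto modules). The option list is an assumption for an ESP tunnel using AES-CBC with HMAC-SHA1 on a 2.6-era kernel, and the sample config is constructed; adjust both to the target system.

```shell
#!/bin/sh
# Kconfig symbols assumed necessary for a NETKEY ESP tunnel (AES-CBC + HMAC-SHA1).
# This list is an assumption for illustration; extend it for other proposals.
NETKEY_OPTS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_ESP
CONFIG_INET_XFRM_MODE_TUNNEL CONFIG_CRYPTO_AES CONFIG_CRYPTO_CBC
CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_SHA1"

# Print each required option that is neither built in (=y) nor modular (=m).
# $1: path to a kernel config file (e.g. one unpacked from /proc/config.gz).
missing_netkey_opts() {
    cfg=$1
    for opt in $NETKEY_OPTS; do
        grep -Eq "^${opt}=(y|m)\$" "$cfg" || echo "$opt"
    done
}

# Constructed sample config standing in for the embedded target's kernel.
sample_cfg=$(mktemp)
trap 'rm -f "$sample_cfg"' EXIT
cat > "$sample_cfg" <<'EOF'
CONFIG_NET_KEY=y
CONFIG_INET_ESP=m
# CONFIG_XFRM_USER is not set
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_HMAC=y
EOF

# Lists the options the sample kernel lacks, one per line.
missing_netkey_opts "$sample_cfg"
```

An empty result only shows the options are configured; modular (=m) options still have to be loaded on the running system.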