[Openswan Users] What is PLUTO_PEER_REF and how does OpenSwan define it?

Danilo Godec danilo.godec at agenda.si
Thu Nov 18 10:14:59 EST 2010


 On 11/18/2010 04:42 AM, Paul Wouters wrote:
> On Wed, 17 Nov 2010, Danilo Godec wrote:
>
>> Anyway, we  assumed that there is no reason why this wouldn't work with
>> CheckPoint so we rolled out our first 'production' server with OpenSuSE
>> 11.2 and OpenSwan 2.6.29 (at that time), but we weren't able to
>> establish a VPN tunnel with CheckPoint, so we changed the setup to MAST
>> on the spot.
>>
>> Now as to the problem with KLIPS - I now have a working configuration
>> for MAST. As far as I understand, the only thing I really need to change
>> is 'protostack'. When I do that and start 'ipsec', it 'hangs' there:
>>
>> 000 #1: "mercator-all":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
>> EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate
>> 000 #1: pending Phase 2 for "mercator-all" replacing #0
> Try recompiling openswan klips without USE_MAST support?
>
> I think you might be seeing both ipsecX and mastX devices, which I've
> seen happening, and though it should not matter, seems to interfere
> somehow. We're looking at making a module parameter to tell it
> which virtual interface to initialise.

I compiled the kernel module with 'make
KERNELSRC=/usr/src/linux-obj/x86_64/xen USE_MAST="false" module' -
should that do the trick?

>> I guess some 'debug' options would help, but which?
> you could try: ipsec klipsdebug --all and run the test, then run dmesg.

With the new kernel module, this is what I get when I just do the
'rcipsec start':

> [  929.402967] klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version: 2.6.31
> [  929.403188] NET: Registered protocol family 15
> [  929.404089] registered KLIPS /proc/sys/net
> [  929.404103] klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
> [  929.404222] klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
> [  929.404269] ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
> [  929.404319] klips_debug: experimental ipsec_alg_AES_MAC not registered [Ok] (auth_id=0)
> [  929.404320] ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0

Then I do the 'ipsec klipsdebug --all' and dmesg gives this:

> [ 1084.848116] klips_debug:pfkey_x_debug_process: set
> [ 1084.848173] klips_debug:pfkey_msg_interp: parsing message type 16(x-debug) with msg_parser 0pffffffffa05fc920.
> [ 1084.848267] klips_debug:pfkey_x_msg_debug_parse: .
> [ 1084.848311] ipsec_sa_put: ipsec_sa ffff8800e66cd400 SA:unk0:0@<invalid>, ref:0 reference count (1--) decremented by pfkey_msg_interp:3112.
> [ 1084.848411] ipsec_sa_put: freeing ffff8800e66cd400
> [ 1084.848456] klips_debug:ipsec_sa_wipe: removing SA=unk0:0@<invalid>(0pffff8800e66cd400), SAref=0, table=0(0pffff8800e0fe0000), entry=0 from the refTable.
> [ 1084.848563] klips_debug:pfkey_release: sock=0pffff8800e7cf5780 sk=0pffff8800e66cdc00
> [ 1084.848649] klips_debug:pfkey_destroy_socket: 0pffff8800e66cdc00
> [ 1084.848697] klips_debug:pfkey_remove_socket: 0pffff8800e66cdc00
> [ 1084.848747] klips_debug:pfkey_destroy_socket: pfkey_remove_socket called, sk=0pffff8800e66cdc00
> [ 1084.848834] klips_debug:pfkey_destroy_socket: sk(0pffff8800e66cdc00)->(&0pffff8800e66cdcb8)receive_queue.{next=0pffff8800e66cdcb8,prev=0pffff8800e66cdcb8}.
> [ 1084.848932] klips_debug:pfkey_destroy_socket: destroyed.
> [ 1084.848979] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.849061] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.849148] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.849744] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.849828] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.849915] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.849999] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.850082] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.850168] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.850252] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.850335] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.850420] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.850505] klips_debug:pfkey_list_remove_socket: removing sock=0pffff8800e7cf5780
> [ 1084.850587] klips_debug:pfkey_release: succeeded.

Then I do 'ipsec auto --up myconnection' - this command kinda hangs
there so I put it in background and dmesg spits out:

> [ 1163.449415] ipsec_tunnel_start_xmit: STARTING
> [ 1163.449517] klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=148 hard_header_len:4 45:00:00:94
> [ 1163.449649] klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:148 id:0 DF frag_off:0 ttl:64 proto:17 (UDP) chk:22347 saddr:10.239.255.244:500 daddr:192.168.23.130:500
> [ 1163.449805] klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 16,28
> [ 1163.449892] klips_debug:ipsec_findroute: 10.239.255.244:500->192.168.23.130:500 17
> [ 1163.449977] klips_debug:rj_match: * See if we match exactly as a host destination
> [ 1163.450063] klips_debug:rj_match: ** try to match a leaf, t=0pffff8800e0c85c00
> [ 1163.450148] klips_debug:udp port check: fragoff: 0 len: 144>28
> [ 1163.450196] klips_debug:udp port in packet: port 500 -> 500
> [ 1163.450244] klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE packet saddr=aeffff4, er=0pffff8800e0c85c00, daddr=c0a81782, er_dst=0, proto=17 sport=500 dport=500
> [ 1163.450383] klips_debug:ipsec_xmit_encap_bundle: PASS: calling dev_queue_xmit
> [ 1163.450436] klips_debug:ipsec_xsm: processing completed due to IPSEC_XMIT_PASS.
> [ 1163.450541] klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:ppp0
> [ 1163.450624] klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:148 id:0 DF frag_off:0 ttl:64 proto:17 (UDP) chk:22347 saddr:10.239.255.244:500 daddr:192.168.23.130:500
> [ 1169.460219] klips_debug:@@ flags = 6 @key=0pffff8800e71d3cc0 key = 00000000->00000000 @mask=0p(null)
> [ 1169.460326] klips_debug:@@ flags = 4 @key=0pffff8800e0c85ca0 key = 00000000->00000000 @mask=0pffff8800e6e8b620 mask = 00000000->00000000
> [ 1169.460431] klips_debug:* off = 0
> [ 1169.460477] klips_debug:@ flags = 6 @key=0pffff8800e71d3cd4 key = ffffffff->ffffffff @mask=0p(null)
> [ 1169.460575] klips_debug: off = 0
> [ 1169.460620] klips_debug:ipsec_eroute_get_info: buffer=0pffff8800d2366000, *start=0p(null), offset=0, length=1024
> [ 1169.460708] klips_debug:rj_walktree: for: rn=0pffff8800e83b91c8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
> [ 1169.460798] klips_debug:rj_walktree: processing leaves, rn=0pffff8800e0c85c00 rj_b=-1 rj_flags=4 leaf key = 00000000->00000000
> [ 1169.460896] klips_debug:rj_walktree: while: base=0p(null) rn=0pffff8800e83b91c8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
> [ 1169.460992] klips_debug:rj_walktree: for: rn=0pffff8800e0c85c00 rj_b=-1 rj_flags=4 leaf key = 00000000->00000000
> [ 1169.461083] klips_debug:rj_walktree: processing leaves, rn=0pffff8800e83b9228 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
> [ 1169.461176] klips_debug:rj_walktree: while: base=0p(null) rn=0pffff8800e0c85c00 rj_b=-1 rj_flags=4 leaf key = 00000000->00000000
> [ 1169.461293] klips_debug:ipsec_rj_walker_procprint: rn=0pffff8800e0c85c00, w0=0pffff8800e7a03d38
> [ 1169.461392] klips_debug:@@ flags = 6 @key=0pffff8800e71d3cc0 key = 00000000->00000000 @mask=0p(null)
> [ 1169.461492] klips_debug:@@ flags = 4 @key=0pffff8800e0c85ca0 key = 00000000->00000000 @mask=0pffff8800e6e8b620 mask = 00000000->00000000
> [ 1169.461598] klips_debug:* off = 0
> [ 1169.461643] klips_debug:@ flags = 6 @key=0pffff8800e71d3cd4 key = ffffffff->ffffffff @mask=0p(null)
> [ 1169.461740] klips_debug: off = 0
> [ 1169.461784] klips_debug:ipsec_eroute_get_info: buffer=0pffff8800d2366000, *start=0p(null), offset=61, length=963
> [ 1169.461876] klips_debug:rj_walktree: for: rn=0pffff8800e83b91c8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
> [ 1169.461966] klips_debug:rj_walktree: processing leaves, rn=0pffff8800e0c85c00 rj_b=-1 rj_flags=4 leaf key = 00000000->00000000
> [ 1169.462059] klips_debug:rj_walktree: while: base=0p(null) rn=0pffff8800e83b91c8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
> [ 1169.462157] klips_debug:rj_walktree: for: rn=0pffff8800e0c85c00 rj_b=-1 rj_flags=4 leaf key = 00000000->00000000
> [ 1169.462250] klips_debug:rj_walktree: processing leaves, rn=0pffff8800e83b9228 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
> [ 1169.462344] klips_debug:rj_walktree: while: base=0p(null) rn=0pffff8800e0c85c00 rj_b=-1 rj_flags=4 leaf key = 00000000->00000000
> [ 1169.462439] klips_debug:ipsec_rj_walker_procprint: rn=0pffff8800e0c85c00, w0=0pffff8800e7a03d38
> [ 1169.462539] klips_debug:@@ flags = 6 @key=0pffff8800e71d3cc0 key = 00000000->00000000 @mask=0p(null)
> [ 1169.462639] klips_debug:@@ flags = 4 @key=0pffff8800e0c85ca0 key = 00000000->00000000 @mask=0pffff8800e6e8b620 mask = 00000000->00000000
> [ 1169.462748] klips_debug:* off = 0
> [ 1169.462791] klips_debug:@ flags = 6 @key=0pffff8800e71d3cd4 key = ffffffff->ffffffff @mask=0p(null)
> [ 1169.462889] klips_debug: off = 0
> [ 1169.462929] klips_debug:ipsec_eroute_get_info: buffer=0pffff8800d2366000, *start=0p(null), offset=61, length=1024
> [ 1169.463022] klips_debug:rj_walktree: for: rn=0pffff8800e83b91c8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
> [ 1169.463115] klips_debug:rj_walktree: processing leaves, rn=0pffff8800e0c85c00 rj_b=-1 rj_flags=4 leaf key = 00000000->00000000
> [ 1169.463209] klips_debug:rj_walktree: while: base=0p(null) rn=0pffff8800e83b91c8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
> [ 1169.463301] klips_debug:rj_walktree: for: rn=0pffff8800e0c85c00 rj_b=-1 rj_flags=4 leaf key = 00000000->00000000
> [ 1169.463396] klips_debug:rj_walktree: processing leaves, rn=0pffff8800e83b9228 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
> [ 1169.463491] klips_debug:rj_walktree: while: base=0p(null) rn=0pffff8800e0c85c00 rj_b=-1 rj_flags=4 leaf key = 00000000->00000000
> [ 1169.463586] klips_debug:ipsec_rj_walker_procprint: rn=0pffff8800e0c85c00, w0=0pffff8800e7a03d38
> [ 1173.468100]
> [ 1173.468102]
> [ 1173.468104] ipsec_tunnel_start_xmit: STARTING
> [ 1173.468211] klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=148 hard_header_len:4 45:00:00:94
> [ 1173.468341] klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:148 id:0 DF frag_off:0 ttl:64 proto:17 (UDP) chk:22347 saddr:10.239.255.244:500 daddr:192.168.23.130:500
> [ 1173.468499] klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 16,28
> [ 1173.468587] klips_debug:ipsec_findroute: 10.239.255.244:500->192.168.23.130:500 17
> [ 1173.468671] klips_debug:rj_match: * See if we match exactly as a host destination
> [ 1173.468756] klips_debug:rj_match: ** try to match a leaf, t=0pffff8800e0c85c00
> [ 1173.468842] klips_debug:udp port check: fragoff: 0 len: 144>28
> [ 1173.468890] klips_debug:udp port in packet: port 500 -> 500
> [ 1173.468938] klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE packet saddr=aeffff4, er=0pffff8800e0c85c00, daddr=c0a81782, er_dst=0, proto=17 sport=500 dport=500
> [ 1173.469075] klips_debug:ipsec_xmit_encap_bundle: PASS: calling dev_queue_xmit
> [ 1173.469125] klips_debug:ipsec_xsm: processing completed due to IPSEC_XMIT_PASS.
> [ 1173.469211] klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:ppp0
> [ 1173.469296] klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:148 id:0 DF frag_off:0 ttl:64 proto:17 (UDP) chk:22347 saddr:10.239.255.244:500 daddr:192.168.23.130:500

Hope this shows something to the trained eye. :)


> If there is NAT involved, things might be moving to a different port,
> which might be causing firewall issues, but those should not be different
> between klips and mast....

No NAT is involved, though their WAN addresses are private IP class
(10.x.x.x).


  Regards, Danilo



-- 
Danilo Godec, system administration

Visit our updated web page at www.agenda.si 

OPEN SOURCE AND LINUX 
SERVICES : BUSINESS SOLUTIONS : IT MANAGEMENT : IT INFRASTRUCTURE : TRAINING : SOFTWARE 
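As an added example (not code from the thread or from the Openswan project), the script below parses klipsdebug dmesg lines like the ones quoted in this mail, rejoined onto single lines, and answers the question the trained eye would ask: did each IKE packet actually get PASSed through KLIPS and handed to ppp0, how far apart were the retransmits, do the hex saddr/daddr words in ipsec_xmit_SAlookup agree with the dotted addresses, and did any receive-path line show up at all. It assumes that KLIPS tags inbound debug lines with ipsec_rcv; the sample input is constructed from the thread's own log lines.

```python
import re
import ipaddress

# Constructed sample: the klipsdebug dmesg lines from the thread, rejoined onto
# single lines (the mail client wrapped them) and trimmed to the packet path.
SAMPLE_DMESG = """\
[ 1163.449415] ipsec_tunnel_start_xmit: STARTING
[ 1163.449649] klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:148 id:0 DF frag_off:0 ttl:64 proto:17 (UDP) chk:22347 saddr:10.239.255.244:500 daddr:192.168.23.130:500
[ 1163.450244] klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE packet saddr=aeffff4, er=0pffff8800e0c85c00, daddr=c0a81782, er_dst=0, proto=17 sport=500 dport=500
[ 1163.450383] klips_debug:ipsec_xmit_encap_bundle: PASS: calling dev_queue_xmit
[ 1163.450541] klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:ppp0
[ 1163.450624] klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:148 id:0 DF frag_off:0 ttl:64 proto:17 (UDP) chk:22347 saddr:10.239.255.244:500 daddr:192.168.23.130:500
[ 1173.468104] ipsec_tunnel_start_xmit: STARTING
[ 1173.468341] klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:148 id:0 DF frag_off:0 ttl:64 proto:17 (UDP) chk:22347 saddr:10.239.255.244:500 daddr:192.168.23.130:500
[ 1173.468938] klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE packet saddr=aeffff4, er=0pffff8800e0c85c00, daddr=c0a81782, er_dst=0, proto=17 sport=500 dport=500
[ 1173.469075] klips_debug:ipsec_xmit_encap_bundle: PASS: calling dev_queue_xmit
[ 1173.469211] klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:ppp0
"""

TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
IP_RE = re.compile(r"IP: .*proto:(\d+) .*saddr:([\d.]+):(\d+) daddr:([\d.]+):(\d+)")
HEX_RE = re.compile(r"saddr=([0-9a-f]+), .*daddr=([0-9a-f]+), .*sport=(\d+) dport=(\d+)")
SEND_RE = re.compile(r"ipsec_xmit_send: .*device:(\S+)")
# Assumption: KLIPS receive-path debug lines carry the ipsec_rcv tag; none
# appear in the thread's output, which is exactly the point.
RCV_MARK = "ipsec_rcv"


def hex_to_ip(word):
    """ipsec_xmit_SAlookup prints addresses as bare hex words: aeffff4 is 0x0aeffff4."""
    return str(ipaddress.IPv4Address(int(word, 16)))


def parse_xmit_events(text):
    """One dict per ipsec_tunnel_start_xmit block: 5-tuple, PASS verdict, device."""
    events, cur = [], None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if "ipsec_tunnel_start_xmit: STARTING" in msg:
            cur = {"ts": ts, "passed": False, "dev": None, "hex_ok": None}
            events.append(cur)
            continue
        if cur is None:
            continue
        ip = IP_RE.search(msg)
        if ip and "saddr" not in cur:  # the IP line is printed again after ip_send()
            cur.update(proto=int(ip.group(1)), saddr=ip.group(2), sport=int(ip.group(3)),
                       daddr=ip.group(4), dport=int(ip.group(5)))
        elif hx := HEX_RE.search(msg):
            # Cross-check the hex words against the dotted addresses KLIPS printed.
            cur["hex_ok"] = (hex_to_ip(hx.group(1)) == cur.get("saddr")
                             and hex_to_ip(hx.group(2)) == cur.get("daddr"))
        elif "ipsec_xmit_encap_bundle: PASS" in msg:
            cur["passed"] = True  # IKE itself is never encapsulated; it bypasses the SA
        elif snd := SEND_RE.search(msg):
            cur["dev"] = snd.group(1)
    return events


def diagnose(text):
    """Per IKE peer: how often MI1 went out, whether it reached the wire, any reply."""
    inbound_seen = any(RCV_MARK in ln for ln in text.splitlines())
    peers = {}
    for ev in parse_xmit_events(text):
        if ev.get("proto") == 17 and ev.get("dport") == 500:
            peers.setdefault(ev["daddr"], []).append(ev)
    report = {}
    for peer, evs in peers.items():
        gaps = [round(b["ts"] - a["ts"]) for a, b in zip(evs, evs[1:])]
        report[peer] = {
            "sends": len(evs),
            "all_passed_to_wire": all(e["passed"] and e["dev"] for e in evs),
            "devices": sorted({e["dev"] for e in evs if e["dev"]}),
            "hex_addrs_consistent": all(e["hex_ok"] for e in evs),
            "retransmit_gaps_s": gaps,
            "inbound_seen": inbound_seen,
        }
    return report


def verdict(report):
    """Human-readable conclusion per peer."""
    lines = []
    for peer, r in report.items():
        if r["all_passed_to_wire"] and not r["inbound_seen"]:
            lines.append(f"{peer}: {r['sends']} IKE packets left via {','.join(r['devices'])} "
                         f"(gaps {r['retransmit_gaps_s']}s), nothing came back: look at the path/peer, not KLIPS")
        else:
            lines.append(f"{peer}: check KLIPS output path (passed={r['all_passed_to_wire']})")
    return lines


if __name__ == "__main__":
    print("\n".join(verdict(diagnose(SAMPLE_DMESG))))
```

On the thread's output this reports two IKE packets to 192.168.23.130 handed to ppp0 roughly 10 s apart with matching hex/dotted addresses and no inbound KLIPS lines, which points the investigation at the ppp0 path and the CheckPoint side rather than at the KLIPS module.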


