[Openswan Users] Centos 6 with SARef support

Giovani Moda giovani at mrinformatica.com.br
Wed Jul 27 20:39:24 EDT 2011


Hello again, list.

I'm trying to set up CentOS 6 with SAref support, but I'm facing some
problems. I've recompiled kernel 2.6.32-71.29.1.el6.centos.plus with the
0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch and
0002-SAREF-implement-IP_IPSEC_BINDREF.patch patches and compiled
openswan 2.6.35 with the klips module. Here is the output of ipsec verify:

Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.6.35 (klips)
Checking for IPsec support in kernel                            [OK]
 KLIPS: checking for NAT Traversal support                      [OK]
 KLIPS: checking for OCF crypto offload support                 [N/A]
 Kernel: IPsec SAref kernel support                             [OK]
 Kernel: IPsec SAref Bind kernel support                        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Relevant parts of ipsec.conf:

config setup
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        uniqueids=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.31.0.0/12,%v4:192.168.0.0/16
        protostack=mast
        oe=off
        nhelpers=0

conn %default
        compress=yes
        disablearrivalcheck=no

conn MR-Miguel
        authby=rsasig
        rightcert=mr.pem
        rightid="C=BR, ST=..."
        auto=add
        also=l2tp-ipsec

conn l2tp-ipsec
        pfs=no
        left=A.B.C.D
        leftcert=mail.pem
        leftrsasigkey=%cert
        leftprotoport=17/1701
        right=%any
        rightca=%same
        rightprotoport=17/1701
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv
        rekey=no
        overlapip=yes
        sareftrack=yes

But when I try to connect with protostack=mast, I get:

Jul 27 18:19:01 mail pluto[22558]: packet from E.F.G.H:24192: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Jul 27 18:19:01 mail pluto[22558]: packet from E.F.G.H:24192: received Vendor ID payload [RFC 3947] method set to=109
Jul 27 18:19:01 mail pluto[22558]: packet from E.F.G.H:24192: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jul 27 18:19:01 mail pluto[22558]: packet from E.F.G.H:24192: ignoring Vendor ID payload [FRAGMENTATION]
Jul 27 18:19:01 mail pluto[22558]: packet from E.F.G.H:24192: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 27 18:19:01 mail pluto[22558]: packet from E.F.G.H:24192: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 27 18:19:01 mail pluto[22558]: packet from E.F.G.H:24192: ignoring Vendor ID payload [IKE CGA version 1]
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: responding to Main Mode from unknown peer E.F.G.H
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: Main mode peer ID is ID_DER_ASN1_DN...
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: I am sending my cert
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: new NAT mapping for #1, was E.F.G.H:24192, now E.F.G.H:24193
Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
Jul 27 18:19:02 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: the peer proposed: A.B.C.D/32:17/1701 -> 10.1.1.11/32:17/1701
Jul 27 18:19:02 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jul 27 18:19:02 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #2: responding to Quick Mode proposal {msgid:01000000}
Jul 27 18:19:02 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #2:     us: A.B.C.D< A.B.C.D >[+S=C]:17/1701
Jul 27 18:19:02 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #2:   them: E.F.G.H[C=BR, ST...:17/1701===10.1.1.11/32
Jul 27 18:19:02 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 27 18:19:02 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 27 18:19:02 mail pluto[22558]: | mast_sag_eroute called op=1/add
Jul 27 18:19:02 mail pluto[22558]: | mast_raw_eroute called op=1 said=esp.fa41b0d8@E.F.G.H
Jul 27 18:19:02 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #2: requested algorithm is not available in the kernel
Jul 27 18:19:02 mail pluto[22558]: |   02 0e 00 03  18 00 00 00  08 00 00 00  1e 58 00 00
Jul 27 18:19:02 mail pluto[22558]: |   03 00 01 00  fa 41 b0 d8  00 00 00 00  10 00 00 00
Jul 27 18:19:02 mail pluto[22558]: |   00 00 00 00  00 00 00 00  03 00 05 00  00 00 00 00
Jul 27 18:19:02 mail pluto[22558]: |   02 00 06 a5  c0 a8 01 04  00 00 00 00  00 00 00 00
Jul 27 18:19:02 mail pluto[22558]: |   03 00 06 00  00 00 00 00  02 00 5e 81  bd 67 b4 e7
Jul 27 18:19:02 mail pluto[22558]: |   00 00 00 00  00 00 00 00  03 00 15 00  00 00 00 00
Jul 27 18:19:02 mail pluto[22558]: |   02 00 06 a5  c0 a8 01 04  00 00 00 00  00 00 00 00
Jul 27 18:19:02 mail pluto[22558]: |   03 00 16 00  00 00 00 00  02 00 06 a5  0a 01 01 0b
Jul 27 18:19:02 mail pluto[22558]: |   00 00 00 00  00 00 00 00  03 00 17 00  00 00 00 00
Jul 27 18:19:02 mail pluto[22558]: |   02 00 ff ff  ff ff ff ff  00 00 00 00  00 00 00 00
Jul 27 18:19:02 mail pluto[22558]: |   03 00 18 00  00 00 00 00  02 00 ff ff  ff ff ff ff
Jul 27 18:19:02 mail pluto[22558]: |   00 00 00 00  00 00 00 00  01 00 1a 00  11 93 00 00
Jul 27 18:19:02 mail pluto[22558]: | raw_eroute result=0
Jul 27 18:19:02 mail pluto[22558]: | mast_sag_eroute failed to add/1 pfkey eroute

With protostack=klips all works fine, but I'm trying to get support for
multiple clients behind the same router, so mast is a requirement. Am I
missing something? I know that prior to openswan 2.6.27 or so, compiling
the kernel with klips inline was a requirement for SARef support. Is this
still necessary?

Thanks,

Giovani
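As an added example (not part of the original message or of Openswan's own code), the following Python decoder reads the PF_KEY message that pluto dumps at the failing mast_sag_eroute call, so the bytes can be checked against the log lines around them: the SPI against the said=esp.fa41b0d8 line, the pid against pluto[22558], and the flow selectors against the "the peer proposed" line. The KLIPS-specific message and extension numbers (14 for SADB_X_ADDFLOW, 21 to 26 for the flow, mask and protocol extensions) are assumed here to match Openswan's pfkeyv2.h; the base values come from RFC 2367.

```python
import struct
from ipaddress import IPv4Address
# Hex dump from the pluto debug lines above with the log prefixes stripped (192 bytes = 24 * 8).
PFKEY_DUMP = """
02 0e 00 03  18 00 00 00  08 00 00 00  1e 58 00 00
03 00 01 00  fa 41 b0 d8  00 00 00 00  10 00 00 00
00 00 00 00  00 00 00 00  03 00 05 00  00 00 00 00
02 00 06 a5  c0 a8 01 04  00 00 00 00  00 00 00 00
03 00 06 00  00 00 00 00  02 00 5e 81  bd 67 b4 e7
00 00 00 00  00 00 00 00  03 00 15 00  00 00 00 00
02 00 06 a5  c0 a8 01 04  00 00 00 00  00 00 00 00
03 00 16 00  00 00 00 00  02 00 06 a5  0a 01 01 0b
00 00 00 00  00 00 00 00  03 00 17 00  00 00 00 00
02 00 ff ff  ff ff ff ff  00 00 00 00  00 00 00 00
03 00 18 00  00 00 00 00  02 00 ff ff  ff ff ff ff
00 00 00 00  00 00 00 00  01 00 1a 00  11 93 00 00
"""
# RFC 2367 numbers plus the KLIPS-specific ones (14, 21-26), assumed from Openswan's pfkeyv2.h.
MSG_TYPES = {3: "SADB_ADD", 4: "SADB_DELETE", 14: "SADB_X_ADDFLOW", 15: "SADB_X_DELFLOW"}
SATYPES = {2: "AH", 3: "ESP"}
EXT_TYPES = {1: "SA", 5: "SRC", 6: "DST", 21: "SRC_FLOW", 22: "DST_FLOW",
             23: "SRC_MASK", 24: "DST_MASK", 26: "PROTOCOL"}

def parse_pfkey(hexdump: str) -> dict:
    raw = bytes.fromhex(hexdump)  # fromhex() skips the whitespace and newlines in the dump
    # struct sadb_msg (host order, little-endian on x86): version, type, errno, satype,
    # len in 8-byte units, reserved, seq, pid
    version, mtype, err, satype, length, _, seq, pid = struct.unpack_from("<BBBBHHII", raw, 0)
    if version != 2 or length * 8 != len(raw):
        raise ValueError("not a PF_KEYv2 message, or the dump is truncated")
    msg = {"type": MSG_TYPES.get(mtype, mtype), "satype": SATYPES.get(satype, satype),
           "errno": err, "seq": seq, "pid": pid, "ext": {}}
    off = 16
    while off < len(raw):  # each extension: u16 len (8-byte units), u16 type, then its body
        ext_len, ext_type = struct.unpack_from("<HH", raw, off)
        size = ext_len * 8
        if size == 0 or off + size > len(raw):
            raise ValueError(f"bad extension length at offset {off}")
        name = EXT_TYPES.get(ext_type)  # None for extension types this decoder skips
        if ext_type == 1:  # sadb_sa: SPI is in network order, flags in host order
            msg["ext"][name] = {"spi": raw[off + 4:off + 8].hex(),
                                "flags": struct.unpack_from("<I", raw, off + 12)[0]}
        elif ext_type in (5, 6, 21, 22, 23, 24):  # sadb_address followed by a sockaddr_in
            if struct.unpack_from("<H", raw, off + 8)[0] != 2:  # sin_family must be AF_INET
                raise ValueError(f"non-IPv4 address in {name}")
            msg["ext"][name] = {"addr": str(IPv4Address(raw[off + 12:off + 16])),
                                "port": struct.unpack_from(">H", raw, off + 10)[0]}
        elif ext_type == 26:  # sadb_protocol: proto, flag
            msg["ext"][name] = {"proto": raw[off + 4], "flag": raw[off + 5]}
        off += size
    return msg
```

parse_pfkey(PFKEY_DUMP) decodes the dump as a SADB_X_ADDFLOW for ESP SPI fa41b0d8 whose DST_FLOW is 10.1.1.11:1701 and whose PROTOCOL extension carries 17 (UDP), matching the 17/1701 proposal in the log.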
