[Swan] This clearly denotes bugs

Philippe Vouters philippe.vouters at laposte.net
Sun Jan 6 22:53:22 EET 2013


Nick, Paul,

Changed from left=victor.vouters.dyndns.org to:
1/ left=alla.vouters.dyndns.org, which is only known inside the DNS 
table of my DSL router. This gives the following:
[philippe at victor ~]$ nslookup alla.vouters.dyndns.org
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   alla.vouters.dyndns.org
Address: 192.168.1.4
[philippe at victor ~]$ sudo /usr/local/sbin/ipsec addconn --verbose Philippe_PSK
opening file: /etc/ipsec.conf
debugging mode enabled
including file '/etc/ipsec.d/*.conf'(/etc/ipsec.d/*.conf) from line /etc/ipsec.conf:26
Loading conn Philippe_PSK
         while loading conn 'Philippe_PSK' also including 'FIXED_RIGHT_IP'
starter: case KH_DEFAULTROUTE: empty
Loading conn DHCP_RIGHT_IP
starter: check what we need to do for  'alla.vouters.dyndns.org'
starter: ttoaddr_num failed, not numeric 'alla.vouters.dyndns.org'
Calling unbound_resolve() for endpoint value
starter: Resolved to alla.vouters.dyndns.org !
while loading 'DHCP_RIGHT_IP': Resolving failed for remote address =alla.vouters.dyndns.org

Loading conn FIXED_RIGHT_IP
starter: case KH_DEFAULTROUTE: empty
loading named conns: Philippe_PSK
parse_src = 0, parse_gateway = 1, has_dst = 0
dst  via 192.168.1.1 dev eth0 src
set nexthop: 192.168.1.1
dst 169.254.0.0 via  dev eth0 src
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
dst 127.0.0.0 via  dev lo src 127.0.0.1
dst 127.0.0.0 via  dev lo src 127.0.0.1
dst 127.0.0.1 via  dev lo src 127.0.0.1
dst 127.255.255.255 via  dev lo src 127.0.0.1
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
dst 192.168.1.2 via  dev eth0 src 192.168.1.2
dst 192.168.1.255 via  dev eth0 src 192.168.1.2

parse_src = 1, parse_gateway = 0, has_dst = 1
dst 192.168.1.1 via  dev eth0 src 192.168.1.2
set addr: 192.168.1.2
002 "Philippe_PSK": deleting connection
002 added connection description "Philippe_PSK"

So the unbound library fails in this case as well as addconn.

2/ left=vouters.dyndns.org, with vouters.dyndns.org DNS known by both 
dyndns.com and my DSL box. Here is the result:
[philippe at victor ~]$ sudo /usr/local/sbin/ipsec addconn --verbose Philippe_PSK
opening file: /etc/ipsec.conf
debugging mode enabled
including file '/etc/ipsec.d/*.conf'(/etc/ipsec.d/*.conf) from line /etc/ipsec.conf:26
Loading conn Philippe_PSK
         while loading conn 'Philippe_PSK' also including 'FIXED_RIGHT_IP'
starter: case KH_DEFAULTROUTE: empty
Loading conn DHCP_RIGHT_IP
starter: check what we need to do for  'vouters.dyndns.org'
starter: ttoaddr_num failed, not numeric  'vouters.dyndns.org'
Calling unbound_resolve() for endpoint value
starter: Resolved to vouters.dyndns.org !
Loading conn FIXED_RIGHT_IP
starter: case KH_DEFAULTROUTE: empty
loading named conns: Philippe_PSK
parse_src = 0, parse_gateway = 1, has_dst = 0
dst  via 192.168.1.1 dev eth0 src
set nexthop: 192.168.1.1
dst 169.254.0.0 via  dev eth0 src
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
dst 127.0.0.0 via  dev lo src 127.0.0.1
dst 127.0.0.0 via  dev lo src 127.0.0.1
dst 127.0.0.1 via  dev lo src 127.0.0.1
dst 127.255.255.255 via  dev lo src 127.0.0.1
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
dst 192.168.1.2 via  dev eth0 src 192.168.1.2
dst 192.168.1.255 via  dev eth0 src 192.168.1.2

parse_src = 1, parse_gateway = 0, has_dst = 1
dst 192.168.1.1 via  dev eth0 src 192.168.1.2
set addr: 192.168.1.2
002 "Philippe_PSK": deleting connection
002 added connection description "Philippe_PSK"
[philippe at victor ~]$

So the unbound library succeeds in this case, and addconn also correctly 
sets up Philippe_PSK.

Explanation thanks to Wireshark:
The unbound library does not use the information in /etc/resolv.conf at 
all, but queries fixed, known DNS servers (namely the 
<letter>.root-servers.net computers). In the second, successful case it 
ends up at dyndns.com, which returns the public IP address of my DSL box. 
Had the unbound library queried using the information in 
/etc/resolv.conf, it would have returned my computer's IP address inside 
my home network.

In the hope this clarifies.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 06/01/2013 20:59, Philippe Vouters wrote:
> Paul, Nick,
>
> There is at least one visible bug here:
>
> 1/ DHCP_RIGHT_IP is taken into account despite auto=ignore
>
> 2/ unbound_resolve() failed to resolve victor.vouters.dyndns.org.
>
> The second error can eventually be explained by:
>
> [philippe at victor ~]$ nslookup victor.vouters.dyndns.org
> Server:         192.168.1.1
> Address:        192.168.1.1#53
>
> ** server can't find victor.vouters.dyndns.org: NXDOMAIN
>
> despite:
>
> [philippe at victor ~]$ hostname
> victor.vouters.dyndns.org
> [philippe at victor ~]$ cat /etc/hosts
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1       localhost.localdomain   localhost victor.localdomain
> ::1             localhost6.localdomain6 localhost6
> 192.168.1.2     victor.vouters.dyndns.org victor www.vouters.com
> ...
> [philippe at victor ~]$
>
> [philippe at victor ~]$ sudo cat /etc/ipsec.d/vouters.conf
> # Mutual PSK
> conn Philippe_PSK
>      authby=secret
> #     leftsourceip=192.168.1.2
>      also=FIXED_RIGHT_IP
>
> conn DHCP_RIGHT_IP
>      type=tunnel
>      pfs=yes
>      dpddelay=30
>      dpdtimeout=120
>      dpdaction=restart
>      left=victor.vouters.dyndns.org
> #     leftnexthop=%defaultroute
>      leftprotoport=udp/bootps
>      leftupdown="ipsec _updown --route yes"
>      right=%any
>      rightsubnetwithin=192.168.1.0/24
>      rightprotoport=udp/bootps
>      rekey=no
>      auto=ignore
> #     auto=add
>
> conn FIXED_RIGHT_IP
>      type=tunnel
>      pfs=yes
>      dpddelay=30
>      dpdtimeout=120
>      dpdaction=restart
>      left=%defaultroute
>      leftnexthop=%defaultroute
>      leftsubnet=0.0.0.0/0
>      leftupdown="ipsec _updown --route yes"
>      right=%any
>      rightsubnet=vhost:%no,%priv
>      rekey=no
>      auto=add
> [philippe at victor ~]$ sudo /usr/local/sbin/ipsec addconn --verbose Philippe_PSK
> opening file: /etc/ipsec.conf
> debugging mode enabled
> including file '/etc/ipsec.d/*.conf'(/etc/ipsec.d/*.conf) from line /etc/ipsec.conf:26
> Loading conn Philippe_PSK
>         while loading conn 'Philippe_PSK' also including 'FIXED_RIGHT_IP'
> starter: case KH_DEFAULTROUTE: empty
> Loading conn DHCP_RIGHT_IP
> starter: check what we need to do for  'victor.vouters.dyndns.org'
> starter: ttoaddr_num failed, not numeric 'victor.vouters.dyndns.org'
> Calling unbound_resolve() for endpoint value
> starter: Resolved to victor.vouters.dyndns.org !
> while loading 'DHCP_RIGHT_IP': Resolving failed for remote address =victor.vouters.dyndns.org
>
> Loading conn FIXED_RIGHT_IP
> starter: case KH_DEFAULTROUTE: empty
> loading named conns: Philippe_PSK
> parse_src = 0, parse_gateway = 1, has_dst = 0
> dst  via 192.168.1.1 dev eth0 src
> set nexthop: 192.168.1.1
> dst 169.254.0.0 via  dev eth0 src
> dst 192.168.1.0 via  dev eth0 src 192.168.1.2
> dst 127.0.0.0 via  dev lo src 127.0.0.1
> dst 127.0.0.0 via  dev lo src 127.0.0.1
> dst 127.0.0.1 via  dev lo src 127.0.0.1
> dst 127.255.255.255 via  dev lo src 127.0.0.1
> dst 192.168.1.0 via  dev eth0 src 192.168.1.2
> dst 192.168.1.2 via  dev eth0 src 192.168.1.2
> dst 192.168.1.255 via  dev eth0 src 192.168.1.2
>
> parse_src = 1, parse_gateway = 0, has_dst = 1
> dst 192.168.1.1 via  dev eth0 src 192.168.1.2
> set addr: 192.168.1.2
> 002 "Philippe_PSK": deleting connection
> 002 added connection description "Philippe_PSK"
> [philippe at victor ~]$
>
> [philippe at victor ~]$
>
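As an added, self-contained example (not code from this thread or from libreswan), the following Python script models the check the two experiments above perform by hand: it parses conn sections from an ipsec.conf-style file (including also= and auto=), classifies each left=/right= value the way the starter log shows (%-keyword, numeric address, or a hostname that has to be resolved), and compares how a hostname resolves through the /etc/resolv.conf server versus a recursive resolver that starts at the root servers. The two DNS tables and the 203.0.113.10 public address are constructed stand-ins, and the also= merge rule (the including conn's own settings win) is an assumption rather than libreswan's documented behaviour.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]  # hostname -> address, or None for NXDOMAIN

# Constructed input: the conn sections posted in the thread, trimmed to the
# settings this check looks at.
SAMPLE_CONF = """\
# Mutual PSK
conn Philippe_PSK
     authby=secret
     also=FIXED_RIGHT_IP

conn DHCP_RIGHT_IP
     left=victor.vouters.dyndns.org
     right=%any
     auto=ignore

conn FIXED_RIGHT_IP
     left=%defaultroute
     right=%any
     auto=add
"""

# Constructed DNS views. INTERNAL_DNS is what the DSL router at 192.168.1.1
# answers; RECURSIVE_DNS is what a resolver walking down from the root servers
# sees. 203.0.113.10 (RFC 5737 documentation range) stands in for the real
# public address of the DSL box. A name missing from a table is NXDOMAIN.
INTERNAL_DNS = {"alla.vouters.dyndns.org": "192.168.1.4",
                "vouters.dyndns.org": "192.168.1.2"}
RECURSIVE_DNS = {"vouters.dyndns.org": "203.0.113.10"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn name: {key: value}}. An unindented 'conn NAME' line opens a
    section, indented key=value lines belong to it, '#' starts a comment."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # top-level line: a section header
            current = line.split(None, 1)[1].strip() if line.startswith("conn ") else None
            if current is not None:
                conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns

def effective_conn(conns, name, _seen=None) -> Dict[str, str]:
    """Flatten also= inclusion. Assumed merge rule (not taken from libreswan's
    documentation): the including conn's own settings win over included ones."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        raise ValueError(f"also= loop at conn {name}")
    seen.add(name)
    own = dict(conns[name])
    included = own.pop("also", None)
    merged = effective_conn(conns, included, seen) if included else {}
    merged.update(own)
    return merged

def endpoint_kind(value: str) -> str:
    """Mirror the starter's first decision on left=/right=: a %-keyword, a numeric
    address, or a hostname to resolve (the 'ttoaddr_num failed, not numeric' path)."""
    if value.startswith("%"):
        return "keyword"
    try:
        ipaddress.ip_address(value)
        return "address"
    except ValueError:
        return "hostname"

def is_rfc1918(addr: str) -> bool:
    """True for RFC 1918 addresses only; the stdlib is_private also covers the
    documentation ranges, which would misclassify the placeholder above."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def classify(hostname: str, internal: Resolver, recursive: Resolver) -> str:
    """Compare the /etc/resolv.conf view with the recursive (root-server) view."""
    inside, outside = internal(hostname), recursive(hostname)
    if inside is None and outside is None:
        return "unresolved"     # victor.* in the thread: NXDOMAIN on both paths
    if outside is None:
        return "internal-only"  # alla.*: only the home router knows the name
    if inside is None:
        return "public-only"
    if inside == outside:
        return "consistent"
    if is_rfc1918(inside) and not is_rfc1918(outside):
        return "split-horizon"  # vouters.*: private address inside, public outside
    return "mismatch"

def audit(conns, internal: Resolver, recursive: Resolver,
          include_ignored: bool = False) -> List[Tuple[str, str, str, str]]:
    """(conn, side, hostname, verdict) for every left=/right= hostname. auto=ignore
    conns are skipped unless include_ignored=True, which models what the thread
    reports addconn actually doing with DHCP_RIGHT_IP."""
    report = []
    for name in conns:
        eff = effective_conn(conns, name)
        if eff.get("auto") == "ignore" and not include_ignored:
            continue
        for side in ("left", "right"):
            value = eff.get(side)
            if value is not None and endpoint_kind(value) == "hostname":
                report.append((name, side, value, classify(value, internal, recursive)))
    return report

if __name__ == "__main__":
    parsed = parse_conns(SAMPLE_CONF)
    for row in audit(parsed, INTERNAL_DNS.get, RECURSIVE_DNS.get, include_ignored=True):
        print(*row)
    for host in ("alla.vouters.dyndns.org", "vouters.dyndns.org"):
        print(host, classify(host, INTERNAL_DNS.get, RECURSIVE_DNS.get))
```

The resolvers are plain callables so the same audit can be pointed at a real stub resolver and a real recursive one on a live system; the verdicts map onto the three runs in the thread: victor.* is "unresolved", alla.* is "internal-only" (the recursive path fails), and vouters.* is "split-horizon" (the tunnel endpoint silently becomes the public address rather than the host's LAN address).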
