[Swan] dev lo route error

Nick Howitt n1ck.h0w1tt at gmail.com
Mon Jan 7 23:13:51 EET 2013


Philippe,

Those conns are lifted straight from Openswan and work there (although 
tonight I had to restart paulin before it came up after I reinstalled 
Openswan for some reason). FQDNs have worked and used to be evaluated 
once when the conn was read in and again when the secrets file was read. 
Work was done on DPD with dynamic names around 2.6.24 or 2.6.21 when the 
dpdactions restart and restart_by_peer were introduced to force 
re-evaluation of FQDNs.

The man page for ipsec.conf says "in any form accepted by 
ipsec_ttoaddr(3)". The man page for ipsec_ttoaddr(3) says a DNS name can 
be used.

Regards,

Nick

On 07/01/2013 20:35, Philippe Vouters wrote:
>
> It seems there is another bug with pluto loading the first file and 
> missing the other files:
> [philippe at victor libreswan]$ sudo /usr/local/sbin/ipsec addconn 
> --verbose --autoall
> opening file: /etc/ipsec.conf
> debugging mode enabled
> including file '/etc/ipsec.d/ipsec.*.conf'(/etc/ipsec.d/ipsec.*.conf) 
> from line /etc/ipsec.conf:36
> Loading default conn
> starter: case KH_NOTSET: empty
> starter: case KH_NOTSET: empty
> Loading conn david
> loading all conns according to their auto= settings
>   Pass #1: Loading auto=add and auto=route connections
>   Pass #2: Loading auto=start connections
>
> So addconn does not consider your /etc/ipsec.d/ipsec.unmanaged.mumin.conf 
> and /etc/ipsec.d/ipsec.unmanaged.paulin.conf and misses conn mumin and 
> conn paulin.
>
> [philippe at victor ~]$ sudo su -c 'ls /etc/ipsec.d/'
> X9000.conf.save  index.txt                    keys         private
> aacerts          ipsec.secrets                mykey.txt    reqs
> cacerts          ipsec.secrets.old            newcerts secmod.db
> cert8.db         ipsec.secrets.save           nsspassword  serial
> cert9.db         ipsec.unmanaged.david.conf   ocspcerts server.p12
> certs            ipsec.unmanaged.mumin.conf   passwd tempcert
> crls             ipsec.unmanaged.paulin.conf  pkcs11.txt tempcertreq
> examples         key3.db                      pkcs12 vouters.conf.shrew
> hp.conf.save     key4.db                      policies     vouters.conf.xl2tpd
>
>
> Note that in conn david:
> # left=howitts.poweredbyclear.com
> # is illegal as per ipsec.conf
> # valid: left=<IPv4 or IPv6 address>
> If someone proves above is legal with Openswan 2.6.38, then this shall 
> be considered as a regression.
>
> I shall work on this "multiple conf files not opened" problem first.
>
> Philippe Vouters (Fontainebleau/France)
> URL: http://vouters.dyndns.org/
> SIP: sip:Vouters at sip.linphone.org
>
> On 07/01/2013 20:47, Nick Howitt wrote:
>> Conns attached.
>>
>> PSK files are confused as we have one psk file per conn so I have (in 
>> three files):
>>
>> howitts.poweredbyclear.com 88.98.137.158 : PSK "PSK1"
>> @Nick-Mum %any : PSK "PSK2"
>> @Nick-Paul %any : PSK "PSK2"
>> %any : PSK "PSK2"
>> Note last three have the same PSK. The last one is a "spare" one 
>> floating around which I have not bothered disabling.
>>
>> Nick
>>
>> On 07/01/2013 19:06, Philippe Vouters wrote:
>>>
>>> Can you provide your full configuration including everything ? Best 
>>> reply to me with your files attached to your reply.
>>>
>>> Philippe Vouters (Fontainebleau/France)
>>> URL: http://vouters.dyndns.org/
>>> SIP: sip:Vouters at sip.linphone.org
>>>
>>> On 06/01/2013 17:58, Nick Howitt wrote:
>>>> I'm in a bit of a mess here and I cannot get the conn to load at 
>>>> all to test. Using the command below I get:
>>>>
>>>> [root at server src]# /usr/libexec/ipsec/addconn --verbose MumIn
>>>> opening file: /etc/ipsec.conf
>>>> debugging mode enabled
>>>> including file 
>>>> '/etc/ipsec.d/ipsec.*.conf'(/etc/ipsec.d/ipsec.*.conf) from line 
>>>> /etc/ipsec.conf:36
>>>> Loading default conn
>>>> starter: case KH_NOTSET: empty
>>>> starter: case KH_NOTSET: empty
>>>> Loading conn David
>>>> starter: check what we need to do for 'howitts.poweredbyclear.com'
>>>> starter: ttoaddr_num failed, not numeric 'howitts.poweredbyclear.com'
>>>> starter: Resolved to howitts.poweredbyclear.com !
>>>> starter: check what we need to do for  '88.98.137.158'
>>>> loading named conns: MumIn(notfound)
>>>> [root at server src]#
>>>>
>>>> The ttoaddr error is coming from another conn (David) which I'm not 
>>>> trying to load. In that conn David if I change left to 
>>>> %defaultroute the 3 "howitts.poweredbyclear.com" errors go away but 
>>>> I don't see why MumIn is not found. My ipsec.conf is:
>>>>
>>>> version 2.0
>>>>
>>>> # Default policy
>>>> #---------------
>>>>
>>>> config setup
>>>>     interfaces=%defaultroute
>>>>     plutodebug=none
>>>>     klipsdebug=none
>>>>     oe=no
>>>>     protostack=netkey
>>>>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
>>>>
>>>>
>>>>
>>>> conn %default
>>>>     type=tunnel
>>>>     authby=secret
>>>>
>>>> # Tunnels defined in separate files
>>>> #----------------------------------
>>>>
>>>> include /etc/ipsec.d/ipsec.*.conf
>>>>
>>>> And /etc/ipsec.d/ipsec.unmanaged.MumIn.conf is:
>>>>
>>>> conn MumIn
>>>>  type=tunnel
>>>>  authby=secret
>>>>  dpdtimeout=120
>>>>  dpddelay=30
>>>>  auto=add
>>>>  left=%defaultroute
>>>>  leftsourceip=192.168.2.1
>>>>  leftsubnet=192.168.2.0/24
>>>>  leftid=@FromNick
>>>>  right=%any
>>>>  rightsubnet=192.168.10.0/24
>>>>  salifetime=1h
>>>>  dpdaction=restart_by_peer
>>>>  ikelifetime=8h
>>>>  ike=aes256
>>>>  phase2alg=aes256
>>>>
>>>> Until I can get these errors to clear, I can't try to reproduce the 
>>>> dev lo route error.
>>>>
>>>> As a separate question, the command "ipsec secrets" appears to load 
>>>> secrets as before, but I notice we now get new files in the 
>>>> installation. Are we forced to use nss now, or is ipsec.*.secrets 
>>>> still OK to use?
>>>>
>>>> This is using your RHEL rpm. Having to roll back to the rival for 
>>>> the moment.
>>>>
>>>> Regards,
>>>>
>>>> Nick
>>>>
>>>> On 04/01/2013 17:26, Paul Wouters wrote:
>>>>>
>>>>> On 01/04/2013 12:13 PM, Nick Howitt wrote:
>>>>>> In Oguz Yilmaz's case he appears to have a right specified 
>>>>>> (right=RIGHT_EXT_IP) and a leftnexthop (leftnexthop=LEFT_EXT_GW) 
>>>>>> rather than right=%any and no leftnexthop. :(
>>>>>
>>>>> You can use /usr/libexec/ipsec/addconn --verbose connname to get a 
>>>>> verbose output that includes the routes we got back for making the 
>>>>> decision.
>>>>>
>>>>>> We have hit some minor odd issues - ipsec auto --status does not give 
>>>>>> any info on phase2alg unless it is specified. It may also fail if it is 
>>>>>> specified with the hash function e.g. aes256-sha1 but I need to test 
>>>>>> further and my time for testing is very limited. But this should all be 
>>>>>> for another thread......
>>>>>
>>>>> I've filed that as https://bugs.libreswan.org/show_bug.cgi?id=53 
>>>>> but I also have not had the time yet to look into this.
>>>>>
>>>>> Paul
>>>>>
>>>>
>>>> _______________________________________________
>>>> Swan mailing list
>>>> Swan at lists.libreswan.org
>>>> https://lists.libreswan.org/mailman/listinfo/swan
>>>>
>>>
>>
>
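As an added check, not from the thread or from libreswan itself: a small Python script that resolves the `include` globs in an ipsec.conf the way the layout quoted above expects (ipsec.conf including /etc/ipsec.d/ipsec.*.conf) and lists the conns each included file contributes. The directory tree it parses is constructed in a temp dir; on a real host, running parse_conns over /etc/ipsec.conf and comparing with the "Loading conn ..." lines from `ipsec addconn --verbose --autoall` shows whether every included file was actually read, which is the behaviour Philippe reports as missing.

```python
import glob
import os
import tempfile

def parse_conns(path, seen=None):
    """Follow ipsec.conf 'include' lines (globs allowed); return [(conn, file), ...]."""
    seen = set() if seen is None else seen
    found = []
    if path in seen:  # guard against an include loop
        return found
    seen.add(path)
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].rstrip()  # strip comments
            if not line.strip():
                continue
            if line.startswith("include "):
                pattern = line.split(None, 1)[1].strip()
                if not os.path.isabs(pattern):  # relative to the including file
                    pattern = os.path.join(os.path.dirname(path), pattern)
                for inc in sorted(glob.glob(pattern)):
                    found.extend(parse_conns(inc, seen))
            elif line.startswith("conn "):  # section header in column 0
                found.append((line.split(None, 1)[1].strip(), path))
    return found

def build_demo_tree():
    """Write a constructed tree mirroring the thread's layout (ipsec.conf
    including ipsec.d/ipsec.*.conf) into a temp dir; return ipsec.conf path."""
    root = tempfile.mkdtemp()
    ipsec_d = os.path.join(root, "ipsec.d")
    os.mkdir(ipsec_d)
    conn = "conn {}\n left=%defaultroute\n right=%any\n authby=secret\n"
    files = {
        "ipsec.conf": "version 2.0\n\nconfig setup\n    protostack=netkey\n\n"
                      "conn %default\n    type=tunnel\n\n"
                      "include " + os.path.join(ipsec_d, "ipsec.*.conf") + "\n",
        "ipsec.d/ipsec.unmanaged.david.conf": conn.format("david"),
        "ipsec.d/ipsec.unmanaged.mumin.conf": conn.format("mumin"),
        "ipsec.d/ipsec.unmanaged.paulin.conf": conn.format("paulin"),
        "ipsec.d/README": "not a conf file, must be ignored by the glob\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return os.path.join(root, "ipsec.conf")

def conn_names(conf_path):
    """Conn names the includes expose; compare with addconn's 'Loading conn' lines."""
    return [name for name, _ in parse_conns(conf_path)]
```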


