[Swan] dev lo route error

Philippe Vouters philippe.vouters at laposte.net
Tue Jan 8 00:00:16 EET 2013


Nick,

With Libreswan, this below does not work either. Only 
ipsec.unmanaged.david.conf is opened.
As far as it seems, only a single include directive as well as a single 
include file looks accepted by addcon. First looking into this.

$ cat /etc/ipsec.conf
...
# Tunnels defined in separate files
#----------------------------------

#include /etc/ipsec.d/ipsec.*.conf
include /etc/ipsec.d/ipsec.unmanaged.david.conf
include /etc/ipsec.d/ipsec.unmanaged.mumin.conf
include /etc/ipsec.d/ipsec.unmanaged.paulin.conf

Next I shall reinstall Openswan 2.6.38 to best read what it promises as 
for {left|right}= in its man. I should read something identical to what 
you claim. I kept Openswan 2.6.38 sources and I now know I have to 
search after this KH_IPHOSTNAME keyword. I can notice differences in 
format_end I did not author. Shall look later into this.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

Le 07/01/2013 21:35, Philippe Vouters a écrit :
> It seems there is another bug with pluto loading the first file and 
> missing the other files:
> [philippe at victor libreswan]$ sudo /usr/local/sbin/ipsec addconn 
> --verbose --autoall
> opening file: /etc/ipsec.conf
> debugging mode enabled
> including file '/etc/ipsec.d/ipsec.*.conf'(/etc/ipsec.d/ipsec.*.conf) 
> from line /etc/ipsec.conf:36
> Loading default conn
> starter: case KH_NOTSET: empty
> starter: case KH_NOTSET: empty
> Loading conn david
> loading all conns according to their auto= settings
>   Pass #1: Loading auto=add and auto=route connections
>   Pass #2: Loading auto=start connections
>
> So addcon does not consider your /etc/ipsec.d/ipsec.unmanaged.mumin.conf
> and
> /etc/ipsec.d/ipsec.unmanaged.paulin.conf
> and misses conf mumin and conn paulin
>
> [philippe at victor ~]$ sudo su -c 'ls /etc/ipsec.d/'
> X9000.conf.save  index.txt                    keys         private
> aacerts          ipsec.secrets                mykey.txt    reqs
> cacerts          ipsec.secrets.old            newcerts secmod.db
> cert8.db         ipsec.secrets.save           nsspassword  serial
> cert9.db         ipsec.unmanaged.david.conf   ocspcerts server.p12
> certs            ipsec.unmanaged.mumin.conf   passwd tempcert
> crls             ipsec.unmanaged.paulin.conf  pkcs11.txt tempcertreq
> examples         key3.db                      pkcs12 vouters.conf.shrew
> hp.conf.save     key4.db                      policies 
> vouters.conf.xl2tpd
>
>
> Note that in conn david:
> # left=howitts.poweredbyclear.com
> # is illegal as per ipsec.conf
> # valid: left=<IPv4 or IPv6 address>
> If someone proves above is legal with Openswan 2.6.38, then this shall 
> be considered as a regression.
>
> Shall work onto this multiple conf files not opened problem first.
>
> Philippe Vouters (Fontainebleau/France)
> URL: http://vouters.dyndns.org/
> SIP: sip:Vouters at sip.linphone.org
>
> Le 07/01/2013 20:47, Nick Howitt a écrit :
>> Conns attached.
>>
>> PSK files are confused as we have one psk file per conn so I have (in 
>> three files):
>>
>> howitts.poweredbyclear.com 88.98.137.158 : PSK "PSK1"
>> @Nick-Mum %any : PSK "PSK2"
>> @Nick-Paul %any : PSK "PSK2"
>> %any : PSK "PSK2"
>> Note last three have the same PSK. The last one is a "spare" one 
>> floating around which I have not bothered disabling.
>>
>> Nick
>>
>> On 07/01/2013 19:06, Philippe Vouters wrote:
>>>
>>> Can you provide your full configuration including everything ? Best 
>>> reply to me with your files attached to your reply.
>>>
>>> Philippe Vouters (Fontainebleau/France)
>>> URL: http://vouters.dyndns.org/
>>> SIP: sip:Vouters at sip.linphone.org
>>>
>>> Le 06/01/2013 17:58, Nick Howitt a écrit :
>>>> I'm in a bit of a mess here and I cannot get the conn to load at 
>>>> all to test. Using the command below I get:
>>>>
>>>> [root at server src]# /usr/libexec/ipsec/addconn --verbose MumIn
>>>> opening file: /etc/ipsec.conf
>>>> debugging mode enabled
>>>> including file 
>>>> '/etc/ipsec.d/ipsec.*.conf'(/etc/ipsec.d/ipsec.*.conf) from line 
>>>> /etc/ipsec.conf:36
>>>> Loading default conn
>>>> starter: case KH_NOTSET: empty
>>>> starter: case KH_NOTSET: empty
>>>> Loading conn David
>>>> starter: check what we need to do for 'howitts.poweredbyclear.com'
>>>> starter: ttoaddr_num failed, not numeric 'howitts.poweredbyclear.com'
>>>> starter: Resolved to howitts.poweredbyclear.com !
>>>> starter: check what we need to do for  '88.98.137.158'
>>>> loading named conns: MumIn(notfound)[root at server src]#
>>>>
>>>> The ttoaddr error is coming from another conn (David) which I'm not 
>>>> trying to load. In that conn David if I change left to 
>>>> %defaultroute the 3 "howitts.poweredbyclear.com" errors go away but 
>>>> I don't see why MumIn is not found. My ipsec.conf is:
>>>>
>>>> version 2.0
>>>>
>>>> # Default policy
>>>> #---------------
>>>>
>>>> config setup
>>>>     interfaces=%defaultroute
>>>>     plutodebug=none
>>>>     klipsdebug=none
>>>>     oe=no
>>>>     protostack=netkey
>>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24 
>>>>
>>>>
>>>>
>>>> conn %default
>>>>     type=tunnel
>>>>     authby=secret
>>>>
>>>> # Tunnels defined in separate files
>>>> #----------------------------------
>>>>
>>>> include /etc/ipsec.d/ipsec.*.conf
>>>>
>>>> And /etc/ipsec.d/ipsec.unmanaged.MumIn.conf is:
>>>>
>>>> conn MumIn
>>>>  type=tunnel
>>>>  authby=secret
>>>>  dpdtimeout=120
>>>>  dpddelay=30
>>>>  auto=add
>>>>  left=%defaultroute
>>>>  leftsourceip=192.168.2.1
>>>>  leftsubnet=192.168.2.0/24
>>>>  leftid=@FromNick
>>>>  right=%any
>>>>  rightsubnet=192.168.10.0/24
>>>>  salifetime=1h
>>>>  dpdaction=restart_by_peer
>>>>  ikelifetime=8h
>>>>  ike=aes256
>>>>  phase2alg=aes256
>>>>
>>>> Until I can get these errors to clear, I can't try to reproduce the 
>>>> dev lo route error.
>>>>
>>>> As a separate question, the command "ipsec secrets" appears to load 
>>>> secrets as before, but I notice we now get new files in the 
>>>> installation. Are we forced to use nss now or ipsec.*.secrets still 
>>>> OK to use.
>>>>
>>>> This is using your RHEL rpm. Having to roll back to the rival for 
>>>> the moment
>>>>
>>>> Regards,
>>>>
>>>> Nick
>>>>
>>>> On 04/01/2013 17:26, Paul Wouters wrote:
>>>>>
>>>>> On 01/04/2013 12:13 PM, Nick Howitt wrote:
>>>>>> In Oguz' Yilmaz's case he appears to have a right specified
>>>>>> (right=RIGHT_EXT_IP) and a leftnexthop (leftnexthop=LEFT_EXT_GW) 
>>>>>> rathr
>>>>>> than right=%any and no leftnexthop. :(
>>>>>
>>>>> you can use /usr/libexec/ipsec/addconn --verbose connname to get a 
>>>>> verbose output that includes the routes we got back for making the 
>>>>> decision.
>>>>>
>>>>>> We have hit some minor odd issues - ipsec auto --status does not 
>>>>>> give
>>>>>> any info on phase2alg unless it is specified. It may also fail if 
>>>>>> it is
>>>>>> specified with the hash function e.g. aes256-sha1 but I need to test
>>>>>> further and my time for testing is very limited. But this should 
>>>>>> all be
>>>>>> for another thread......
>>>>>
>>>>> I've filed that as https://bugs.libreswan.org/show_bug.cgi?id=53 
>>>>> but I also have not had the time yet to look into this.
>>>>>
>>>>> Paul
>>>>>
>>>>
>>>> _______________________________________________
>>>> Swan mailing list
>>>> Swan at lists.libreswan.org
>>>> https://lists.libreswan.org/mailman/listinfo/swan
>>>>
>>>
>>
>



More information about the Swan mailing list