[Swan] libreswan 3.9+klips not listen on multiple secondary address
csszep
csszep at gmail.com
Wed Jul 16 20:19:10 EEST 2014
Hi Paul!
It does not work on Debian 7.
This is the super simple config:
config setup
protostack=klips
interfaces="ipsec0=eth0:0"
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.8.2 0.0.0.0 UG 0 0 0 eth0
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:a2:80:64
inet addr:192.168.8.129 Bcast:192.168.8.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea2:8064/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1212 errors:0 dropped:0 overruns:0 frame:0
TX packets:385 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:114452 (111.7 KiB) TX bytes:47059 (45.9 KiB)
eth0:0 Link encap:Ethernet HWaddr 00:0c:29:a2:80:64
inet addr:192.168.8.111 Bcast:192.168.8.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
ipsec0 Link encap:Ethernet HWaddr 00:0c:29:a2:80:64
inet6 addr: fe80::20c:29ff:fea2:8064/128 Scope:Link
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:2 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12514 (12.2 KiB) TX bytes:12514 (12.2 KiB)
Jul 16 18:04:38 debian7vm ipsec__plutorun: Starting Pluto subsystem...
Jul 16 18:04:38 debian7vm pluto[4348]: nss directory plutomain: /etc/ipsec.d
Jul 16 18:04:38 debian7vm pluto[4348]: NSS Initialized
Jul 16 18:04:38 debian7vm pluto[4348]: libcap-ng support [enabled]
Jul 16 18:04:38 debian7vm pluto[4348]: FIPS HMAC integrity support [disabled]
Jul 16 18:04:38 debian7vm pluto[4348]: Linux audit support [disabled]
Jul 16 18:04:38 debian7vm pluto[4348]: Starting Pluto (Libreswan
Version 3.9 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM
NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:4348
Jul 16 18:04:38 debian7vm pluto[4348]: core dump dir: /var/run/pluto
Jul 16 18:04:38 debian7vm pluto[4348]: secrets file: /etc/ipsec.secrets
Jul 16 18:04:38 debian7vm pluto[4348]: leak-detective disabled
Jul 16 18:04:38 debian7vm pluto[4348]: SAref support [disabled]:
Protocol not available
Jul 16 18:04:38 debian7vm pluto[4348]: SAbind support [disabled]:
Protocol not available
Jul 16 18:04:38 debian7vm pluto[4348]: NSS crypto [enabled]
Jul 16 18:04:38 debian7vm pluto[4348]: XAUTH PAM support [enabled]
Jul 16 18:04:38 debian7vm pluto[4348]: NAT-Traversal support [enabled]
Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_hash():
Activating OAKLEY_SHA2_384: Ok (ret=0)
Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Jul 16 18:04:38 debian7vm pluto[4348]: starting up 1 crypto helpers
Jul 16 18:04:38 debian7vm pluto[4348]: started thread for crypto
helper 0 (master fd 6)
Jul 16 18:04:38 debian7vm pluto[4348]: Using KLIPS IPsec interface
code on 3.2.0-4-amd64
Jul 16 18:04:38 debian7vm pluto[4348]: listening for IKE messages
Jul 16 18:04:38 debian7vm pluto[4348]: no public interfaces found
Jul 16 18:04:38 debian7vm pluto[4348]: loading secrets from "/etc/ipsec.secrets"
Jul 16 18:04:38 debian7vm pluto[4348]: loading secrets from
"/var/lib/libreswan/ipsec.secrets.inc"
With interfaces="ipsec0=eth0" it works of course:
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:a2:80:64
inet addr:192.168.8.129 Bcast:192.168.8.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea2:8064/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1983 errors:0 dropped:0 overruns:0 frame:0
TX packets:1147 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:177448 (173.2 KiB) TX bytes:628939 (614.1 KiB)
eth0:0 Link encap:Ethernet HWaddr 00:0c:29:a2:80:64
inet addr:192.168.8.111 Bcast:192.168.8.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
ipsec0 Link encap:Ethernet HWaddr 00:0c:29:a2:80:64
inet addr:192.168.8.129 Mask:255.255.255.255
inet6 addr: fe80::20c:29ff:fea2:8064/128 Scope:Link
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:1 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Jul 16 18:09:04 debian7vm ipsec__plutorun: Starting Pluto subsystem...
Jul 16 18:09:04 debian7vm pluto[4653]: nss directory plutomain: /etc/ipsec.d
Jul 16 18:09:04 debian7vm pluto[4653]: NSS Initialized
Jul 16 18:09:04 debian7vm pluto[4653]: libcap-ng support [enabled]
Jul 16 18:09:04 debian7vm pluto[4653]: FIPS HMAC integrity support [disabled]
Jul 16 18:09:04 debian7vm pluto[4653]: Linux audit support [disabled]
Jul 16 18:09:04 debian7vm pluto[4653]: Starting Pluto (Libreswan
Version 3.9 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM
NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:4653
Jul 16 18:09:04 debian7vm pluto[4653]: core dump dir: /var/run/pluto
Jul 16 18:09:04 debian7vm pluto[4653]: secrets file: /etc/ipsec.secrets
Jul 16 18:09:04 debian7vm pluto[4653]: leak-detective disabled
Jul 16 18:09:04 debian7vm pluto[4653]: SAref support [disabled]:
Protocol not available
Jul 16 18:09:04 debian7vm pluto[4653]: SAbind support [disabled]:
Protocol not available
Jul 16 18:09:04 debian7vm pluto[4653]: NSS crypto [enabled]
Jul 16 18:09:04 debian7vm pluto[4653]: XAUTH PAM support [enabled]
Jul 16 18:09:04 debian7vm pluto[4653]: NAT-Traversal support [enabled]
Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_hash():
Activating OAKLEY_SHA2_384: Ok (ret=0)
Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Jul 16 18:09:04 debian7vm pluto[4653]: starting up 1 crypto helpers
Jul 16 18:09:04 debian7vm pluto[4653]: started thread for crypto
helper 0 (master fd 6)
Jul 16 18:09:04 debian7vm pluto[4653]: Using KLIPS IPsec interface
code on 3.2.0-4-amd64
Jul 16 18:09:04 debian7vm pluto[4653]: listening for IKE messages
Jul 16 18:09:04 debian7vm pluto[4653]: adding interface ipsec0/eth0
192.168.8.129:500
Jul 16 18:09:04 debian7vm pluto[4653]: adding interface ipsec0/eth0
192.168.8.129:4500
Jul 16 18:09:04 debian7vm pluto[4653]: loading secrets from "/etc/ipsec.secrets"
Jul 16 18:09:04 debian7vm pluto[4653]: loading secrets from
"/var/lib/libreswan/ipsec.secrets.inc"
Thx
Csszep
2014-07-16 17:02 GMT+02:00 Paul Wouters <paul at nohats.ca>:
> On Wed, 16 Jul 2014, csszep wrote:
>
>> I'm migrating from openswan to libreswan and i have a host with
>> multiple interfaces and secondary address.
>>
>> With openswan (2.6.28) the following line works:
>>
>> interfaces="ipsec0=eth5:0 ipsec1=eth4:0 ipsec2=eth3:0
>
>
> Are you missing a closing quote (") there ?
>
>
>> Pluto listens on secondary address on these interfaces
>
>
> It works for me?
>
> [root at road ~]# ifconfig eth0:1 11.1.2.3/24
> [root at road ~]# ipsec version
> Linux Libreswan Uv3.9-86-gc7e82bb-master/K(no kernel code presently
> loaded) on 3.13.6-200.fc20.x86_64
> [root at road ~]# ifconfig
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 192.1.3.209 netmask 255.255.255.0 broadcast 192.1.3.255
> ether 12:00:00:ab:cd:02 txqueuelen 1000 (Ethernet)
> RX packets 10342 bytes 2533695 (2.4 MiB)
> RX errors 0 dropped 5 overruns 0 frame 0
> TX packets 11878 bytes 9857645 (9.4 MiB)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 11.1.2.3 netmask 255.255.255.0 broadcast 11.1.2.255
> ether 12:00:00:ab:cd:02 txqueuelen 1000 (Ethernet)
>
> [root at road ~]# grep interfaces /etc/ipsec.conf
> interfaces="ipsec0=eth0:1"
> [root at road ~]# ipsec start
> Redirecting to: systemctl start ipsec.service
>
> [root at road ~]# grep interface /tmp/pluto.log Using KLIPS IPsec interface
> code on 3.13.6-200.fc20.x86_64
> | Inspecting interface lo | Inspecting interface eth0 | Inspecting interface
> eth0:1 | Inspecting interface ipsec0 adding interface ipsec0/eth0:1
> 11.1.2.3:500
> adding interface ipsec0/eth0:1 11.1.2.3:4500
> | IP interface eth0 192.1.3.209 has no matching ipsec* interface -- ignored
> | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
>
> [root at road ~]# ipsec tncfg
> ipsec0 -> eth0 mtu=16260(1500) -> 1500
> ipsec1 -> NULL mtu=0(0) -> 0
>
> test on machine with multiple interfaces:
>
> [root at east ~]# ifconfig eth0:0 10.0.0.0/24
> [root at east ~]# ifconfig eth1:0 10.0.1.0/24
> [root at east ~]# ifconfig eth2:0 10.0.2.0/24
> [root at east ~]# grep interfaces /etc/ipsec.conf
> interfaces="ipsec0=eth0:0 ipsec1=eth1:0 ipsec2=eth2:0"
>
> [root at east ~]# ipsec version
> Linux Libreswan Uv3.9-86-gc7e82bb-master/K(no kernel code presently
> loaded) on 3.13.6-200.fc20.x86_64
> [root at east ~]# ipsec start
> Redirecting to: systemctl start ipsec.service
> [root at east ~]# grep interface /tmp/pluto.log Using KLIPS IPsec interface
> code on 3.13.6-200.fc20.x86_64
> | Inspecting interface lo | Inspecting interface eth0 | Inspecting interface
> eth0:0 | Inspecting interface eth1 | Inspecting interface eth1:0 |
> Inspecting interface eth2 | Inspecting interface eth2:0 | Inspecting
> interface ipsec0 | Inspecting interface ipsec1 | Inspecting interface ipsec2
> adding interface ipsec2/eth2:0 10.0.2.0:500
> adding interface ipsec2/eth2:0 10.0.2.0:4500
> | IP interface eth2 192.9.2.23 has no matching ipsec* interface --
> ignored
> adding interface ipsec1/eth1:0 10.0.1.0:500
> adding interface ipsec1/eth1:0 10.0.1.0:4500
> | IP interface eth1 192.1.2.23 has no matching ipsec* interface --
> ignored
> adding interface ipsec0/eth0:0 10.0.0.0:500
> adding interface ipsec0/eth0:0 10.0.0.0:4500
> | IP interface eth0 192.0.2.254 has no matching ipsec* interface --
> ignored
> | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
> [root at east ~]#
>
> Paul
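The two pluto logs above differ in exactly one place: with the alias the daemon reports "no public interfaces found" and never prints an "adding interface ipsecN/... :500" line, while with the plain interface it binds 500 and 4500. A quick way to turn that into a check you can run after every `ipsec start` is to parse the `interfaces=` line (also catching the missing closing quote Paul asks about) and then confirm from the pluto log which of the configured ipsecN interfaces were actually bound on both ports. The script below is an added example, not part of this thread or of libreswan; the log and config formats it expects are taken from the output quoted above, the sample inputs are constructed from those same lines, and it only reads logs, it does not explain why KLIPS ignored the alias.

```python
"""Check whether pluto bound every interface listed in ipsec.conf.

Added example (not libreswan code): parses the interfaces= setting and a
chunk of pluto syslog output, then reports, per virtual ipsecN interface,
which UDP ports (500 and 4500 expected) pluto actually added.
"""
import re
from typing import Dict, List

# One "ipsecN=phys" or "ipsecN=phys:alias" token of the interfaces= setting.
_IFACE_TOKEN = re.compile(r"^(ipsec\d+)=([A-Za-z0-9_.-]+(?::\d+)?)$")
# syslog timestamp prefix, used to re-join log lines wrapped by the mailer.
_SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
# e.g. "adding interface ipsec0/eth0:0 10.0.0.0:500"
_ADDING = re.compile(r"adding interface (ipsec\d+)/(\S+) (\S+):(\d+)")


def parse_interfaces_setting(line: str) -> Dict[str, str]:
    """Map virtual ipsecN -> physical interface (or alias) from one line.

    Raises ValueError on a missing closing quote or a malformed token.
    """
    m = re.match(r'^\s*interfaces\s*=\s*(.*?)\s*$', line)
    if not m:
        raise ValueError("not an interfaces= line")
    value = m.group(1)
    if value.startswith('"'):
        if len(value) < 2 or not value.endswith('"'):
            raise ValueError("interfaces= value is missing its closing quote")
        value = value[1:-1]
    mapping: Dict[str, str] = {}
    for token in value.split():
        tm = _IFACE_TOKEN.match(token)
        if tm is None:
            raise ValueError(f"malformed interface token: {token!r}")
        virt, phys = tm.groups()
        if virt in mapping:
            raise ValueError(f"{virt} listed twice")
        mapping[virt] = phys
    return mapping


def _unwrap(log: str) -> List[str]:
    """Glue continuation lines (no syslog timestamp) onto the previous line."""
    lines: List[str] = []
    for raw in log.splitlines():
        s = raw.strip()
        if not s:
            continue
        if _SYSLOG_TS.match(s) or not lines:
            lines.append(s)
        else:
            lines[-1] += " " + s
    return lines


def check_bindings(interfaces_line: str, log: str) -> dict:
    """Compare the configured ipsecN interfaces with what pluto bound."""
    wanted = parse_interfaces_setting(interfaces_line)
    bound = {virt: {} for virt in wanted}
    unexpected = []          # bindings for ipsecN names not in the config
    no_public = False
    for line in _unwrap(log):
        if "no public interfaces found" in line:
            no_public = True
        m = _ADDING.search(line)
        if not m:
            continue
        virt, phys, addr, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if virt in bound:
            bound[virt][port] = (phys, addr)
        else:
            unexpected.append((virt, phys, addr, port))
    report = {"no_public_interfaces": no_public,
              "unexpected": unexpected, "interfaces": {}}
    for virt, phys in wanted.items():
        ports = sorted(bound[virt])
        report["interfaces"][virt] = {"configured": phys,
                                      "bound_ports": ports,
                                      "ok": ports == [500, 4500]}
    return report


# Constructed samples, taken from the two pluto logs quoted in this thread.
FAILING_LOG = """Jul 16 18:04:38 debian7vm pluto[4348]: listening for IKE messages
Jul 16 18:04:38 debian7vm pluto[4348]: no public interfaces found
"""
WORKING_LOG = """Jul 16 18:09:04 debian7vm pluto[4653]: listening for IKE messages
Jul 16 18:09:04 debian7vm pluto[4653]: adding interface ipsec0/eth0
192.168.8.129:500
Jul 16 18:09:04 debian7vm pluto[4653]: adding interface ipsec0/eth0
192.168.8.129:4500
"""

if __name__ == "__main__":
    import json
    print(json.dumps(check_bindings('interfaces="ipsec0=eth0:0"', FAILING_LOG), indent=2))
    print(json.dumps(check_bindings('interfaces="ipsec0=eth0"', WORKING_LOG), indent=2))
```

Run it against `grep pluto /var/log/syslog` (or `/tmp/pluto.log` when logging to a file as in Paul's test) right after `ipsec start`; an interface with `"ok": false` or a `no_public_interfaces` of true means nothing is listening for IKE on that address, whatever `ifconfig` shows.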