[Swan] libreswan 3.9+klips not listen on multiple secondary address

csszep csszep at gmail.com
Wed Jul 16 20:28:57 EEST 2014


With plutodebug=all

Jul 16 18:26:35 debian7vm pluto[6617]: listening for IKE messages
Jul 16 18:26:35 debian7vm pluto[6617]: | Inspecting interface lo
Jul 16 18:26:35 debian7vm pluto[6617]: | found lo with address 127.0.0.1
Jul 16 18:26:35 debian7vm pluto[6617]: | Inspecting interface eth0
Jul 16 18:26:35 debian7vm pluto[6617]: | found eth0 with address 192.168.8.129
Jul 16 18:26:35 debian7vm pluto[6617]: | Inspecting interface eth0:0
Jul 16 18:26:35 debian7vm pluto[6617]: | found eth0:0 with address 192.168.8.111
Jul 16 18:26:35 debian7vm pluto[6617]: | IP interface eth0:0 192.168.8.111 has no matching ipsec* interface -- ignored
Jul 16 18:26:35 debian7vm pluto[6617]: | IP interface eth0 192.168.8.129 has no matching ipsec* interface -- ignored
Jul 16 18:26:35 debian7vm pluto[6617]: | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
Jul 16 18:26:35 debian7vm pluto[6617]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Jul 16 18:26:35 debian7vm pluto[6617]: | IP interface lo ::1 has no matching ipsec* interface -- ignored
Jul 16 18:26:35 debian7vm pluto[6617]: no public interfaces found

2014-07-16 19:19 GMT+02:00 csszep <csszep at gmail.com>:
> Hi Paul!
>
> It does not work on Debian 7.
>
>
> This is the super simple config:
>
>
> config setup
>         protostack=klips
>         interfaces="ipsec0=eth0:0"
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
>
> route -n
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         192.168.8.2     0.0.0.0         UG    0      0        0 eth0
> 192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>
> ifconfig
>
> eth0      Link encap:Ethernet  HWaddr 00:0c:29:a2:80:64
>           inet addr:192.168.8.129  Bcast:192.168.8.255  Mask:255.255.255.0
>           inet6 addr: fe80::20c:29ff:fea2:8064/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1212 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:385 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:114452 (111.7 KiB)  TX bytes:47059 (45.9 KiB)
>
> eth0:0    Link encap:Ethernet  HWaddr 00:0c:29:a2:80:64
>           inet addr:192.168.8.111  Bcast:192.168.8.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> ipsec0    Link encap:Ethernet  HWaddr 00:0c:29:a2:80:64
>           inet6 addr: fe80::20c:29ff:fea2:8064/128 Scope:Link
>           UP RUNNING NOARP  MTU:16260  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:2 overruns:0 carrier:0
>           collisions:0 txqueuelen:10
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:89 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:12514 (12.2 KiB)  TX bytes:12514 (12.2 KiB)
>
>
> Jul 16 18:04:38 debian7vm ipsec__plutorun: Starting Pluto subsystem...
> Jul 16 18:04:38 debian7vm pluto[4348]: nss directory plutomain: /etc/ipsec.d
> Jul 16 18:04:38 debian7vm pluto[4348]: NSS Initialized
> Jul 16 18:04:38 debian7vm pluto[4348]: libcap-ng support [enabled]
> Jul 16 18:04:38 debian7vm pluto[4348]: FIPS HMAC integrity support [disabled]
> Jul 16 18:04:38 debian7vm pluto[4348]: Linux audit support [disabled]
> Jul 16 18:04:38 debian7vm pluto[4348]: Starting Pluto (Libreswan
> Version 3.9 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM
> NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:4348
> Jul 16 18:04:38 debian7vm pluto[4348]: core dump dir: /var/run/pluto
> Jul 16 18:04:38 debian7vm pluto[4348]: secrets file: /etc/ipsec.secrets
> Jul 16 18:04:38 debian7vm pluto[4348]: leak-detective disabled
> Jul 16 18:04:38 debian7vm pluto[4348]: SAref support [disabled]:
> Protocol not available
> Jul 16 18:04:38 debian7vm pluto[4348]: SAbind support [disabled]:
> Protocol not available
> Jul 16 18:04:38 debian7vm pluto[4348]: NSS crypto [enabled]
> Jul 16 18:04:38 debian7vm pluto[4348]: XAUTH PAM support [enabled]
> Jul 16 18:04:38 debian7vm pluto[4348]:    NAT-Traversal support  [enabled]
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_384: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: starting up 1 crypto helpers
> Jul 16 18:04:38 debian7vm pluto[4348]: started thread for crypto
> helper 0 (master fd 6)
> Jul 16 18:04:38 debian7vm pluto[4348]: Using KLIPS IPsec interface
> code on 3.2.0-4-amd64
> Jul 16 18:04:38 debian7vm pluto[4348]: listening for IKE messages
> Jul 16 18:04:38 debian7vm pluto[4348]: no public interfaces found
> Jul 16 18:04:38 debian7vm pluto[4348]: loading secrets from "/etc/ipsec.secrets"
> Jul 16 18:04:38 debian7vm pluto[4348]: loading secrets from
> "/var/lib/libreswan/ipsec.secrets.inc"
>
>
> With interfaces="ipsec0=eth0" it works of course:
>
> ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:0c:29:a2:80:64
>           inet addr:192.168.8.129  Bcast:192.168.8.255  Mask:255.255.255.0
>           inet6 addr: fe80::20c:29ff:fea2:8064/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1983 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1147 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:177448 (173.2 KiB)  TX bytes:628939 (614.1 KiB)
>
> eth0:0    Link encap:Ethernet  HWaddr 00:0c:29:a2:80:64
>           inet addr:192.168.8.111  Bcast:192.168.8.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> ipsec0    Link encap:Ethernet  HWaddr 00:0c:29:a2:80:64
>           inet addr:192.168.8.129  Mask:255.255.255.255
>           inet6 addr: fe80::20c:29ff:fea2:8064/128 Scope:Link
>           UP RUNNING NOARP  MTU:16260  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:1 overruns:0 carrier:0
>           collisions:0 txqueuelen:10
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
> Jul 16 18:09:04 debian7vm ipsec__plutorun: Starting Pluto subsystem...
> Jul 16 18:09:04 debian7vm pluto[4653]: nss directory plutomain: /etc/ipsec.d
> Jul 16 18:09:04 debian7vm pluto[4653]: NSS Initialized
> Jul 16 18:09:04 debian7vm pluto[4653]: libcap-ng support [enabled]
> Jul 16 18:09:04 debian7vm pluto[4653]: FIPS HMAC integrity support [disabled]
> Jul 16 18:09:04 debian7vm pluto[4653]: Linux audit support [disabled]
> Jul 16 18:09:04 debian7vm pluto[4653]: Starting Pluto (Libreswan
> Version 3.9 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM
> NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:4653
> Jul 16 18:09:04 debian7vm pluto[4653]: core dump dir: /var/run/pluto
> Jul 16 18:09:04 debian7vm pluto[4653]: secrets file: /etc/ipsec.secrets
> Jul 16 18:09:04 debian7vm pluto[4653]: leak-detective disabled
> Jul 16 18:09:04 debian7vm pluto[4653]: SAref support [disabled]:
> Protocol not available
> Jul 16 18:09:04 debian7vm pluto[4653]: SAbind support [disabled]:
> Protocol not available
> Jul 16 18:09:04 debian7vm pluto[4653]: NSS crypto [enabled]
> Jul 16 18:09:04 debian7vm pluto[4653]: XAUTH PAM support [enabled]
> Jul 16 18:09:04 debian7vm pluto[4653]:    NAT-Traversal support  [enabled]
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_384: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: starting up 1 crypto helpers
> Jul 16 18:09:04 debian7vm pluto[4653]: started thread for crypto
> helper 0 (master fd 6)
> Jul 16 18:09:04 debian7vm pluto[4653]: Using KLIPS IPsec interface
> code on 3.2.0-4-amd64
> Jul 16 18:09:04 debian7vm pluto[4653]: listening for IKE messages
> Jul 16 18:09:04 debian7vm pluto[4653]: adding interface ipsec0/eth0
> 192.168.8.129:500
> Jul 16 18:09:04 debian7vm pluto[4653]: adding interface ipsec0/eth0
> 192.168.8.129:4500
> Jul 16 18:09:04 debian7vm pluto[4653]: loading secrets from "/etc/ipsec.secrets"
> Jul 16 18:09:04 debian7vm pluto[4653]: loading secrets from
> "/var/lib/libreswan/ipsec.secrets.inc"
>
>
> Thx
> Csszep
>
> 2014-07-16 17:02 GMT+02:00 Paul Wouters <paul at nohats.ca>:
>> On Wed, 16 Jul 2014, csszep wrote:
>>
>>> I'm migrating from openswan to libreswan and I have a host with
>>> multiple interfaces and secondary address.
>>>
>>> With openswan (2.6.28) the following line works:
>>>
>>> interfaces="ipsec0=eth5:0 ipsec1=eth4:0 ipsec2=eth3:0
>>
>>
>> Are you missing a closing quote (") there ?
>>
>>
>>> Pluto listens on secondary address on these interfaces
>>
>>
>> It works for me?
>>
>> [root at road ~]# ifconfig eth0:1 11.1.2.3/24
>> [root at road ~]# ipsec version
>> Linux Libreswan Uv3.9-86-gc7e82bb-master/K(no kernel code presently
>> loaded) on 3.13.6-200.fc20.x86_64
>> [root at road ~]# ifconfig
>> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>         inet 192.1.3.209  netmask 255.255.255.0  broadcast 192.1.3.255
>>         ether 12:00:00:ab:cd:02  txqueuelen 1000  (Ethernet)
>>         RX packets 10342  bytes 2533695 (2.4 MiB)
>>         RX errors 0  dropped 5  overruns 0  frame 0
>>         TX packets 11878  bytes 9857645 (9.4 MiB)
>>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>
>> eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>         inet 11.1.2.3  netmask 255.255.255.0  broadcast 11.1.2.255
>>         ether 12:00:00:ab:cd:02  txqueuelen 1000  (Ethernet)
>>
>> [root at road ~]# grep interfaces /etc/ipsec.conf
>>         interfaces="ipsec0=eth0:1"
>> [root at road ~]# ipsec start
>> Redirecting to: systemctl start ipsec.service
>>
>> [root at road ~]# grep interface /tmp/pluto.log Using KLIPS IPsec interface
>> code on 3.13.6-200.fc20.x86_64
>> | Inspecting interface lo | Inspecting interface eth0 | Inspecting interface
>> eth0:1 | Inspecting interface ipsec0 adding interface ipsec0/eth0:1
>> 11.1.2.3:500
>> adding interface ipsec0/eth0:1 11.1.2.3:4500
>> | IP interface eth0 192.1.3.209 has no matching ipsec* interface -- ignored
>> | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
>>
>> [root at road ~]# ipsec tncfg
>> ipsec0 -> eth0 mtu=16260(1500) -> 1500
>> ipsec1 -> NULL mtu=0(0) -> 0
>>
>> test on machine with multiple interfaces:
>>
>> [root at east ~]# ifconfig eth0:0 10.0.0.0/24
>> [root at east ~]# ifconfig eth1:0 10.0.1.0/24
>> [root at east ~]# ifconfig eth2:0 10.0.2.0/24
>> [root at east ~]# grep interfaces /etc/ipsec.conf
>>         interfaces="ipsec0=eth0:0 ipsec1=eth1:0 ipsec2=eth2:0"
>>
>> [root at east ~]# ipsec version
>> Linux Libreswan Uv3.9-86-gc7e82bb-master/K(no kernel code presently
>> loaded) on 3.13.6-200.fc20.x86_64
>> [root at east ~]# ipsec start
>> Redirecting to: systemctl start ipsec.service
>> [root at east ~]# grep interface /tmp/pluto.log Using KLIPS IPsec interface
>> code on 3.13.6-200.fc20.x86_64
>> | Inspecting interface lo | Inspecting interface eth0 | Inspecting interface
>> eth0:0 | Inspecting interface eth1 | Inspecting interface eth1:0 |
>> Inspecting interface eth2 | Inspecting interface eth2:0 | Inspecting
>> interface ipsec0 | Inspecting interface ipsec1 | Inspecting interface ipsec2
>> adding interface ipsec2/eth2:0 10.0.2.0:500
>> adding interface ipsec2/eth2:0 10.0.2.0:4500
>> | IP interface eth2 192.9.2.23 has no matching ipsec* interface --
>> ignored
>> adding interface ipsec1/eth1:0 10.0.1.0:500
>> adding interface ipsec1/eth1:0 10.0.1.0:4500
>> | IP interface eth1 192.1.2.23 has no matching ipsec* interface --
>> ignored
>> adding interface ipsec0/eth0:0 10.0.0.0:500
>> adding interface ipsec0/eth0:0 10.0.0.0:4500
>> | IP interface eth0 192.0.2.254 has no matching ipsec* interface --
>> ignored
>> | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
>> [root at east ~]#
>>
>> Paul
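The thread turns on what pluto's KLIPS interface scan reports: every IP interface it finds is either bound as an IKE listener (`adding interface ipsecN/device addr:500` and `:4500`) or dropped with `has no matching ipsec* interface -- ignored`, and when nothing binds it ends with `no public interfaces found`. The script below is an added diagnostic written for this page; it is not part of the thread and not libreswan code. It parses an `ipsec.conf` `interfaces=` line and a pluto log, then reports every configured `ipsecN=device` pair that did not end up listening on both IKE ports, quoting the reason the scan gave. It also rejects the missing closing quote Paul asks about. The sample log lines are the thread's own pluto output, rejoined where the mail client wrapped them; the function names and the wording of the findings are my own.

```python
import re

# Sample input: pluto output copied from this thread (the plutodebug=all run
# with interfaces="ipsec0=eth0:0" that failed, and the run with
# interfaces="ipsec0=eth0" that worked), mail wrapping undone.
BROKEN_LOG = """\
Jul 16 18:26:35 debian7vm pluto[6617]: listening for IKE messages
Jul 16 18:26:35 debian7vm pluto[6617]: | Inspecting interface eth0
Jul 16 18:26:35 debian7vm pluto[6617]: | found eth0 with address 192.168.8.129
Jul 16 18:26:35 debian7vm pluto[6617]: | Inspecting interface eth0:0
Jul 16 18:26:35 debian7vm pluto[6617]: | found eth0:0 with address 192.168.8.111
Jul 16 18:26:35 debian7vm pluto[6617]: | IP interface eth0:0 192.168.8.111 has no matching ipsec* interface -- ignored
Jul 16 18:26:35 debian7vm pluto[6617]: | IP interface eth0 192.168.8.129 has no matching ipsec* interface -- ignored
Jul 16 18:26:35 debian7vm pluto[6617]: no public interfaces found
"""
WORKING_LOG = """\
Jul 16 18:09:04 debian7vm pluto[4653]: listening for IKE messages
Jul 16 18:09:04 debian7vm pluto[4653]: adding interface ipsec0/eth0 192.168.8.129:500
Jul 16 18:09:04 debian7vm pluto[4653]: adding interface ipsec0/eth0 192.168.8.129:4500
"""
BROKEN_CONF = 'interfaces="ipsec0=eth0:0"'
WORKING_CONF = 'interfaces="ipsec0=eth0"'

# Patterns for the three scan messages quoted in the thread.
FOUND_RE = re.compile(r"\| found (\S+) with address (\S+)")
ADDED_RE = re.compile(r"adding interface (\S+)/(\S+) (\S+):(\d+)$")
IGNORED_RE = re.compile(r"\| IP interface (\S+) (\S+) has no matching ipsec\* interface -- ignored")
IKE_PORTS = (500, 4500)  # 4500 is the NAT-T port; both should be bound per device


def parse_interfaces(conf_line):
    """Turn an ipsec.conf interfaces= line into {ipsecN: physical device}.

    Rejects a missing closing quote (the slip Paul asks about) and any
    entry that is not of the form ipsecN=device.
    """
    m = re.match(r'interfaces\s*=\s*"([^"]*)"$', conf_line.strip())
    if not m:
        raise ValueError("interfaces= value must be one double-quoted string: %r" % conf_line)
    mapping = {}
    for entry in m.group(1).split():
        virt, sep, phys = entry.partition("=")
        if not sep or not virt.startswith("ipsec") or not phys:
            raise ValueError("expected ipsecN=device, got %r" % entry)
        mapping[virt] = phys
    return mapping


def parse_pluto_log(log_text):
    """Summarise pluto's interface scan: addresses found, listeners added,
    devices ignored for lack of an attached ipsec* interface."""
    scan = {"found": {}, "added": [], "ignored": {}, "no_public": False}
    for line in log_text.splitlines():
        if m := FOUND_RE.search(line):
            scan["found"].setdefault(m.group(1), []).append(m.group(2))
        elif m := ADDED_RE.search(line):
            virt, phys, addr, port = m.groups()
            scan["added"].append((virt, phys, addr, int(port)))
        elif m := IGNORED_RE.search(line):
            scan["ignored"][m.group(1)] = m.group(2)
        elif line.endswith("no public interfaces found"):
            scan["no_public"] = True
    return scan


def audit_listeners(conf_line, log_text):
    """Return one finding per configured ipsecN that is not listening on both
    IKE ports, with the reason the scan gives; an empty list means all bound."""
    mapping = parse_interfaces(conf_line)
    scan = parse_pluto_log(log_text)
    findings = []
    for virt, phys in mapping.items():
        ports = {p for v, d, _a, p in scan["added"] if (v, d) == (virt, phys)}
        if set(IKE_PORTS) <= ports:
            continue
        if ports:
            why = "listening on %s only, missing %s" % (sorted(ports), sorted(set(IKE_PORTS) - ports))
        elif phys in scan["ignored"]:
            why = "%s (%s) was scanned but ignored: no ipsec* device attached to it" % (phys, scan["ignored"][phys])
        elif phys in scan["found"]:
            why = "%s was found (%s) but never bound" % (phys, ", ".join(scan["found"][phys]))
        else:
            why = "%s never appeared in the scan" % phys
        findings.append("%s=%s: %s" % (virt, phys, why))
    return findings


if __name__ == "__main__":
    for label, conf, log in (("broken", BROKEN_CONF, BROKEN_LOG), ("working", WORKING_CONF, WORKING_LOG)):
        print(label + ":", audit_listeners(conf, log) or "all configured ipsec* devices listen on 500 and 4500")
```

Run against a real box by feeding it the `interfaces=` line from `/etc/ipsec.conf` and the pluto log captured with `plutodebug=all`; a finding that the device "was scanned but ignored" is the same symptom the debug output above shows, and it points at the ipsec*-to-device attachment rather than at the address configuration.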