This is a discussion on "Can not start conn with FreeS/WAN U2.04/K2.2.0 (kernel 2.4.26) after Update from 1.96" within the Linux Security forums, part of the System Security and Security Related category.
Hello newsgroups,
the story goes like this: Two gateways running Debian Stable handle a site-to-site VPN with FreeS/WAN 1.96 on kernel 2.4.18 with FreeS/WAN patches (everything deb). Fine. Now we're testing the updated versions as Sarge has become stable meanwhile. This means: FreeS/WAN 2.04 and kernel patches 2.2.0 on kernel 2.4.26 (because from 2.4.27 on the kernel has the backported ipsec stuff from 2.6). The config file is not fully compliant; the changes applied can be seen in the comments below, but should not matter (should...) I think. Secrets and everything stayed the same. Pluto is not very talkative although I set plutodebug to "all". Klipsdebug=all does not show anything suspicious so far, but I can supply a blarf if needed, of course.

So here's what happens:

-+-+-+-+<syslog>-+-+-+-+-
Jul 12 07:50:46 lnx-fw2 ipsec_setup: Starting FreeS/WAN IPsec U2.04/K2.2.0...
Jul 12 07:50:46 lnx-fw2 ipsec_setup: KLIPS debug `none'
Jul 12 07:50:46 lnx-fw2 kernel:
Jul 12 07:50:46 lnx-fw2 ipsec_setup: KLIPS ipsec0 on eth1 212.86.147.194/255.255.255.252 broadcast 212.86.147.195
Jul 12 07:50:47 lnx-fw2 ipsec_setup: ...FreeS/WAN IPsec started
Jul 12 07:50:51 lnx-fw2 ipsec__plutorun: 104 "H1" #1: STATE_MAIN_I1: initiate
Jul 12 07:50:51 lnx-fw2 ipsec__plutorun: ...could not start conn "H1"
Jul 12 08:44:27 lnx-fw2 ipsec_setup: Stopping FreeS/WAN IPsec...
Jul 12 08:44:29 lnx-fw2 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Jul 12 08:44:29 lnx-fw2 kernel:
Jul 12 08:44:29 lnx-fw2 ipsec_setup: ...FreeS/WAN IPsec stopped
Jul 12 08:44:29 lnx-fw2 ipsec_setup: Starting FreeS/WAN IPsec U2.04/K2.2.0...
Jul 12 08:44:29 lnx-fw2 ipsec_setup: KLIPS debug `none'
Jul 12 08:44:29 lnx-fw2 kernel:
Jul 12 08:44:29 lnx-fw2 ipsec_setup: KLIPS ipsec0 on eth1 212.86.147.194/255.255.255.252 broadcast 212.86.147.195
Jul 12 08:44:29 lnx-fw2 ipsec_setup: ...FreeS/WAN IPsec started
Jul 12 08:44:31 lnx-fw2 ipsec__plutorun: 104 "H1" #1: STATE_MAIN_I1: initiate
Jul 12 08:44:31 lnx-fw2 ipsec__plutorun: ...could not start conn "H1"
-+-+-+-+</syslog>-+-+-+-+-

-+-+-+-+<ipsec.conf>-+-+-+-+-
version 2

# basic configuration
config setup
	# default in v2
	#interfaces=%defaultroute
	klipsdebug=none
	plutodebug=all
	# default in v2
	#plutoload=%search
	#plutostart=%search
	# default in v2
	#uniqueids=yes

conn %default
	keyingtries=0
	authby=secret
	# new for version 2 (overwrite new defaults)
	disablearrivalcheck=yes
	leftrsasigkey=%none
	rightrsasigkey=%none

# Tunnel 1
conn H1
	# Left security gateway, subnet behind it, next hop toward right.
	left=212.86.147.58
	leftsubnet=10.10.1.0/24
	leftnexthop=212.86.147.57
	# Right security gateway, subnet behind it, next hop toward left.
	right=212.86.147.194
	rightsubnet=192.168.115.0/24
	rightnexthop=212.86.147.193
	# To authorize this connection, but not actually start it, at startup,
	# uncomment this.
	auto=start

conn block
	auto=ignore
conn private
	auto=ignore
conn private-or-clear
	auto=ignore
conn clear-or-private
	auto=ignore
conn clear
	auto=ignore
conn packetdefault
	auto=ignore
-+-+-+-+</ipsec.conf>-+-+-+-+-

eth0      Link encap:Ethernet  HWaddr 00:02:B3:D3:7A:02
          inet addr:192.168.115.250  Bcast:192.168.115.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:1 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:42 (42.0 b)
          Interrupt:10 Base address:0x8400 Memory:dd000000-dd000038

eth1      Link encap:Ethernet  HWaddr 00:0E:0C:60:28:26
          inet addr:212.86.147.194  Bcast:212.86.147.195  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1569 errors:0 dropped:0 overruns:0 frame:0
          TX packets:871 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:110832 (108.2 KiB)  TX bytes:65112 (63.5 KiB)
          Interrupt:4 Base address:0x8000 Memory:dc000000-dc000038

ipsec0    Link encap:Ethernet  HWaddr 00:0E:0C:60:28:26
          inet addr:212.86.147.194  Mask:255.255.255.252
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
212.86.147.192  0.0.0.0         255.255.255.252 U     0      0        0 eth1
212.86.147.192  0.0.0.0         255.255.255.252 U     0      0        0 ipsec0
10.10.1.0       212.86.147.193  255.255.255.0   UG    0      0        0 ipsec0
192.168.115.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         212.86.147.193  0.0.0.0         UG    0      0        0 eth1

netfilter rules have been set to nothing and all policies to ACCEPT, without change of behaviour of course.

Any help or hints are highly appreciated! Thanks in advance.

Best regards
--
- Nat
Metal headquarters @ http://bleeding.4metal.net
Technology of the 4Metal.net : http://tech.4metal.net
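As an added example (not code from the poster or from FreeS/WAN), the following script parses the ipsec.conf section format shown above, applies the "conn %default" inheritance that FreeS/WAN 2 uses, and reports which tunnels would be initiated at startup (auto=start) together with a few sanity findings. The sample configuration is constructed to mirror the H1 tunnel in the post; the checks assume the FreeS/WAN 2 defaults authby=rsasig and rsasigkey=%dnsondemand, which the poster's "%default" block overrides.

```python
import re

# Constructed sample mirroring the poster's ipsec.conf (abridged).
SAMPLE_CONF = """\
version 2

# basic configuration
config setup
    klipsdebug=none
    plutodebug=all        # trailing comment, stripped by the parser

conn %default
    keyingtries=0
    authby=secret
    disablearrivalcheck=yes
    leftrsasigkey=%none
    rightrsasigkey=%none

# Tunnel 1
conn H1
    left=212.86.147.58
    leftsubnet=10.10.1.0/24
    leftnexthop=212.86.147.57
    right=212.86.147.194
    rightsubnet=192.168.115.0/24
    rightnexthop=212.86.147.193
    auto=start

conn block
    auto=ignore
conn packetdefault
    auto=ignore
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {'version', 'config': {...}, 'conn': {...}}.

    Section headers start in column 1, parameter lines are indented and
    '#' starts a comment to end of line (as in ipsec.conf(5)).
    """
    parsed = {"version": None, "config": {}, "conn": {}}
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():                      # indented: key=value
            if section is None:
                raise ValueError(f"line {lineno}: parameter before any section")
            key, sep, value = line.strip().partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: expected key=value, got {line.strip()!r}")
            section[key.strip()] = value.strip()
            continue
        if line.startswith("version"):
            parsed["version"] = line.split(None, 1)[1].strip()
            section = None
            continue
        match = SECTION_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: unrecognised section header {line!r}")
        kind, name = match.groups()
        section = parsed[kind].setdefault(name, {})
    return parsed


def effective_conns(parsed):
    """Merge 'conn %default' into every other conn; explicit values win."""
    defaults = parsed["conn"].get("%default", {})
    return {name: {**defaults, **params}
            for name, params in parsed["conn"].items() if name != "%default"}


def conns_started_at_boot(parsed):
    """Conns that ipsec_setup would add and initiate at startup (auto=start)."""
    return sorted(n for n, p in effective_conns(parsed).items() if p.get("auto") == "start")


def lint_conn(name, params):
    """Return human-readable findings for one effective conn."""
    findings = []
    for side in ("left", "right"):
        if side not in params:
            findings.append(f"{name}: missing {side}= endpoint")
    # Assumed FreeS/WAN 2 defaults: authby=rsasig, <side>rsasigkey=%dnsondemand.
    if params.get("authby", "rsasig") == "rsasig":
        for side in ("left", "right"):
            if params.get(f"{side}rsasigkey", "%dnsondemand") == "%none":
                findings.append(f"{name}: authby=rsasig but {side}rsasigkey=%none")
    if params.get("auto") == "start" and params.get("keyingtries") == "0":
        findings.append(f"{name}: auto=start with keyingtries=0 retries forever")
    return findings


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    print("version:", conf["version"], "| started at boot:", conns_started_at_boot(conf))
    for conn_name, conn_params in effective_conns(conf).items():
        for finding in lint_conn(conn_name, conn_params):
            print(" ", finding)
```

Running the script against a real file (read it instead of SAMPLE_CONF) shows what each conn actually inherits from %default, which is the quickest way to confirm that a v1-era override such as leftrsasigkey=%none really reaches the tunnel definition after an upgrade.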
on 12.07.2005 10:02 Natanael Mignon wrote:
> meanwhile. This means: FreeS/WAN 2.04 and kernel patches 2.2.0 on kernel
> 2.4.26 (because from 2.4.27 on the kernel has the backported ipsec stuff

Update. Took freeswan from Debian/Testing meanwhile (depends on ipsec-tools and openswan 2.2.0 - so we're talking about OpenS/WAN 2.2 now). The messages and results are exactly the same as before. Ethereal sniffing on the router between the two gateways shows full IKE dialogues; Informational, MainMode and encrypted chat in QuickMode - finalizing with a last Informational package with encrypted payload and that's it. Nothing really of help to me. :-(

> -+-+-+-+<syslog>-+-+-+-+-
> Jul 12 08:44:29 lnx-fw2 ipsec_setup: KLIPS ipsec0 on eth1
> 212.86.147.194/255.255.255.252 broadcast 212.86.147.195
> Jul 12 08:44:29 lnx-fw2 ipsec_setup: ...FreeS/WAN IPsec started
> Jul 12 08:44:31 lnx-fw2 ipsec__plutorun: 104 "H1" #1: STATE_MAIN_I1:
> initiate
> Jul 12 08:44:31 lnx-fw2 ipsec__plutorun: ...could not start conn "H1"
> -+-+-+-+</syslog>-+-+-+-+-

Best regards
--
- Nat
Metal headquarters @ http://bleeding.4metal.net
Technology of the 4Metal.net : http://tech.4metal.net
Another update.

ipsec auto --verbose --add H1
ipsec auto --verbose --up H1

Shows wonderfully perfect dialogues and successfully established ESP connection, no errors or failures whatsoever, plain and smooth like a baby. So what the hell is going on? :-?

on 12.07.2005 11:47 Natanael Mignon wrote:
>> -+-+-+-+<syslog>-+-+-+-+-
>> Jul 12 08:44:29 lnx-fw2 ipsec_setup: KLIPS ipsec0 on eth1
>> 212.86.147.194/255.255.255.252 broadcast 212.86.147.195
>> Jul 12 08:44:29 lnx-fw2 ipsec_setup: ...FreeS/WAN IPsec started
>> Jul 12 08:44:31 lnx-fw2 ipsec__plutorun: 104 "H1" #1: STATE_MAIN_I1:
>> initiate
>> Jul 12 08:44:31 lnx-fw2 ipsec__plutorun: ...could not start conn "H1"
>> -+-+-+-+</syslog>-+-+-+-+-

Regards
--
- Nat
Metal headquarters @ http://bleeding.4metal.net
Technology of the 4Metal.net : http://tech.4metal.net
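The thread's syslog excerpts show pluto reporting "STATE_MAIN_I1: initiate" and then "could not start conn" on every daemon start, while a manual "ipsec auto --up" succeeds. As an added example (not code from the poster or from FreeS/WAN), the following script summarises such syslog lines per connection: how many times the IPsec subsystem was started, which pluto states each conn reached, and which conns were initiated but never progressed beyond the first Main Mode message. The sample log lines are constructed from the format shown in the thread; the syslog and pluto message layouts are assumed to be exactly as printed there.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the poster's syslog excerpt.
SAMPLE_SYSLOG = """\
Jul 12 07:50:46 lnx-fw2 ipsec_setup: Starting FreeS/WAN IPsec U2.04/K2.2.0...
Jul 12 07:50:46 lnx-fw2 kernel:
Jul 12 07:50:47 lnx-fw2 ipsec_setup: ...FreeS/WAN IPsec started
Jul 12 07:50:51 lnx-fw2 ipsec__plutorun: 104 "H1" #1: STATE_MAIN_I1: initiate
Jul 12 07:50:51 lnx-fw2 ipsec__plutorun: ...could not start conn "H1"
Jul 12 08:44:27 lnx-fw2 ipsec_setup: Stopping FreeS/WAN IPsec...
Jul 12 08:44:29 lnx-fw2 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Jul 12 08:44:29 lnx-fw2 ipsec_setup: Starting FreeS/WAN IPsec U2.04/K2.2.0...
Jul 12 08:44:29 lnx-fw2 ipsec_setup: ...FreeS/WAN IPsec started
Jul 12 08:44:31 lnx-fw2 ipsec__plutorun: 104 "H1" #1: STATE_MAIN_I1: initiate
Jul 12 08:44:31 lnx-fw2 ipsec__plutorun: ...could not start conn "H1"
"""

# "Mon DD HH:MM:SS host program: message" (message may be empty, as on kernel: lines)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\s]+): ?(?P<msg>.*)$"
)
# pluto/whack status line: '104 "H1" #1: STATE_MAIN_I1: initiate'
STATE_RE = re.compile(
    r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_[A-Z0-9_]+): (?P<detail>.*)$'
)
FAIL_RE = re.compile(r'could not start conn "(?P<conn>[^"]+)"')


def summarize(log_text):
    """Return {'starts': n, 'conns': {name: {'states': [...], 'failures': n, 'last_state': s}}}."""
    conns = defaultdict(lambda: {"states": [], "failures": 0})
    starts = 0
    for raw in log_text.splitlines():
        match = SYSLOG_RE.match(raw)
        if not match:
            continue                      # skip lines that are not syslog-shaped
        prog, msg = match.group("prog"), match.group("msg")
        if prog == "ipsec_setup" and msg.startswith("Starting "):
            starts += 1
        elif prog == "ipsec__plutorun":
            state = STATE_RE.match(msg)
            if state:
                conns[state.group("conn")]["states"].append(
                    (state.group("state"), state.group("detail")))
                continue
            failure = FAIL_RE.search(msg)
            if failure:
                conns[failure.group("conn")]["failures"] += 1
    for info in conns.values():
        info["last_state"] = info["states"][-1][0] if info["states"] else None
    return {"starts": starts, "conns": dict(conns)}


def never_advanced(summary):
    """Conns that failed and were only ever seen in STATE_MAIN_I1 (first Main Mode message)."""
    return sorted(
        name for name, info in summary["conns"].items()
        if info["failures"] > 0
        and all(state == "STATE_MAIN_I1" for state, _ in info["states"])
    )


if __name__ == "__main__":
    result = summarize(SAMPLE_SYSLOG)
    print("IPsec starts:", result["starts"])
    for conn_name, info in result["conns"].items():
        print(conn_name, "last state:", info["last_state"], "failures:", info["failures"])
    print("initiated but never advanced:", never_advanced(result))
```

A conn listed by never_advanced() while a manual "ipsec auto --up" succeeds points at the startup path rather than at IKE itself; comparing the states pluto logs during the manual run (which should go past STATE_MAIN_I1) with the startup run narrows the search to what differs between the two.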