
linux-ipsec: Test installing the 0.91 release...

From: Hugh Daniel <hugh(at)road.toad.com>
Date: Sun Dec 06 1998 - 07:09:21 EST


  As a follow-up to the announcement of Linux FreeS/WAN 0.91, here are some collected notes gathered over a (busy) period of days while testing the 0.91 release a step at a time.   Most of the problems and gripes below have to do with documentation. This is due to a new direction that the doc is taking, with several smaller files being added to describe different ways of running IPSEC (vpn, extruded subnet, mobile ipsec, host-to-host etc., as well as topics like testing, sysadmining IPSEC etc.).   I like the new direction the team is taking the doc, but please bear with them as everything has to start off raw at some point and this doc is no exception.

  First off I notice that none of the documents have RCS Id strings in them, which is likely a good idea.
  I find myself getting confused in reading all of these various scripting files (/etc/ipsec* etc.); maybe if you had a standard header format with name, RCS ID, short description, pointer at more doc etc. this would be less of a problem.

.../README

	  Is this the file where folks should be told how to GPG/PGP
	test the tar file against the team's key?  If not here, where?
	  It is very weird to be pointed at the doc/vpn.how file
	instead of the INSTALL file directly.  It is also strange how
	late in the file this happens in the README.
	  Why point at the vpn.how document rather than a top level
	roadmap.how or design.how document?

.../INSTALL
  It bothers me that the INSTALL file is in the root directory where someone can find it and not find the roadmap (currently vpn.how) file first. Yet this is traditional.

  0: This paragraph is confusing; maybe it should go in the roadmap.how (or whatever) document and the zero paragraph could then point at the roadmap document. It does not have to do with INSTALL'ing the system.

  12a: There is nothing in this paragraph that points me to the "Networking options --->" menu, so I am a bit lost as to where I should be seeing the various stuff talked about.

  12b: I notice that the "Networking options" entry for IPSEC is labeled as "(EXPERIMENTAL)", but I have not turned on the "Prompt for development and/or incomplete code/drivers" option, so I should not see this label or the ipsec option at all, right?

.../vpn.how
  The ASCII thin maps (like S==G--...--H==T) are cute, but need an index of what the various characters mean. Maybe someone can whip up a few variants to see what works best?

  I love step #2... I don't know what to do in step #5; it needs to be more explicit. Why do you have both steps #5 and #6? Is there some reason to have folks do both manual & automatic keying right from the start? Maybe separate documents are needed for manual and auto VPNs? In #5 there is no idea what to edit; in #6 you have us trash all of the examples that we might need to reference in the future! Some consistency is needed here, and where do I go to look at examples if I am told to delete them all?

  Is paragraph #7 the right place to mention ipsec_ranbits?

  In paragraph #8 it says that all of these files should be "-rw-------" while the system installs the ipsec-auto file as "-rw-r--r--". Which is right?

  Oops, I did the wrong thing and now I have to go back to paragraph #6 and do things the way I was told. First off I tried to create my own profile, which is wrong; then when I read the instructions I did not know how to edit the snt entry (what does "snt" stand for? Is it what the rest of us would call "test"?). You need to tell me EXACTLY what to edit and do, as this stuff is just too complex!

  In paragraph #10 my output looks very different from yours, mostly because I used my real IP numbers; few folks have addresses that are mostly one character. The difference made me have to examine things longer, maybe not a bad thing but it slows the process down. Here is what mine looked like:

west.toad.com Sat Dec 5 03:24:39 PST 1998



209.157.90.160/29 -> 209.157.90.152/29 => tun0x201@209.157.90.145 esp0x203@209.157.90.145
tun0x201@209.157.90.145 IPv4_Encapsulation: dir=out   209.157.90.146 -> 209.157.90.145
esp0x202@209.157.90.146 3DES-MD5-96_Encryption: dir=in  iv=0x3884714110bfb4b4  seq=0  bit=0x00000000  win=0  flags=0x0<>
esp0x203@209.157.90.145 3DES-MD5-96_Encryption: dir=out  iv=0x3884714110bfb4b4  seq=0  bit=0x00000000  win=0  flags=0x0<>
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
209.157.90.144  0.0.0.0         255.255.255.248 U      1500 0          0 eth0
209.157.90.152  209.157.90.145  255.255.255.248 UG     1404 0          0 ipsec0
0.0.0.0         209.157.90.150  0.0.0.0         UG     1500 0          0 eth0
(I delete a large part here where nothing I did worked...)

  Wow, I totally missed the last paragraph in this section, on several readings. Something is wrong here, though it may be me... On the other hand, now pings go round trip! Yea!

  In paragraph #11 you have me use a 5th machine (to run tcpdump); this is far too late in the game to add a machine to the mix! I looked at the map at the top and set up a 4 machine network, not a 5 machine net. Urg.

  Next (still in paragraph #11) I got confused by the example IP address in the ping and pinged the father SG (getting ping packets in the clear). Do something so that I don't get confused the first time I see a SG client machine as a target.

  YIKES, MAJOR BUG! In paragraph #11 you have me ping a client of the remote SG (the target machine, I think of it as) and so I did, from the near SG and not the nearby client! Once again it's time to tell me _exactly_ what to do. FYI: when I pinged, the ping packets never even showed up; if I can re-create this I will report it as a bug later.

  Lastly I don't know what I am looking for; is it something like this?:

...

19:52:53.876323 west.toad.com > east.toad.com: ip-proto-50 116
...
	  Is it a bug if I don't see any pings (well, pongs...) back?
	  Next, how do I run tcpdump in a way to see the ping padding?
	How to see raw packets with tcpdump is not at all clear from
	the man page.
	  So unless I am missing something big, the instructions break
	down big time in paragraph #11.

	  On to paragraph #12; oops, what's this I see about shutting
	down both manual SAs?  Did I miss something?  Yep.  Maybe
	a new paragraph # for setting up the other end of the link
	would be a good idea.

	  A general comment here is that at this point I can't make
	heads or tails out of the S, H, G & T naming scheme.  Can you
	come up with something better, clearer?  Now to paragraph #12:
	here is my first try (I was not told to edit snt so I used ew):

root@east > ipsec auto ew up
403 need --listen before --initiate
  and
root@west > ipsec auto ew up
401 no connection with that name

	  Turns out it did not matter what profile I used as neither
	would have worked, as nothing in the current document ever
	told me to run the 'add' command or edit the /etc/sysconfig
	file to 'add' them at boot time!
	  By default there is no visible error output; where does it
	go?  I had typed one character wrong in my /etc/isakmp-secrets
	file and nothing worked and nothing spit out anything in
	command line space.

	  The last two paragraphs (#13 & #14) seem to need to go into
	a sysadmin.how document.
	

General
  When I ask for "man ipsec_pluto" I get this error message: /usr/local/man/man8/ipsec_pluto.8:788: warning: can't break line

        Running the 0.91 system
  Well I just ran the ipsec release on two machines (east & west) and one (east) came up just right, while the other (west) gave me these messages:

Dec  4 01:14:31 west ipsec_setup: SIOCSIFADDR: No such device 
Dec  4 01:14:31 west modprobe: Can't locate module ipsec0
Dec  4 01:14:31 west last message repeated 2 times
Dec  4 01:14:31 west ipsec_setup: SIOCSIFBRDADDR: No such device 
Dec  4 01:14:31 west modprobe: Can't locate module ipsec0
Dec  4 01:14:31 west modprobe: Can't locate module ipsec0
Dec  4 01:14:31 west ipsec_setup: SIOCSIFNETMASK: No such device 
Dec  4 01:14:32 west ipsec_setup: Starting Pluto:  
Dec  4 01:14:33 west ipsec_setup: Enabling Pluto negotiation:  

  Not only do I get the error messages but the /proc/net/ipsec_* stuff is missing. I have to have screwed something up. Humm, no module and nothing in the kernel symbol table (/boot/System.map).   Yep, that is the set of messages you get if there is no ipsec either in the kernel or as a module. Is it worth wasting script space to test for this condition for the few idiots (like me...) that might run into this problem?


  Why does something as critical as the KLIPSINTERFACES variable have a valid but almost certainly bogus value? Worse, it's hard to see visually, where if it were all XXXX's it would be clear what needs to be done.

  Well, that's my list of gripes and confusions; hopefully it will at least prove amusing.

		||ugh Daniel
		hugh@toad.com

			Systems Testing & Project mis-Management
			The Linux FreeS/WAN Project
			
http://www.xs4all.nl/~freeswan
Received on Sun Dec 6 07:38:55 1998
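The two checks the post asks for (a test that KLIPS is actually in the kernel or loaded as a module before ipsec_setup touches ipsec0, and the "-rw-------" question from vpn.how paragraph #8), as an added example in POSIX sh. This is not code from the post or from the FreeS/WAN project; the /proc/net/ipsec_* glob and the file paths it checks are assumptions taken from the post, and both are parameters so the functions can be run against a scratch directory.

```shell
#!/bin/sh
# Added example (not the post's or FreeS/WAN's own code): a pre-flight check
# for the two conditions the post trips over, KLIPS absent (no
# /proc/net/ipsec_* entries) and key/config files readable by other users.

# Return 0 if any KLIPS /proc entry exists under $1 (default /proc/net).
# With no KLIPS the glob stays unexpanded and the -e test fails.
klips_present() {
    procdir="${1:-/proc/net}"
    for f in "$procdir"/ipsec_*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Return 0 if $1 is exactly -rw------- (what vpn.how paragraph #8 asks for),
# 1 if group or world can read it (the installed ipsec-auto case), 2 if missing.
secret_mode_ok() {
    [ -f "$1" ] || return 2
    case "$(ls -l "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# preflight PROCDIR FILE...: report every problem instead of stopping at the
# first, so the admin sees "no ipsec in kernel" rather than SIOCSIFADDR errors.
preflight() {
    procdir="${1:-/proc/net}"; shift
    rc=0
    if ! klips_present "$procdir"; then
        echo "no ipsec in kernel and no module loaded: $procdir/ipsec_* missing" >&2
        rc=1
    fi
    for s in "$@"; do
        r=0
        secret_mode_ok "$s" || r=$?
        case $r in
            1) echo "$s is not -rw-------: other users can read keys" >&2; rc=1 ;;
            2) echo "$s does not exist" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```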

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:09 EDT

