Re: linux-ipsec: 9th planet (now 8th?) review

-----BEGIN PGP SIGNED MESSAGE-----
> Thanks to Richard for this testing! I've updated the CVS repository

I'll ignore them this time around, but they should be fixed by 0.90.

> | I didn't know if the ipsec module needed to be loaded or not. It seems

Well, have a look at klips/doc/rgb_setup.txt for some ideas. The commands that I think need to be in place are: insmod ipsec, tncfg ...., and ifconfig ipsec0 ...

> | It bugs me (although I am guilty myself) when I get caught by a makefile

I just said it bugged me when I forgot about this...

> | I am happy to see that pluto exits with an error in debug mode when it

Ok, but I saw no obvious protest...maybe it was burried.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

> | Pluto will not notice if the ipsec virtual interface has not been connected

check for ipsec0 -> NULL. This will tell you that it is not wired to anything.

> | With the command:
> |
> | whack 501 <remoteIP> <remotePlutoPort> 0.0.0.0 x x x encrypt
> |
> | Pluto could not set a route for another host on the same subnet to
> | do transport mode. This may already be known... Klips is capable of
> | this.

Not quite. Try:

        route add -host <remoteIP> dev ipsec0

This will route all the traffic that needs processing via ipsec first, otherwise it will completely bypass the module.

> I've just changed Pluto to know this IFF peer == peer's client.

For examples, check the updated spi.c.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

> Pluto did notice that the KLIPS wasn't happy. It reported a write

I'm not entirely sure myself...I'm still trying to discover the best way to get error codes back from the kernel into user space.

> | It appears pluto didn't even try to talk to klips to set the forward esp

Ah.

> | It did nothing on the remote end with klips or route(8).

Ah.

> | Pluto occupies /dev/ipsec, preventing any other process from writing to

Ah. Good.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

> Extracts from RIchard's log, with notes:

I half expected this....

> [Silly Pluto decides that since it cannot digest this packet, it will

        route add -host <peer> dev ipsec0

> The second round ended unhappily with:

Most likely.

> I've made a stab at splitting the keys in kernel.c (the Pluto module

I'll run it to test it before grovelling through that.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

> ================

I wasn't aware of any output that went somewhere else...but I may have simply lost it.

> I've changed Pluto to only use stderr. The distinction between stderr

Thank you.

> ================

I used the tunnel command on a separate invocation that was not spewed in the last message. If the output had been different, I would have posted it. I guess that was not clear.

> This is *not* a problem. Pluto automatically assumes that tunnelling

Good. This should be the expected behaviour.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

> Hugh Redelmeier

        Slainte Mhath, rgb

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNYe5ZN+sBuIhFagtAQEIDgP/YlFCS4uxqEO6NL5EAdTOlpYn3HzJaI4e 3tQU6EdPJ8MahbAzqonir6/0dZCCWXzZ5qdTruiL4lm+J5r6hHZvL4H4C14lv7f8 hdXjcKgFR5cbpyPSkn8yhmpMD/ld54Qrf0wElN8deMbT9CPCadIUjKGaKpNyvm74 TUaLxcUIJdo=
=L9Qn
-----END PGP SIGNATURE----- Received on Wed Jun 17 08:41:13 1998