
[Users] My first 2.x experiences (bad)

From: Paul Wouters <paul(at)xtdnet.nl>
Date: Thu May 08 2003 - 15:06:01 EDT

So I've switched from 1.99 to 2.0 on a very busy server. I used to have it configured using four separate conns, of which three are virtual interfaces (ip aliases). Most notably, my DNS server IP was NOT in any of the conn definitions. I used the following line for that:

interfaces="ipsec0=eth0 ipsec1=eth0:2 ipsec2=eth0:3 ipsec3=eth0:6"

And then used conns like:

conn eth0_2-to-anyone
        # 193.110.157.5 is actually the IP address on eth0:2
        leftsubnet=193.110.157.5/32
        also=eth0-to-anyone

conn eth0_3-to-anyone
        # 193.110.157.7 is actually the IP address on eth0:3
        leftsubnet=193.110.157.7/32
        also=eth0-to-anyone

conn eth0_6-to-anyone
        # 193.110.157.6 is actually the IP address on eth0:6
        leftsubnet=193.110.157.6/32
        also=eth0-to-anyone

conn eth0-to-anyone
        left=193.110.157.76
        leftnexthop=193.110.157.1
        right=%opportunistic
        auto=route
        keylife=1h
        rekey=no

I removed those entries, since this should (I think) be handled by the policygroups now, added a version 2 to the config file, removed the packetdefault keyword, and things started up with errors:

ipsec_setup: Starting FreeS/WAN IPsec 2.00...
ipsec_setup: Using /lib/modules/2.4.19-pre10-ac1/kernel/net/ipsec/ipsec.o
expansionpack #

May  8 20:51:37 expansionpack ipsec_setup: Starting FreeS/WAN IPsec 2.00...
May  8 20:51:37 expansionpack ipsec_setup: Using /lib/modules/2.4.19-pre10-ac1/kernel/net/ipsec/ipsec.o
May  8 20:51:37 expansionpack kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 2.00
May  8 20:51:37 expansionpack ipsec_setup: KLIPS debug `none'
May  8 20:51:37 expansionpack kernel:
May  8 20:51:37 expansionpack ipsec_setup: KLIPS ipsec0 on eth0 193.110.157.76/255.255.255.0 broadcast 193.110.157.255
May  8 20:51:37 expansionpack ipsec_setup: KLIPS ipsec1 on eth0:2 193.110.157.5/255.255.255.0 broadcast 193.110.157.255
May  8 20:51:37 expansionpack ipsec_setup: KLIPS ipsec2 on eth0:3 193.110.157.7/255.255.255.0 broadcast 193.110.157.255
May  8 20:51:37 expansionpack ipsec_setup: KLIPS ipsec3 on eth0:6 193.110.157.6/255.255.255.0 broadcast 193.110.157.255
May  8 20:51:38 expansionpack ipsec_setup: ...FreeS/WAN IPsec started
May  8 20:51:38 expansionpack ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
May  8 20:51:38 expansionpack ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
May  8 20:51:38 expansionpack ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
May  8 20:51:39 expansionpack ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
May  8 20:51:39 expansionpack ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
May  8 20:51:39 expansionpack ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
May  8 20:51:39 expansionpack ipsec__plutorun: 021 no connection named "packetdefault"
May  8 20:51:39 expansionpack ipsec__plutorun: ...could not route conn "packetdefault"
May  8 20:51:39 expansionpack ipsec__plutorun: 021 no connection named "block"
May  8 20:51:39 expansionpack ipsec__plutorun: ...could not route conn "block"
May  8 20:51:39 expansionpack ipsec__plutorun: 021 no connection named "clear-or-private"
May  8 20:51:39 expansionpack ipsec__plutorun: ...could not route conn "clear-or-private"
May  8 20:51:39 expansionpack ipsec__plutorun: 021 no connection named "clear"
May  8 20:51:39 expansionpack ipsec__plutorun: ...could not route conn "clear"
May  8 20:51:39 expansionpack ipsec__plutorun: 021 no connection named "private-or-clear"
May  8 20:51:39 expansionpack ipsec__plutorun: ...could not route conn "private-or-clear"
May  8 20:51:39 expansionpack ipsec__plutorun: 021 no connection named "private"
May  8 20:51:39 expansionpack ipsec__plutorun: ...could not route conn "private"
May  8 20:51:39 expansionpack pluto[17696]: listening for IKE messages
May  8 20:51:39 expansionpack pluto[17696]: adding interface ipsec3/eth0:6 193.110.157.6
May  8 20:51:39 expansionpack pluto[17696]: adding interface ipsec2/eth0:3 193.110.157.7
May  8 20:51:39 expansionpack pluto[17696]: adding interface ipsec1/eth0:2 193.110.157.5
May  8 20:51:39 expansionpack pluto[17696]: adding interface ipsec0/eth0 193.110.157.76
May  8 20:51:39 expansionpack pluto[17696]: loading secrets from "/etc/ipsec.secrets"

The machine however does have one single simple default route. A barf is available at http://www.xtdnet.nl/paul/freeswan-2.0-expansionpack.barf (you need to disable OE to reach the server)

So then I replaced the interface line with the standard:

interfaces=%defaultroute

Then I noticed this really doesn't work well, since this setup didn't exclude my DNS server IP address. I tried putting that IP in /etc/ipsec.d/policies/clear, but that still causes %pass eroutes to appear. Which means I get a lot of them. Currently, there are over 7000 %pass routes in my eroute table. I think this is also causing problems, because I'm also seeing:

May  8 20:31:35 expansionpack pluto[14621]: INTERNAL ERROR: /proc/net/ipsec_eroute line 6715 source subnet field malformed: no / in subnet specification

a few minutes later, I see:

May  8 20:37:37 expansionpack pluto[14621]: ERROR: pfkey write() of SADB_X_DELFLOW message 8792 for flow %pass failed. Errno 14: Bad address
May  8 20:37:37 expansionpack pluto[14621]: | 02 0f 00 0b 0e 00 00 00 58 22 00 00 1d 39 00 00
May  8 20:37:37 expansionpack pluto[14621]: | 03 00 15 00 00 00 00 00 02 00 00 00 c1 6e 9d 04
May  8 20:37:37 expansionpack pluto[14621]: | 00 00 00 00 00 00 00 00 03 00 16 00 00 00 00 00
May  8 20:37:37 expansionpack pluto[14621]: | 02 00 00 00 d5 18 e3 02 00 00 00 00 00 00 00 00
May  8 20:37:37 expansionpack pluto[14621]: | 03 00 17 00 00 00 00 00 02 00 00 00 ff ff ff ff
May  8 20:37:37 expansionpack pluto[14621]: | cc 11 00 00 00 00 00 00 03 00 18 00 00 00 00 00
May  8 20:37:37 expansionpack pluto[14621]: | 02 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00

I'm maxing out my %pass routes somewhere between 6600 and 8000.

A second problem I see is one user who is apparently not set up properly for OE, but does connect to me, fail and respond much too quickly. One user is filling up the log disk. But perhaps this retry is happening because of the first problem.

May  8 20:41:40 expansionpack pluto[14621]: "private-or-clear#0.0.0.0/0"[17] ...80.221.58.204===? #24: no RSA public key known for '@gagarin.marjaniemi.com'; DNS search for KEY failed (no KEY record for gagarin.marjaniemi.com.)
May  8 20:41:40 expansionpack pluto[14621]: "private-or-clear#0.0.0.0/0"[17] ...80.221.58.204===? #24: no RSA public key known for '@gagarin.marjaniemi.com'; DNS search for KEY failed (no KEY record for gagarin.marjaniemi.com.)
May  8 20:42:20 expansionpack pluto[14621]: "private-or-clear#0.0.0.0/0"[17] ...80.221.58.204===? #25: responding to Main Mode from unknown peer 80.221.58.204 
May  8 20:42:20 expansionpack pluto[14621]: "private-or-clear#0.0.0.0/0"[17] ...80.221.58.204===? #25: no RSA public key known for '@gagarin.marjaniemi.com'; DNS search for KEY failed (no KEY record for gagarin.marjaniemi.com.)
May  8 20:42:31 expansionpack pluto[14621]: "private-or-clear#0.0.0.0/0"[17] ...80.221.58.204===? #25: no RSA public key known for '@gagarin.marjaniemi.com'; DNS search for KEY failed (no KEY record for gagarin.marjaniemi.com.)
May  8 20:42:40 expansionpack pluto[14621]: "private-or-clear#0.0.0.0/0"[17] ...80.221.58.204===? #24: max number of retransmissions (2) reached STATE_MAIN_R2
May  8 20:42:51 expansionpack pluto[14621]: "private-or-clear#0.0.0.0/0"[17] ...80.221.58.204===? #25: no RSA public key known for '@gagarin.marjaniemi.com'; DNS search for KEY failed (no KEY record for gagarin.marjaniemi.com.)
May  8 20:43:37 expansionpack pluto[14621]: "private-or-clear#0.0.0.0/0"[18] ...80.221.58.204===? #26: deleting connection "packetdefault" instance with peer 80.221.58.204
May  8 20:43:37 expansionpack pluto[14621]: "private-or-clear#0.0.0.0/0"[18] ...80.221.58.204===? #26: no RSA public key known for '@gagarin.marjaniemi.com'; DNS search for KEY failed (no KEY record for gagarin.marjaniemi.com.)
May  8 20:43:37 expansionpack pluto[14621]: "packetdefault"[18] 0.0.0.0/0=== ...80.221.58.204===? #26: responding to Main Mode from unknown peer 80.221.58.204
May  8 20:43:37 expansionpack pluto[14621]: "private-or-clear#0.0.0.0/0"[18] ...80.221.58.204===? #26: deleting connection "packetdefault" instance with peer 80.221.58.204
May  8 20:43:37 expansionpack pluto[14621]: "private-or-clear#0.0.0.0/0"[18] ...80.221.58.204===? #26: no RSA public key known for '@gagarin.marjaniemi.com'; DNS search for KEY failed (no KEY record for gagarin.marjaniemi.com.)
May  8 20:44:08 expansionpack last message repeated 2 times

Adding leftnexthop=193.110.157.1 to the default section didn't seem to do anything.

So right now, I have no idea how to fix this.

Paul

-- 
Lawyer: "Now sir, I'm sure you are an intelligent and honest man--"
Witness: "Thank you. If I weren't under oath, I'd return the compliment."

http://www.rinkworks.com/said/courtroom.shtml

_______________________________________________
Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
Received on Thu May 8 15:49:11 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:01:30 EDT
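The post above reports two symptoms on the KLIPS side: an eroute table that fills up with thousands of %pass entries, and pluto choking on a /proc/net/ipsec_eroute line whose source subnet has no "/". The following script is an added monitoring example, not code from the post or from FreeS/WAN: it reads an eroute dump, counts entries per policy, reports malformed subnet fields with their line numbers (the same check pluto's error message implies), and flags when the %pass count passes a threshold. The line layout it assumes (packet count, source subnet, "->", destination subnet, "=>", SAID or %policy) is taken from KLIPS 2.x output as I remember it, and the sample dump embedded below is constructed, not captured from the server in the post.

```python
"""Scan a KLIPS /proc/net/ipsec_eroute dump for %pass bloat and malformed
subnet fields.  Added example; not FreeS/WAN code."""
import re
from collections import Counter

# Assumed layout of one eroute line (KLIPS 2.x style, an assumption here):
#   <packets>  <src>/<bits> -> <dst>/<bits> => <said or %policy>
EROUTE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)\s*=>\s*(?P<said>\S+)\s*$"
)

# Constructed sample dump: a %trap catch-all, two %pass holes, one real tunnel,
# and one line whose source field lacks the "/bits" part (the malformed case).
SAMPLE_EROUTES = """\
0          193.110.157.76/32  -> 0.0.0.0/0          => %trap
12         193.110.157.76/32  -> 80.221.58.204/32   => %pass
3          193.110.157.76/32  -> 193.110.157.1/32   => %pass
0          193.110.157.76/32  -> 10.0.0.0/8         => tun0x1002@193.110.157.1
5          193.110.157.76     -> 192.0.2.9/32       => %pass
"""


def parse_eroute(line):
    """Parse one eroute line into a dict; raise ValueError on malformed input."""
    m = EROUTE_RE.match(line)
    if not m:
        raise ValueError("unrecognised eroute line: %r" % line)
    src, dst = m.group("src"), m.group("dst")
    # Mirror pluto's complaint: every subnet field must carry a "/bits" suffix.
    for field, value in (("source", src), ("destination", dst)):
        if "/" not in value:
            raise ValueError(
                "%s subnet field malformed: no / in subnet specification" % field
            )
    return {
        "packets": int(m.group("pkts")),
        "src": src,
        "dst": dst,
        "said": m.group("said"),
    }


def summarise_eroutes(text, pass_limit=6000):
    """Count entries per policy/tunnel, collect malformed lines, flag %pass bloat.

    pass_limit is a constructed operator threshold; the post saw trouble
    somewhere between 6600 and 8000 %pass entries."""
    counts = Counter()
    malformed = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = parse_eroute(line)
        except ValueError as exc:
            malformed.append((lineno, str(exc)))
            continue
        said = entry["said"]
        # %pass, %drop, %hold, %trap are shunt policies; anything else is a SA.
        counts[said if said.startswith("%") else "tunnel"] += 1
    return {
        "counts": dict(counts),
        "malformed": malformed,
        "pass_over_limit": counts["%pass"] > pass_limit,
    }


if __name__ == "__main__":
    import sys

    # Read a live table with: python3 eroute_check.py < /proc/net/ipsec_eroute
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EROUTES
    report = summarise_eroutes(data)
    for said, n in sorted(report["counts"].items()):
        print("%-12s %d" % (said, n))
    for lineno, msg in report["malformed"]:
        print("line %d: %s" % (lineno, msg))
    if report["pass_over_limit"]:
        print("WARNING: %pass eroute count above limit")
```

Run against the real table by piping /proc/net/ipsec_eroute into it from cron; a rising %pass count or any malformed line is the early signal of the condition the post describes, well before pfkey writes start failing.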
