Bug#596172: openswan: pluto erroneously adds host route for IP with valid

2011-02-14 Thread Athanasius 
On Fri, Feb 11, 2011 at 11:14:12PM +0100, Harald Jenny wrote:
 could you please try the openswan 2.6 version from lenny-backports and see if
 the problem got solved there?

  Yes, that appears to be working perfectly.  A simple:

aptitude -t lenny-backports install openswan

telling it to keep my current config and it's working.

-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
  Finger athan(at)fysh.org for PGP key
   And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence. Paula Cole - ME



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#596172: openswan: pluto erroneously adds host route for IP with valid

2011-02-14 Thread Harald Jenny 
On Mon, Feb 14, 2011 at 01:00:51PM +, Athanasius wrote:
 On Fri, Feb 11, 2011 at 11:14:12PM +0100, Harald Jenny wrote:
  could you please try the openswan 2.6 version from lenny-backports and see 
  if
  the problem got solved there?
 
   Yes, that appears to be working perfectly.  A simple:
 
 aptitude -t lenny-backports install openswan
 
 telling it to keep my current config and it's working.

So may I close this bug report as solved - as 2.4 is deprecated by upstream
it may not be really feasable to fix it :-/ )?

 
 -- 
 - Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
   Finger athan(at)fysh.org for PGP key
  And it's me who is my enemy. Me who beats me up.
 Me who makes the monsters. Me who strips my confidence. Paula Cole - ME



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#596172: openswan: pluto erroneously adds host route for IP with valid

2011-02-14 Thread Athanasius 
On Mon, Feb 14, 2011 at 02:21:37PM +0100, Harald Jenny wrote:
 On Mon, Feb 14, 2011 at 01:00:51PM +, Athanasius wrote:
  aptitude -t lenny-backports install openswan
  
  telling it to keep my current config and it's working.
 
 So may I close this bug report as solved - as 2.4 is deprecated by upstream
 it may not be really feasable to fix it :-/ )?

  Fine by me, especially given squeeze is now the Stable (and I'll be
upgrading to that in the next month or so).

-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
  Finger athan(at)fysh.org for PGP key
   And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence. Paula Cole - ME


signature.asc
Description: Digital signature

Bug#596172: openswan: pluto erroneously adds host route for IP with valid

2011-02-11 Thread Harald Jenny 
Dear Athanasius,

could you please try the openswan 2.6 version from lenny-backports and see if
the problem got solved there?

Kind regards
Harald Jenny



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#596172: openswan: pluto erroneously adds host route for IP with valid network route

2010-09-24 Thread Harald Jenny 
Dear Athanasius,

if I understand you correctly the problem is that your android device is
currently on the same network as your server and that openswan is adding
a route for the host is this what you mean? I estimate you are using NETKEY
(the built-in IPSec stack from Debian kernel)? For this to work I think you
may need to add a passthrough rule for the rest of the net (please look at
man ipsec.conf for the syntax).

Kind regards
Harald Jenny



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#596172: openswan: pluto erroneously adds host route for IP with valid network route

2010-09-08 Thread Athanasius 
Package: openswan
Version: 1:2.4.12+dfsg-1.3+lenny2
Severity: important

  In trying to get an L2TP/IPSec tunnel up from my Android-based phone to
my server for use when on untrusted WiFi I've obviously been testing it
at home.
  So I have a WiFi Access Point on 192.168.11.0/24, my server on .1, the
WAP on .2 and my phone on .4.  When I start up the connection pluto
decides to call _uproute in order to add a host route for
192.168.11.4/32... to whatever device pluto is listening on connections
for.  This of course is *not* the same device as the 192.168.11.0/24
network is on, so I end up with:

00:57:02 1$ ip -4 route
82.69.184.122 dev ethpriv  scope link 
82.69.184.123 dev ethpriv  scope link 
82.69.184.124 dev ethpriv  scope link 
192.168.11.4 dev ethpub  scope link 
82.69.184.125 dev ethpriv  scope link 
82.69.184.120/29 dev ethpub  proto kernel  scope link  src 82.69.184.121 
192.168.1.0/24 dev ethpriv  proto kernel  scope link  src 192.168.1.162 
192.168.11.0/24 dev ethwap  proto kernel  scope link  src 192.168.11.1 
default via 82.69.184.126 dev ethpub 

82.69.184.120/29 is my ISP-provided network and route to the internet.

I had a similar thing happen when testing with my 192.168.1.0/24 local
network.  I'd end up with a:

192.168.11.4 dev ethpriv scope link

route, blocking my server from talking back to the phone.

  Given any device connecting to OpenSwan/pluto can be from some
arbitrary IP I think it can be assumed that my server will already have
a route back to it.  So why bother even attempting to add this route at
all ?  It seems to be a leftover from the other/prior IPSec
implementation where the connection would come in over an ipsecx
device rather than just staying on the normal device as it does now.

  Anyway, I've worked around this for now by modifying
/usr/lib/ipsec/_uproute so that uproute() looks like:

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
if [ ${PLUTO_INTERFACE} == ${defaultroutephys} ];
then
return
fi
doroute add
ip route flush cache
}

I'd guess the most common way to setup OpenSwan is listening on the
default route interface, but can also see setups where it might be on an
internal network (think of a secure internal network with a WAP
attached, firewalled off other than IPSec, and using tunnels to get WAP
clients onto that secure network).  So, this isn't a perfect fix.
Really I think it needs the whole code reviewing to only even attempt
these routes if the IPSec connection has resulted in a special network
interface for the connection in question.  This does not happen with my
setup using a 2.6.35.4 kernel and Debian lenny all up to date.

  I did glance quickly over the squeeze/testing changelog for Openswan
and couldn't spot anything that might have fixed this (but I only
searched quickly on 'route'), so this bug may well still be in that
version too.

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.35.4amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openswan depends on:
ii  bsdmainutils  6.1.10 collection of more utilities from 
ii  debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii  debianutils   2.30   Miscellaneous utilities specific t
ii  host  2331-9 utility for querying DNS servers
ii  iproute   20080725-2 networking and traffic control too
ii  ipsec-tools   1:0.7.1-1.3+lenny2 IPsec tools for Linux
ii  libc6 2.7-18lenny4   GNU C Library: Shared libraries
ii  libcurl3  7.18.2-8lenny4 Multi-protocol file transfer libra
ii  libgmp3c2 2:4.2.2+dfsg-3 Multiprecision arithmetic library
ii  libldap-2.4-2 2.4.11-1+lenny2OpenLDAP libraries
ii  libpam0g  1.0.1-5+lenny1 Pluggable Authentication Modules l
ii  libssl0.9.8   0.9.8g-15+lenny8   SSL shared libraries
ii  openssl   0.9.8g-15+lenny8   Secure Socket Layer (SSL) binary a

openswan recommends no packages.

Versions of packages openswan suggests:
ii  curl  7.18.2-8lenny4 Get a file from an HTTP, HTTPS or 
pn  openswan-modules-source | none (no description available)

-- debconf information:
  openswan/existing_x509_key_filename:
  openswan/x509_state_name:
  openswan/rsa_key_length: 2048
  openswan/restart: true
  openswan/start_level: earliest
* openswan/enable-oe: false
  openswan/existing_x509_certificate: false
  openswan/existing_x509_certificate_filename:
* openswan/create_rsa_key: false
  openswan/x509_email_address:
  openswan/x509_country_code: AT
  openswan/x509_self_signed: true
  openswan/x509_organizational_unit: