Re: [strongSwan] [patch] add support for --disable-threads

2008-12-02 Thread Thomas Jarosch
On Tuesday, 2. December 2008 10:05:10 you wrote:
 Thanks, applied to [4735].

 I slightly modified the patch that this option affects pluto only. I
 think it might be somewhat confusing for a user if --disable-threads
 completely removes IKEv2 support.

Fine with me. I thought threads are needed for charon...

The strongswan download page still links to the old CVS repository.
As the revision number indicated the source is maintained via SVN,
I quickly found the trac link while searching the mailing list archive ;-)

Thomas

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] received netlink error: Invalid argument (22)

2008-12-02 Thread Vit Pelcak
Thank you for your response.

Well, I was testing this:

http://www.strongswan.org/uml/testresults42/openssl/ike-alg-ecp-low/

Example configurations must be wrong then.

Martin Willi wrote:
 Hi,

 carol# ipsec up home
 received TS_UNACCEPTABLE notify, no CHILD_SA built

 Carol proposes
 leftsubnet=10.20.5.46/16
 rightsubnet=10.20.5.46/16
 , but moon accepts
 leftsubnet=10.20.5.46/16
 only. Not defining a subnet results in a host2host tunnel.

 Do you really want to include a subnet on the client side?

 dave# ipsec up home
 received netlink error: Invalid argument (22)
 unable to install source route for 10.0.3.3

 The tunnel should be OK, just the route is missing. We use a separate
 routing table (220) to install our routes, probably support for
 additional tables is missing in your kernel. Double-check if your kernel
 supports multiple routing tables [1], or set the routing_table option to
 0 for the main table (not recommended, see [2]).

 Regards
 Martin

 [1]http://trac.strongswan.org/wiki/KernelModules
 [2]http://trac.strongswan.org/wiki/strongswanConf



Re: [strongSwan] received netlink error: Invalid argument (22)

2008-12-02 Thread Martin Willi
Hi,

 carol# ipsec up home
 received TS_UNACCEPTABLE notify, no CHILD_SA built

Carol proposes 
 leftsubnet=10.20.5.46/16
 rightsubnet=10.20.5.46/16
, but moon accepts
 leftsubnet=10.20.5.46/16
only. Not defining a subnet results in a host2host tunnel.

Do you really want to include a subnet on the client side?

 dave# ipsec up home
 received netlink error: Invalid argument (22)
 unable to install source route for 10.0.3.3

The tunnel should be OK, just the route is missing. We use a separate
routing table (220) to install our routes, probably support for
additional tables is missing in your kernel. Double-check if your kernel
supports multiple routing tables [1], or set the routing_table option to
0 for the main table (not recommended, see [2]).

Regards
Martin

[1]http://trac.strongswan.org/wiki/KernelModules
[2]http://trac.strongswan.org/wiki/strongswanConf
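
Added example (not part of Martin's message or of the strongSwan sources): a shell check for the kernel options that a separate routing table such as 220 depends on. That CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES are the relevant options comes from general kernel knowledge rather than from the thread, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: check a kernel config for policy-routing support.
# Usage: check_policy_routing [config-file]

# Print the kernel config from the given file (plain or gzip). With no
# argument, try the usual locations for the running kernel.
read_kernel_config() {
    cfg=${1:-}
    if [ -z "$cfg" ]; then
        for c in /proc/config.gz "/boot/config-$(uname -r)"; do
            if [ -r "$c" ]; then cfg=$c; break; fi
        done
    fi
    [ -n "$cfg" ] && [ -r "$cfg" ] || return 2
    case $cfg in
        *.gz) gzip -dc "$cfg" ;;
        *)    cat "$cfg" ;;
    esac
}

# Return 0 if both options are built in, 1 if one is missing (the missing
# names are printed), 2 if no kernel config could be read.
check_policy_routing() {
    config=$(read_kernel_config "${1:-}") || return 2
    missing=""
    # Assumption: these are the options behind "multiple routing tables".
    for opt in CONFIG_IP_ADVANCED_ROUTER CONFIG_IP_MULTIPLE_TABLES; do
        printf '%s\n' "$config" | grep -q "^${opt}=y" || missing="$missing $opt"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}
```

A return value of 1 matches the situation described in the reply: the tunnel comes up, but the source route cannot be installed into table 220.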





Re: [strongSwan] [patch] add missing include

2008-12-02 Thread Martin Willi
Hi Thomas,

 attached patch fixes a small compile error of struct tm not being defined.

Applied to [4733], thanks.

Best regards
Martin





Re: [strongSwan] updown script failure?

2008-12-02 Thread Andreas Steffen
There seems to be a problem with iptables:

 charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615
 charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615

Which kernel and which iptables version are you using? Are you able
to insert an IPsec policy iptables rule manually?

iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT

iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  -s $PLUTO_MY_CLIENT $S_MY_PORT \
  -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT

Just replace all script parameters by their actual values.

The VPN_LOGGING information seems to be correct:

 vpn: + [EMAIL PROTECTED]
   10.10.0.1/32 == 65.x.x.138 -- 63.x.x.205 == 0.0.0.0/0

generated by

logger -t $TAG -p $FAC_PRIO \
  "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"

Best regards

Andreas

[EMAIL PROTECTED] wrote:
 Hi,
 
 have a problem with my strongswan set up.  It looks like the insertion
 of a firewall rule by the updown script seems to be failing. The log
 messaging I am getting is not giving me a lot to go on... (my loglevel
 is set to 5 for CHD)  I am hoping someone has seen this issue before
 or could recommend a troubleshooting way forward.
 
 Thanks
 -Dan C.
 
 General FYI
 Kernel=2.6.9-42.0.3
 No issues on startup
 Using EAP SIM Authentication
 Public IP addresses have been 'modified' in log below
 strongswan-4.2.5
 
 Log Message on tunnel initiation
 charon: 09[AUD] IKE_SA rw-eapsim-131000123601[1] established
 between [EMAIL PROTECTED]
 charon: 09[IKE] peer requested virtual IP %any
 charon: 09[IKE] assigning virtual IP 10.10.0.1 to peer
 charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615
 charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615
 vpn: + [EMAIL PROTECTED] 10.10.0.1/32 == 65.x.x.138 --
 63.x.x.205 == 0.0.0.0/0
 charon: 09[AUD] CHILD_SA rw-eapsim-abc{1} established with SPIs
 c2cb37d5_i 33908b00_o and TS 0.0.0.0/0 === 10.10.0.1/32
 
 
 Log Message on Strongswan shutdown
  charon: 01[CHD] running updown script: 21 PLUTO_VERSION='1.1'
 PLUTO_VERB='down-client' PLUTO_CONNECTION='rw-eapsim-abc'
 PLUTO_INTERFACE='eth0' PLUTO_REQID='2' PLUTO_ME='63.x.x.205'
 PLUTO_MY_ID='sgw.xxx.com' PLUTO_MY_CLIENT='0.0.0.0/0'
 PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0'
 PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='65.x.x.138'
 PLUTO_PEER_ID='[EMAIL PROTECTED]'
 PLUTO_PEER_CLIENT='10.10.0.1/32' PLUTO_PEER_CLIENT_NET='10.10.0.1'
 PLUTO_PEER_CLIENT_MASK='32' PLUTO_PEER_PORT='0'
 PLUTO_PEER_PROTOCOL='0' ipsec _updown iptables
 charon: 01[CHD] updown: iptables: Bad rule (does a matching rule exist
 in that chain?)
 charon: 01[CHD] updown: iptables: Bad rule (does a matching rule exist
 in that chain?)
 vpn: - [EMAIL PROTECTED] 10.10.0.1/32 ==
 65.57.245.138 -- 63.80.235.205 == 0.0.0.0/0


-- 
==
Andreas Steffen [EMAIL PROTECTED]
strongSwan - the Linux VPN Solution! www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
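
Added example (not part of Andreas' message or of the _updown script): the substitution he describes, done by a shell script that reads the PLUTO_* values from the "running updown script" log line quoted in the thread and prints the two rules for manual testing. The expansion of $IPSEC_POLICY_IN/$IPSEC_POLICY_OUT to an iptables policy match on the reqid, and the port options being left out when the port is 0, are assumptions; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: fill the updown rule templates with the PLUTO_* values
# from the "running updown script" log line posted in the thread.

# The log line as posted, joined into one string.
UPDOWN_LOG="charon: 01[CHD] running updown script: 21 PLUTO_VERSION='1.1' \
PLUTO_VERB='down-client' PLUTO_CONNECTION='rw-eapsim-abc' \
PLUTO_INTERFACE='eth0' PLUTO_REQID='2' PLUTO_ME='63.x.x.205' \
PLUTO_MY_ID='sgw.xxx.com' PLUTO_MY_CLIENT='0.0.0.0/0' \
PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0' PLUTO_MY_PORT='0' \
PLUTO_MY_PROTOCOL='0' PLUTO_PEER='65.x.x.138' PLUTO_PEER_ID='[EMAIL PROTECTED]' \
PLUTO_PEER_CLIENT='10.10.0.1/32' PLUTO_PEER_CLIENT_NET='10.10.0.1' \
PLUTO_PEER_CLIENT_MASK='32' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' \
ipsec _updown iptables"

# Print the value of one PLUTO_* variable from the log line.
pluto_var() {
    printf '%s\n' "$UPDOWN_LOG" | sed -n "s/.* $1='\([^']*\)'.*/\1/p"
}

# Print " --sport N" or " --dport N" unless the port is 0 (assumed: any port).
port_opt() {
    p=$(pluto_var "$2")
    [ -n "$p" ] && [ "$p" != 0 ] && printf ' %s %s' "$1" "$p"
    return 0
}

# Print the rule for direction "in" or "out"; nothing is executed.
build_rule() {
    iface=$(pluto_var PLUTO_INTERFACE)
    my=$(pluto_var PLUTO_MY_CLIENT)
    peer=$(pluto_var PLUTO_PEER_CLIENT)
    # Assumption: IPSEC_POLICY_IN/_OUT expand to this policy match. The
    # reqid must be the one of the CHILD_SA that is currently installed.
    pol="-m policy --pol ipsec --proto esp --reqid $(pluto_var PLUTO_REQID)"
    case $1 in
    in)  echo "iptables -I INPUT 1 -i $iface -p $(pluto_var PLUTO_MY_PROTOCOL)" \
              "-s $peer$(port_opt --sport PLUTO_PEER_PORT)" \
              "-d $my$(port_opt --dport PLUTO_MY_PORT) $pol --dir in -j ACCEPT" ;;
    out) echo "iptables -I OUTPUT 1 -o $iface -p $(pluto_var PLUTO_PEER_PROTOCOL)" \
              "-s $my$(port_opt --sport PLUTO_MY_PORT)" \
              "-d $peer$(port_opt --dport PLUTO_PEER_PORT) $pol --dir out -j ACCEPT" ;;
    *)   return 2 ;;
    esac
}

build_rule in
build_rule out
```

Running the printed commands by hand as root shows whether iptables itself rejects the rule, independently of charon and the updown script.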
