With plutodebug=all

Jul 16 18:26:35 debian7vm pluto[6617]: listening for IKE messages
Jul 16 18:26:35 debian7vm pluto[6617]: | Inspecting interface lo
Jul 16 18:26:35 debian7vm pluto[6617]: | found lo with address 127.0.0.1
Jul 16 18:26:35 debian7vm pluto[6617]: | Inspecting interface eth0
Jul 16 18:26:35 debian7vm pluto[6617]: | found eth0 with address 192.168.8.129
Jul 16 18:26:35 debian7vm pluto[6617]: | Inspecting interface eth0:0
Jul 16 18:26:35 debian7vm pluto[6617]: | found eth0:0 with address 192.168.8.111
Jul 16 18:26:35 debian7vm pluto[6617]: | IP interface eth0:0 192.168.8.111 has no matching ipsec* interface -- ignored
Jul 16 18:26:35 debian7vm pluto[6617]: | IP interface eth0 192.168.8.129 has no matching ipsec* interface -- ignored
Jul 16 18:26:35 debian7vm pluto[6617]: | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
Jul 16 18:26:35 debian7vm pluto[6617]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Jul 16 18:26:35 debian7vm pluto[6617]: | IP interface lo ::1 has no matching ipsec* interface -- ignored
Jul 16 18:26:35 debian7vm pluto[6617]: no public interfaces found

2014-07-16 19:19 GMT+02:00 csszep <[email protected]>:
> Hi Paul!
>
> It does not work on Debian 7.
>
> This is the super simple config:
>
> config setup
>     protostack=klips
>     interfaces="ipsec0=eth0:0"
>     nat_traversal=yes
>
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
>
> route -n
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         192.168.8.2     0.0.0.0         UG    0      0        0 eth0
> 192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>
> ifconfig
>
> eth0      Link encap:Ethernet HWaddr 00:0c:29:a2:80:64
>           inet addr:192.168.8.129 Bcast:192.168.8.255 Mask:255.255.255.0
>           inet6 addr: fe80::20c:29ff:fea2:8064/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>           RX packets:1212 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:385 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:114452 (111.7 KiB) TX bytes:47059 (45.9 KiB)
>
> eth0:0    Link encap:Ethernet HWaddr 00:0c:29:a2:80:64
>           inet addr:192.168.8.111 Bcast:192.168.8.255 Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>
> ipsec0    Link encap:Ethernet HWaddr 00:0c:29:a2:80:64
>           inet6 addr: fe80::20c:29ff:fea2:8064/128 Scope:Link
>           UP RUNNING NOARP MTU:16260 Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:2 overruns:0 carrier:0
>           collisions:0 txqueuelen:10
>           RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1 Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING MTU:16436 Metric:1
>           RX packets:89 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:12514 (12.2 KiB) TX bytes:12514 (12.2 KiB)
>
> Jul 16 18:04:38 debian7vm ipsec__plutorun: Starting Pluto subsystem...
> Jul 16 18:04:38 debian7vm pluto[4348]: nss directory plutomain: /etc/ipsec.d
> Jul 16 18:04:38 debian7vm pluto[4348]: NSS Initialized
> Jul 16 18:04:38 debian7vm pluto[4348]: libcap-ng support [enabled]
> Jul 16 18:04:38 debian7vm pluto[4348]: FIPS HMAC integrity support [disabled]
> Jul 16 18:04:38 debian7vm pluto[4348]: Linux audit support [disabled]
> Jul 16 18:04:38 debian7vm pluto[4348]: Starting Pluto (Libreswan
> Version 3.9 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM
> NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:4348
> Jul 16 18:04:38 debian7vm pluto[4348]: core dump dir: /var/run/pluto
> Jul 16 18:04:38 debian7vm pluto[4348]: secrets file: /etc/ipsec.secrets
> Jul 16 18:04:38 debian7vm pluto[4348]: leak-detective disabled
> Jul 16 18:04:38 debian7vm pluto[4348]: SAref support [disabled]:
> Protocol not available
> Jul 16 18:04:38 debian7vm pluto[4348]: SAbind support [disabled]:
> Protocol not available
> Jul 16 18:04:38 debian7vm pluto[4348]: NSS crypto [enabled]
> Jul 16 18:04:38 debian7vm pluto[4348]: XAUTH PAM support [enabled]
> Jul 16 18:04:38 debian7vm pluto[4348]: NAT-Traversal support [enabled]
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_384: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Jul 16 18:04:38 debian7vm pluto[4348]: starting up 1 crypto helpers
> Jul 16 18:04:38 debian7vm pluto[4348]: started thread for crypto
> helper 0 (master fd 6)
> Jul 16 18:04:38 debian7vm pluto[4348]: Using KLIPS IPsec interface
> code on 3.2.0-4-amd64
> Jul 16 18:04:38 debian7vm pluto[4348]: listening for IKE messages
> Jul 16 18:04:38 debian7vm pluto[4348]: no public interfaces found
> Jul 16 18:04:38 debian7vm pluto[4348]: loading secrets from
> "/etc/ipsec.secrets"
> Jul 16 18:04:38 debian7vm pluto[4348]: loading secrets from
> "/var/lib/libreswan/ipsec.secrets.inc"
>
> With interfaces="ipsec0=eth0" it works of course:
>
> ifconfig
> eth0      Link encap:Ethernet HWaddr 00:0c:29:a2:80:64
>           inet addr:192.168.8.129 Bcast:192.168.8.255 Mask:255.255.255.0
>           inet6 addr: fe80::20c:29ff:fea2:8064/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>           RX packets:1983 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1147 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:177448 (173.2 KiB) TX bytes:628939 (614.1 KiB)
>
> eth0:0    Link encap:Ethernet HWaddr 00:0c:29:a2:80:64
>           inet addr:192.168.8.111 Bcast:192.168.8.255 Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>
> ipsec0    Link encap:Ethernet HWaddr 00:0c:29:a2:80:64
>           inet addr:192.168.8.129 Mask:255.255.255.255
>           inet6 addr: fe80::20c:29ff:fea2:8064/128 Scope:Link
>           UP RUNNING NOARP MTU:16260 Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:1 overruns:0 carrier:0
>           collisions:0 txqueuelen:10
>           RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
> Jul 16 18:09:04 debian7vm ipsec__plutorun: Starting Pluto subsystem...
> Jul 16 18:09:04 debian7vm pluto[4653]: nss directory plutomain: /etc/ipsec.d
> Jul 16 18:09:04 debian7vm pluto[4653]: NSS Initialized
> Jul 16 18:09:04 debian7vm pluto[4653]: libcap-ng support [enabled]
> Jul 16 18:09:04 debian7vm pluto[4653]: FIPS HMAC integrity support [disabled]
> Jul 16 18:09:04 debian7vm pluto[4653]: Linux audit support [disabled]
> Jul 16 18:09:04 debian7vm pluto[4653]: Starting Pluto (Libreswan
> Version 3.9 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM
> NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:4653
> Jul 16 18:09:04 debian7vm pluto[4653]: core dump dir: /var/run/pluto
> Jul 16 18:09:04 debian7vm pluto[4653]: secrets file: /etc/ipsec.secrets
> Jul 16 18:09:04 debian7vm pluto[4653]: leak-detective disabled
> Jul 16 18:09:04 debian7vm pluto[4653]: SAref support [disabled]:
> Protocol not available
> Jul 16 18:09:04 debian7vm pluto[4653]: SAbind support [disabled]:
> Protocol not available
> Jul 16 18:09:04 debian7vm pluto[4653]: NSS crypto [enabled]
> Jul 16 18:09:04 debian7vm pluto[4653]: XAUTH PAM support [enabled]
> Jul 16 18:09:04 debian7vm pluto[4653]: NAT-Traversal support [enabled]
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_384: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Jul 16 18:09:04 debian7vm pluto[4653]: starting up 1 crypto helpers
> Jul 16 18:09:04 debian7vm pluto[4653]: started thread for crypto
> helper 0 (master fd 6)
> Jul 16 18:09:04 debian7vm pluto[4653]: Using KLIPS IPsec interface
> code on 3.2.0-4-amd64
> Jul 16 18:09:04 debian7vm pluto[4653]: listening for IKE messages
> Jul 16 18:09:04 debian7vm pluto[4653]: adding interface ipsec0/eth0
> 192.168.8.129:500
> Jul 16 18:09:04 debian7vm pluto[4653]: adding interface ipsec0/eth0
> 192.168.8.129:4500
> Jul 16 18:09:04 debian7vm pluto[4653]: loading secrets from
> "/etc/ipsec.secrets"
> Jul 16 18:09:04 debian7vm pluto[4653]: loading secrets from
> "/var/lib/libreswan/ipsec.secrets.inc"
>
> Thx
> Csszep
>
> 2014-07-16 17:02 GMT+02:00 Paul Wouters <[email protected]>:
>> On Wed, 16 Jul 2014, csszep wrote:
>>
>>> I'm migrating from openswan to libreswan and i have a host with
>>> multiple interfaces and secondary address.
>>>
>>> With openswan (2.6.28) the following line works:
>>>
>>> interfaces="ipsec0=eth5:0 ipsec1=eth4:0 ipsec2=eth3:0
>>
>> Are you missing a closing quote (") there ?
>>
>>> Pluto listens on secondary address on these interfaces
>>
>> It works for me?
>>
>> [root@road ~]# ifconfig eth0:1 11.1.2.3/24
>> [root@road ~]# ipsec version
>> Linux Libreswan Uv3.9-86-gc7e82bb-master/K(no kernel code presently
>> loaded) on 3.13.6-200.fc20.x86_64
>> [root@road ~]# ifconfig
>> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>         inet 192.1.3.209 netmask 255.255.255.0 broadcast 192.1.3.255
>>         ether 12:00:00:ab:cd:02 txqueuelen 1000 (Ethernet)
>>         RX packets 10342 bytes 2533695 (2.4 MiB)
>>         RX errors 0 dropped 5 overruns 0 frame 0
>>         TX packets 11878 bytes 9857645 (9.4 MiB)
>>         TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>
>> eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>         inet 11.1.2.3 netmask 255.255.255.0 broadcast 11.1.2.255
>>         ether 12:00:00:ab:cd:02 txqueuelen 1000 (Ethernet)
>>
>> [root@road ~]# grep interfaces /etc/ipsec.conf
>> interfaces="ipsec0=eth0:1"
>> [root@road ~]# ipsec start
>> Redirecting to: systemctl start ipsec.service
>>
>> [root@road ~]# grep interface /tmp/pluto.log Using KLIPS IPsec interface
>> code on 3.13.6-200.fc20.x86_64
>> | Inspecting interface lo | Inspecting interface eth0 | Inspecting interface
>> eth0:1 | Inspecting interface ipsec0 adding interface ipsec0/eth0:1
>> 11.1.2.3:500
>> adding interface ipsec0/eth0:1 11.1.2.3:4500
>> | IP interface eth0 192.1.3.209 has no matching ipsec* interface -- ignored
>> | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
>>
>> [root@road ~]# ipsec tncfg
>> ipsec0 -> eth0 mtu=16260(1500) -> 1500
>> ipsec1 -> NULL mtu=0(0) -> 0
>>
>> test on machine with multiple interfaces:
>>
>> [root@east ~]# ifconfig eth0:0 10.0.0.0/24
>> [root@east ~]# ifconfig eth1:0 10.0.1.0/24
>> [root@east ~]# ifconfig eth2:0 10.0.2.0/24
>> [root@east ~]# grep interfaces /etc/ipsec.conf
>> interfaces="ipsec0=eth0:0 ipsec1=eth1:0 ipsec2=eth2:0"
>>
>> [root@east ~]# ipsec version
>> Linux Libreswan Uv3.9-86-gc7e82bb-master/K(no kernel code presently
>> loaded) on 3.13.6-200.fc20.x86_64
>> [root@east ~]# ipsec start
>> Redirecting to: systemctl start ipsec.service
>> [root@east ~]# grep interface /tmp/pluto.log Using KLIPS IPsec interface
>> code on 3.13.6-200.fc20.x86_64
>> | Inspecting interface lo | Inspecting interface eth0 | Inspecting interface
>> eth0:0 | Inspecting interface eth1 | Inspecting interface eth1:0 |
>> Inspecting interface eth2 | Inspecting interface eth2:0 | Inspecting
>> interface ipsec0 | Inspecting interface ipsec1 | Inspecting interface ipsec2
>> adding interface ipsec2/eth2:0 10.0.2.0:500
>> adding interface ipsec2/eth2:0 10.0.2.0:4500
>> | IP interface eth2 192.9.2.23 has no matching ipsec* interface --
>> ignored
>> adding interface ipsec1/eth1:0 10.0.1.0:500
>> adding interface ipsec1/eth1:0 10.0.1.0:4500
>> | IP interface eth1 192.1.2.23 has no matching ipsec* interface --
>> ignored
>> adding interface ipsec0/eth0:0 10.0.0.0:500
>> adding interface ipsec0/eth0:0 10.0.0.0:4500
>> | IP interface eth0 192.0.2.254 has no matching ipsec* interface --
>> ignored
>> | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
>> [root@east ~]#
>>
>> Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
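
A startup check for the symptom discussed in this thread, as an added example that is not part of the original messages or libreswan's own code: it compares an `interfaces=` value with pluto's startup log and reports, per mapping, whether IKE listeners (ports 500/4500) were opened or the address was ignored. The function names are assumptions; the sample log lines are taken from the two Debian 7 runs quoted above, with mail wraps rejoined.

```python
import re

# Patterns for the pluto startup messages quoted in this thread.
ADDED = re.compile(r"adding interface (ipsec\d+)/(\S+) (\S+):(\d+)\s*$")
IGNORED = re.compile(
    r"IP interface (\S+) (\S+) has no matching ipsec\* interface -- ignored")
NONE_FOUND = "no public interfaces found"

def parse_interfaces(value):
    """Split an ipsec.conf interfaces= value into {virtual: physical}."""
    items = value.strip().strip('"').split()
    return dict(item.split("=", 1) for item in items if "=" in item)

def check_bindings(interfaces_value, log_lines):
    """Report, per configured mapping, whether pluto opened IKE sockets on it."""
    bound, ignored, none_found = {}, {}, False
    for line in log_lines:
        if m := ADDED.search(line):
            virt, phys, addr, port = m.groups()
            bound.setdefault((virt, phys), set()).add((addr, int(port)))
        elif m := IGNORED.search(line):
            ignored[m.group(1)] = m.group(2)
        elif NONE_FOUND in line:
            none_found = True
    report = {}
    for virt, phys in parse_interfaces(interfaces_value).items():
        if (virt, phys) in bound:
            report[virt] = ("bound", sorted(bound[(virt, phys)]))
        elif phys in ignored:
            report[virt] = ("ignored", ignored[phys])
        else:
            report[virt] = ("not seen", None)
    return report, none_found

# Log lines copied from the two Debian 7 runs in the thread (wraps rejoined).
P = "Jul 16 18:26:35 debian7vm pluto[6617]: "
FAILING_LOG = [
    P + "| IP interface eth0:0 192.168.8.111 has no matching ipsec* interface -- ignored",
    P + "| IP interface eth0 192.168.8.129 has no matching ipsec* interface -- ignored",
    P + "no public interfaces found",
]
Q = "Jul 16 18:09:04 debian7vm pluto[4653]: "
WORKING_LOG = [
    Q + "adding interface ipsec0/eth0 192.168.8.129:500",
    Q + "adding interface ipsec0/eth0 192.168.8.129:4500",
]

if __name__ == "__main__":
    print(check_bindings('"ipsec0=eth0:0"', FAILING_LOG))
    print(check_bindings('"ipsec0=eth0"', WORKING_LOG))
```

An "ignored" result together with the "no public interfaces found" flag means pluto has no IKE socket open for that mapping, so no tunnel can be negotiated on it.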
