I built ipsec-tools against the 2.6.0-test2-mm1 includes and am *so*
close to getting it to work...
I'm getting odd errors from racoon:
INFO: isakmp.c:797:isakmp_ph1begin_i(): initiate new phase 1
negotiation: 9.30.62.131[500]<=>9.51.94.26[500]
INFO: isakmp.c:802:isakmp_ph1begin_i(): begin Identity Protection mode.
INFO: isakmp.c:2418:log_ph1established(): ISAKMP-SA established
9.30.62.131[500]-9.51.94.26[500] spi:36dbc14ce81d5d28:dc42216efd6549d4
INFO: isakmp.c:941:isakmp_ph2begin_i(): initiate new phase 2 negotiation:
9.30.62.131[0]<=>9.51.94.26[0]
modprobe: FATAL: Module ripemd160 not found.
modprobe: FATAL: Module cast128 not found.
modprobe: FATAL: Module lzs not found.
modprobe: FATAL: Module lzjh not found.
modprobe: FATAL: Module xfrm_type_2_50 not found.
modprobe: FATAL: Module ripemd160 not found.
modprobe: FATAL: Module cast128 not found.
modprobe: FATAL: Module lzs not found.
modprobe: FATAL: Module lzjh not found.
modprobe: FATAL: Module xfrm_type_2_50 not found.
ERROR: pfkey.c:209:pfkey_handler(): pfkey UPDATE failed:
No buffer space available
ERROR: pfkey.c:209:pfkey_handler(): pfkey ADD failed: No buffer space available
all the ipsec and crypto stuff is modular, for the nonce, until I figure
out what I need/want.
most of the module not found messages are fine; it's xfrm_type_2_50 that
I'm worried about... What am I missing?
--
Rick Nelson
I can saw a woman in two, but you won't want to look in the box when I do
'For My Next Trick I'll Need a Volunteer' -- Warren Zevon
On Wed, Jul 30, 2003 at 04:22:25PM -0400, Richard A Nelson wrote:
>
> I built ipsec-tools against the 2.6.0-test2-mm1 includes and am *so*
> close to getting it to work...
I recently tested all this again with 2.6.0-test2 and It Just Worked, so I
can't confirm this.
> modprobe: FATAL: Module xfrm_type_2_50 not found.
> ERROR: pfkey.c:209:pfkey_handler(): pfkey UPDATE failed:
> No buffer space available
> ERROR: pfkey.c:209:pfkey_handler(): pfkey ADD failed: No buffer space available
>
> all the ipsec and crypto stuff is modular, for the nonce, until I figure
> out what I need/want.
>
> most of the module not found messages are fine; it's xfrm_type_2_50 that
> I'm worried about... What am I missing?
I run with a very minimal racoon.conf, almost exactly the one found on
http://lartc.org/howto/lartc.ipsec.html
I'd suggest posting the relevant bits of your .config
Good luck!
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
On Wed, 30 Jul 2003, bert hubert wrote:
> I recently tested all this again with 2.6.0-test2 and It Just Worked, so I
> can't confirm this.
With an all-modular build?
> I run with a very minimal racoon.conf, almost exactly the one found on
> http://lartc.org/howto/lartc.ipsec.html
ditto
> I'd suggest posting the relevant bits of your .config
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 9.30.62.131 9.51.94.26 any -P out ipsec
    esp/transport//require;
spdadd 9.51.94.26 9.30.62.131 any -P in ipsec
    esp/transport//require;
/etc/racoon/racoon.conf
remote 9.51.94.26
{
    exchange_mode main;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "<cert>" "<key>";
    peers_certfile "<remote cert>";
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1536;
    }
}
sainfo anonymous
{
    pfs_group modp1536;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
Again, the remote is freeswan 1.96
> Good luck!
Thanks, I'll probably be needing it :)
--
Rick Nelson
I can saw a woman in two, but you won't want to look in the box when I do
'For My Next Trick I'll Need a Volunteer' -- Warren Zevon
On Wednesday, 30 July 2003, at 16:22:25 -0400,
Richard A Nelson wrote:
> all the ipsec and crypto stuff is modular, for the nonce, until I figure
> out what I need/want.
>
> most of the module not found messages are fine; it's xfrm_type_2_50 that
> I'm worried about... What am I missing?
>
Maybe your kernel is missing "< > IPsec user configuration interface"
under "Networking options".
Hope this helps.
--
Jose Luis Domingo Lopez
Linux Registered User #189436 Debian Linux Sid (Linux 2.6.0-test2-G7)
On Wed, 30 Jul 2003, Jose Luis Domingo Lopez wrote:
> > most of the module not found messages are fine; it's xfrm_type_2_50 that
> > I'm worried about... What am I missing?
> >
> Maybe your kernel is missing "< > IPsec user configuration interface"
> under "Networking options".
CONFIG_XFRM_USER=m
$ lsmod | grep xfrm
xfrm_user 15364 0
--
Rick Nelson
<core> i'm glad Debian finally got into
polar-deep-freeze-we-arent-shitting-you state finally.
-- Seen on #Debian shortly before the release of Debian 2.0
On Wed, 30 Jul 2003, Richard A Nelson wrote:
> most of the module not found messages are fine; it's xfrm_type_2_50 that
> I'm worried about... What am I missing?
Possibly some aliases in /etc/modprobe.conf
alias xfrm-type-2-50 esp4
alias xfrm-type-2-51 ah4
alias xfrm-type-2-108 ipcomp
alias xfrm-type-10-50 esp6
alias xfrm-type-10-51 ah6
alias xfrm-type-10-108 ipcomp6
- James
--
James Morris
<[email protected]>
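An added diagnostic for the alias problem James points at (my own code, not from the thread or from ipsec-tools): it decodes the names the 2.6 xfrm layer hands to modprobe, pulls them out of the FATAL lines racoon triggered, and lists the modprobe.conf aliases still missing. The alias table is the one James posted; the family and protocol numbers (2 = AF_INET, 10 = AF_INET6, 50/51/108 = ESP/AH/IPComp) are the standard Linux/IANA values and are my assumption, not something the thread states.

```python
import re

# Alias table from James's post: (address family, IP protocol) -> kernel module.
# Family/protocol numbers are the standard Linux/IANA values (assumed here):
# 2 = AF_INET, 10 = AF_INET6; 50 = ESP, 51 = AH, 108 = IPComp.
XFRM_MODULES = {
    (2, 50): "esp4", (2, 51): "ah4", (2, 108): "ipcomp",
    (10, 50): "esp6", (10, 51): "ah6", (10, 108): "ipcomp6",
}
# modprobe reports the request with underscores ("xfrm_type_2_50"); the
# modprobe.conf alias uses dashes ("xfrm-type-2-50").  Accept either form.
_REQ_RE = re.compile(r"xfrm[-_]type[-_](\d+)[-_](\d+)")

def decode_request(name):
    """'xfrm_type_2_50' -> (family, proto, module name or None if unknown)."""
    m = _REQ_RE.fullmatch(name.strip())
    if not m:
        raise ValueError("not an xfrm type request: %r" % name)
    family, proto = int(m.group(1)), int(m.group(2))
    return family, proto, XFRM_MODULES.get((family, proto))

def requests_from_log(log_text):
    """(family, proto) pairs named in 'modprobe: FATAL: Module ... not found' lines."""
    pairs = set()
    for m in re.finditer(r"Module (xfrm[-_]type[-_]\d+[-_]\d+) not found", log_text):
        family, proto, _ = decode_request(m.group(1))
        pairs.add((family, proto))
    return pairs

def missing_alias_lines(modprobe_conf, requests):
    """Alias lines still needed so each requested (family, proto) resolves."""
    have = {}  # alias -> module from 'alias <name> <module>' lines; '#' comments ignored
    for line in modprobe_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "alias":
            have[parts[1]] = parts[2]
    lines = []
    for family, proto in sorted(requests):
        alias = "xfrm-type-%d-%d" % (family, proto)
        module = XFRM_MODULES.get((family, proto))
        if module and have.get(alias) != module:
            lines.append("alias %s %s" % (alias, module))
    return lines

# Constructed sample: two modprobe lines as quoted in the thread, and a
# modprobe.conf that only covers AH, so the ESP alias is reported missing.
SAMPLE_LOG = ("modprobe: FATAL: Module ripemd160 not found.\n"
              "modprobe: FATAL: Module xfrm_type_2_50 not found.\n")
SAMPLE_CONF = "# constructed\nalias xfrm-type-2-51 ah4\n"
print("\n".join(missing_alias_lines(SAMPLE_CONF, requests_from_log(SAMPLE_LOG))))
```

Unrelated FATAL lines such as the ripemd160 one are ignored, which is the distinction Rick was making between harmless missing modules and the xfrm type request.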
On Thu, 31 Jul 2003, James Morris wrote:
> > most of the module not found messages are fine; it's xfrm_type_2_50 that
> > I'm worried about... What am I missing?
>
> Possibly some aliases in /etc/modprobe.conf
>
> alias xfrm-type-2-50 esp4
> alias xfrm-type-2-51 ah4
> alias xfrm-type-2-108 ipcomp
> alias xfrm-type-10-50 esp6
> alias xfrm-type-10-51 ah6
> alias xfrm-type-10-108 ipcomp6
Well, I'll be... I grepped through both the kernel and ipsec-tools
source (and Google) and completely missed that. Where did you find it?
THANKS!!!
Now, that allows me to actually make the connection (after changing from
transport to tunnel mode), and actually use it :)
But I'm not out of the woods yet...
Something is getting lost wrt tracking IPSEC packets; my log is very
full of the following:
Jul 31 00:16:14 renegade kernel: nf_hook: hook 0 already set.
Jul 31 00:16:14 renegade kernel: skb: pf=2 (unowned) dev=eth0 len=52
Jul 31 00:16:14 renegade kernel: PROTO=6 9.51.94.26:23 9.30.62.131:34521
L=52 S=0x10 I=14806 F=0x4000 T=64
Jul 31 00:16:14 renegade kernel: nf_hook: hook 1 already set.
Jul 31 00:16:14 renegade kernel: skb: pf=2 (unowned) dev=eth0 len=52
Jul 31 00:16:14 renegade kernel: PROTO=6 9.51.94.26:23 9.30.62.131:34521
L=52 S=0x10 I=14806 F=0x4000 T=64
Jul 31 00:16:14 renegade kernel: nf_hook: hook 0 already set.
Jul 31 00:16:14 renegade kernel: skb: pf=2 (unowned) dev=eth0 len=52
Jul 31 00:16:14 renegade kernel: PROTO=6 9.51.94.26:23 9.30.62.131:34521
L=52 S=0x10 I=14807 F=0x4000 T=64
Jul 31 00:16:14 renegade kernel: nf_hook: hook 1 already set.
Jul 31 00:16:14 renegade kernel: skb: pf=2 (unowned) dev=eth0 len=52
Jul 31 00:16:14 renegade kernel: PROTO=6 9.51.94.26:23 9.30.62.131:34521
L=52 S=0x10 I=14807 F=0x4000 T=6
--
Rick Nelson
I can saw a woman in two, but you won't want to look in the box when I do
'For My Next Trick I'll Need a Volunteer' -- Warren Zevon