linux-kernel.vger.kernel.org archive mirror
* 2.6.0-test2-mm1 & ipsec-tools (xfrm_type_2_50?)
@ 2003-07-30 20:22 Richard A Nelson
  2003-07-30 21:04 ` bert hubert
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Richard A Nelson @ 2003-07-30 20:22 UTC
  To: linux-kernel


I built ipsec-tools against the 2.6.0-test2-mm1 includes and am *so*
close to getting it to work...

I'm getting odd errors from racoon:

INFO: isakmp.c:797:isakmp_ph1begin_i(): initiate new phase 1
	negotiation: 9.30.62.131[500]<=>9.51.94.26[500]
INFO: isakmp.c:802:isakmp_ph1begin_i(): begin Identity Protection mode.
INFO: isakmp.c:2418:log_ph1established(): ISAKMP-SA established
	9.30.62.131[500]-9.51.94.26[500] spi:36dbc14ce81d5d28:dc42216efd6549d4
INFO: isakmp.c:941:isakmp_ph2begin_i(): initiate new phase 2 negotiation:
	9.30.62.131[0]<=>9.51.94.26[0]
modprobe: FATAL: Module ripemd160 not found.
modprobe: FATAL: Module cast128 not found.
modprobe: FATAL: Module lzs not found.
modprobe: FATAL: Module lzjh not found.
modprobe: FATAL: Module xfrm_type_2_50 not found.
modprobe: FATAL: Module ripemd160 not found.
modprobe: FATAL: Module cast128 not found.
modprobe: FATAL: Module lzs not found.
modprobe: FATAL: Module lzjh not found.
modprobe: FATAL: Module xfrm_type_2_50 not found.
ERROR: pfkey.c:209:pfkey_handler(): pfkey UPDATE failed:
	 No buffer space available
ERROR: pfkey.c:209:pfkey_handler(): pfkey ADD failed: No buffer space available

all the ipsec and crypto stuff is modular, for the nonce, until I figure
what I need/want.

most of the module not found messages are fine, it's xfrm_type_2_50 that
I'm worried about... What am I missing ?
-- 
Rick Nelson
I can saw a woman in two, but you won't want to look in the box when I do
'For My Next Trick I'll Need a Volunteer' -- Warren Zevon

* Re: 2.6.0-test2-mm1 & ipsec-tools (xfrm_type_2_50?)
  2003-07-30 20:22 2.6.0-test2-mm1 & ipsec-tools (xfrm_type_2_50?) Richard A Nelson
@ 2003-07-30 21:04 ` bert hubert
  2003-07-30 21:24   ` Richard A Nelson
  2003-07-30 21:42 ` Jose Luis Domingo Lopez
  2003-07-31  0:00 ` James Morris
  2 siblings, 1 reply; 7+ messages in thread
From: bert hubert @ 2003-07-30 21:04 UTC
  To: Richard A Nelson; +Cc: linux-kernel

On Wed, Jul 30, 2003 at 04:22:25PM -0400, Richard A Nelson wrote:
> 
> I built ipsec-tools against the 2.6.0-test2-mm1 includes and am *so*
> close to getting it to work...

I recently tested all this again with 2.6.0-test2 and It Just Worked, so I
can't confirm this.

> modprobe: FATAL: Module xfrm_type_2_50 not found.
> ERROR: pfkey.c:209:pfkey_handler(): pfkey UPDATE failed:
> 	 No buffer space available
> ERROR: pfkey.c:209:pfkey_handler(): pfkey ADD failed: No buffer space available
> 
> all the ipsec and crypto stuff is modular, for the nonce, until I figure
> what I need/want.
> 
> most of the module not found messages are fine, it's xfrm_type_2_50 that
> I'm worried about... What am I missing ?

I run with a very minimal racoon.conf, almost exactly the one found on
http://lartc.org/howto/lartc.ipsec.html

I'd suggest posting the relevant bits of your .config

Good luck!

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO

* Re: 2.6.0-test2-mm1 & ipsec-tools (xfrm_type_2_50?)
  2003-07-30 21:04 ` bert hubert
@ 2003-07-30 21:24   ` Richard A Nelson
  0 siblings, 0 replies; 7+ messages in thread
From: Richard A Nelson @ 2003-07-30 21:24 UTC
  To: bert hubert; +Cc: linux-kernel

On Wed, 30 Jul 2003, bert hubert wrote:

> I recently tested all this again with 2.6.0-test2 and It Just Worked, so I
> can't confirm this.

with an all modular build ?

> I run with a very minimal racoon.conf, almost exactly the one found on
> http://lartc.org/howto/lartc.ipsec.html

ditto

> I'd suggest posting the relevant bits of your .config

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 9.30.62.131 9.51.94.26 any -P out ipsec
	esp/transport//require;
spdadd 9.51.94.26 9.30.62.131 any -P in ipsec
	esp/transport//require;

/etc/racoon/racoon.conf
remote 9.51.94.26
{
	exchange_mode main;
	my_identifier asn1dn;
	peers_identifier asn1dn;
	certificate_type x509 "<cert>" "<key>";
	peers_certfile "<remote cert>";
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group modp1536;
	}
}
sainfo anonymous
{
	pfs_group modp1536;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

Again, the remote is freeswan 1.96


> Good luck!
Thanks, I'll probably be needing it :)

-- 
Rick Nelson
I can saw a woman in two, but you won't want to look in the box when I do
'For My Next Trick I'll Need a Volunteer' -- Warren Zevon

* Re: 2.6.0-test2-mm1 & ipsec-tools (xfrm_type_2_50?)
  2003-07-30 20:22 2.6.0-test2-mm1 & ipsec-tools (xfrm_type_2_50?) Richard A Nelson
  2003-07-30 21:04 ` bert hubert
@ 2003-07-30 21:42 ` Jose Luis Domingo Lopez
  2003-07-30 22:22   ` Richard A Nelson
  2003-07-31  0:00 ` James Morris
  2 siblings, 1 reply; 7+ messages in thread
From: Jose Luis Domingo Lopez @ 2003-07-30 21:42 UTC
  To: linux-kernel

On Wednesday, 30 July 2003, at 16:22:25 -0400,
Richard A Nelson wrote:

> all the ipsec and crypto stuff is modular, for the nonce, until I figure
> what I need/want.
> 
> most of the module not found messages are fine, it's xfrm_type_2_50 that
> I'm worried about... What am I missing ?
> 
Maybe your kernel is missing "< > IPsec user configuration interface"
under "Networking options".

Hope this helps.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Sid (Linux 2.6.0-test2-G7)

* Re: 2.6.0-test2-mm1 & ipsec-tools (xfrm_type_2_50?)
  2003-07-30 21:42 ` Jose Luis Domingo Lopez
@ 2003-07-30 22:22   ` Richard A Nelson
  0 siblings, 0 replies; 7+ messages in thread
From: Richard A Nelson @ 2003-07-30 22:22 UTC
  To: Jose Luis Domingo Lopez; +Cc: linux-kernel

On Wed, 30 Jul 2003, Jose Luis Domingo Lopez wrote:

> > most of the module not found messages are fine, it's xfrm_type_2_50 that
> > I'm worried about... What am I missing ?
> >
> Maybe your kernel is missing "< > IPsec user configuration interface"
> under "Networking options".

CONFIG_XFRM_USER=m
$ lsmod | grep xfrm
xfrm_user              15364  0

-- 
Rick Nelson
<core> i'm glad Debian finally got into
        polar-deep-freeze-we-arent-shitting-you state finally.
	-- Seen on #Debian shortly before the release of Debian 2.0

* Re: 2.6.0-test2-mm1 & ipsec-tools (xfrm_type_2_50?)
  2003-07-30 20:22 2.6.0-test2-mm1 & ipsec-tools (xfrm_type_2_50?) Richard A Nelson
  2003-07-30 21:04 ` bert hubert
  2003-07-30 21:42 ` Jose Luis Domingo Lopez
@ 2003-07-31  0:00 ` James Morris
  2003-07-31  0:27   ` Richard A Nelson
  2 siblings, 1 reply; 7+ messages in thread
From: James Morris @ 2003-07-31  0:00 UTC
  To: Richard A Nelson; +Cc: linux-kernel

On Wed, 30 Jul 2003, Richard A Nelson wrote:

> most of the module not found messages are fine, it's xfrm_type_2_50 that
> I'm worried about... What am I missing ?

Possibly some aliases in /etc/modprobe.conf

alias xfrm-type-2-50    esp4
alias xfrm-type-2-51    ah4
alias xfrm-type-2-108   ipcomp
alias xfrm-type-10-50   esp6
alias xfrm-type-10-51   ah6
alias xfrm-type-10-108  ipcomp6


- James
-- 
James Morris
<jmorris@intercode.com.au>


* Re: 2.6.0-test2-mm1 & ipsec-tools (xfrm_type_2_50?)
  2003-07-31  0:00 ` James Morris
@ 2003-07-31  0:27   ` Richard A Nelson
  0 siblings, 0 replies; 7+ messages in thread
From: Richard A Nelson @ 2003-07-31  0:27 UTC
  To: James Morris; +Cc: linux-kernel

On Thu, 31 Jul 2003, James Morris wrote:

> > most of the module not found messages are fine, it's xfrm_type_2_50 that
> > I'm worried about... What am I missing ?
>
> Possibly some aliases in /etc/modprobe.conf
>
> alias xfrm-type-2-50    esp4
> alias xfrm-type-2-51    ah4
> alias xfrm-type-2-108   ipcomp
> alias xfrm-type-10-50   esp6
> alias xfrm-type-10-51   ah6
> alias xfrm-type-10-108  ipcomp6

Well, I'll be...  I grepped through both the kernel and ipsec-tools
source (and google) and completely missed that - where did you find it ?

THANKS !!!

Now, that allows me to actually make the connection (after changing from
transport to tunnel mode), and actually use it :)

But I'm not out of the woods yet...
Something is getting lost wrt tracking IPSEC packets; my log is very
full of the following:

Jul 31 00:16:14 renegade kernel: nf_hook: hook 0 already set.
Jul 31 00:16:14 renegade kernel: skb: pf=2 (unowned) dev=eth0 len=52
Jul 31 00:16:14 renegade kernel: PROTO=6 9.51.94.26:23 9.30.62.131:34521
L=52 S=0x10 I=14806 F=0x4000 T=64
Jul 31 00:16:14 renegade kernel: nf_hook: hook 1 already set.
Jul 31 00:16:14 renegade kernel: skb: pf=2 (unowned) dev=eth0 len=52
Jul 31 00:16:14 renegade kernel: PROTO=6 9.51.94.26:23 9.30.62.131:34521
L=52 S=0x10 I=14806 F=0x4000 T=64
Jul 31 00:16:14 renegade kernel: nf_hook: hook 0 already set.
Jul 31 00:16:14 renegade kernel: skb: pf=2 (unowned) dev=eth0 len=52
Jul 31 00:16:14 renegade kernel: PROTO=6 9.51.94.26:23 9.30.62.131:34521
L=52 S=0x10 I=14807 F=0x4000 T=64
Jul 31 00:16:14 renegade kernel: nf_hook: hook 1 already set.
Jul 31 00:16:14 renegade kernel: skb: pf=2 (unowned) dev=eth0 len=52
Jul 31 00:16:14 renegade kernel: PROTO=6 9.51.94.26:23 9.30.62.131:34521
L=52 S=0x10 I=14807 F=0x4000 T=6

-- 
Rick Nelson
I can saw a woman in two, but you won't want to look in the box when I do
'For My Next Trick I'll Need a Volunteer' -- Warren Zevon
