gmane.network.openswan.devel

[Openswan dev] Ipv6 support in KLIPS

Debjyoti Mukherjee — 2013-05-21T05:03:38

Hi, 
I am new to Openswan. Just wanted to confirm if KLIPS support ipv6? I am using "openswan-2.6.38"

[Openswan dev] libreswan CVE-2013-205[234] backport patches availabe for openswan/strongswan (fwd)

D. Hugh Redelmeier — 2013-05-14T18:32:37

FYI

---------- Forwarded message ----------
X-Spam-Level: 
From: Paul Wouters <pwouters< at >redhat.com>
To: swan< at >lists.libreswan.org
Date: Tue, 14 May 2013 13:24:22 -0400 (EDT)
Subject: [Swan] libreswan CVE-2013-205[234] backport patches availabe for
    openswan/strongswan

Yesterday was the public disclosure of the serious atodn() buffer overflow
bug in libreswan, openswan and some (older) strongswan versions. The
different swan flavours have different CVE numbers:

CVE-2013-2052: libreswan
CVE-2013-2053: openswan
CVE-2013-2054: strongswan

For a desciption of the issue see:

https://download.libreswan.org/security/CVE-2013-2052/CVE-2013-2052.txt

Current versions of libreswan and strongswan are not vulnerable. Current
version (as of today) of openswan is still vulnerable.

We have backported the libreswan patches to the RHEL version of openswan
that is based on openswan 2.6.32. These patches, which were given to
openswan a week ago, are now available at:

https://download.libreswan.org/security/CVE-2013-205

Re: [Openswan dev] Git repository configuration

Lutz Jaenicke — 2013-01-11T14:31:29

Looks good, thanks.
Lutz

Re: [Openswan dev] Git repository configuration

Patrick Naubert — 2013-01-11T14:15:44

On 2013-01-07, at 12:00 PM, ljaenicke< at >innominate.com wrote:



Thanks for the report. Please try now.  I believe I have fixed the hook.

Regards,

Patrick Naubert
patrickn< at >xelerance.com

[Openswan dev] Git repository configuration

Lutz Jaenicke — 2013-01-07T13:55:21

Hi,

I am trying to create a clone of the current openswan git repository.

This does not succeed due to the following reason:
According to the web interface at
  http://git.openswan.org/cgi-bin/cgit/openswan/
the repository shall be cloned from
  http://git.openswan.org/openswan.git
There is a repository served which however does have an outdated
  openssl.git/info/refs
file such that git clone returns the state of 27-Feb-2012.
Access via git protocol and port would not need maintenance
of the info/refs file but is not available.
Would you kindly run update-server-info (normally this is done
automatically via the post-receive hook).

Thank you very much,
Lutz Jänicke

[Openswan dev] Contributing to the project development

Prashant Batra — 2012-12-30T17:56:22

Hi Developers,

I have worked on development of IKev2/IPSec stack and keen to contribute,
work and learn with Openswan team.
I am not able to  find a suitable link on the wiki nor anywhere else on the
website, so posting for help on the list.

Please point me to the required steps.

Thanks in advance,
Prashant Batra
_______________________________________________
Dev mailing list
Dev< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/dev

[Openswan dev] My resignation of The Openswan Project

Paul Wouters — 2012-12-16T22:59:03

Dear Openswan Community,

One year ago, I reluctantly resigned from Xelerance Corporation, a
company I co-founded in 2003.  Shortly thereafter, it became clear
that Xelerance and I disagreed about a number of things, including who
or what should control the "Openswan" name.  Lawsuits were exchanged and,
after having been in litigation for almost a year, Xelerance and I settled
our claims against one another and severed our remaining business ties.

Openswan 2.6.38 was the last release for me as a member of The Openswan
Project and this message marks the end of my participation on the Openswan
email lists.  Xelerance now controls the Openswan domains and will manage
them as it sees fit.

I wish to thank everyone who assisted me by providing affidavits on behalf
of The Openswan Project.  I continue to develop free and opensource
software, and will continue to help people in their quest to use IPsec
to increase their security and protect their privacy. You will be able
to follow my activities via Twitter, my w

[Openswan dev] asynchronous event-driven initialization /configuration / reconfiguration

John Denker — 2012-12-06T17:43:16

Hi Folks --

Quoting from the ipsec init script:

# The startup and shutdown times are a difficult compromise (in particular,
# it is almost impossible to reconcile them with the insanely early/late
# times of NFS filesystem startup/shutdown).  Startup is after startup of
# syslog and pcmcia support; shutdown is just before shutdown of syslog.

Actually, there is *no* good compromise that covers the general case, as
can be seen from the following use-cases:

 1) Suppose I start up my laptop with no network connections, and then
  carry it to a place where wireless connectivity is available.
 
 2) (Mobility) Same as above, but then I carry it to a place where
  /different/ network connectivity is available.

 3) A similar thing can happen with a desktop:  After the computer has 
  been up for several days, the DHCP server decides to be unfriendly and 
  replace the old IP address with a new and different one.

 4) Suppose we are recovering from a power failure.  At the time the
  computer comes up, there is n

Re: [Openswan dev] coexistence of RSA connections with and without Xauth

Andrey Alexandrenko — 2012-12-03T14:26:15

Hallo Paul,

I discover a much better solution for my xauth problem. Using XAUTH_VID 
for setting of XAUTH policy is not the right way, because some of IKE 
implementations (for example strongSWAN) sends XAUTH_VID even if no 
XAUTH was configured on the connection. An other and I think the right 
way is to use the authentication method information.

Regards, Andrey Alexandrenko

_______________________________________________
Dev mailing list
Dev< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/dev

[Openswan dev] [PATCH] fix pluto segfault

Roel van Meer — 2012-10-18T11:23:29

Hi,

while debugging a crashing pluto daemon, I came across an incorrect free. 
Please see the attached patch, which fixes it.

Although I'm running this in production now, I haven't yet been able to 
assess if it fixes the crash, because it only occurs once every few months 
(but when it happens it happens several times a day). The patch is 
really straightforward though.

The crash was first reported on the openswan users list: 
https://lists.openswan.org/pipermail/users/2012-August/021873.html

Best regards,

Roel

Fix crash caused by incorrect pfree.

diff --git a/programs/pluto/kernel_pfkey.c b/programs/pluto/kernel_pfkey.c
index 82e6f09..da18942 100644
--- a/programs/pluto/kernel_pfkey.c
+++ b/programs/pluto/kernel_pfkey.c
< at >< at > -1532,7 +1532,7 < at >< at > scan_proc_shunts(void)
         struct eroute_info *p = orphaned_holds;
 
         orphaned_holds = p->next;
-        pfree(orphaned_holds);
+        pfree(p);
     }
 
     /* decode the /proc file.  Don't do anything strenuous to it
___________________________

[Openswan dev] ipsec mutilple ip connection

Xu Tingting — 2012-10-13T01:05:23

HI,

I have tried to set mutilple ip connection with L2tp-ipsec vpn.
My network :
eth0 MyIP1
eth0:0 MyIP2
eth0:1 MyIP3
My ipsec.conf as following:
===============
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
 #  also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=MyIP1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0
   # also=L2TP-PSK-noNAT02
conn L2TP-PSK-noNATo1
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=MyIP2
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0
conn L2TP-PSK-noNAT02
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=MyIP3
    leftpr

[Openswan dev] A query on NAT-T implementation in Openswan

SaRaVanAn — 2012-10-08T10:49:25

Hi Team,
    I am a newbie to Netkey IPSec Stack world.  I have some queries on
NAT-T implementation in Openswan with respect to Netkey stack.

1)  I have opened a UDP socket of port 4500, in order to receive NAT-T
packets. But
I am receiving both IKE and ESP packets with UDP encapsulation to IKE user
space daemon, which results in loss
of UDP encapsulated ESP packets.

There is some way to filter the UDP encapsulated ESP packets from reaching
IKE user space daemon in Openswan.

Could you please help me with the files or Functions in Openswan, which
does this for my understanding? or
Could you please guide me with a way to achieve the same?

Thanks in Advance for your precious time.

Regards,
Saravanan N
_______________________________________________
Dev mailing list
Dev< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/dev

Re: [Openswan dev] coexistence of RSA connections with and without Xauth

Andrey Alexandrenko — 2012-10-08T08:04:30

Hallo Paul,

both (right and left) sites have to be XAUTH-Client/Server or have no 
XAUTH-setting at all, else connection will fail. This is the reason, why 
I've put the line. "(c->policy & policy) == policy" -- does not always 
cover the case. It does not work if the local configuration has XAUTH 
policy but the remote doesn’t.

I don't use ipsec.conf on my system, because I create my configuration 
from database data and pass it with whack trough.
It is very easy to reproduce my case. You need to configure two similar 
RSA connections (except XAUTH setting) to "any" remote site. One of them 
(dependence on the order they configured in) won't be established 
without the patch.

Regards, Andrey

Re: [Openswan dev] What will happen with OpenSWAN

Patrick Naubert — 2012-10-04T22:24:41


I have recently been made aware of the difficulties of Openswan developers to be able to push to the git.openswan.org repository.

We have repaired that ability at this time.  All developers that had the ability to push commits previously should be able to do so at this time.

Please point your git remotes to ssh://git< at >git.openswan.org/openswan.git and report back problems.

Regards,

Patrick Naubert
Xelerance Corporation

Re: [Openswan dev] What will happen with OpenSWAN

Tuomo Soini — 2012-10-04T13:53:03

On Mon, 01 Oct 2012 10:45:20 +0200
Mattias Walström <mattias.walstrom< at >westermo.se> wrote:


We are waiting on the outcome of a lawsuit regarding the rights
to the name openswan.

Development has continued in private trees since we lost access to the
web site and code repository. We are still trying to avoid a fork but as
you said it has been long time now.

[Openswan dev] What will happen with OpenSWAN

Mattias Walström — 2012-10-01T08:43:11

Still a limited activity on the mailing-list and 6 month since last commit to the git repository. Will the development ever come back again?

Best regards
  Mattias

[Openswan dev] What will happen with OpenSWAN

Mattias Walström — 2012-10-01T08:45:20

Still a limited activity on the mailing-list and 6 month since last commit to the git repository. Will the development ever come back again?

Best regards
  Mattias

[Openswan dev] DPD patch

Andrey Alexandrenko — 2012-09-25T06:50:07

Hallo,

I have a small DPD-patch, witch fixed for me DPD-messages flood in 
2.6.35. There was some DPD-refactoring in 2.6.37 but I'm still using 
this patch in 2.6.38, because the changes make the DPD-code just a bit 
better and more senseful.

Regards, Andrey

diff -up ./programs/pluto/dpd.c.seqno ./programs/pluto/dpd.c
--- ./programs/pluto/dpd.c.seqno    2011-07-23 22:53:13.000000000 +0200
+++ ./programs/pluto/dpd.c    2011-12-15 10:37:07.507947829 +0100
< at >< at > -516,17 +516,15 < at >< at > dpd_inR(struct state *p1st
      DBG_log("DPD: R_U_THERE_ACK, seqno received: %u expected: %u 
(state=#%lu)",
          seqno, p1st->st_dpd_expectseqno, p1st->st_serialno));

-    if (!p1st->st_dpd_expectseqno && seqno != p1st->st_dpd_expectseqno) {
-        loglog(RC_LOG_SERIOUS, "DPD: unexpected R_U_THERE_ACK packet 
with sequence number %u", seqno);
-    p1st->st_dpd_expectseqno = 0;
-    /* do not update time stamp, so we'll send a new one sooner */
-    } else {
+    if (seqno == p1st->st_dpd_expectseqno) {
      /* update the ti

[Openswan dev] Fwd: Re: fix for sha2_truncbug-option in whack

Andrey Alexandrenko — 2012-09-24T07:26:37



-------- Original Message --------
Subject: Re: [Openswan dev] fix for sha2_truncbug-option in whack
Date: Thu, 20 Sep 2012 12:29:53 -0400 (EDT)
From: Paul Wouters <paul< at >nohats.ca>
To: Andrey Alexandrenko <aalexandrenko< at >telco-tech.de>



On Thu, 20 Sep 2012, Andrey Alexandrenko wrote:


It should not accept arguments. It's on when passed as flag.


That's odd, do you have a gdb backtrace?

Paul

I don't have a gdb backtrace, but I guess it crashes on strcmp with NULL:

  case CD_SHA2_TRUNCBUG: /* --sha2_truncbug */
    if ( strcmp(optarg, "yes" ) == 0) {
msg.sha2_truncbug = SHA2_TRUNCBUG_YES;
    }
    else {
msg.sha2_truncbug = SHA2_TRUNCBUG_NO;
    }
continue;


Andrey



_______________________________________________
Dev mailing list
Dev< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/dev

[Openswan dev] fix for sha2_truncbug-option in whack

Andrey Alexandrenko — 2012-09-20T10:48:01

Hi folks,

whack in 3.6.38 do not accept 'sha2_truncbug' with arguments like '--sha2_truncbug=yes'. My patch fixes that.

--- a/programs/pluto/whack.c
+++ b/programs/pluto/whack.c
< at >< at > -662,7 +662,7 < at >< at > static const struct option long_opts[] = {
     { "tunnelipv4", no_argument, NULL, CD_TUNNELIPV4 + OO },
     { "tunnelipv6", no_argument, NULL, CD_TUNNELIPV6 + OO },
     { "pfs", no_argument, NULL, CD_PFS + OO },
-    { "sha2_truncbug", no_argument, NULL, CD_SHA2_TRUNCBUG + OO },
+    { "sha2_truncbug", required_argument, NULL, CD_SHA2_TRUNCBUG + OO },
     { "aggrmode", no_argument, NULL, CD_AGGRESSIVE + OO },
     { "disablearrivalcheck", no_argument, NULL, CD_DISABLEARRIVALCHECK + OO },
     { "initiateontraffic", no_argument, NULL

Regards, Andrey

PS. '--sha2_truncbug' (without arguments) causes segmentation fault in whack.
_______________________________________________
Dev mailing list
Dev< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/dev

Re: [Openswan dev] Regarding klips_debug:ipsec_rcv: auth failed on incoming packet

David McCullough — 2012-08-22T11:46:32

Jivin Elison Niven lays it down ...

Looks like git commit 88bc11b1579db71330a6da9f860cadf98f1dae51 might be the
one you are after,  it sounds like it ;-)

Cheers,
Davidm