gmane.network.openswan.devel

Re: [Openswan dev] AES-GCM for ESP with Openswan

Tuomo Soini — 2012-05-17T09:10:06

On Wed, 16 May 2012 15:09:58 -0400
Avesh Agarwal <avagarwa< at >redhat.com> wrote:


Thank you. Applied as 81778fcad5c3ebb966b02fc9af0fc7c0fbead678 with some
white space corrections found by git diff --check and comment ones I
found.

[Openswan dev] AES-GCM for ESP with Openswan

Avesh Agarwal — 2012-05-16T19:09:58

Hello,

Current implementation of AES-GCM (Key lengths 128, 192, 256 bits and IV
of 8, 12, 16 bytes as per RFC 4106) for ESP with Openswan has following
issues:

1. AES-GCM for key length 256 for all 3 variants(IV of 8, 12, 16 bytes)
does not work.

2. AES-GCM negotiation for ESP during IKE exchange does not
inter-operate with any other implementation, because Openswan sends
wrong key length values. RFC 4106 defines that key lengths of 128, 192,
256 should be used during IKE exchange, whereas key lengths + 4 bytes
should be calculated as final keys to be sent to kernel for ESP.
However, Openswan sends key length + 4 bytes during IKE exchange and
breaks interop with other implementation.

3. RFC 4106 only allows 3 key lengths of 128, 192 or 256 bits, but
Openswan lets configure any key length which should not happen, and
configuration should be limited to only the specified lengths in the rfc.

The attached patch addresses the above issues and has been created
against the latest upstream release of Openswan.

[Openswan dev] klips startup error if secondary ip addres onphysical interface

Roel van Meer — 2012-05-10T08:40:46

Hi devs,

when I start openswan, I get this error message:
ipsec_setup: Error: either "local" is duplicate, or "secondary" is a garbage.

The commit that caused this is here:
http://git.openswan.org/cgi-bin/cgit/openswan/patch/programs/_startklips/_startklips.in?id=7a6cc9e9f2a4692f1e5da7c78b52fa2f32ced38b

The openswan config is minimal and looks like this:

root< at >test13a:/tmp# cat /etc/ipsec.conf
version 2.0

config setup
 interfaces="ipsec0=eth1"
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,\
   v4:172.16.0.0/12,%v4:!10.0.0.0/24,%v4:!10.10.0.0/16
 oe=off
 protostack=klips

The physiscal interface is configured like this:

root< at >test13a:/tmp# ip address show dev eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:40:f4:b4:0a:68 brd ff:ff:ff:ff:ff:ff
    inet 111.222.33.131/28 brd 111.222.33.143 scope global eth1
    inet 111.222.33.135/28 brd 111.222.33.143 scope global secondary eth1:1

With the patch (pristine 2.6.38) the ipsec0 device lo

Re: [Openswan dev] Openswan 2.4.5 with linux kernel 2.6.26 - any chance?

Harald Jenny — 2012-05-10T07:35:33

Hi Siegfried


I don't think so - you may try the Debian lenny package (version 2.4.12
but with all security fixes up to 2.4.15), this "should" work.


Kind regards
Harald

[Openswan dev] Openswan 2.4.5 with linux kernel 2.6.26 - any chance?

Siegfried Müller - MB Connect Line GmbH — 2012-05-05T08:21:53

Hi all,

is there any chance to compile openswan 2.4.5 with linux kernel 2.6.26?

I must use 2.4.5 because there are some strange issues with interoperate to fortigate firewall with openswan 2.6.x. So I can't use openswan 2.6.x.

Many thanky for any hints!

BR

Siegfried

_______________________________________________
Dev mailing list
Dev< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/dev

[Openswan dev] Fwd: [Openswan Users] SAref working fine but device with public ip no

Vincent Tamet — 2012-04-23T15:12:54

Hi,
Maybe this question must be in this userlist ?
Best regards

----- Mail transféré -----
De: "Vincent Tamet" <vincent.tamet< at >ilimit.net>
À: users< at >openswan.org
Cc: "Daniel Castro" <daniel.castro< at >ilimit.net>
Envoyé: Mercredi 18 Avril 2012 17:39:40
Objet: [Openswan Users] SAref working fine but device with public ip no

Hi,
We have prove the installation with:
netkey (without SAref): equips with public ip connect and works perfectly.
                        2 equips with the same ip, connect but only one have the ping working, and then one disconnect.
klips  (without SAref): equips with public ip connect and works perfectly.
                        2 equips with the same ip, connect but only one have the ping working, and then one disconnect.
klips  (with SAref):    equips with public ip establish with ipsec but we haven't any log from the xl2tpd.
                        2 equips with the same ip, connect and works perfectly.

For the SAref we use an ubuntu with the both patch from the openswan source, an

[Openswan dev] Openswan 2.6.35 interop with fortigate 200B

Siegfried Müller - MB Connect Line GmbH — 2012-04-21T12:12:10

Hi,

does anyone has experiences with fortigate200b firewall? We used openswan 2.4.5 (as client) with fortigate200b (as server). Now we did a update to openswan 2.6.35 and then one issue occurred. After transferring f.e. a file through the vpn tunnel, it stops after 180-200KB. No error messages on pluto or klips. Also a VNC session interrupted after first seconds. Everything is fine on 2.4.5. Any ideas?

Best regards

Siegfried

_______________________________________________
Dev mailing list
Dev< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/dev

Re: [Openswan dev] RFC KLIPS patch for increased throughput on multicore systems

David McCullough — 2012-04-17T10:32:51

Jivin Jagdish Motwani lays it down ...

The patch is clean and simple,  but I am not sure if there is anything we
are missing here.

I'll try and get this loaded on a few different systems here and try it out.
Especially on an SMP OCF system just to check that angle as well.

At the end of the day we just need to be sure the SA table doesn't get
modified in any way while the state machine is using it.

My only suggestion would be to set a really short rekey time and run with
that while you are benchmarking.  Maybe have 3 or 4 tunnels rekeying while
you are benchmarking if possible.

Given the performance improvements you have shown I think we need to look at
something like this no matter what,  hopefully this patch is it :-)

Thanks,
Davidm

[Openswan dev] RFC KLIPS patch for increased throughput onmulticore systems

Jagdish Motwani — 2012-04-17T08:41:39

Ref mail: KLIPS tdb_lock as rwlock instead of spinlock?

Please find attached klips patch for increased throughput of single 
tunnel on multicore systems.

This patch is just a RFC and may have side effects. Please report them 
by testing or code review.

In-order to get increased throughput,
         1)Apply the patch
         2)Use Receive Packet Steering to send packets of different 
flows on different cpu's (/sys/class/net/eth0/queues/rx-0/rps_cpus)

Regrads,
Jagdish Motwani
Software Engineer
Elitecore Technologies Pvt. Ltd.
diff --git a/linux/include/openswan/ipsec_proto.h b/linux/include/openswan/ipsec_proto.h
index f40336c..db21b92 100644
--- a/linux/include/openswan/ipsec_proto.h
+++ b/linux/include/openswan/ipsec_proto.h
< at >< at > -41,7 +41,7 < at >< at > extern struct prng ipsec_prng;
 
 /* ipsec_sa.c */
 extern struct ipsec_sa *ipsec_sadb_hash[SADB_HASHMOD];
-extern spinlock_t       tdb_lock;
+extern rwlock_t tdb_lock;
 extern int ipsec_sadb_init(void);
 extern int ipsec_sadb_cleanup(__u8);
 
diff --git a/linux/ne

[Openswan dev] ikev2 traffic selector patch

Avesh Agarwal — 2012-04-11T20:43:06

Hello,

I have implemented traffic selector negotiation functionality for ikev2
based on rfc 5996. I am attaching a patch for the same. The current
patch is based on rhel6 openswan version, and I am working on porting it
to latest upstream version. Still I thought to send it to devel mail
list to get some feedback from the developers.

[Openswan dev] ikev2 traffic selector patch

Avesh Agarwal — 2012-04-11T20:31:46

Hello,

I have implemented traffic selector negotiation functionality for ikev2
based on rfc 5996. I am attaching a patch for the same. The current
patch is based on rhel6 openswan version, and I am working on porting it
to latest upstream version. Still I thought to send it to devel mail
list to get some feedback from the developers.

[Openswan dev] [slanser< at >tallmaple.com: Re: [Openswan - Bug #1342]Pluto 30-second encrypted TCP connection stall with on-demandpeering (NETKEY)]

Steve Lanser — 2012-04-11T13:48:03

It certianly sounds like the same issue.

I'll get to this after dealing with some of the higher priority IKEv2
issues.  This issue is a much lower priority for us since we largely aviod
the problem by configuring our connections with auto=start.  Packets issued
after a connection is brought up in this fashion are not subject to delay.

I have confirmed, however, that the behavior is still present in 2.6.38.

Steve

On Tue, Apr 10, 2012 at 03:50:32AM -0400, redmine< at >openswan.org wrote:

----- End forwarded message -----

[Openswan dev] KLIPS tdb_lock as rwlock instead of spinlock?

Jagdish Motwani — 2012-04-11T13:42:31

Hi,
    Can tdb_lock be converted from spinlock to rwlock?

     From what i know, tdb_lock is used to protect sa.
                                  ipsec_xmit.c &  ipsec_rcv.c just uses 
them for reading(get) sa.


      While experimenting with KLIPS, i converted this tdb_lock to 
rwlock_t and performed the below given test.

      I got desired results but i am not sure about any side-effects of 
this conversion.  Please provide your valuable input.

/
     Test setup details:
                     LAN1 ----------
                                             Test Machine 
----------(Ipsec tunnel)---------------- Road warrior
                     LAN2 ----------


       Test Machine has 8 cores, I  have binded interrupts to only 3 of 
them:
                             LAN1 -- cpu1
                             LAN2 -- cpu2
                  Roadwarrior -- cpu3

       Traffic flows from LAN1 and LAN2 to Road warrior. (I used iperf 
to generate traffic: iperf server is at road warrior and clients in LAN1 
a

Re: [Openswan dev] BUG 1201: dpd + ddns does not work

Nrupen Chudasma — 2012-03-30T12:05:07

Hi,

For the explanation about /etc/hosts being static and only need to restart
the pluto for correct entry, refer to to below code.

#include <stdio.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <unistd.h>

int
main(int argc, char **argv) {
        struct hostent *host;     /* host information */
        struct in_addr h_addr;    /* internet address */
        if (argc != 2) {
                fprintf(stderr, "USAGE: nslookup <inet_address>\n");
                return 1;
        }
        while(1){
                if ((host = gethostbyname(argv[1])) == NULL) {
                        fprintf(stderr, "(mini) nslookup failed on '%s'\n",
argv[1]);
                        return 1;
                }
                h_addr.s_addr = *((unsigned long *) host->h_addr_list[0]);
                fprintf(stdout, "%s\n", inet_ntoa(h_addr));
                sleep(5);
        }
        return 0;
}

After successfully complying the code, I run it with /etc/hosts entry for
'ddnstest' as '10.10

Re: [Openswan dev] BUG 1201: dpd + ddns does not work

Tuomo Soini — 2012-03-29T17:11:49

On Wed, 28 Mar 2012 11:38:03 +0530
Nrupen Chudasma <nrupen< at >gmail.com> wrote:


Anything in /etc/hosts is static data - not dynamic dns - there is no
guarantee it gets read without restarting whole pluto.

Re: [Openswan dev] DPD action restart creates segfault inRoadwarrior connection

Ruchir Thakkar — 2012-03-28T17:57:28

Hi Nrupen,

Do not keep dpd action "restart" in connection definition where the peer ip
is wildcard.

Regards,
Ruchir.
 On Mar 28, 2012 8:39 AM, "Nrupen Chudasma" <nrupen< at >gmail.com> wrote:

_______________________________________________
Dev mailing list
Dev< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/dev

[Openswan dev] DPD action restart creates segfault in Roadwarriorconnection

Nrupen Chudasma — 2012-03-28T12:39:28

Hi,

I am using openswan 2.6.24. I have configured one connection at VPN gateway
where many road warriors can connect the tunnel from different IPs.
Below is my configuration.

version 2.0      # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes
        oe=off
        protostack=netkey


conn ng
        right=%any
        rightsubnet="vhost:%v:0.0.0.0/0"
        left=10.103.6.71
        leftsubnet=10.1.1.0/255.255.255.0
        leftnexthop=10.103.6.1
        auto=add
        x_rightdynamic=yes
        authby=secret
        compress=no
        failureshunt=drop
        dpddelay=15
        dpdtimeout=60
        dpdaction=restart
        pfs=yes

ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,ae

[Openswan dev] BUG 1201: dpd + ddns does not work

Nrupen Chudasma — 2012-03-28T06:08:03

Hi,

Yesterday I sent the same comment in the User's list. But I think it would
be appropriate to discuss about the bug in dev list.

I have been using openswan 2.6.24 with NETKEY for quite a long time.
I had a requirement for DYNDNS based remote host support for making the
connections. As there is support added, I tried with the 2.6.24 version and
could not succeed.
I searched out for bug#1201 with the exact reason. So I uprated to version
2.6.33. But the problem is still there. Even I tried latest version i.e.
2.6.38 but the result is same.

According to the RCA done for the bug, "conn->dnshostname" is NULL. The
specified solution was to work with ipsec whack.

I tried with that. Please correct me if my approach for the problem is
wrong. I have put remote as "ddnstest" and added entry in the /etc/hosts
file.
I add one connection with ipsec whack. Initiate the connection. Later I
change my remote host's IP and add the according entry in /etc/hosts.
The dpdtimeout happens as the former IP no longer available

[Openswan dev] [Announce] openswan 2.6.38 released

Tuomo Soini — 2012-03-23T23:22:46

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear community,

As Paul Wouters is currently unable to perform his role as Release
Manager, I have stepped in to temporarily take over his
responsibilities.

Openswan 2.6.38 released to the community

https://www.openswan.org/download/openswan-2.6.38.tar.gz
https://www.openswan.org/download/openswan-2.6.38.tar.gz.asc
https://www.openswan.org/download/CHANGES

Mirror site:
ftp://ftp.openswan.fi/pub/openswan/openswan-2.6.38.tar.gz
ftp://ftp.openswan.fi/pub/openswan/openswan-2.6.38.tar.gz.asc
ftp://ftp.openswan.fi/pub/openswan/CHANGES

This is a major bugfix release. It fixes and enhances IKEv2
functionality. It works around the Linux kernel bug for
wrong SHA2 truncation that caused openswan to fail to interop
with other vendors such as Checkpoint. It has various NAT-T
fixes for better interop with Android and I-Phones. And it now
supports reconfiguring a locally running DNSSEC server with
nameservers obtained via XAUTH/ModeConfig.

A full list of changes follows

[Openswan dev] openswan 2.6.38 release candidate 2

Paul Wouters — 2012-03-20T16:46:47

Hi developers,

Please test openswan 2.6.38 Release Candidate 2:

http://download.openswan.org/openswan/testing/openswan-2.6.38rc2.tar.gz
http://download.openswan.org/openswan/testing/openswan-2.6.38rc2.tar.gz.asc

See for the CHANGES:

http://download.openswan.org/openswan/CHANGES

Paul
_______________________________________________
Dev mailing list
Dev< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/dev

[Openswan dev] openswan 2.6.38 release candidate 1

Paul Wouters — 2012-03-12T22:45:48

Hi developers,

Please test openswan 2.6.38 Release Candidate 1:

http://download.openswan.org/openswan/testing/openswan-2.6.38rc1.tar.gz
http://download.openswan.org/openswan/testing/openswan-2.6.38rc1.tar.gz.asc

See for the CHANGES:

http://download.openswan.org/openswan/CHANGES

Paul