#790 v1.9.19 : IPSEC fails with aliases

Milestone: 2.0
Status: closed-fixed
Owner: nobody
Labels: VPN (60)
Priority: 5
Updated: 2014-02-14
Created: 2011-06-22
Creator: Dave Roberts
Private: No

It would appear that Openswan fails to start if aliases are used on the wan-1 interface. Relevant part of messages:

Jun 22 17:39:30 mailgate pluto[16195]: added connection description "ipsecvpn"
Jun 22 17:39:30 mailgate pluto[16195]: | 10.0.0.0/24===xx.xx.xx.xx<xx.xx.xx.xx>[+S=C]...yy.yy.yy.yy<yy.yy.yy.yy>[+S=C]===10.0.1.0/24
Jun 22 17:39:30 mailgate pluto[16195]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK
Jun 22 17:39:30 mailgate ipsec__plutorun: 002 added connection description "ipsecvpn"
Jun 22 17:39:30 mailgate pluto[16195]: | * processed 0 messages from cryptographic helpers
Jun 22 17:39:30 mailgate pluto[16195]: | next event EVENT_PENDING_DDNS in 60 seconds
Jun 22 17:39:30 mailgate pluto[16195]: | next event EVENT_PENDING_DDNS in 60 seconds
Jun 22 17:39:30 mailgate pluto[16195]: |
Jun 22 17:39:30 mailgate pluto[16195]: | *received whack message
Jun 22 17:39:30 mailgate pluto[16195]: listening for IKE messages
Jun 22 17:39:30 mailgate pluto[16195]: | found lo with address 127.0.0.1
Jun 22 17:39:30 mailgate pluto[16195]: | found wan-1 with address xx.xx.xx.xx
Jun 22 17:39:30 mailgate pluto[16195]: FATAL ERROR: ioctl(SIOCGIFFLAGS) for wan-1.alias in find_raw_ifaces4(). Errno 19: No such device
Jun 22 17:39:30 mailgate pluto[16195]: | processing connection ipsecvpn
Jun 22 17:39:30 mailgate pluto[16195]: "ipsecvpn": deleting connection
Jun 22 17:39:30 mailgate pluto[16195]: | alg_info_delref(0xb8c23d18) alg_info->ref_cnt=1
Jun 22 17:39:30 mailgate pluto[16195]: | alg_info_delref(0xb8c23d18) freeing alg_info
Jun 22 17:39:30 mailgate pluto[16195]: | alg_info_delref(0xb8c234b0) alg_info->ref_cnt=1
Jun 22 17:39:30 mailgate pluto[16195]: | alg_info_delref(0xb8c234b0) freeing alg_info
Jun 22 17:39:30 mailgate pluto[16197]: pluto_crypto_helper: helper (0) is normal exiting
Jun 22 17:39:30 mailgate ipsec__plutorun: 003 FATAL ERROR: ioctl(SIOCGIFFLAGS) for wan-1.alias in find_raw_ifaces4(). Errno 19: No such device

I found a reference to this at http://lists.openswan.org/pipermail/users/2010-April/018646.html from a user Olaf. Is that Herr Westrik? Is there a fix available?

Regards,
Dave

Discussion

  • Dave Roberts
    2011-06-22

    This may not be an openswan error.

    The error is caught on line 307 of openswan-2.6.34\programs\pluto\sysdep_linux.c when the program tries to get some extended information for wan-1.alias:

    /* Find out stuff about this interface. See netdevice(7). */
    zero(&auxinfo); /* paranoia */
    memcpy(auxinfo.ifr_name, buf[j].ifr_name, IFNAMSIZ);
    if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1)
        exit_log_errno((e, "ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()", ri.name));

    I initially thought that openswan didn't know how to deal with aliased network interfaces but then I ran ifconfig and this gave duff info as well:

    wan-1 Link encap:Ethernet HWaddr 00:ab:cd:ef:12:34
    inet addr:xx.xx.xx.xx Bcast:0.0.0.0 Mask:255.255.255.240
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:212852 errors:0 dropped:0 overruns:0 frame:0
    TX packets:209171 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:99953125 (95.3 MiB) TX bytes:131639641 (125.5 MiB)
    Interrupt:17

    wan-1.alias: error fetching interface information: Device not found

    That's the story so far. Will have a look how the aliases are created and report back.

  • Dave Roberts
    2011-06-22

    Well I've found a kludge to get openswan up and running with aliased interfaces. You need to remove the wan-1.alias entries using:

    /sbin/ip addr flush label wan-1.alias

    And then re-add but using a :1 label:

    /sbin/ip addr add 1.2.3.4/28 dev wan-1 label wan-1:1
    /sbin/ip addr add 1.2.3.5/28 dev wan-1 label wan-1:1
    /sbin/ip addr add 1.2.3.6/28 dev wan-1 label wan-1:1

    ifconfig and ioctl are both happy to use the :1 label and return valid information.

    Now to see what the .alias label is used for.

  • Dave Roberts
    2011-06-22

    I've done a quick scan and can't find any code that relies on .alias (I could be wrong though). My proposed changes are to trunk/src/misc-progs/setaliases.c:

    line 142, before:
    "/sbin/ip addr add %s dev %s label %s.alias",
    line 142, after:
    "/sbin/ip addr add %s dev %s label %s:1",

    line 148, before:
    "/sbin/ip addr add %s/%s dev %s label %s.alias",
    line 148, after:
    "/sbin/ip addr add %s/%s dev %s label %s:1",

  • Dave, thanks for your report and suggested fix.

    There is another instance where you need to change .alias to :1, on line 91, which flushes aliases.

    Apologies for the delayed response, I think Olaf must be on holiday.

  • Olaf Westrik
    2011-06-29

    The Linux kernel has several places with hardcoded ':' as the test for aliased interfaces.
    /sbin/ip handles '.' just fine, the kernel does not.

    We'll return to using ':', I don't think we can convince upstream to change the kernel ...

  • Olaf Westrik
    2011-06-29

    • status: open --> pending-fixed
  • This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

    • status: pending-fixed --> closed-fixed