From: Luis G. <bew...@ya...> - 2009-08-10 16:16:29
I have seen that something is installed in /usr/local/sbin. I think the problem is in the config with --prefix==$home or something like that. As you see I am not an expert in code for Linux :-(

My objective is only to install ipsec-tools-0.8-alpha in order to be able to use opennhrp. How should I configure ipsec-tools in order to be compatible with opennhrp?

Thanks

________________________________
From: Luis Garcia <bew...@ya...>
To: ips...@li...
Sent: Monday, 10 August 2009 16:24:29
Subject: Files not created after doing make

I am very worried because I have seen that, like in Debian, in Ubuntu the /etc/ipsec-tools.conf, the /etc/racoon/racoon.conf and these ones are not created. And I think that this is because I am doing anything bad.

As I told before, no error is seen during the compilation process. The -Werror has been removed in the Makefiles, the Flex and Bison are installed, Apparmor removed, SeLinux installed and rebooted the computer ... and at last I see that the compilation is finished without any error message, but the files are not created.

The steps I do are ... (being root in Ubuntu)

./configure (Must I add any sentences after configure as I have seen with previous ipsec-tools versions?)

After doing configure, remove the -Werror in every all the makefiles in the ipsec-tools folder and subfolders.

make
make install

I have searched in the forum and in the internet but I haven't found the solution. What I am doing bad? Is anywhere a guide about how to install it?

Thanks

From: Luis G. <bew...@ya...> - 2009-08-10 17:26:47
Searching and searching, I am trying different configure functions, the following one is the last, but all remains the same, for example I have the /usr/sbin/setkey but none of the /etc, even when it is supposed to be configured in sysconfdir. I also have tried with sysconfdir=/etc but everything remains the same as I told before.

At least anyone could tell me how to solve it in order to work with opennhrp or thinks at least where could be my problem because I am a bit lost ... I will remain searching and testing.

CFLAGS="-D_FORTIFY_SOURCE=0" ./configure --verbose --prefix=/usr --sysconfdir=/etc/racoon --mandir=/usr/share/man --infodir=/usr/share/info --localstatedir=/var/run --enable-shared --disable-static --enable-frag --enable-hybrid --enable-dpd --enable-adminport --enable-natt --with-kernel-headers=/usr/include --without-readline

________________________________
From: Luis Garcia <bew...@ya...>
To: ips...@li...
Sent: Monday, 10 August 2009 18:16:14
Subject: Re: [Ipsec-tools-devel] Files not created after doing make

I have seen that something is installed in /usr/local/sbin. I think the problem is in the config with --prefix==$home or something like that. As you see I am not an expert in code for Linux :-(

My objective is only to install ipsec-tools-0.8-alpha in order to be able to use opennhrp. How should I configure ipsec-tools in order to be compatible with opennhrp?

Thanks

________________________________
From: Luis Garcia <bew...@ya...>
To: ips...@li...
Sent: Monday, 10 August 2009 16:24:29
Subject: Files not created after doing make

I am very worried because I have seen that, like in Debian, in Ubuntu the /etc/ipsec-tools.conf, the /etc/racoon/racoon.conf and these ones are not created. And I think that this is because I am doing anything bad.

As I told before, no error is seen during the compilation process. The -Werror has been removed in the Makefiles, the Flex and Bison are installed, Apparmor removed, SeLinux installed and rebooted the computer ... and at last I see that the compilation is finished without any error message, but the files are not created.

The steps I do are ... (being root in Ubuntu)

./configure (Must I add any sentences after configure as I have seen with previous ipsec-tools versions?)

After doing configure, remove the -Werror in every all the makefiles in the ipsec-tools folder and subfolders.

make
make install

I have searched in the forum and in the internet but I haven't found the solution. What I am doing bad? Is anywhere a guide about how to install it?

Thanks

From: Timo T. <tim...@ik...> - 2009-08-10 17:38:52
Luis Garcia wrote:
> Searching and searching, I am trying different configure functions, the
> following one is the last, but all remains the same, for example I have
> the /usr/sbin/setkey but none of the /etc, even when it is supposed to
> be configured in sysconfdir. I also have tried with sysconfdir=/etc but
> everything remains the same as I told before.

There is not supposed to be anything in /etc after make install. It's all configuration: *you* have to write it, based on what kind of security policies and connections you want. The opennhrp readme has a basic example of the policies you want.

Some distributions provide empty config files in /etc. Or files with a comment to read the appropriate man page. But those are added by the specific distributions.

> At least anyone could tell me how to solve it in order to work with
> opennhrp or thinks at least where could be my problem because I am a bit
> lost ... I will remain searching and testing.
>
> CFLAGS="-D_FORTIFY_SOURCE=0" ./configure --verbose --prefix=/usr
> --sysconfdir=/etc/racoon --mandir=/usr/share/man
> --infodir=/usr/share/info --localstatedir=/var/run --enable-shared
> --disable-static --enable-frag --enable-hybrid --enable-dpd
> --enable-adminport --enable-natt --with-kernel-headers=/usr/include
> --without-readline

The configure line looks perfectly ok.

- Timo

From: Luis G. <bew...@ya...> - 2009-08-11 15:04:21
Hi! I'm here again ... I have been reading the man pages, the forum etc ... I have created the files like is advised in the README and in a blog found in internet, but an error is shown me. In this case the error message is the typical one as I have seen in the forum, but the difference is that in this case the exitstatus number is 1.

The problem is not in the network because I have previous experience in Cisco DMVPNs, I am able from the computer to do ping to the ethernet interface of the cisco router, but I have seen that the computer is not sending any NHRP packets to the Router.

What I am doing bad now?

thanks

________________________________
From: Timo Teräs <tim...@ik...>
To: Luis Garcia <bew...@ya...>
CC: ips...@li...
Sent: Monday, 10 August 2009 19:38:36
Subject: Re: [Ipsec-tools-devel] Files not created after doing make

Luis Garcia wrote:
> Searching and searching, I am trying different configure functions, the following one is the last, but all remains the same, for example I have the /usr/sbin/setkey but none of the /etc, even when it is supposed to be configured in sysconfdir. I also have tried with sysconfdir=/etc but everything remains the same as I told before.

There is not supposed to be anything in /etc after make install. It's all configuration: *you* have to write it, based on what kind of security policies and connections you want. The opennhrp readme has a basic example of the policies you want.

Some distributions provide empty config files in /etc. Or files with a comment to read the appropriate man page. But those are added by the specific distributions.

> At least anyone could tell me how to solve it in order to work with opennhrp or thinks at least where could be my problem because I am a bit lost ... I will remain searching and testing.
>
> CFLAGS="-D_FORTIFY_SOURCE=0" ./configure --verbose --prefix=/usr --sysconfdir=/etc/racoon --mandir=/usr/share/man --infodir=/usr/share/info --localstatedir=/var/run --enable-shared --disable-static --enable-frag --enable-hybrid --enable-dpd --enable-adminport --enable-natt --with-kernel-headers=/usr/include --without-readline

The configure line looks perfectly ok.

- Timo

From: Timo T. <tim...@ik...> - 2009-08-11 17:13:38
Luis Garcia wrote:
> Hi! I'm here again ... I have been reading the man pages, the forum etc
> ... I have created the files like is advised in the README and in a
> blog found in internet, but an error is shown me. In this case the error
> message is the typical one as I have seen in the forum, but the
> difference is that in this case the exitstatus number is 1.

The exitstatus is kinda useless; it just means the opennhrp-script failed to run: most likely racoon failed to establish sa. You really need to paste the logs.

Depending on the problem it can be a problem in the opennhrp-script or the racoon configuration; so it's a bit tricky to decide if the questions should go to opennhrp or this list.

> The problem is not in the network because I have previous experience in
> Cisco DMVPNs, I am able from the computer to do ping to the ethernet
> interface of the cisco router, but I have seen that the computer is not
> sending any NHRP packets to the Router.

The opennhrp does not send anything until the script has exited with zero to imply successful sa negotiation. This would imply that your ping packets are going over the transit subnet unencrypted and without gre routing.

- Timo

From: Luis G. <bew...@ya...> - 2009-08-12 00:45:12
But it is strange, because I haven't got any racoon.log neither in /var/log nor in any other file in all the computer. I have been searching it. And I have seen in these forums of people sending the outputs of the logs.

The only log I have found with any information of opennhrp is the syslog, but no new information is shown. Even the opennhrp -v doesn't show any additional information.

I know that this is not relevant information, but the problem shown to me is

racoonctl: kmpstat: invalid argument
Peer up script failed: exitstatus 1

In the forum a person with a similar problem is inforced to install ipsec-tools 0.8, but this is the version I have. The config files are copied-pasted, and the Cisco architecture is adapted to the configuration of the examples.

Thanks

________________________________
From: Timo Teräs <tim...@ik...>
To: Luis Garcia <bew...@ya...>
CC: ips...@li...
Sent: Tuesday, 11 August 2009 19:13:25
Subject: Re: What does exitstatus1 mean?

Luis Garcia wrote:
> Hi! I'm here again ... I have been reading the man pages, the forum etc ... I have created the files like is advised in the README and in a blog found in internet, but an error is shown me. In this case the error message is the typical one as I have seen in the forum, but the difference is that in this case the exitstatus number is 1.

The exitstatus is kinda useless; it just means the opennhrp-script failed to run: most likely racoon failed to establish sa. You really need to paste the logs.

Depending on the problem it can be a problem in the opennhrp-script or the racoon configuration; so it's a bit tricky to decide if the questions should go to opennhrp or this list.

> The problem is not in the network because I have previous experience in Cisco DMVPNs, I am able from the computer to do ping to the ethernet interface of the cisco router, but I have seen that the computer is not sending any NHRP packets to the Router.

The opennhrp does not send anything until the script has exited with zero to imply successful sa negotiation. This would imply that your ping packets are going over the transit subnet unencrypted and without gre routing.

- Timo

From: Timo T. <tim...@ik...> - 2009-08-12 04:50:25
Luis Garcia wrote:
> But it is strange, because I haven't got any racoon.log neither in
> /var/log nor in any other file in all the computer. I have been
> searching it. And I have seen in these forums of people sending the
> outputs of the logs.

Both ipsec-tools and opennhrp use syslog to log stuff. Additionally they print to stderr if started from command line.

> The only log I have found with any information of opennhrp is the
> syslog, but no new information is shown. Even the opennhrp -v doesn't
> show any additional information.
>
> I know that this is not relevant information, but the problem shown
> to me is racoonctl: kmpstat: invalid argument
> Peer up script failed: exitstatus 1

This is exactly the important bit of information.

> In the forum a person with a similar problem is inforced to install
> ipsec-tools 0.8, but this is the version I have. The config files are
> copied-pasted, and the Cisco architecture is adapted to the
> configuration of the examples.

Yes, but maybe you installed it to different place from where the stock OS version is. E.g. operating system provides it in /usr/bin and you put it in /usr/local/bin; and the OS version still gets used.

You might want to remove the OS ipsec-tools package. Or at least verify that the right version is being used (racoon -V prints version; or just "racoonctl" and you can verify presence of -w flag for establish-sa command in usage).

- Timo

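Added example (not part of the original thread, and not code from ipsec-tools or opennhrp): a shell check for the situation described in the message above, where a distribution copy and a self-built copy of racoonctl coexist and the wrong one gets used. It lists every racoonctl on a search path in lookup order and reports whether each copy's usage text shows [-w] on establish-sa; the function names are hypothetical, and it assumes racoonctl prints its usage when run without arguments, as stated in the thread.

```shell
#!/bin/sh
# Added example: find every racoonctl on the search path and report which
# copy the shell actually runs and whether its usage text offers [-w].

# list_on_path CMD [PATHSTRING]: print each executable CMD in lookup order.
list_on_path() {
    cmd=$1; search=${2:-$PATH}
    old_ifs=$IFS; IFS=:
    for dir in $search; do
        [ -n "$dir" ] || dir=.          # empty PATH entry means current dir
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
        fi
    done
    IFS=$old_ifs
}

# has_wait_flag BIN: run BIN without arguments (assumed to print its usage)
# and succeed only if the establish-sa line advertises [-w].
has_wait_flag() {
    usage=$("$1" 2>&1 </dev/null) || true
    printf '%s\n' "$usage" | grep 'establish-sa' | grep -q -F -e '[-w]'
}

# audit_racoonctl [PATHSTRING]: one line per copy; the first is the active one.
audit_racoonctl() {
    first=1
    list_on_path racoonctl "${1:-$PATH}" | while IFS= read -r bin; do
        if [ "$first" -eq 1 ]; then state=ACTIVE; else state=shadowed; fi
        first=0
        if has_wait_flag "$bin"; then flag=yes; else flag=no; fi
        printf '%s %s wait-flag=%s\n' "$state" "$bin" "$flag"
    done
}

# Audit the current PATH; prints nothing when no racoonctl is installed.
audit_racoonctl
```

Pass the search path that opennhrp and its peer-up script actually run with, since it can differ from an interactive root shell; more than one output line means two installs are competing.
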
From: Luis G. <bew...@ya...> - 2009-08-12 16:03:15
Today I haven't been with the opennhrp very much... The only thing I have done is to see the outputs you have told me. The outputs are the following ones, in which I don't see the -w in the racoonctl, maybe it is the problem. But what is strange for me is that in this case the error is different, because when I had installed with ipsec-tools 0.7 the output of the error was about -w, but in this case the error is different.

If this info help more ...

racoon -V
- OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
- IPv6 support
- Dead Peer Detection
- IKE fragmentation
- Hybrid authentication
- NAT Traversal
- Timing statistics
- Admin port
- Monotonic clock
- Security context

racoonctl
racoonctl [opts] reload-config
racoonctl [opts] show-schedule
racoonctl [opts] show-sa [protocol]
racoonctl [opts] flush-sa [protocol]
racoonctl [opts] delete-sa <saopts>
racoonctl [opts] establish-sa [-u identity] [-n remoteconf] [-w] <saopts>
racoonctl [opts] vpn-connect [-u identity] vpn_gateway
racoonctl [opts] vpn-disconnect vpn_gateway
racoonctl [opts] show-event
racoonctl [opts] logout-user login

General options:
  -d Debug: hexdump admin messages before sending
  -l Increase output verbosity (mainly for show-sa)
  -s <socket> Specify adminport socket to use (default: /usr/local/var/racoon/racoon.sock)

Parameter specifications:
  <protocol>: "isakmp", "esp" or "ah".
    In the case of "show-sa" or "flush-sa", you can use "ipsec".
  <saopts>: "isakmp" <family> <src> <dst>
          : {"esp","ah"} <family> <src/prefixlen/port> <dst/prefixlen/port> <ul_proto>
  <family>: "inet" or "inet6"
  <ul_proto>: "icmp", "tcp", "udp", "gre" or "any"

________________________________
From: Timo Teräs <tim...@ik...>
To: Luis Garcia <bew...@ya...>
CC: ips...@li...
Sent: Wednesday, 12 August 2009 6:50:09
Subject: Re: What does exitstatus1 mean?

Luis Garcia wrote:
> But it is strange, because I haven't got any racoon.log neither in /var/log nor in any other file in all the computer. I have been searching it. And I have seen in these forums of people sending the outputs of the logs.

Both ipsec-tools and opennhrp use syslog to log stuff. Additionally they print to stderr if started from command line.

> The only log I have found with any information of opennhrp is the syslog, but no new information is shown. Even the opennhrp -v doesn't show any additional information.
> I know that this is not relevant information, but the problem shown to me is racoonctl: kmpstat: invalid argument
> Peer up script failed: exitstatus 1

This is exactly the important bit of information.

> In the forum a person with a similar problem is inforced to install ipsec-tools 0.8, but this is the version I have. The config files are copied-pasted, and the Cisco architecture is adapted to the configuration of the examples.

Yes, but maybe you installed it to different place from where the stock OS version is. E.g. operating system provides it in /usr/bin and you put it in /usr/local/bin; and the OS version still gets used.

You might want to remove the OS ipsec-tools package. Or at least verify that the right version is being used (racoon -V prints version; or just "racoonctl" and you can verify presence of -w flag for establish-sa command in usage).

- Timo