This list is closed, nobody may subscribe to it.
From: Mick <mic...@gm...> - 2019-11-06 10:58:26
Hi Frank,

UDP port 500 is used for ISAKMP to negotiate keys (IKE Phase 1) between two VPN end points and UDP port 4500 can be used to send encapsulated ESP packets when NAT-Translation is necessary, because either VPN end point may be behind a router. Usually UDP 500 is the port racoon will attempt to start a negotiation on. These ports are registered by IANA for this purpose, so unless an IKE/IPSec application is already using these ports they should be available for a connection. If you have a running VPN server these ports will be reported as listening for incoming connections when you run netstat or ss. When there is no application running IKE/IPSec these ports should not be in use and therefore you ought to investigate what software is using these ports before you proceed.

To answer your question directly, racoon can be initiated to use/listen on a different port for ISAKMP instead of UDP 500, just use the option:

-p 13503

to make racoon use (for example) UDP port 13503 for Phase 1, and

-P 43508

to make racoon use UDP port 43508 for encapsulated ESP packets.

PLEASE NOTE:
============
The development of IPsec-Tools has been abandoned since 2014 and there are a number of known vulnerabilities present in older versions:

http://ipsec-tools.sourceforge.net/

My understanding is that NetBSD continue to provide patches, e.g.:

https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=54020

Unless you know your version of racoon and associated IPsec-Tools software was built incorporating these patches, it is better if you use a different application and stronger protocols and ciphers (e.g. IKEv2) for your VPN tunnels than racoon. For example:

https://wiki.strongswan.org/projects/strongswan/wiki/Android

Hope this helps.

On Wednesday, 6 November 2019 05:31:40 GMT guyue huang wrote:
> Dear experts,
>
> I really need some help from you guys since I met an issue when setting up a VPN with an Android phone; the log showed that some other application uses the ports [500] and [4500], which prevents racoon from setting up the tunnel.
>
> Here is my question: should racoon use ports [500] and [4500] exclusively for any security concern, so that it can share the ports with any other applications?
>
> Thanks,
> Frank
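To act on the advice above (find out what already holds UDP 500/4500 before starting racoon, and confirm the alternate -p/-P ports are free), here is an added Python example; it is not ipsec-tools code. It parses the output of `ss -lunp`; the sample output embedded below is constructed, with `charon` standing in for some other IKE daemon that holds the ports.

```python
"""Report which process holds the IKE/NAT-T UDP ports before starting racoon.

Added example, not code from the ipsec-tools project. Parses `ss -lunp`
output (UDP listeners, numeric ports, owning process). SAMPLE_SS_OUTPUT is
constructed for illustration; on a live host replace it with the text from
subprocess.run(["ss", "-lunp"], capture_output=True, text=True).stdout.
"""
import re

IKE_PORTS = {
    500: "ISAKMP / IKE Phase 1",
    4500: "IPsec NAT-T (UDP-encapsulated ESP)",
}

# Constructed sample: an unrelated resolver on 53, and another IKE daemon
# ("charon") already bound to 500/4500 on IPv4 and 500 on IPv6.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
UNCONN  0       0        127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=612,fd=12))
UNCONN  0       0        0.0.0.0:500          0.0.0.0:*          users:(("charon",pid=2211,fd=9))
UNCONN  0       0        0.0.0.0:4500         0.0.0.0:*          users:(("charon",pid=2211,fd=10))
UNCONN  0       0        [::]:500             [::]:*             users:(("charon",pid=2211,fd=11))
"""

# Matches the first ("name",pid=N ...) entry of the Process column.
_PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_ss_udp(text):
    """Return [(local_addr, port, process_name, pid)] for each UDP listener in `ss -lunp` text."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Header line starts with "State"; listener lines with "UNCONN".
        if len(fields) < 5 or fields[0] != "UNCONN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles "[::]:500" and "a.b.c.d%lo:53"
        if not port.isdigit():
            continue
        m = _PROC_RE.search(line)
        name, pid = (m.group("name"), int(m.group("pid"))) if m else (None, None)
        listeners.append((addr, int(port), name, pid))
    return listeners


def ike_port_conflicts(listeners, daemon="racoon"):
    """Map IKE port -> [(addr, process, pid)] for listeners that are not our own daemon."""
    conflicts = {}
    for addr, port, name, pid in listeners:
        if port in IKE_PORTS and name != daemon:
            conflicts.setdefault(port, []).append((addr, name, pid))
    return conflicts


def free_port(listeners, candidate):
    """True if no UDP listener on any address is bound to `candidate`."""
    return all(port != candidate for _, port, _, _ in listeners)


if __name__ == "__main__":
    ls = parse_ss_udp(SAMPLE_SS_OUTPUT)
    for port, holders in sorted(ike_port_conflicts(ls).items()):
        for addr, name, pid in holders:
            print(f"UDP {port} ({IKE_PORTS[port]}) is held by {name}[{pid}] on {addr}")
    # The -p/-P alternates suggested above are only useful if nothing else has them.
    for alt in (13503, 43508):
        print(f"UDP {alt} free: {free_port(ls, alt)}")
```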
From: guyue h. <hhh...@gm...> - 2019-11-06 05:32:03
Dear experts,

I really need some help from you guys since I met an issue when setting up a VPN with an Android phone; the log showed that some other application uses the ports [500] and [4500], which prevents racoon from setting up the tunnel.

Here is my question: should racoon use ports [500] and [4500] exclusively for any security concern, so that it can share the ports with any other applications?

Thanks,
Frank
From: Cai, X. (X.) <xc...@yf...> - 2018-12-03 14:18:04
Dear All,

Excuse me. I am porting the ipsec-tools to an Android 8.1 system, because Android only supports the racoon utility, not the setkey utility. But, unfortunately, I always meet issues when adding an esp SAD (adding an ah SAD is ok). The error message is below. I am reading the source code, but still cannot understand what the root cause is. Could you please give me any guidance?

Thank you very much!

The result of line 22: (null).
The result of line 23: (null).

Thanks & Best Regards
----------------------------------------------------------------------
Cai Xiaodong (蔡小冬)
Tel: (86-21) 33323361
Email: xc...@yf...
From: Mick <mic...@gm...> - 2018-10-09 17:56:00
Hi Phil,

On Monday, 8 October 2018 08:52:31 BST Phil Nightowl wrote:
> Hi Mick,
>
> thanks for your hints. Unfortunately, I did try that one already (sorry for not mentioning that). Just to be sure, I tried now once again with the /24 mask (before that, I used the /25 one). Still the same, i. e. error during phase 2.

I tried a similar set up to yours but with different subnets (to fit my own network topology) and can confirm Phase 2 hangs when *both* sides' sainfo directives are configured to have the initiator's IPSec ID set as a subnet and the responder's as a single address (or both of them as subnets). With this setup I noticed Phase 1 completes, then Phase 2 starts being negotiated, but comes up with the same errors as you have shown:

ERROR: failed to get sainfo.
ERROR: failed to pre-process ph2 packet (side: 1, status: 1).

While I was logged in PC-A I could see it had succeeded in setting up IKE Phase 1, but was unable to complete Phase 2. In Phase 2 it had started setting up SAs for ESP and AH from the remote peer (PC-B) to local (PC-A), but only ESP from local to remote. All these were incomplete (shown with 'state=larval' instead of mature). You can check the same using:

racoonctl -l show-sa ipsec

If I leave PC-B's racoon.conf as is, but change in PC-A's racoon.conf the sainfo directive to anonymous, then the following behaviour was observed:

Connections initiated from PC-A still fail to complete as above.
Connections initiated from PC-B complete successfully.

> To some extent, I expected this, because my racoon.conf man page (in the part that describes the sainfo part of the config file) says:
>
> [ ... ]
>
> "An id string should be expressed to match the exact value of an ID payload. This is not like a filter rule. For example, if you define 3ffe:501:4819::/48 as local_id, 3ffe:501:4819:1000:/64 will not match. In the case of a longest prefix (selecting a single host), address instructs to send ID type of ADDRESS while subnet instructs to send ID type of SUBNET. Otherwise, these instructions are identical."
>
> This is exactly where I get lost. I always assumed that the sainfo part of the config file is relevant only when receiving a packet from a remote host, not when sending one.

As I understand it, sainfo is used in two cases:

When the initiator generates an IPSec proposal, racoon uses the local/remote values of the sainfo to create the ID payload. It selects these sainfo values by matching them against the selectors acquired from the kernel, which in turn are derived from the SPD entries. Therefore, the sainfo and SPD local/remote values must match.

In the responder, racoon selects an sainfo directive from the racoon.conf file in order to compare it with the proposal received from the initiator. In this case the selector is derived from the ID payload of the IPSec proposal of the initiator. Hence the sainfo IDs must match between peers, unless 'anonymous' is used, which will match any proposed ID.

> Although I do not know *why* there is no filter/subnet matching, I just accept that at the moment. As a result, the above quote from the man page makes me think that I have to make the initiator send a subnet id string (i. e. 10.0.0.0/25) instead of a host id (10.0.0.1), which is exactly what I do not know how to do.

The error "failed to pre-process ph2 packet/failed to get sainfo" is typically caused by mismatched subnets and in particular a subnet mask. The sainfo IPSec IDs (local_id and remote_id) are meant to be set up in the sainfo sections, which is what you have been doing. I am also not clear why the subnet is not matching. Looking at the output of 'ip xfrm monitor' I can see the selectors processed by the kernel when I try to initiate the connection: the 'acquire proto esp' call shows individual IP addresses, while the SPD policies that follow show a subnet ... :-/

> On the other hand, I might be misguided here completely, but there could also be a bug in the code. Therefore, I will be very grateful for any further ideas.

I'm not a developer and my knowledge is rather limited, but I think the rules for comparing IKEv1 Phase 2 ID payloads were never defined clearly enough to allow faultless interoperability between VPN implementations. Hence the decision to implement a simple sainfo ID match, rather than filters, which can quickly get out of hand. In IKEv2 these rules are specified more fully.

Coming back to your use case, is it not suitable to set the responder's sainfo as anonymous? From what I tried above the connection gets established, although I suspect if it breaks down/expires only one side will be able to renew it.

--
Regards,
Mick
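The matching rule discussed above (an sainfo id must equal the ID payload exactly, with no prefix containment, and `anonymous` matches any id) can be made concrete with a small model. This is an added Python example, not racoon's source: the requirement that an `address` id be a single host is this model's assumption, following the earlier diagnosis of `sainfo address 10.0.0.0/25`, and the IPv6 peer address 2001:db8::1 is constructed.

```python
"""Simplified model of how racoon selects an sainfo block for an IKEv1 Phase 2 proposal.

Added example, not racoon code. It encodes the rule quoted from racoon.conf(5)
in the thread: the id string must match the exact value of the ID payload (not
a filter), `address` sends ID type ADDRESS, `subnet` sends ID type SUBNET, and
`anonymous` accepts any id. Assumption of this model: an `address` id must be a
single host (/32 or /128); a shorter prefix is a configuration error.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class IpsecId:
    """A Phase 2 ID payload: the ID type plus its exact value."""
    id_type: str      # "ADDRESS" or "SUBNET"
    value: Network


def make_id(keyword, text):
    """Build the ID payload that `sainfo <keyword> <text> ...` would send or expect."""
    net = ipaddress.ip_network(text, strict=False)
    if keyword == "address":
        if net.prefixlen != net.max_prefixlen:
            raise ValueError(f"'address' needs a single host, but {text} is a subnet")
        return IpsecId("ADDRESS", net)
    if keyword == "subnet":
        return IpsecId("SUBNET", net)
    raise ValueError(f"unknown sainfo id keyword {keyword!r}")


def directive_problem(keyword, text):
    """Return a diagnostic for a malformed sainfo id, or None if it is well formed."""
    try:
        make_id(keyword, text)
    except ValueError as exc:
        return str(exc)
    return None


@dataclass(frozen=True)
class Sainfo:
    """One sainfo directive: `anonymous` when both ids are None, else an exact id pair."""
    local: Optional[IpsecId] = None
    remote: Optional[IpsecId] = None

    @property
    def anonymous(self):
        return self.local is None and self.remote is None

    def matches(self, proposed_local, proposed_remote):
        """Exact comparison of type and value: 10.0.0.1 does not match subnet 10.0.0.0/24,
        and 3ffe:501:4819:1000::/64 does not match 3ffe:501:4819::/48 even though contained."""
        if self.anonymous:
            return True
        return self.local == proposed_local and self.remote == proposed_remote


def select_sainfo(config, proposed_local, proposed_remote):
    """Responder side: the initiator's ID payloads, seen from this host (its own id as
    `proposed_local`, the peer's as `proposed_remote`), are compared against each sainfo
    in order. None corresponds to racoon's 'failed to get sainfo'."""
    for entry in config:
        if entry.matches(proposed_local, proposed_remote):
            return entry
    return None
```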
From: Phil N. <phi...@gm...> - 2018-10-08 07:56:36
My apologies - I have sent a private copy only, without sending it to the list as well.

Phil

----- Forwarded message -----

Hi Mick,

thanks for your hints. Unfortunately, I did try that one already (sorry for not mentioning that). Just to be sure, I tried now once again with the /24 mask (before that, I used the /25 one). Still the same, i. e. error during phase 2.

To some extent, I expected this, because my racoon.conf man page (in the part that describes the sainfo part of the config file) says:

[ ... ]

"An id string should be expressed to match the exact value of an ID payload. This is not like a filter rule. For example, if you define 3ffe:501:4819::/48 as local_id, 3ffe:501:4819:1000:/64 will not match. In the case of a longest prefix (selecting a single host), address instructs to send ID type of ADDRESS while subnet instructs to send ID type of SUBNET. Otherwise, these instructions are identical."

This is exactly where I get lost. I always assumed that the sainfo part of the config file is relevant only when receiving a packet from a remote host, not when sending one.

Although I do not know *why* there is no filter/subnet matching, I just accept that at the moment. As a result, the above quote from the man page makes me think that I have to make the initiator send a subnet id string (i. e. 10.0.0.0/25) instead of a host id (10.0.0.1), which is exactly what I do not know how to do.

On the other hand, I might be misguided here completely, but there could also be a bug in the code. Therefore, I will be very grateful for any further ideas.

Regards,
Phil

> The error in the log indicates the subnet 10.0.0.0/25 is incorrectly specified.
>
> In particular, you have specified:
>
> racoon.conf:
> ------------
> [ ... ]
>
> sainfo *address* 10.0.0.0/25 any address 10.0.0.254 any
>
> However, although 10.0.0.254 is an address, 10.0.0.0/25 is not an address but a subnet. Therefore, either provide a single address e.g.
>
> sainfo address 10.0.0.1 any address 10.0.0.254 any
>
> Or, provide a subnet:
>
> sainfo subnet 10.0.0.0/24 any address 10.0.0.254 any
>
> 10.0.0.0/24 will allow any IP address within this subnet to match. Alternatively, if it suits your use case set the sainfo to 'anonymous' and this will match any id which has successfully completed Phase1. Make sure your ipsec-tools.conf corresponds to the above settings and these are also mirrored on the remote peer's configuration files.
>
> On Friday, 5 October 2018 13:54:32 BST Phil Nightowl wrote:
> > > Did you try using 10.0.0.0/24 to specify the LAN subnet?
> >
> > I have just tried it out; unfortunately, it still does not match. The debug messages are the same (except for the netmask, of course).
> >
> > Best regards,
> >
> > Phil
> >
> > _______________________________________________
> > Ipsec-tools-users mailing list
> > Ips...@li...
> > https://lists.sourceforge.net/lists/listinfo/ipsec-tools-users
>
> --
> Regards,
> Mick

----- End forwarded message -----
From: Mick <mic...@gm...> - 2018-10-07 22:23:43
The psk.txt file is meant to be only accessible by root. If anyone gains access to this file the security of the VPN connection will be compromised. Therefore, change it to 0400 and make sure it is only owned by root:root. Otherwise racoon will refuse to run.

Regarding peers not being reachable, you need to configure your network so that they are reachable over existing routes. This is why I suggested you check you are able to ping the peers first. Without network connectivity between peers you cannot establish a VPN.

On Sunday, 7 October 2018 18:57:02 BST kalyani kaniganti wrote:
> Hi Mick,
> Now I can see the improvement.
>
> Phase1 negotiation started and I can see that both peers are not reachable. I see errors like psk has weak file permissions and I gave 777 permissions on both servers but issue is still present.
>
> Error is phase1 negotiation failed reason is could not find the packet for peer. May be the issue is due to the two peers are unreachable ?
>
> Error is /etc/racoon/psk.txt has weak file permission.
>
> Failed to open pre_share_key file /etc/racoon/pask.txt.
>
> Changed the permission of psk file to 777 on both servers and initiated racoon again but no improvement.
>
> Please suggest.
>
> BR,
> Kalyani.k
>
> On Sun, Oct 7, 2018, 11:02 PM Mick <mic...@gm...> wrote:
> > Have you tested the IPv6 stack? Does it work to route packets to the remote peer? Do you have a fully configured IPv6 route and routable addresses:
> >
> > ip -6 route show
> > ip -6 address show
> >
> > When you start racoon what is the output of 'racoonctl -l show-event' and what do you get in the log?
> >
> > Do you see IPv6 addresses proposed as isakmp port connections? For example, the racoon log starts with:
> >
> > racoon[10002]: INFO: ::1[500] used as isakmp port (fd=14)
> > racoon[10002]: INFO: ::1[4500] used as isakmp port (fd=15)
> >
> > and follows with local IPv6 addresses for each NIC your system has enabled.
> >
> > If the IPv6 stack is working correctly and you have a configured IPv6 route, but racoon still is not setting up IPv6 connections, then all I can think is your ipsec-tools has not been built with ipv6 for your system. ipsec-tools versions >=0.8.0 come with INET6. I don't know if INET6 in your version has been backported by SUSE.
> >
> > On Sunday, 7 October 2018 16:06:10 BST kalyani kaniganti wrote:
> > > Hi Mic,
> > >
> > > Thanks for quick response.
> > > I can see the CONFIG_INET6 are configured as modules.
> > > As mentioned we have already loaded modules from /lib/modules/3.0.101/default/net/ipv6 using command modprobe module name.
> > > After executing command we can see the modules in lsmod.
> > > Still racoon is unable to initiate IKEv1 phase initiation.
> > >
> > > May I know it's a kernel problem ?
> > >
> > > BR,
> > > Kalyani
> > >
> > > On Sun, Oct 7, 2018, 6:32 PM Mick <mic...@gm...> wrote:
> > > > Hi Kalyani,
> > > >
> > > > You don't *have* to set your kernel modules to be built in (set as 'y' in the kernel config). You can build them as modules (set as 'm' in the kernel config) and then check they are loaded. If you change any part of your kernel configuration to 'y', you will have to rebuild the kernel and then must reboot with it. With separately built modules you don't have to reboot, you can load the modules as you need them, if they have not been loaded already.
> > > >
> > > > The question you are asking is not an ipsec-tools specific question, but how to rebuild your SLES kernel. This will be required ONLY if the specific modules are not already enabled in the kernel. The command to use to configure a linux kernel is 'make menuconfig'. I haven't used your Linux distribution for years and things may have changed, so I cannot give you detailed steps. First have a look in your /proc/config.gz and search for the particular modules; e.g.
> > > >
> > > > zgrep INET6 /proc/config.gz
> > > >
> > > > If they are already marked as modules, then 'modprobe -v' them individually.
> > > >
> > > > If any of these modules are not configured (would be marked as 'not set') you will need to configure them and build them before you can load them. Ask for help on how to reconfigure and rebuild a kernel in SUSE support.
> > > >
> > > > On Sunday, 7 October 2018 13:38:48 BST kalyani kaniganti wrote:
> > > > > Hi,
> > > > >
> > > > > How we can check the parameters are set to y as per the below mail.
> > > > > Please provide me the command.
> > > > > If they are not set to y, any restarts are req.
> > > > > Please suggest us.
> > > > > BR,
> > > > > Kalyani
> > > > >
> > > > > On Sun, Oct 7, 2018, 4:46 PM Mick <mic...@gm...> wrote:
> > > > > > From 'man racoon':
> > > > > >
> > > > > > -d Increase the debug level. Multiple -d arguments will increase the debug level even more.
> > > > > >
> > > > > > You'll need to add this option in whatever script your distro is using to start racoon, if the logs are not verbose enough. Please note, this will only increase the log verbosity of the racoon application, not any kernel logs.
> > > > > >
> > > > > > If your IPv6 stack is working fine without IPSec, i.e. you can ping remote peers, then check the IPSec specific modules are available and loaded. I think you will need most of these:
> > > > > >
> > > > > > CONFIG_INET6_AH=y
> > > > > > CONFIG_INET6_ESP=y
> > > > > > CONFIG_INET6_IPCOMP=y
> > > > > > CONFIG_INET6_XFRM_TUNNEL=y
> > > > > > CONFIG_INET6_TUNNEL=y
> > > > > > CONFIG_INET6_XFRM_MODE_TRANSPORT=y
> > > > > > CONFIG_INET6_XFRM_MODE_TUNNEL=y
> > > > > > CONFIG_INET6_XFRM_MODE_BEET=y
> > > > > >
> > > > > > Also, if you are running a firewall you will probably need to enable IPv6 netfilter configuration modules. However, I would first check everything is working without a firewall enabled and then configure the firewall as the last step.
> > > > > >
> > > > > > Hope this helps.
> > > > > >
> > > > > > On Sunday, 7 October 2018 03:21:42 BST kalyani kaniganti wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > As per your below statement, could you please share the procedure to test it.
> > > > > > >
> > > > > > > Check your kernel config has CONFIG_INET6_* options suitable for IPSEC enabled.
> > > > > > >
> > > > > > > I am unable to find errors in logs; racoon is not stating any errors.
> > > > > > > BR,
> > > > > > > Kalyani.k
> > > > > > >
> > > > > > > On Sat, Oct 6, 2018, 11:49 PM kalyani kaniganti <kal...@gm...> wrote:
> > > > > > > > Hi,
> > > > > > > > Thanks for the information.
> > > > > > > > I have found out some of the kernel modules are not loaded in kernel for ipv6.
> > > > > > > > esp6.ko, ah6.ko and transport mode module. I loaded the modules using modprobe and I can see these modules using lsmod now.
> > > > > > > > But issue still exist, do you have any idea what modules are required for Ipsec to enable ipv6 in kernel .
> > > > > > > >
> > > > > > > > We have already tested for IPV4 it's working fine, but same is not working for ipv6.
> > > > > > > > How we can check logs in debug mode. Please suggest.
> > > > > > > > BR,
> > > > > > > > Kalyani.k
> > > > > > > >
> > > > > > > > On Sat, Oct 6, 2018, 10:40 PM Mick <mic...@gm...> wrote:
> > > > > > > > > Hi kalyani,
> > > > > > > > >
> > > > > > > > > Check your kernel config has CONFIG_INET6_* options suitable for IPSEC enabled. If some kernel module is necessary for IPv6 setkey/racoon will complain when you run/start it, so check your logs for any relevant messages.
> > > > > > > > >
> > > > > > > > > To troubleshoot this problem take one step at a time. First check your IPv4 network, routing and IPSec all work without errors. Then check your IPv6 stack is working and you can ping remote peers. Then check your logs for error messages when you try to initiate an ESP/AH connection with racoon. Increase verbosity and study the logs to debug the problem.
> > > > > > > > >
> > > > > > > > > On Saturday, 6 October 2018 15:28:56 BST kalyani kaniganti wrote:
> > > > > > > > > > Hi,
> > > > > > > > > > We are using ipsectools rpm version ipsec-tools-0.7.3_1.38.3.1 from sles 11 sp4 kernel.
> > > > > > > > > > We are using racoon as daemon .
> > > > > > > > > > We are using dual stack on os and trying to enable IPsec for IPV6 as well and we have already provided support for IPV4.
> > > > > > > > > > I have done configuration same as ipv4 but I find IPSEC-SA is not initiating phase 1 authentication.
> > > > > > > > > > May I know we have to enable any other option on kernel to support Ipsec for ipv6; we are trying to use ESP and AH protocols.
> > > > > > > > > >
> > > > > > > > > > Please suggest us
> > > > > > > > > > BR,
> > > > > > > > > > Kalyani.k
> >
> > --
> > Regards,
> > Mick

--
Regards,
Mick
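A defender-side check for the psk.txt rule stated at the top of the message above (mode 0400, owned by root:root, otherwise racoon refuses to start), as an added Python example that is not ipsec-tools code. The rule is taken from the message; the default path /etc/racoon/psk.txt is the one named in the thread.

```python
"""Check racoon's pre-shared key file against the 0400 root:root rule from the thread.

Added example, not code from the ipsec-tools project. `psk_findings` is a pure
function over the stat fields, so the rule can be exercised without root or a
real file; `check_psk_file` applies it to a path. Loosening the file to 777, as
was tried in the thread, adds findings rather than removing them: every peer's
secret becomes readable by any local user.
"""
import os
import stat

EXPECTED_MODE = 0o400


def psk_findings(mode, uid, gid):
    """Return the list of problems for a psk file with st_mode `mode` and owner uid/gid.

    An empty list means the file is 0400 and owned by root:root.
    """
    problems = []
    perm = stat.S_IMODE(mode)          # strip file-type bits, keep rwx/suid bits
    if perm & 0o077:
        problems.append(f"group/other have access (mode {perm:04o}); secrets readable by non-root")
    if perm & 0o200:
        problems.append(f"owner write bit set (mode {perm:04o}); expected read-only {EXPECTED_MODE:04o}")
    if perm & 0o100:
        problems.append("execute bit set on a key file")
    if uid != 0:
        problems.append(f"owner uid {uid} is not root")
    if gid != 0:
        problems.append(f"group gid {gid} is not root")
    return problems


def check_psk_file(path="/etc/racoon/psk.txt"):
    """Stat `path` and return its findings. A missing file is itself a finding: racoon
    reports that case as 'Failed to open pre_share_key file', as seen in the thread."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]
    return psk_findings(st.st_mode, st.st_uid, st.st_gid)


if __name__ == "__main__":
    for finding in check_psk_file() or ["psk.txt permissions look correct (0400 root:root)"]:
        print(finding)
```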
From: kalyani k. <kal...@gm...> - 2018-10-07 17:57:22
Hi Mick,
Now I can see the improvement.

Phase1 negotiation started and I can see that both peers are not reachable. I see errors like psk has weak file permissions and I gave 777 permissions on both servers but issue is still present.

Error is phase1 negotiation failed reason is could not find the packet for peer. May be the issue is due to the two peers are unreachable ?

Error is /etc/racoon/psk.txt has weak file permission.

Failed to open pre_share_key file /etc/racoon/pask.txt.

Changed the permission of psk file to 777 on both servers and initiated racoon again but no improvement.

Please suggest.

BR,
Kalyani.k

On Sun, Oct 7, 2018, 11:02 PM Mick <mic...@gm...> wrote:
> Have you tested the IPv6 stack? Does it work to route packets to the remote peer? Do you have a fully configured IPv6 route and routable addresses:
>
> ip -6 route show
> ip -6 address show
>
> When you start racoon what is the output of 'racoonctl -l show-event' and what do you get in the log?
>
> Do you see IPv6 addresses proposed as isakmp port connections? For example, the racoon log starts with:
>
> racoon[10002]: INFO: ::1[500] used as isakmp port (fd=14)
> racoon[10002]: INFO: ::1[4500] used as isakmp port (fd=15)
>
> and follows with local IPv6 addresses for each NIC your system has enabled.
>
> If the IPv6 stack is working correctly and you have a configured IPv6 route, but racoon still is not setting up IPv6 connections, then all I can think is your ipsec-tools has not been built with ipv6 for your system. ipsec-tools versions >=0.8.0 come with INET6. I don't know if INET6 in your version has been backported by SUSE.
>
> On Sunday, 7 October 2018 16:06:10 BST kalyani kaniganti wrote:
> > Hi Mic,
> >
> > Thanks for quick response.
> > I can see the CONFIG_INET6 are configured as modules.
> > As mentioned we have already loaded modules from /lib/modules/3.0.101/default/net/ipv6 using command modprobe module name.
> > After executing command we can see the modules in lsmod.
> > Still racoon is unable to initiate IKEv1 phase initiation.
> >
> > May I know it's a kernel problem ?
> >
> > BR,
> > Kalyani
> >
> > On Sun, Oct 7, 2018, 6:32 PM Mick <mic...@gm...> wrote:
> > > Hi Kalyani,
> > >
> > > You don't *have* to set your kernel modules to be built in (set as 'y' in the kernel config). You can build them as modules (set as 'm' in the kernel config) and then check they are loaded. If you change any part of your kernel configuration to 'y', you will have to rebuild the kernel and then must reboot with it. With separately built modules you don't have to reboot, you can load the modules as you need them, if they have not been loaded already.
> > >
> > > The question you are asking is not an ipsec-tools specific question, but how to rebuild your SLES kernel. This will be required ONLY if the specific modules are not already enabled in the kernel. The command to use to configure a linux kernel is 'make menuconfig'. I haven't used your Linux distribution for years and things may have changed, so I cannot give you detailed steps. First have a look in your /proc/config.gz and search for the particular modules; e.g.
> > >
> > > zgrep INET6 /proc/config.gz
> > >
> > > If they are already marked as modules, then 'modprobe -v' them individually.
> > >
> > > If any of these modules are not configured (would be marked as 'not set') you will need to configure them and build them before you can load them. Ask for help on how to reconfigure and rebuild a kernel in SUSE support.
> > >
> > > On Sunday, 7 October 2018 13:38:48 BST kalyani kaniganti wrote:
> > > > Hi,
> > > >
> > > > How we can check the parameters are set to y as per the below mail.
> > > > Please provide me the command.
> > > > If they are not set to y, any restarts are req.
> > > > Please suggest us.
> > > > BR,
> > > > Kalyani
> > > >
> > > > On Sun, Oct 7, 2018, 4:46 PM Mick <mic...@gm...> wrote:
> > > > > From 'man racoon':
> > > > >
> > > > > -d Increase the debug level. Multiple -d arguments will increase the debug level even more.
> > > > >
> > > > > You'll need to add this option in whatever script your distro is using to start racoon, if the logs are not verbose enough. Please note, this will only increase the log verbosity of the racoon application, not any kernel logs.
> > > > >
> > > > > If your IPv6 stack is working fine without IPSec, i.e. you can ping remote peers, then check the IPSec specific modules are available and loaded. I think you will need most of these:
> > > > >
> > > > > CONFIG_INET6_AH=y
> > > > > CONFIG_INET6_ESP=y
> > > > > CONFIG_INET6_IPCOMP=y
> > > > > CONFIG_INET6_XFRM_TUNNEL=y
> > > > > CONFIG_INET6_TUNNEL=y
> > > > > CONFIG_INET6_XFRM_MODE_TRANSPORT=y
> > > > > CONFIG_INET6_XFRM_MODE_TUNNEL=y
> > > > > CONFIG_INET6_XFRM_MODE_BEET=y
> > > > >
> > > > > Also, if you are running a firewall you will probably need to enable IPv6 netfilter configuration modules. However, I would first check everything is working without a firewall enabled and then configure the firewall as the last step.
> > > > >
> > > > > Hope this helps.
> > > > >
> > > > > On Sunday, 7 October 2018 03:21:42 BST kalyani kaniganti wrote:
> > > > > > Hi,
> > > > > >
> > > > > > As per your below statement, could you please share the procedure to test it.
> > > > > >
> > > > > > Check your kernel config has CONFIG_INET6_* options suitable for IPSEC enabled.
> > > > > >
> > > > > > I am unable to find errors in logs; racoon is not stating any errors.
> > > > > > BR,
> > > > > > Kalyani.k
> > > > > >
> > > > > > On Sat, Oct 6, 2018, 11:49 PM kalyani kaniganti <kal...@gm...> wrote:
> > > > > > > Hi,
> > > > > > > Thanks for the information.
> > > > > > > I have found out some of the kernel modules are not loaded in kernel for ipv6.
> > > > > > > esp6.ko, ah6.ko and transport mode module. I loaded the modules using modprobe and I can see these modules using lsmod now.
> > > > > > > But issue still exist, do you have any idea what modules are required for Ipsec to enable ipv6 in kernel .
> > > > > > >
> > > > > > > We have already tested for IPV4 it's working fine, but same is not working for ipv6.
> > > > > > > How we can check logs in debug mode. Please suggest.
> > > > > > > BR,
> > > > > > > Kalyani.k
> > > > > > >
> > > > > > > On Sat, Oct 6, 2018, 10:40 PM Mick <mic...@gm...> wrote:
> > > > > > > > Hi kalyani,
> > > > > > > >
> > > > > > > > Check your kernel config has CONFIG_INET6_* options suitable for IPSEC enabled. If some kernel module is necessary for IPv6 setkey/racoon will complain when you run/start it, so check your logs for any relevant messages.
> > > > > > > >
> > > > > > > > To troubleshoot this problem take one step at a time. First check your IPv4 network, routing and IPSec all work without errors. Then check your IPv6 stack is working and you can ping remote peers. Then check your logs for error messages when you try to initiate an ESP/AH connection with racoon. Increase verbosity and study the logs to debug the problem.
> > > > > > > >
> > > > > > > > On Saturday, 6 October 2018 15:28:56 BST kalyani kaniganti wrote:
> > > > > > > > > Hi,
> > > > > > > > > We are using ipsectools rpm version ipsec-tools-0.7.3_1.38.3.1 from sles 11 sp4 kernel.
> > > > > > > > > We are using racoon as daemon .
> > > > > > > > > We are using dual stack on os and trying to enable IPsec for IPV6 as well and we have already provided support for IPV4.
> > > > > > > > > I have done configuration same as ipv4 but I find IPSEC-SA is not initiating phase 1 authentication.
> > > > > > > > > May I know we have to enable any other option on kernel to support Ipsec for ipv6; we are trying to use ESP and AH protocols.
> > > > > > > > >
> > > > > > > > > Please suggest us
> > > > > > > > > BR,
> > > > > > > > > Kalyani.k
>
> --
> Regards,
> Mick
From: Mick <mic...@gm...> - 2018-10-07 17:32:37
|
Have you tested the IPv6 stack? Does it work to route packets to the remote peer? Do you have a fully configured IPv6 route and routable addresses:

ip -6 route show
ip -6 address show

When you start racoon what is the output of 'racoonctl -l show-event' and what do you get in the log? Do you see IPv6 addresses proposed as isakmp port connections? For example, the racoon log starts with:

racoon[10002]: INFO: ::1[500] used as isakmp port (fd=14)
racoon[10002]: INFO: ::1[4500] used as isakmp port (fd=15)

and follows with local IPv6 addresses for each NIC your system has enabled.

If the IPv6 stack is working correctly and you have a configured IPv6 route, but racoon still is not setting up IPv6 connections, then all I can think is your ipsec-tools has not been built with ipv6 for your system. ipsec-tools versions >=0.8.0 come with INET6. I don't know if INET6 in your version has been backported by SUSE.

On Sunday, 7 October 2018 16:06:10 BST kalyani kaniganti wrote:
> Hi Mick,
>
> Thanks for quick response.
> I can see the CONFIG_INET6 are configured as modules.
> As mentioned we have already loaded modules from
> /lib/modules/3.0.101/default/net/ipv6 using command modprobe module name.
> After executing command we can see the modules in lsmod.
> Still racoon is unable to initiate IKEv1 phase initiation.
>
> May I know it's a kernel problem?
>
> BR,
> Kalyani
>
> On Sun, Oct 7, 2018, 6:32 PM Mick <mic...@gm...> wrote:
> > [ ... ]
--
Regards,
Mick
|
From: kalyani k. <kal...@gm...> - 2018-10-07 15:06:30
|
Hi Mick,

Thanks for quick response.
I can see the CONFIG_INET6 are configured as modules.
As mentioned we have already loaded modules from /lib/modules/3.0.101/default/net/ipv6 using command modprobe module name.
After executing command we can see the modules in lsmod.
Still racoon is unable to initiate IKEv1 phase initiation.

May I know it's a kernel problem?

BR,
Kalyani

On Sun, Oct 7, 2018, 6:32 PM Mick <mic...@gm...> wrote:
> Hi Kalyani,
>
> You don't *have* to set your kernel modules to be built in (set as 'y' in the kernel config). You can build them as modules (set as 'm' in the kernel config) and then check they are loaded. If you change any part of your kernel configuration to 'y', you will have to rebuild the kernel and then must reboot with it. With separately built modules you don't have to reboot, you can load the modules as you need them, if they have not been loaded already.
>
> The question you are asking is not an ipsec-tools specific question, but how to rebuild your SLES kernel. This will be required ONLY if the specific modules are not already enabled in the kernel. The command to use to configure a linux kernel is 'make menuconfig'. I haven't used your Linux distribution for years and things may have changed, so I cannot give you detailed steps. First have a look in your /proc/config.gz and search for the particular modules; e.g.
>
> zgrep INET6 /proc/config.gz
>
> If they are already marked as modules, then 'modprobe -v' them individually.
>
> If any of these modules are not configured (would be marked as 'not set') you will need to configure them and build them before you can load them. Ask for help on how to reconfigure and rebuild a kernel in SUSE support.
>
> On Sunday, 7 October 2018 13:38:48 BST kalyani kaniganti wrote:
> > [ ... ]
> --
> Regards,
> Mick
|
From: Mick <mic...@gm...> - 2018-10-07 13:03:04
|
Hi Kalyani,

You don't *have* to set your kernel modules to be built in (set as 'y' in the kernel config). You can build them as modules (set as 'm' in the kernel config) and then check they are loaded. If you change any part of your kernel configuration to 'y', you will have to rebuild the kernel and then must reboot with it. With separately built modules you don't have to reboot, you can load the modules as you need them, if they have not been loaded already.

The question you are asking is not an ipsec-tools specific question, but how to rebuild your SLES kernel. This will be required ONLY if the specific modules are not already enabled in the kernel. The command to use to configure a linux kernel is 'make menuconfig'. I haven't used your Linux distribution for years and things may have changed, so I cannot give you detailed steps. First have a look in your /proc/config.gz and search for the particular modules; e.g.

zgrep INET6 /proc/config.gz

If they are already marked as modules, then 'modprobe -v' them individually.

If any of these modules are not configured (would be marked as 'not set') you will need to configure them and build them before you can load them. Ask for help on how to reconfigure and rebuild a kernel in SUSE support.

On Sunday, 7 October 2018 13:38:48 BST kalyani kaniganti wrote:
> Hi,
>
> How we can check the parameters are set to y as per the below mail.
> Please provide me the command.
> If they are not set to y, are any restarts required?
> Please suggest us.
> BR,
> Kalyani
>
> On Sun, Oct 7, 2018, 4:46 PM Mick <mic...@gm...> wrote:
> > [ ... ]
--
Regards,
Mick
|
From: kalyani k. <kal...@gm...> - 2018-10-07 12:39:10
|
Hi,

How we can check the parameters are set to y as per the below mail.
Please provide me the command.
If they are not set to y, are any restarts required?
Please suggest us.
BR,
Kalyani

On Sun, Oct 7, 2018, 4:46 PM Mick <mic...@gm...> wrote:
> From 'man racoon':
>
> -d Increase the debug level. Multiple -d arguments will increase the debug level even more.
>
> You'll need to add this option in whatever script your distro is using to start racoon, if the logs are not verbose enough. Please note, this will only increase the log verbosity of the racoon application, not any kernel logs.
>
> If your IPv6 stack is working fine without IPSec, i.e. you can ping remote peers, then check the IPSec specific modules are available and loaded. I think you will need most of these:
>
> CONFIG_INET6_AH=y
> CONFIG_INET6_ESP=y
> CONFIG_INET6_IPCOMP=y
> CONFIG_INET6_XFRM_TUNNEL=y
> CONFIG_INET6_TUNNEL=y
> CONFIG_INET6_XFRM_MODE_TRANSPORT=y
> CONFIG_INET6_XFRM_MODE_TUNNEL=y
> CONFIG_INET6_XFRM_MODE_BEET=y
>
> Also, if you are running a firewall you will probably need to enable IPv6 netfilter configuration modules. However, I would first check everything is working without a firewall enabled and then configure the firewall as the last step.
>
> Hope this helps.
>
> On Sunday, 7 October 2018 03:21:42 BST kalyani kaniganti wrote:
> > [ ... ]
> --
> Regards,
> Mick
|
From: Mick <mic...@gm...> - 2018-10-07 11:16:21
|
From 'man racoon':

-d Increase the debug level. Multiple -d arguments will increase the debug level even more.

You'll need to add this option in whatever script your distro is using to start racoon, if the logs are not verbose enough. Please note, this will only increase the log verbosity of the racoon application, not any kernel logs.

If your IPv6 stack is working fine without IPSec, i.e. you can ping remote peers, then check the IPSec specific modules are available and loaded. I think you will need most of these:

CONFIG_INET6_AH=y
CONFIG_INET6_ESP=y
CONFIG_INET6_IPCOMP=y
CONFIG_INET6_XFRM_TUNNEL=y
CONFIG_INET6_TUNNEL=y
CONFIG_INET6_XFRM_MODE_TRANSPORT=y
CONFIG_INET6_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_BEET=y

Also, if you are running a firewall you will probably need to enable IPv6 netfilter configuration modules. However, I would first check everything is working without a firewall enabled and then configure the firewall as the last step.

Hope this helps.

On Sunday, 7 October 2018 03:21:42 BST kalyani kaniganti wrote:
> Hi,
>
> As per your below statement, could you please share the procedure to test it.
>
> Check your kernel config has CONFIG_INET6_* options suitable for IPSEC enabled.
>
> I am unable to find errors in logs; racoon is not stating any errors.
>
> BR,
> Kalyani.k
>
> On Sat, Oct 6, 2018, 11:49 PM kalyani kaniganti <kal...@gm...> wrote:
> > [ ... ]
--
Regards,
Mick
|
From: kalyani k. <kal...@gm...> - 2018-10-07 02:22:02
|
Hi,

As per your below statement, could you please share the procedure to test it.

Check your kernel config has CONFIG_INET6_* options suitable for IPSEC enabled.

I am unable to find errors in logs; racoon is not stating any errors.

BR,
Kalyani.k

On Sat, Oct 6, 2018, 11:49 PM kalyani kaniganti <kal...@gm...> wrote:
> Hi,
> Thanks for the information.
> I have found out some of the kernel modules are not loaded in kernel for ipv6: esp6.ko, ah6.ko and transport mode module. I loaded the modules using modprobe and I can see these modules using lsmod now.
> But issue still exists; do you have any idea what modules are required for Ipsec to enable ipv6 in kernel?
>
> We have already tested for IPV4, it's working fine, but same is not working for ipv6.
> How we can check logs in debug mode? Please suggest.
> BR,
> Kalyani.k
>
> On Sat, Oct 6, 2018, 10:40 PM Mick <mic...@gm...> wrote:
> > [ ... ]
|
From: kalyani k. <kal...@gm...> - 2018-10-06 18:19:57
|
Hi,
Thanks for the information.
I have found out some of the kernel modules are not loaded in kernel for ipv6: esp6.ko, ah6.ko and transport mode module. I loaded the modules using modprobe and I can see these modules using lsmod now.
But issue still exists; do you have any idea what modules are required for Ipsec to enable ipv6 in kernel?

We have already tested for IPV4, it's working fine, but same is not working for ipv6.
How we can check logs in debug mode? Please suggest.
BR,
Kalyani.k

On Sat, Oct 6, 2018, 10:40 PM Mick <mic...@gm...> wrote:
> Hi kalyani,
>
> Check your kernel config has CONFIG_INET6_* options suitable for IPSEC enabled. If some kernel module is necessary for IPv6, setkey/racoon will complain when you run/start it, so check your logs for any relevant messages.
>
> To troubleshoot this problem take one step at a time. First check your IPv4 network, routing and IPSec all work without errors. Then check your IPv6 stack is working and you can ping remote peers. Then check your logs for error messages when you try to initiate an ESP/AH connection with racoon. Increase verbosity and study the logs to debug the problem.
>
> On Saturday, 6 October 2018 15:28:56 BST kalyani kaniganti wrote:
> > [ ... ]
>
> --
> Regards,
> Mick
|
From: Mick <mic...@gm...> - 2018-10-06 17:10:35
|
Hi kalyani,

Check your kernel config has CONFIG_INET6_* options suitable for IPSEC enabled. If some kernel module is necessary for IPv6, setkey/racoon will complain when you run/start it, so check your logs for any relevant messages.

To troubleshoot this problem take one step at a time. First check your IPv4 network, routing and IPSec all work without errors. Then check your IPv6 stack is working and you can ping remote peers. Then check your logs for error messages when you try to initiate an ESP/AH connection with racoon. Increase verbosity and study the logs to debug the problem.

On Saturday, 6 October 2018 15:28:56 BST kalyani kaniganti wrote:
> Hi,
> We are using ipsectools rpm version ipsec-tools-0.7.3_1.38.3.1 from sles 11 sp4 kernel.
> We are using racoon as daemon.
> We are using dual stack on os and trying to enable IPsec for IPV6 as well and we have already provided support for IPV4.
> I have done configuration same as ipv4 but I find IPSEC SA is not initiating phase 1 authentication.
> May I know we have to enable any other option on kernel to support Ipsec for ipv6? We are trying to use ESP and AH protocols.
>
> Please suggest us
> BR,
> Kalyani.k
--
Regards,
Mick
|
From: kalyani k. <kal...@gm...> - 2018-10-06 14:29:17
Hi,

We are using the ipsectools rpm version ipsec-tools-0.7.3_1.38.3.1 from the SLES 11 SP4 kernel. We are using racoon as the daemon. We are using dual stack on the OS and trying to enable IPsec for IPv6 as well, and we have already provided support for IPv4. I have done the configuration the same as for IPv4, but I find the IPsec SA is not initiating phase 1 authentication. May I know whether we have to enable any other option in the kernel to support IPsec for IPv6? We are trying to use the ESP and AH protocols.

Please suggest.

BR,
Kalyani.k
From: Mick <mic...@gm...> - 2018-10-05 19:02:26
Hi Phil,

The error in the log indicates the subnet 10.0.0.0/25 is incorrectly specified. In particular, you have specified:

racoon.conf:
------------
[ ... ]

sainfo *address* 10.0.0.0/25 any address 10.0.0.254 any

However, although 10.0.0.254 is an address, 10.0.0.0/25 is not an address but a subnet. Therefore, either provide a single address, e.g.

sainfo address 10.0.0.1 any address 10.0.0.254 any

or provide a subnet:

sainfo subnet 10.0.0.0/24 any address 10.0.0.254 any

10.0.0.0/24 will allow any IP address within this subnet to match.

Alternatively, if it suits your use case, set the sainfo to 'anonymous' and this will match any id which has successfully completed Phase 1.

Make sure your ipsec-tools.conf corresponds to the above settings and these are also mirrored on the remote peer's configuration files.

On Friday, 5 October 2018 13:54:32 BST Phil Nightowl wrote:
> > Did you try using 10.0.0.0/24 to specify the LAN subnet?
>
> I have just tried it out; unfortunately, it still does not match. The debug
> messages are the same (except for the netmask, of course).
>
> Best regards,
>
> Phil
>
> _______________________________________________
> Ipsec-tools-users mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-users

--
Regards,
Mick
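The distinction Mick draws between 'address' and 'subnet' selectors, as an added model that is not racoon's own matching code and not part of this thread. It parses sainfo header lines, flags an 'address' selector that carries a multi-host prefix, and looks up the stanza a responder would pick for the phase 2 IDs from Phil's log (loc 10.0.0.254, rmt 10.0.0.1). Assumptions: 'address' accepts exactly one host, 'subnet' accepts any host in the prefix, a specific stanza wins over 'anonymous', and ports and upper-layer protocol are ignored. The real daemon also compares ID types and protocol, so use this to reason about the intended selector, then confirm with racoon's debug log.

```python
import ipaddress
import re

# Header of a sainfo stanza:  sainfo anonymous  |
#   sainfo (address|subnet) ID ul_proto (address|subnet) ID ul_proto
# Port specifications such as [500] are not handled.
_SAINFO = re.compile(
    r"^sainfo\s+(?:(?P<anon>anonymous)|"
    r"(?P<lkind>address|subnet)\s+(?P<lid>\S+)\s+(?P<lproto>\S+)\s+"
    r"(?P<rkind>address|subnet)\s+(?P<rid>\S+)\s+(?P<rproto>\S+))\s*\{?\s*$"
)


def parse_sainfo(line):
    """One sainfo header -> {'anonymous': bool, 'local': sel, 'remote': sel}."""
    m = _SAINFO.match(line.strip())
    if not m:
        raise ValueError("not a sainfo header: " + line)
    if m.group("anon"):
        return {"anonymous": True}
    return {
        "anonymous": False,
        "local": (m.group("lkind"), m.group("lid"), m.group("lproto")),
        "remote": (m.group("rkind"), m.group("rid"), m.group("rproto")),
    }


def selector_matches(selector, peer_id):
    """Does a (kind, value, ul_proto) selector accept the address the peer proposed?"""
    kind, value, _proto = selector
    net = ipaddress.ip_network(value, strict=False)
    addr = ipaddress.ip_address(peer_id)
    if kind == "address":
        # 'address' names exactly one host. Given a real subnet it can never
        # equal a single proposed address, which is the mismatch in the log.
        return net.num_addresses == 1 and addr == net.network_address
    if kind == "subnet":
        return addr in net
    raise ValueError(kind)


def lint(selector):
    """Warn when 'address' carries a prefix that covers more than one host."""
    kind, value, _proto = selector
    if kind == "address" and ipaddress.ip_network(value, strict=False).num_addresses > 1:
        return f"'address {value}' is a subnet; write 'subnet {value}' or a single host"
    return None


def getsainfo(sainfo_lines, local_id, remote_id):
    """First specific sainfo accepting both IDs; 'anonymous' is the fallback (assumed)."""
    fallback = None
    for line in sainfo_lines:
        s = parse_sainfo(line)
        if s["anonymous"]:
            fallback = fallback or line
            continue
        if selector_matches(s["local"], local_id) and selector_matches(s["remote"], remote_id):
            return line
    return fallback


# Constructed from the responder (host B, 10.0.0.254) stanza in the thread,
# plus the corrections suggested above.
BROKEN = ["sainfo address 10.0.0.254 any address 10.0.0.0/25 any {"]
FIXED = ["sainfo address 10.0.0.254 any subnet 10.0.0.0/25 any {"]
WITH_FALLBACK = FIXED + ["sainfo anonymous {"]

if __name__ == "__main__":
    for cfg in (BROKEN, FIXED, WITH_FALLBACK):
        for line in cfg:
            s = parse_sainfo(line)
            if not s["anonymous"]:
                for sel in (s["local"], s["remote"]):
                    warning = lint(sel)
                    if warning:
                        print("warning:", warning)
        print("10.0.0.1   ->", getsainfo(cfg, "10.0.0.254", "10.0.0.1"))
        print("10.0.0.200 ->", getsainfo(cfg, "10.0.0.254", "10.0.0.200"))
```

With BROKEN the lookup returns nothing for 10.0.0.1, which is the "failed to get sainfo" outcome; with FIXED it matches, and 10.0.0.200 (outside the /25) only ever matches through the anonymous fallback.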
From: Phil N. <phi...@gm...> - 2018-10-05 12:54:55
> Did you try using 10.0.0.0/24 to specify the LAN subnet?

I have just tried it out; unfortunately, it still does not match. The debug messages are the same (except for the netmask, of course).

Best regards,

Phil
From: Mick <mic...@gm...> - 2018-10-05 10:17:29
Did you try using 10.0.0.0/24 to specify the LAN subnet?

On Friday, 5 October 2018 10:47:49 BST Phil Nightowl wrote:
> Hello everyone,
>
> I am struggling with a configuration for a small subnet. The basic outline
> is as follows:
>
> - ipsec-tools 0.8.2 on both machines
> - transport mode, no NAT (at least not yet, NAT will be added later)
>
>
> Host A (usually initiator, but I tried the other way round as well)
> ======
> IP 10.0.0.1
>
>
> ipsec-tools.conf:
> -----------------
> spdadd 10.0.0.0/25 10.0.0.254 any -P out priority 1 ipsec
> esp/transport//require
> ah/transport//require;
>
> spdadd 10.0.0.254 10.0.0.0/25 any -P in priority 1 ipsec
> esp/transport//require
> ah/transport//require;
>
>
> racoon.conf:
> ------------
> [ ... ]
>
> sainfo address 10.0.0.0/25 any address 10.0.0.254 any
> {
> ...
> }
>
>
> Host B (usually responder)
> ======
> IP 10.0.0.254
>
>
> ipsec-tools.conf:
> -----------------
> spdadd 10.0.0.254 10.0.0.0/25 any -P out priority 0 ipsec
> esp/transport//require
> ah/transport//require;
>
> spdadd 10.0.0.0/25 10.0.0.254 any -P in priority 0 ipsec
> esp/transport//require
> ah/transport//require;
>
>
> racoon.conf:
> ------------
> [ ... ]
>
> sainfo address 10.0.0.254 any address 10.0.0.0/25 any
> {
> ...
> }
>
>
> Using this config, phase 1 works. However, the connection setup gets stuck
> at phase 2, where I get the following on the responder side:
>
> racoon: DEBUG: getsainfo params: loc='10.0.0.254' rmt='10.0.0.1' peer='C=UK, O=Marvin, CN=alpha.marvin' client='10.0.0.1' id=0
> racoon: DEBUG: evaluating sainfo: loc='10.0.0.254', rmt='10.0.0.0/25', peer='ANY', id=0
> racoon: DEBUG: check and compare ids : values matched (IPv4_address)
> racoon: DEBUG: cmpid target: '10.0.0.254'
> racoon: DEBUG: cmpid source: '10.0.0.254'
> racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
> racoon: DEBUG: cmpid target: '10.0.0.1'
> racoon: DEBUG: cmpid source: '10.0.0.0/25'
> racoon: ERROR: failed to get sainfo.
> racoon: ERROR: failed to get sainfo.
> racoon: [10.0.0.1] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
>
>
> I would expect that either '10.0.0.1' and '10.0.0.0/25' yield a match, or
> that the initiator sends '10.0.0.0/25' instead of '10.0.0.1' (based on
> ipsec-tools.conf settings). Am I wrong? If so, what is the correct way to
> configure a specific sainfo setting?
>
> Of course, if I change 'address 10.0.0.0/25 any' on the responder side, the
> connection is set up as intended. The point is however, that I would like
> to have different settings for several different IP ranges.
>
> Thanks a lot for any hints!
>
>
> Phil

--
Regards,
Mick
From: Phil N. <phi...@gm...> - 2018-10-05 09:48:28
Hello everyone,

I am struggling with a configuration for a small subnet. The basic outline is as follows:

- ipsec-tools 0.8.2 on both machines
- transport mode, no NAT (at least not yet, NAT will be added later)


Host A (usually initiator, but I tried the other way round as well)
======
IP 10.0.0.1

ipsec-tools.conf:
-----------------
spdadd 10.0.0.0/25 10.0.0.254 any -P out priority 1 ipsec
esp/transport//require
ah/transport//require;

spdadd 10.0.0.254 10.0.0.0/25 any -P in priority 1 ipsec
esp/transport//require
ah/transport//require;

racoon.conf:
------------
[ ... ]

sainfo address 10.0.0.0/25 any address 10.0.0.254 any
{
...
}


Host B (usually responder)
======
IP 10.0.0.254

ipsec-tools.conf:
-----------------
spdadd 10.0.0.254 10.0.0.0/25 any -P out priority 0 ipsec
esp/transport//require
ah/transport//require;

spdadd 10.0.0.0/25 10.0.0.254 any -P in priority 0 ipsec
esp/transport//require
ah/transport//require;

racoon.conf:
------------
[ ... ]

sainfo address 10.0.0.254 any address 10.0.0.0/25 any
{
...
}


Using this config, phase 1 works. However, the connection setup gets stuck at phase 2, where I get the following on the responder side:

racoon: DEBUG: getsainfo params: loc='10.0.0.254' rmt='10.0.0.1' peer='C=UK, O=Marvin, CN=alpha.marvin' client='10.0.0.1' id=0
racoon: DEBUG: evaluating sainfo: loc='10.0.0.254', rmt='10.0.0.0/25', peer='ANY', id=0
racoon: DEBUG: check and compare ids : values matched (IPv4_address)
racoon: DEBUG: cmpid target: '10.0.0.254'
racoon: DEBUG: cmpid source: '10.0.0.254'
racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
racoon: DEBUG: cmpid target: '10.0.0.1'
racoon: DEBUG: cmpid source: '10.0.0.0/25'
racoon: ERROR: failed to get sainfo.
racoon: ERROR: failed to get sainfo.
racoon: [10.0.0.1] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).

I would expect that either '10.0.0.1' and '10.0.0.0/25' yield a match, or that the initiator sends '10.0.0.0/25' instead of '10.0.0.1' (based on ipsec-tools.conf settings). Am I wrong? If so, what is the correct way to configure a specific sainfo setting?

Of course, if I change 'address 10.0.0.0/25 any' on the responder side, the connection is set up as intended. The point is, however, that I would like to have different settings for several different IP ranges.

Thanks a lot for any hints!

Phil
From: Han L. <heh...@gm...> - 2018-10-02 20:35:41
May I ask for the android-file-dialog for building the ipsec tool, by any chance? Sorry, maybe I shouldn't ask for that.

Thank you for your time,
Best regards,
Lin

On Friday, 28 September 2018 at 17:12, Lin <heh...@gm...> wrote:

> Hi,
>
> I'm having trouble building this IPSec-android in my Android Studio. I
> didn't see a gradle file. I'm wondering whether you would be able to help me set
> it up, by sending me more detailed instructions about this project?
>
> I appreciate your help.
> Best regards,
> Lin
From: Han L. <heh...@gm...> - 2018-09-29 00:12:46
Hi,

I'm having trouble building this IPSec-android in my Android Studio. I didn't see a gradle file. I'm wondering whether you would be able to help me set it up, by sending me more detailed instructions about this project?

I appreciate your help.
Best regards,
Lin
From: Mick <mic...@gm...> - 2018-09-25 23:03:16
Hi Daniel,

Your sainfo is fine as shown.

I am not familiar with Red Hat, but from what I recall it uses some ifcfg-ipsec0 network configuration script file to configure the type of IPSec connection, and this is used thereafter to run setkey and racoon automatically. Perhaps, if you have not completed this configuration file, when racoon starts it flushes out any previous policies you had set up manually.

If you (re)run the setkey command manually, pointing it to your policies file, then it loads your policies and configures the IPSec connection accordingly, flushing out any previous policies racoon had loaded.

To check what security policies and associations are in place you can run at each stage:

setkey -PD

On Tuesday, 25 September 2018 16:58:14 BST Daniel wrote:
> Hello,
>
> "Racoon is trying to configure a connection between 172.16.155.160 and
> 172.16.155.161, but it finds no policy for it. So, I suggest you add a
> policy for it and then you should have no problem."
>
> Yes, the problem is that when I add the SPD policy before the racoon service is
> started, racoon does not find the policy in the SPD policies. If I add the
> SPD policies after racoon is started, the connection is established without
> problem, so I want to know if there is a way to configure racoon to load SPD
> policies during loading, or why it does not recognize the SPD policies if
> they are already loaded with setkey before racoon starts.
>
> This is my racoon.conf
>
> path pre_shared_key "/etc/racoon/psk.txt";
>
> sainfo anonymous
> {
>     lifetime time 1 hour ;
>     encryption_algorithm 3des;
>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate ;
> }
>
> remote anonymous
> {
>     exchange_mode main;
>
>     proposal {
>         encryption_algorithm 3des;
>         hash_algorithm sha1;
>         authentication_method pre_shared_key;
>         dh_group 2 ;
>     }
> }
>
> Thanks for your help in advance.
>
> On Sun, 23 Sept 2018 at 2:25, Mick (<mic...@gm...>) wrote:
> > On Wednesday, 19 September 2018 03:42:44 BST Daniel wrote:
> > > Hello,
> > >
> > > I have installed the ipsec-tools rpm (ipsec-tools-0.8.2-2.el6.x86_64.rpm) on
> > > Red Hat 6.5. It is working fine, but I have the problem that my SPD policies
> > > only work if they are loaded after the racoon service has been started. If I
> > > run setkey -f /etc/racoon/policies and then start racoon, I have this error
> > > during phase 2
> > >
> > > ERROR: no policy found: 172.16.155.160/32[0] 172.16.155.161/32[0] proto=any
> > > dir=in
> >
> > Racoon is trying to configure a connection between 172.16.155.160 and
> > 172.16.155.161, but it finds no policy for it. So, I suggest you add a policy
> > for it and then you should have no problem.
> >
> > > If I add the policies after racoon has been started, ipsec works without
> > > problem
> > >
> > > This is my policies file /etc/racoon/policies
> > >
> > > #!/sbin/setkey -f
> > >
> > > flush;
> > > spdflush;
> > >
> > > spdadd 0.0.0.0/0[0] 10.36.0.0/24[0] any -P out ipsec
> > > esp/transport//require;
> > > spdadd 10.36.0.0/24[0] 0.0.0.0/0[0] any -P in ipsec esp/transport//require;
> > > spdadd 0.0.0.0/0[0] 0.0.0.0/0[0] any -P in none;
> > > spdadd 0.0.0.0/0[0] 0.0.0.0/0[0] any -P out none;
> > >
> > > Is there any way to tell racoon to load my spd policies after the service
> > > is started or during the racoon configuration load?
> >
> > What is in your racoon.conf for the sainfo directive?
> >
> > --
> > Regards,
> > Mick

--
Regards,
Mick
From: Daniel <tea...@gm...> - 2018-09-25 15:58:33
Hello,

"Racoon is trying to configure a connection between 172.16.155.160 and 172.16.155.161, but it finds no policy for it. So, I suggest you add a policy for it and then you should have no problem."

Yes, the problem is that when I add the SPD policy before the racoon service is started, racoon does not find the policy in the SPD policies. If I add the SPD policies after racoon is started, the connection is established without problem, so I want to know if there is a way to configure racoon to load SPD policies during loading, or why it does not recognize the SPD policies if they are already loaded with setkey before racoon starts.

This is my racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";

sainfo anonymous
{
    lifetime time 1 hour ;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}

remote anonymous
{
    exchange_mode main;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2 ;
    }
}

Thanks for your help in advance.

On Sun, 23 Sept 2018 at 2:25, Mick (<mic...@gm...>) wrote:
> On Wednesday, 19 September 2018 03:42:44 BST Daniel wrote:
> > Hello,
> >
> > I have installed the ipsec-tools rpm (ipsec-tools-0.8.2-2.el6.x86_64.rpm) on
> > Red Hat 6.5. It is working fine, but I have the problem that my SPD policies
> > only work if they are loaded after the racoon service has been started. If I
> > run setkey -f /etc/racoon/policies and then start racoon, I have this error
> > during phase 2
> >
> > ERROR: no policy found: 172.16.155.160/32[0] 172.16.155.161/32[0] proto=any
> > dir=in
>
> Racoon is trying to configure a connection between 172.16.155.160 and
> 172.16.155.161, but it finds no policy for it. So, I suggest you add a policy
> for it and then you should have no problem.
>
> > If I add the policies after racoon has been started, ipsec works without
> > problem
> >
> > This is my policies file /etc/racoon/policies
> >
> > #!/sbin/setkey -f
> >
> > flush;
> > spdflush;
> >
> > spdadd 0.0.0.0/0[0] 10.36.0.0/24[0] any -P out ipsec
> > esp/transport//require;
> > spdadd 10.36.0.0/24[0] 0.0.0.0/0[0] any -P in ipsec esp/transport//require;
> > spdadd 0.0.0.0/0[0] 0.0.0.0/0[0] any -P in none;
> > spdadd 0.0.0.0/0[0] 0.0.0.0/0[0] any -P out none;
> >
> > Is there any way to tell racoon to load my spd policies after the service
> > is started or during the racoon configuration load?
>
> What is in your racoon.conf for the sainfo directive?
>
> --
> Regards,
> Mick
From: Mick <mic...@gm...> - 2018-09-23 08:25:36
On Wednesday, 19 September 2018 03:42:44 BST Daniel wrote:
> Hello,
>
> I have installed the ipsec-tools rpm (ipsec-tools-0.8.2-2.el6.x86_64.rpm) on
> Red Hat 6.5. It is working fine, but I have the problem that my SPD policies
> only work if they are loaded after the racoon service has been started. If I
> run setkey -f /etc/racoon/policies and then start racoon, I have this error
> during phase 2
>
> ERROR: no policy found: 172.16.155.160/32[0] 172.16.155.161/32[0] proto=any
> dir=in

Racoon is trying to configure a connection between 172.16.155.160 and 172.16.155.161, but it finds no policy for it. So, I suggest you add a policy for it and then you should have no problem.

> If I add the policies after racoon has been started, ipsec works without
> problem
>
> This is my policies file /etc/racoon/policies
>
> #!/sbin/setkey -f
>
> flush;
> spdflush;
>
> spdadd 0.0.0.0/0[0] 10.36.0.0/24[0] any -P out ipsec
> esp/transport//require;
> spdadd 10.36.0.0/24[0] 0.0.0.0/0[0] any -P in ipsec esp/transport//require;
> spdadd 0.0.0.0/0[0] 0.0.0.0/0[0] any -P in none;
> spdadd 0.0.0.0/0[0] 0.0.0.0/0[0] any -P out none;
>
> Is there any way to tell racoon to load my spd policies after the service
> is started or during the racoon configuration load?

What is in your racoon.conf for the sainfo directive?

--
Regards,
Mick
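An added example, not from the thread or from ipsec-tools, that walks a setkey policies file the way an SPD lookup does and also checks the "mirrored on the remote peer" requirement Mick raises in the sainfo thread above. It parses the spdadd statements Daniel posted, selects the policy for the flow racoon reported (172.16.155.160 to 172.16.155.161, dir=in) and shows that it falls through to the catch-all 'none' policy, which is the missing-policy gap Mick points at; the mirror check is run over the two ipsec-tools.conf files from Phil's hosts. Assumptions: a policy without a 'priority' keyword gets 0, the lowest priority value is consulted first, ties fall to file order, and ports in [..] are ignored. Confirm the real ordering on a host with 'setkey -PD'.

```python
import ipaddress
import re
from dataclasses import dataclass

# One 'spdadd' statement with the trailing ';' removed and whitespace collapsed.
# Port suffixes such as [0] are accepted and dropped; 'fwd' policies are accepted.
_SPDADD = re.compile(
    r"^spdadd\s+(?P<src>\S+?)(?:\[\d+\])?\s+(?P<dst>\S+?)(?:\[\d+\])?\s+(?P<proto>\S+)"
    r"\s+-P\s+(?P<dir>in|out|fwd)(?:\s+priority\s+(?P<prio>-?\d+))?"
    r"\s+(?P<action>ipsec|none|discard)(?:\s+(?P<rules>.*))?$"
)


@dataclass(frozen=True)
class Policy:
    index: int              # position in the file, used as the tie-breaker
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dir: str
    priority: int
    action: str
    rules: str


def parse_policies(text):
    """Parse the spdadd statements of a 'setkey -f' file; flush/spdflush are skipped."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    policies = []
    for stmt in body.split(";"):
        stmt = " ".join(stmt.split())
        if not stmt.startswith("spdadd"):
            continue
        m = _SPDADD.match(stmt)
        if not m:
            raise ValueError("unparsed statement: " + stmt)
        policies.append(Policy(
            index=len(policies),
            src=ipaddress.ip_network(m["src"], strict=False),
            dst=ipaddress.ip_network(m["dst"], strict=False),
            proto=m["proto"], dir=m["dir"],
            priority=int(m["prio"] or 0),   # assumption: no keyword means 0
            action=m["action"], rules=m["rules"] or "",
        ))
    return policies


def lookup(policies, src_ip, dst_ip, direction, proto="any"):
    """Policy chosen for a flow: lowest priority value, then file order (assumed)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p.dir == direction and src in p.src and dst in p.dst
            and p.proto in ("any", proto)]
    return min(hits, key=lambda p: (p.priority, p.index)) if hits else None


def unmirrored(local, remote):
    """Local in/out policies with no opposite-direction twin on the remote peer.

    The same selector (src, dst, proto) must be 'out' on the sender and 'in'
    on the receiver with the same action; priority is allowed to differ.
    """
    flip = {"in": "out", "out": "in"}
    remote_keys = {(p.src, p.dst, p.proto, p.dir, p.action) for p in remote}
    return [p for p in local if p.dir in flip
            and (p.src, p.dst, p.proto, flip[p.dir], p.action) not in remote_keys]


# Constructed copy of Daniel's /etc/racoon/policies from the thread.
DANIEL_POLICIES = """\
#!/sbin/setkey -f
flush;
spdflush;
spdadd 0.0.0.0/0[0] 10.36.0.0/24[0] any -P out ipsec esp/transport//require;
spdadd 10.36.0.0/24[0] 0.0.0.0/0[0] any -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[0] any -P in none;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[0] any -P out none;
"""
# Constructed copies of Phil's ipsec-tools.conf for host A (10.0.0.1) and host B (10.0.0.254).
HOST_A = """\
spdadd 10.0.0.0/25 10.0.0.254 any -P out priority 1 ipsec esp/transport//require ah/transport//require;
spdadd 10.0.0.254 10.0.0.0/25 any -P in priority 1 ipsec esp/transport//require ah/transport//require;
"""
HOST_B = """\
spdadd 10.0.0.254 10.0.0.0/25 any -P out priority 0 ipsec esp/transport//require ah/transport//require;
spdadd 10.0.0.0/25 10.0.0.254 any -P in priority 0 ipsec esp/transport//require ah/transport//require;
"""

if __name__ == "__main__":
    hit = lookup(parse_policies(DANIEL_POLICIES), "172.16.155.160", "172.16.155.161", "in")
    print("flow from the racoon error lands on:", hit.action, hit.src, "->", hit.dst)
    a, b = parse_policies(HOST_A), parse_policies(HOST_B)
    print("unmirrored on A:", unmirrored(a, b), "unmirrored on B:", unmirrored(b, a))
```

Running it prints that the 172.16.155.160 to 172.16.155.161 inbound flow is covered only by the 'none' catch-all, while Phil's two hosts mirror each other cleanly; delete one of host B's lines and the A-side policy it should mirror shows up in the list.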