From: Mick <mic...@gm...> - 2018-10-07 22:23:43
The psk.txt file is meant to be only accessible by root. If anyone gains access to this file the security of the VPN connection will be compromised. Therefore, change it to 0400 and make sure it is only owned by root:root. Otherwise racoon will refuse to run.

Regarding peers not being reachable, you need to configure your network so that they are reachable over existing routes. This is why I suggested you check you are able to ping the peers first. Without network connectivity between peers you cannot establish a VPN.

On Sunday, 7 October 2018 18:57:02 BST kalyani kaniganti wrote:
> Hi Mick,
> Now I can see the improvement.
>
> Phase 1 negotiation started and I can see that both peers are not reachable.
> I see errors like psk has weak file permissions and I gave 777 permissions
> on both servers but the issue is still present.
>
> Error is phase 1 negotiation failed, reason is could not find the packet for
> peer. Maybe the issue is due to the two peers being unreachable?
>
> Error is /etc/racoon/psk.txt has weak file permission.
>
> Failed to open pre_share_key file /etc/racoon/pask.txt.
>
> Changed the permission of psk file to 777 on both servers and initiated
> racoon again but no improvement.
>
> Please suggest.
>
> BR,
> Kalyani.k
>
> On Sun, Oct 7, 2018, 11:02 PM Mick <mic...@gm...> wrote:
> > Have you tested the IPv6 stack? Does it work to route packets to the remote
> > peer? Do you have a fully configured IPv6 route and routable addresses:
> >
> > ip -6 route show
> > ip -6 address show
> >
> > When you start racoon what is the output of 'racoonctl -l show-event' and
> > what do you get in the log?
> >
> > Do you see IPv6 addresses proposed as isakmp port connections? For example,
> > the racoon log starts with:
> >
> > racoon[10002]: INFO: ::1[500] used as isakmp port (fd=14)
> > racoon[10002]: INFO: ::1[4500] used as isakmp port (fd=15)
> >
> > and follows with local IPv6 addresses for each NIC your system has enabled.
> >
> > If the IPv6 stack is working correctly and you have a configured IPv6 route,
> > but racoon still is not setting up IPv6 connections, then all I can think is
> > your ipsec-tools has not been built with ipv6 for your system. ipsec-tools
> > versions >=0.8.0 come with INET6. I don't know if INET6 in your version has
> > been backported by SUSE.
> >
> > On Sunday, 7 October 2018 16:06:10 BST kalyani kaniganti wrote:
> > > Hi Mick,
> > >
> > > Thanks for the quick response.
> > > I can see the CONFIG_INET6 options are configured as modules.
> > > As mentioned, we have already loaded modules from
> > > /lib/modules/3.0.101/default/net/ipv6 using the command modprobe <module name>.
> > > After executing the command we can see the modules in lsmod.
> > > Still racoon is unable to initiate IKEv1 phase 1.
> > >
> > > May I know if it's a kernel problem?
> > >
> > > BR,
> > > Kalyani
> > >
> > > On Sun, Oct 7, 2018, 6:32 PM Mick <mic...@gm...> wrote:
> > > > Hi Kalyani,
> > > >
> > > > You don't *have* to set your kernel modules to be built in (set as 'y' in
> > > > the kernel config). You can build them as modules (set as 'm' in the kernel
> > > > config) and then check they are loaded. If you change any part of your
> > > > kernel configuration to 'y', you will have to rebuild the kernel and then
> > > > must reboot with it. With separately built modules you don't have to
> > > > reboot, you can load the modules as you need them, if they have not been
> > > > loaded already.
> > > >
> > > > The question you are asking is not an ipsec-tools specific question, but
> > > > how to rebuild your SLES kernel. This will be required ONLY if the specific
> > > > modules are not already enabled in the kernel. The command to use to
> > > > configure a linux kernel is 'make menuconfig'. I haven't used your Linux
> > > > distribution for years and things may have changed, so I cannot give you
> > > > detailed steps. First have a look in your /proc/config.gz and search for
> > > > the particular modules; e.g.
> > > >
> > > > zgrep INET6 /proc/config.gz
> > > >
> > > > If they are already marked as modules, then 'modprobe -v' them
> > > > individually.
> > > >
> > > > If any of these modules are not configured (would be marked as 'not set')
> > > > you will need to configure them and build them before you can load them.
> > > > Ask for help on how to reconfigure and rebuild a kernel in SUSE support.
> > > >
> > > > On Sunday, 7 October 2018 13:38:48 BST kalyani kaniganti wrote:
> > > > > Hi,
> > > > >
> > > > > How can we check the parameters are set to y as per the below mail?
> > > > > Please provide me the command.
> > > > > If they are not set to y, are any restarts required?
> > > > > Please suggest us.
> > > > > BR,
> > > > > Kalyani
> > > > >
> > > > > On Sun, Oct 7, 2018, 4:46 PM Mick <mic...@gm...> wrote:
> > > > > > From 'man racoon':
> > > > > >
> > > > > > -d Increase the debug level. Multiple -d arguments will increase the
> > > > > > debug level even more.
> > > > > >
> > > > > > You'll need to add this option in whatever script your distro is using
> > > > > > to start racoon, if the logs are not verbose enough. Please note, this
> > > > > > will only increase the log verbosity of the racoon application, not any
> > > > > > kernel logs.
> > > > > >
> > > > > > If your IPv6 stack is working fine without IPSec, i.e. you can ping
> > > > > > remote peers, then check the IPSec specific modules are available and
> > > > > > loaded. I think you will need most of these:
> > > > > >
> > > > > > CONFIG_INET6_AH=y
> > > > > > CONFIG_INET6_ESP=y
> > > > > > CONFIG_INET6_IPCOMP=y
> > > > > > CONFIG_INET6_XFRM_TUNNEL=y
> > > > > > CONFIG_INET6_TUNNEL=y
> > > > > > CONFIG_INET6_XFRM_MODE_TRANSPORT=y
> > > > > > CONFIG_INET6_XFRM_MODE_TUNNEL=y
> > > > > > CONFIG_INET6_XFRM_MODE_BEET=y
> > > > > >
> > > > > > Also, if you are running a firewall you will probably need to enable
> > > > > > IPv6 netfilter configuration modules. However, I would first check
> > > > > > everything is working without a firewall enabled and then configure the
> > > > > > firewall as the last step.
> > > > > >
> > > > > > Hope this helps.
> > > > > >
> > > > > > On Sunday, 7 October 2018 03:21:42 BST kalyani kaniganti wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > As per your below statement, could you please share the procedure to
> > > > > > > test it.
> > > > > > >
> > > > > > > Check your kernel config has CONFIG_INET6_* options suitable for IPSEC
> > > > > > > enabled.
> > > > > > >
> > > > > > > I am unable to find errors in logs; racoon is not stating any errors.
> > > > > > > BR,
> > > > > > > Kalyani.k
> > > > > > >
> > > > > > > On Sat, Oct 6, 2018, 11:49 PM kalyani kaniganti <kal...@gm...> wrote:
> > > > > > > > Hi,
> > > > > > > > Thanks for the information.
> > > > > > > > I have found out some of the kernel modules are not loaded in the
> > > > > > > > kernel for ipv6: esp6.ko, ah6.ko and the transport mode module. I
> > > > > > > > loaded the modules using modprobe and I can see these modules using
> > > > > > > > lsmod now.
> > > > > > > > But the issue still exists. Do you have any idea what modules are
> > > > > > > > required for IPsec to enable ipv6 in the kernel?
> > > > > > > >
> > > > > > > > We have already tested for IPV4 and it's working fine, but the same is
> > > > > > > > not working for ipv6.
> > > > > > > > How can we check logs in debug mode? Please suggest.
> > > > > > > > BR,
> > > > > > > > Kalyani.k
> > > > > > > >
> > > > > > > > On Sat, Oct 6, 2018, 10:40 PM Mick <mic...@gm...> wrote:
> > > > > > > > > Hi kalyani,
> > > > > > > > >
> > > > > > > > > Check your kernel config has CONFIG_INET6_* options suitable for
> > > > > > > > > IPSEC enabled. If some kernel module is necessary for IPv6,
> > > > > > > > > setkey/racoon will complain when you run/start it, so check your
> > > > > > > > > logs for any relevant messages.
> > > > > > > > >
> > > > > > > > > To troubleshoot this problem take one step at a time. First check
> > > > > > > > > your IPv4 network, routing and IPSec all work without errors. Then
> > > > > > > > > check your IPv6 stack is working and you can ping remote peers.
> > > > > > > > > Then check your logs for error messages when you try to initiate
> > > > > > > > > an ESP/AH connection with racoon. Increase verbosity and study the
> > > > > > > > > logs to debug the problem.
> > > > > > > > >
> > > > > > > > > On Saturday, 6 October 2018 15:28:56 BST kalyani kaniganti wrote:
> > > > > > > > > > Hi,
> > > > > > > > > > We are using ipsec-tools rpm version ipsec-tools-0.7.3_1.38.3.1
> > > > > > > > > > from the sles 11 sp4 kernel.
> > > > > > > > > > We are using racoon as a daemon.
> > > > > > > > > > We are using dual stack on the os and trying to enable IPsec for
> > > > > > > > > > IPV6 as well, and we have already provided support for IPV4.
> > > > > > > > > > I have done the configuration the same as ipv4 but I find the
> > > > > > > > > > IPSEC-SA is not initiating phase 1 authentication.
> > > > > > > > > > May I know if we have to enable any other option on the kernel to
> > > > > > > > > > support IPsec for ipv6? We are trying to use the ESP and AH
> > > > > > > > > > protocols.
> > > > > > > > > >
> > > > > > > > > > Please suggest us
> > > > > > > > > > BR,
> > > > > > > > > > Kalyani.k
> >
> > --
> > Regards,
> > Mick

-- 
Regards,
Mick
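The two concrete checks the thread converges on, psk.txt being root-owned with no group/other access (Mick's final reply) and the CONFIG_INET6_* IPsec options being built in or available as modules (the 'zgrep INET6 /proc/config.gz' and CONFIG_INET6_* list in the earlier replies), rolled into one pre-flight script. This is an added example, not part of ipsec-tools and not code from any of the mails. Assumptions: GNU stat as found on SLES, /proc/config.gz available, and that racoon's "weak file permission" error is triggered by any group or other permission bit on psk.txt (so 0400 root:root as advised passes and 777 is rejected); the function names are my own.

```shell
#!/bin/sh
# Added pre-flight script for the two problems in the thread above; it is not
# part of ipsec-tools or of any of the mails.  Assumptions: GNU stat (as on
# SLES), /proc/config.gz present, and that racoon's "weak file permission"
# error fires when any group/other bit is set on psk.txt.

PSK_FILE=/etc/racoon/psk.txt
KCONFIG=/proc/config.gz
# The CONFIG_INET6_* options listed in the thread.
INET6_OPTS="CONFIG_INET6_AH CONFIG_INET6_ESP CONFIG_INET6_IPCOMP
CONFIG_INET6_XFRM_TUNNEL CONFIG_INET6_TUNNEL CONFIG_INET6_XFRM_MODE_TRANSPORT
CONFIG_INET6_XFRM_MODE_TUNNEL CONFIG_INET6_XFRM_MODE_BEET"

# psk_perms_ok MODE OWNER:GROUP
# Pure check on an octal mode string (as printed by 'stat -c %a') and an
# owner string, so it can be exercised without a root-owned file.  Accepts
# only root:root with the owner-read bit set and no group/other bits at all
# (0400 as advised above, or 0600); 777 is rejected.  Returns 0 or 1.
psk_perms_ok() {
    mode=$1 owner=$2
    [ "${#mode}" -ge 3 ] || { echo "psk: bad mode '$mode'" >&2; return 1; }
    go=${mode#"${mode%??}"}            # last two digits: group and other
    u=${mode%??}; u=${u#"${u%?}"}      # digit before them: owner
    if [ "$go" != "00" ]; then
        echo "psk: mode $mode grants group/other access; chmod 0400 it" >&2
        return 1
    fi
    case "$u" in
        4|5|6|7) ;;
        *) echo "psk: mode $mode is not readable by its owner" >&2; return 1 ;;
    esac
    if [ "$owner" != "root:root" ]; then
        echo "psk: owned by $owner, want root:root (chown root:root)" >&2
        return 1
    fi
    return 0
}

# check_psk_file [FILE]: stat the real file and apply psk_perms_ok to it.
check_psk_file() {
    f=${1:-$PSK_FILE}
    [ -f "$f" ] || { echo "psk: $f does not exist (check the path in racoon.conf)" >&2; return 1; }
    psk_perms_ok "$(stat -c '%a' "$f")" "$(stat -c '%U:%G' "$f")"
}

# kconfig_state CONFIG_TEXT OPTION: prints y (built in), m (module) or n
# (absent or "is not set"), the three answers the zgrep above can give.
kconfig_state() {
    case "$(printf '%s\n' "$1" | grep "^$2=" | head -n 1)" in
        *=y) echo y ;;
        *=m) echo m ;;
        *)   echo n ;;
    esac
}

# check_inet6_options [CONFIG_TEXT]: reports every option in INET6_OPTS and
# returns 1 if any of them is neither built in nor available as a module.
# Without an argument it reads the running kernel's /proc/config.gz.
check_inet6_options() {
    cfg=${1:-$(zcat "$KCONFIG" 2>/dev/null)}
    rc=0
    for opt in $INET6_OPTS; do
        case "$(kconfig_state "$cfg" "$opt")" in
            y) echo "$opt: built in" ;;
            m) echo "$opt: module; 'modprobe -v' it if lsmod does not list it" ;;
            n) echo "$opt: NOT SET; the kernel must be reconfigured and rebuilt"; rc=1 ;;
        esac
    done
    return $rc
}

# Run against the live system only when invoked with --run, so the script can
# also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    check_psk_file
    check_inet6_options
    ip -6 route show      # routes to the peers, as asked for in the thread
    ip -6 address show
fi
```

Run it as root with `sh preflight.sh --run` on both peers before starting racoon. A psk.txt set to 777, as in the thread, fails the first check with the chmod hint, and an option reported as NOT SET means modprobe cannot help and the kernel has to be rebuilt, which is the distinction the 6:32 PM reply draws.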