Discussion:
[uClinux-dev] Add openswan 2.4.12 to uClinux-dist-20080808 (2.6.25-uc0) on Coldfire MCF5329
Ted Victorio
2014-01-14 02:50:42 UTC
I added openswan 2.4.12 to an existing functional uClinux-dist-20080808 (kernel 2.6.25-uc0) on
Coldfire MCF5329. The build is successful and loads onto target; however, the
uClinux unit neither initiates nor responds to the remote IPsec Main Mode
handshake. Can someone advise me on how to proceed?
Details shown below. Thank you in advance for your help.
Ted

I executed the following commands (uClinux unit):

/>modprobe af_key
/>modprobe xfrm_user
/>modprobe ah4
/>modprobe esp4
/>modprobe ipcomp
/>modprobe xfrm4_tunnel

/> lsmod
Module              Size  Used by
af_key 29216 - - Live 0x41490000
xfrm_user 15092 - - Live 0x415b8000
xfrm4_tunnel 640 - - Live 0x414a2800
tunnel4 852 - - Live 0x414a2c00
ipcomp 2748 - - Live 0x41422000
esp4 3764 - - Live 0x41d20000
ah4 2824 - - Live 0x41c4c000

/>pluto --nofork --noklips --use-netkey --secretsfile /mnt/ipsec.secrets --debug-all &
/>whack --listen &
/>whack --name link2 --host 90.0.0.3 --to --host 90.0.0.9 --client 209.0.0.0/24 --psk --encrypt --tunnel --pfs &
/>whack --name link2 --initiate &
/>
Pluto initialized
Nov 30 00:01:51 pluto[30]: Starting Pluto (Openswan Version 2.4.12 PLUTO_SENDS_VENDORID; Vendor ID OEzufdtpHjOA)
Nov 30 00:01:51 pluto[30]: | opening /dev/urandom
Nov 30 00:01:51 pluto[30]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Nov 30 00:01:51 pluto[30]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
Nov 30 00:01:51 pluto[30]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok(ret=0)
Nov 30 00:01:51 pluto[30]: starting up 1 cryptographic helpers
Nov 30 00:03:55 pluto[31]: | opening /dev/urandom
Nov 30 00:03:55 pluto[31]: ! helper 0 waiting on fd: 6

Note: Using similar pluto & whack commands above, I was able to
have 2 Ubuntu PCs establish IPsec communication.

I executed the following commands (On Ubuntu side):
# ipsec auto --add link2

# ipsec auto --up link2



Additional IPsec build configuration options:

Networking options
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m

Cryptographic API
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_DEFLATE=y

uClinux to Ubuntu test configuration
Ubuntu setup:
-------------
ipsec.conf:
   config setup
                plutodebug=all
                klipsdebug=all
                #nat_traversal=yes

   conn link2
                type=tunnel
                authby=secret
                left=90.0.0.3
                right=90.0.0.9
                rightsubnet=209.0.0.0/24

ipsec.secrets:
90.0.0.3 90.0.0.9 : PSK "testing12345"

uClinux setup:
--------------
/mnt/ipsec.secrets:
90.0.0.3 90.0.0.9 : PSK "testing12345"

(uClinux) 90.0.0.3====================90.0.0.9 (Ubuntu) ---- 209.0.0.9
                          |
                          |
                  monitor w/ Wireshark

Wireshark monitor showed remote Ubuntu (90.0.0.9) initiated:
       90.0.0.9    90.0.0.3    ISAKMP    Identity Protection (Main Mode)
       90.0.0.3    90.0.0.9    ICMP      Destination unreachable (Port unreachable)
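
The capture above shows 90.0.0.3 answering ISAKMP with ICMP port unreachable, which a host normally sends when no socket is bound to the destination UDP port (IKE uses UDP 500). As an added example, not part of the original post, this shell function checks a table in /proc/net/udp layout for a bound port; the function name and both sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: is any UDP socket bound to a given port?
# Reads a table in /proc/net/udp layout on stdin.
# Exit status: 0 = a socket is bound to the port, 1 = none is.
udp_port_bound() {
    port_hex=$(printf '%04X' "$1")   # the table prints ports as 4 hex digits
    awk -v want="$port_hex" '
        NR > 1 {                          # line 1 is the column header
            n = split($2, addr, ":")      # field 2 is local_address, HEXIP:HEXPORT
            if (n == 2 && toupper(addr[2]) == want) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample: a socket on 0.0.0.0:500 (0x01F4), as an IKE daemon holds.
sample_listening() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   4: 00000000:01F4 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 412 2 00000000 0
  11: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 398 2 00000000 0
EOF
}

# Constructed sample: only a socket on port 68 (0x0044), nothing on 500.
sample_not_listening() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  11: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 398 2 00000000 0
EOF
}

# Run the check over both constructed tables.
for sample in sample_listening sample_not_listening; do
    if "$sample" | udp_port_bound 500; then
        echo "$sample: a socket is bound to UDP 500"
    else
        echo "$sample: nothing is bound to UDP 500"
    fi
done

# On the target itself the live table would be read instead:
#   udp_port_bound 500 < /proc/net/udp
```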