* Re: [Development] Strongswan 5.0.0
[not found] <0F362495-84A1-4E4E-9420-34BF53F4595F@ipfire.org>
@ 2012-08-07 9:13 ` Michael Tremer
2012-08-07 9:24 ` Erik K.
0 siblings, 1 reply; 9+ messages in thread
From: Michael Tremer @ 2012-08-07 9:13 UTC (permalink / raw)
To: development
On Tue, 2012-08-07 at 10:51 +0200, Erik K. wrote:
>
> > Hi all,
> > i have tried that and after a
> >
> > [root@ipfire-server ~]# /etc/init.d/ipsec start
> > Starting strongSwan 5.0.0 IPsec [starter]...
> > insmod /lib/modules/2.6.32.45-ipfire/kernel/net/key/af_key.ko
> > insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/ah4.ko
> > insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/esp4.ko
> > insmod /lib/modules/2.6.32.45-ipfire/kernel/net/xfrm/xfrm_ipcomp.ko
> > insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/ipcomp.ko
> > insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/tunnel4.ko
> > insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/xfrm4_tunnel.ko
> > insmod /lib/modules/2.6.32.45-ipfire/kernel/net/xfrm/xfrm_user.ko
> >
> > there was no output on httpd/error_log
There is not supposed to be any.
> > but my log manager warned me per email with a:
> >
> > OSSEC HIDS Notification.
> > 2012 Aug 07 10:29:16
> >
> > Received From: ipfire-server->/var/log/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
> > system."
> > Portion of the log(s):
> >
> > Aug 7 10:29:16 ipfire-server charon: 00[LIB] plugin 'padlock':
> > failed to load - padlock_plugin_create returned NULL
> >
> > --END OF NOTIFICATION
Well, that's bad from your log manager.
strongSwan tries to use hardware crypto when it is available. So it
loads the padlock module, which fails to load with an error saying there
is no padlock available. This is totally normal on an Intel PC.
This is nothing harmful, but the program shouldn't notify.
> > Also is there a dev list with changes on this new version especially
> > for the WUI so the documentation can start up more quickly ?
No, we are still testing those changes.
If we can be sure that there are no more severe problems, we can start
the documentation. At this stage, it might be possible that changes in
the UI are required.
Please do a little more testing...
Michael
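The point above is that the padlock message is expected on any CPU without VIA PadLock, so the fix belongs on the log-manager side: OSSEC should stop classifying this one charon line as "Unknown problem somewhere in the system" (its generic rule 1002) while still alerting if some other strongSwan plugin fails to load. The following local rule is an added example, not part of this mail or of IPFire; the rule id 100100 and the description text are assumptions, chosen from the 100000-119999 range OSSEC reserves for local rules.

```xml
<!-- Added example (not from the thread): goes into /var/ossec/rules/local_rules.xml.
     Child rule of the generic "bad words" rule 1002 that fired in the notification.
     Rule id 100100 is an assumed value from OSSEC's local-rule range. -->
<group name="local,syslog,">
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <!-- Only lines logged by the charon daemon (syslog program name). -->
    <program_name>^charon$</program_name>
    <!-- Deliberately the full message, so that a different plugin failing
         (openssl, kernel-netlink, ...) still falls through to rule 1002. -->
    <match>plugin 'padlock': failed to load - padlock_plugin_create returned NULL</match>
    <description>strongSwan: VIA PadLock plugin unavailable on this CPU; expected on non-VIA hardware.</description>
  </rule>
</group>
```

Level 0 tells OSSEC to drop the event without alerting. Before restarting ossec, the rule can be checked by piping the exact line from the notification (`Aug 7 10:29:16 ipfire-server charon: 00[LIB] plugin 'padlock': failed to load - padlock_plugin_create returned NULL`) into `/var/ossec/bin/ossec-logtest`, which should now report rule 100100 instead of 1002. The alternative is to stop the message at its source by leaving `padlock` out of the `load` list in the `charon` section of strongswan.conf, but that has to be done on every installed system, whereas the rule above keeps the HIDS honest about every other plugin failure.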
* Re: [Development] Strongswan 5.0.0
2012-08-07 9:13 ` [Development] Strongswan 5.0.0 Michael Tremer
@ 2012-08-07 9:24 ` Erik K.
0 siblings, 0 replies; 9+ messages in thread
From: Erik K. @ 2012-08-07 9:24 UTC (permalink / raw)
To: development
On 07.08.2012 at 11:13, Michael Tremer wrote:
> On Tue, 2012-08-07 at 10:51 +0200, Erik K. wrote:
>>
>>> Hi all,
>>> i have tried that and after a
>>>
>>> [root@ipfire-server ~]# /etc/init.d/ipsec start
>>> Starting strongSwan 5.0.0 IPsec [starter]...
>>> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/key/af_key.ko
>>> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/ah4.ko
>>> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/esp4.ko
>>> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/xfrm/xfrm_ipcomp.ko
>>> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/ipcomp.ko
>>> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/tunnel4.ko
>>> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/ipv4/xfrm4_tunnel.ko
>>> insmod /lib/modules/2.6.32.45-ipfire/kernel/net/xfrm/xfrm_user.ko
>>>
>>> there was no output on httpd/error_log
>
> There is not supposed to be any.
>
>>> but my log manager warned me per email with a:
>>>
>>> OSSEC HIDS Notification.
>>> 2012 Aug 07 10:29:16
>>>
>>> Received From: ipfire-server->/var/log/messages
>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
>>> system."
>>> Portion of the log(s):
>>>
>>> Aug 7 10:29:16 ipfire-server charon: 00[LIB] plugin 'padlock':
>>> failed to load - padlock_plugin_create returned NULL
>>>
>>> --END OF NOTIFICATION
>
> Well, that's bad from your log manager.
>
> strongSwan tries to use hardware crypto when it is available. So it
> loads the padlock module, which fails to load with an error saying there
> is no padlock available. This is totally normal on an Intel PC.
>
> This is nothing harmful, but the program shouldn't notify.
>
>>> Also is there a dev list with changes on this new version especially
>>> for the WUI so the documentation can start up more quickly ?
>
> No, we are still testing those changes.
>
> If we can be sure that there are no more severe problems, we can start
> the documentation. At this stage, it might be possible that changes in
> the UI are required.
>
> Please do a little more testing...
>
> Michael
>
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
Ah, OK, my fault, sorry.
Thanks for the information.
* Re: [Development] Strongswan 5.0.0
2012-08-07 11:09 ` Stefan Schantl
@ 2012-08-07 15:08 ` Michael Tremer
0 siblings, 0 replies; 9+ messages in thread
From: Michael Tremer @ 2012-08-07 15:08 UTC (permalink / raw)
To: development
Applied, thanks for the fix.
http://git.ipfire.org/?p=people/ms/ipfire-2.x.git;a=commitdiff;h=35b5392a958b9f3439dab71a19485326c9d7343b
So everyone who installs the package needs to manually update the CGI
script.
Michael
On Tue, 2012-08-07 at 13:09 +0200, Stefan Schantl wrote:
> Hello Michael,
>
> your commands work without any problems - IPSec will be stopped and
> started, as I have already written.
>
> After some work I found the problem in vpnmain.cgi. In the shipped
> file of your update, the line which stores whether the service is
> enabled or not is missing. After I manually added it again, I was able
> to stop and disable IPSec from the WUI.
>
> I've created a patchfile for you - please check and apply it.
>
> Thanks
>
> Stefan
* Re: [Development] Strongswan 5.0.0
2012-08-06 21:11 ` Michael Tremer
@ 2012-08-07 11:09 ` Stefan Schantl
2012-08-07 15:08 ` Michael Tremer
0 siblings, 1 reply; 9+ messages in thread
From: Stefan Schantl @ 2012-08-07 11:09 UTC (permalink / raw)
To: development
Hello Michael,
your commands work without any problems - IPSec will be stopped and
started, as I have already written.
After some work I found the problem in vpnmain.cgi. In the shipped
file of your update, the line which stores whether the service is
enabled or not is missing. After I manually added it again, I was able
to stop and disable IPSec from the WUI.
I've created a patchfile for you - please check and apply it.
Thanks
Stefan
> Please try to manually stop strongswan with the helper tool:
>
> ipsecctrl D
>
> Try to start it again with:
>
> ipsecctrl S
>
> On Mon, 2012-08-06 at 21:48 +0200, Stefan Schantl wrote:
>> Hello Michael,
>>
>> I've tested stopping IPSec from the shell, which worked without problems. But
>> if I try to disable and stop it from the WUI by
>> using the checkbox, the service does a restart and not a shutdown.
>>
>> I've looked inside the error_log from the httpd, and found the following
>> lines:
>>
>> [Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec
>> enabled on orange but orange interface is invalid or not found, referer:
>> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>> [Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec
>> enabled on blue but blue interface is invalid or not found, referer:
>> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>> [Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] Stopping
>> strongSwan IPsec..., referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
>> [Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] Starting
>> strongSwan 5.0.0 IPsec [starter]..., referer:
>> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>> [Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] , referer:
>> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>>
>> Why are there entries about an orange and a blue network? I don't have either
>> of them......
>>
>> Do you have any idea about that ?
>>
>> Stefan
>>
>>> On Mon, 2012-08-06 at 17:21 +0200, Stefan Schantl wrote:
>>>> The only bad point I have to report is that after the update I can't
>>>> disable IPSec over the WUI anymore; maybe other testers will report the
>>>> same issue.
>>> What is the exact problem? Did you get an internal server error from the
>>> CGI script? Need a more precise error report.
>>>
>>> Michael
>>>
>>>
>> _______________________________________________
>> SIG-VPN mailing list
>> SIG-VPN(a)lists.ipfire.org
>> http://lists.ipfire.org/mailman/listinfo/sig-vpn
>
[-- Attachment #2: ipsec-fix-stopping-on-wui.patch --]
# This patch fixes the problem, to disable and stop the complete IPSec service
# by using the Webinterface.
--- vpnmain.cgi_old 2012-08-07 12:58:31.701086700 +0200
+++ vpnmain.cgi 2012-08-07 12:55:44.627624624 +0200
@@ -436,6 +436,7 @@
goto SAVE_ERROR;
}
+ $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
$vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
$vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
$vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
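Review bot: in the hunk at `@@ -436,6 +436,7 @@`, the added line `$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};` copies the checkbox value straight from the request into the persisted settings without checking it, even though it sits directly after the validation block that ends in `goto SAVE_ERROR;`. Nothing in the hunk constrains `ENABLED` to the values the form is expected to submit, so any string a client sends is written to the settings file and later decides whether the service is started or stopped. Suggest validating before the copy, in the same style as the checks above it, for example `if ($cgiparams{'ENABLED'} ne 'on' && $cgiparams{'ENABLED'} ne 'off') { goto SAVE_ERROR; }` (adjusting the accepted values to whatever the checkbox actually submits), and adding a one-line comment that this is the key the stop/disable path reads, since its absence is what caused the restart-instead-of-stop behaviour reported in this thread.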
* Re: [Development] Strongswan 5.0.0
2012-08-06 19:48 ` Stefan Schantl
@ 2012-08-06 21:11 ` Michael Tremer
2012-08-07 11:09 ` Stefan Schantl
0 siblings, 1 reply; 9+ messages in thread
From: Michael Tremer @ 2012-08-06 21:11 UTC (permalink / raw)
To: development
Please try to manually stop strongswan with the helper tool:
ipsecctrl D
Try to start it again with:
ipsecctrl S
On Mon, 2012-08-06 at 21:48 +0200, Stefan Schantl wrote:
> Hello Michael,
>
> I've tested stopping IPSec from the shell, which worked without problems. But
> if I try to disable and stop it from the WUI by
> using the checkbox, the service does a restart and not a shutdown.
>
> I've looked inside the error_log from the httpd, and found the following
> lines:
>
> [Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec
> enabled on orange but orange interface is invalid or not found, referer:
> https://gate.xxx:444/cgi-bin/vpnmain.cgi
> [Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec
> enabled on blue but blue interface is invalid or not found, referer:
> https://gate.xxx:444/cgi-bin/vpnmain.cgi
> [Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] Stopping
> strongSwan IPsec..., referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
> [Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] Starting
> strongSwan 5.0.0 IPsec [starter]..., referer:
> https://gate.xxx:444/cgi-bin/vpnmain.cgi
> [Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] , referer:
> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>
> Why are there entries about an orange and a blue network? I don't have either
> of them......
>
> Do you have any idea about that ?
>
> Stefan
>
> > On Mon, 2012-08-06 at 17:21 +0200, Stefan Schantl wrote:
> >> The only bad point I have to report is that after the update I can't
> >> disable IPSec over the WUI anymore; maybe other testers will report the
> >> same issue.
> > What is the exact problem? Did you get an internal server error from the
> > CGI script? Need a more precise error report.
> >
> > Michael
> >
> >
>
> _______________________________________________
> SIG-VPN mailing list
> SIG-VPN(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/sig-vpn
* Re: [Development] Strongswan 5.0.0
2012-08-06 15:36 ` Michael Tremer
@ 2012-08-06 19:48 ` Stefan Schantl
2012-08-06 21:11 ` Michael Tremer
0 siblings, 1 reply; 9+ messages in thread
From: Stefan Schantl @ 2012-08-06 19:48 UTC (permalink / raw)
To: development
Hello Michael,
I've tested stopping IPSec from the shell, which worked without problems. But
if I try to disable and stop it from the WUI by
using the checkbox, the service does a restart and not a shutdown.
I've looked inside the error_log from the httpd, and found the following
lines:
[Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec
enabled on orange but orange interface is invalid or not found, referer:
https://gate.xxx:444/cgi-bin/vpnmain.cgi
[Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec
enabled on blue but blue interface is invalid or not found, referer:
https://gate.xxx:444/cgi-bin/vpnmain.cgi
[Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] Stopping
strongSwan IPsec..., referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
[Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] Starting
strongSwan 5.0.0 IPsec [starter]..., referer:
https://gate.xxx:444/cgi-bin/vpnmain.cgi
[Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] , referer:
https://gate.xxx:444/cgi-bin/vpnmain.cgi
Why are there entries about an orange and a blue network? I don't have either
of them......
Do you have any idea about that ?
Stefan
> On Mon, 2012-08-06 at 17:21 +0200, Stefan Schantl wrote:
>> The only bad point I have to report is that after the update I can't
>> disable IPSec over the WUI anymore; maybe other testers will report the
>> same issue.
> What is the exact problem? Did you get an internal server error from the
> CGI script? Need a more precise error report.
>
> Michael
>
>
* Re: [Development] Strongswan 5.0.0
2012-08-06 15:21 ` Stefan Schantl
@ 2012-08-06 15:36 ` Michael Tremer
2012-08-06 19:48 ` Stefan Schantl
0 siblings, 1 reply; 9+ messages in thread
From: Michael Tremer @ 2012-08-06 15:36 UTC (permalink / raw)
To: development
On Mon, 2012-08-06 at 17:21 +0200, Stefan Schantl wrote:
> The only bad point I have to report is that after the update I can't
> disable IPSec over the WUI anymore; maybe other testers will report the
> same issue.
What is the exact problem? Did you get an internal server error from the
CGI script? Need a more precise error report.
Michael
* Re: [Development] Strongswan 5.0.0
2012-08-03 12:58 Michael Tremer
@ 2012-08-06 15:21 ` Stefan Schantl
2012-08-06 15:36 ` Michael Tremer
0 siblings, 1 reply; 9+ messages in thread
From: Stefan Schantl @ 2012-08-06 15:21 UTC (permalink / raw)
To: development
Hello Michael,
I've successfully installed the new version of strongswan on my IPFire 2
system.
VPN over IPSec still works perfectly - tested with IKEv1 and IKEv2
connections.
The only bad point I have to report is that after the update I can't
disable IPSec over the WUI anymore; maybe other testers will report the
same issue.
Best regards,
Stefan
> Hello,
>
> as Core Update 61 has now been released, it is time to go on with
> developments for the next one:
>
> I have updated strongswan to version 5.0.0 which finally removes the
> pluto daemon which was responsible for IKEv1 connections.
> However, pluto has gotten very old and was created in the beginnings of
> the IPsec for Linux developments back in freeswan times.
>
> charon was introduced by strongswan some time ago when IKEv2 connections
> got supported. It handles IKEv1 connections as well as IKEv2 connections
> since strongswan version 5.0.0.
>
> What are the benefits for IPFire?
>
> As mentioned earlier, pluto is very old and got very hard to maintain.
> There have been problems with VPNs that terminate at hosts with dynamic
> IP addresses, so we needed to restart the entire IPsec subsystem in
> intervals of 5 minutes.
> This caused some trouble in stability terms.
>
> charon handles those dynamic endpoints much better without the need to
> restart anything. Connections may now be added and removed smoothly and
> in total there should be much more connection stability.
>
> There is also some new code for hybrid IPsec VPNs which can be used with
> Android 4 and maybe Apple iOS. I have not done any investigation on this
> topic, because I am not interested, but hopefully somebody else gives it
> a shot.
>
> I have now packaged the changes into a small package which wants to be
> installed on your system.
>
> http://people.ipfire.org/~ms/unsupported/core-upgrade-2.11-strongswan.ipfire
>
> It should not require any manual interaction at all. Please install and
> give me feedback about the connection stability and the interoperability
> with other (proprietary) implementations.
>
> I am looking forward to it.
>
> Michael
>
> P.S. If you reply to this mail make sure to keep both mailing lists.
>
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
>
* [Development] Strongswan 5.0.0
@ 2012-08-03 12:58 Michael Tremer
2012-08-06 15:21 ` Stefan Schantl
0 siblings, 1 reply; 9+ messages in thread
From: Michael Tremer @ 2012-08-03 12:58 UTC (permalink / raw)
To: development
Hello,
as Core Update 61 has now been released, it is time to go on with
developments for the next one:
I have updated strongswan to version 5.0.0 which finally removes the
pluto daemon which was responsible for IKEv1 connections.
However, pluto has gotten very old and was created in the beginnings of
the IPsec for Linux developments back in freeswan times.
charon was introduced by strongswan some time ago when IKEv2 connections
got supported. It handles IKEv1 connections as well as IKEv2 connections
since strongswan version 5.0.0.
What are the benefits for IPFire?
As mentioned earlier, pluto is very old and got very hard to maintain.
There have been problems with VPNs that terminate at hosts with dynamic
IP addresses, so we needed to restart the entire IPsec subsystem in
intervals of 5 minutes.
This caused some trouble in stability terms.
charon handles those dynamic endpoints much better without the need to
restart anything. Connections may now be added and removed smoothly and
in total there should be much more connection stability.
There is also some new code for hybrid IPsec VPNs which can be used with
Android 4 and maybe Apple iOS. I have not done any investigation on this
topic, because I am not interested, but hopefully somebody else gives it
a shot.
I have now packaged the changes into a small package which wants to be
installed on your system.
http://people.ipfire.org/~ms/unsupported/core-upgrade-2.11-strongswan.ipfire
It should not require any manual interaction at all. Please install and
give me feedback about the connection stability and the interoperability
with other (proprietary) implementations.
I am looking forward to it.
Michael
P.S. If you reply to this mail make sure to keep both mailing lists.
end of thread, other threads:[~2012-08-07 15:08 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
[not found] <0F362495-84A1-4E4E-9420-34BF53F4595F@ipfire.org>
2012-08-07 9:13 ` [Development] Strongswan 5.0.0 Michael Tremer
2012-08-07 9:24 ` Erik K.
2012-08-03 12:58 Michael Tremer
2012-08-06 15:21 ` Stefan Schantl
2012-08-06 15:36 ` Michael Tremer
2012-08-06 19:48 ` Stefan Schantl
2012-08-06 21:11 ` Michael Tremer
2012-08-07 11:09 ` Stefan Schantl
2012-08-07 15:08 ` Michael Tremer