
Mailing List Archive: vpnc: devel

vpnc-nortel for MAC OS (almost!)

 

 



borneo.antonio at gmail

Aug 22, 2009, 5:27 AM

Post #1 of 6 (744 views)
vpnc-nortel for MAC OS (almost!)

Better subject: kernel-mode ipsec for vpnc-nortel

Hi,
I've been working for some time on the 2004 patch by Mattias:
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2004-September/000228.html
It was not easy to port it to the current vpnc-nortel and, unfortunately, the
available documentation on kernel ipsec is not much.

The attached patch is working for me on 32bit x86 Linux.
Kernel mode ipsec is enabled by "--kernel-ipsec" in vpnc command line

The patch needs some cleanup, it's still full of debug messages and
dirty code, but I want to share it to get feedback from the list's users.

1) Endianness
Comparing Mattias' code with the code in "ipsec-tools-0.7.1", it looks like
there is some endianness incompatibility around the "spi" values. In
ipsec-tools the spi is passed through ntohl/htonl, but this is not done in
vpnc.
It would be useful if somebody on the list could test this patch on a
big-endian machine (sparc or power-pc) running Linux.
To double check, the patch prints the "spi" for tx and rx. The same spi value
has to be printed by tcpdump for each ESP packet, and also by the
command "setkey -D" when the ipsec connection is active in
kernel-mode.
Please report if you get any discrepancy.

2) MAC OS
I cannot guarantee the patch compiles as is on MAC OS. Probably some
include file is missing.
Please test and provide fixes. I would be glad to include them in the patch.
Also, MAC OS is available either for x86 (little endian) or power-pc
(big endian).
I invite you to report the endianness of the system you use in your tests.

3) TUN/TAP
The current patch still sets up the tuntap interface, but then does not use it at all.
To allow kernel mode to use ethernet aliases in place of tuntap, some
modification is required to "vpnc-script".
Any volunteer for this job?
I'll give you some hints, to let you proceed faster.
In the patch, in vpnc.c, there are 3 lines with "if (1 || !opt_kernel_ipsec) {"
Remove the part "1 || " so tuntap will not be initialized, and
vpnc-script will not be executed.
In this situation you also lose the VPN setting for DNS, so please
use only numeric IPs.
After vpnc connects, you can run:
#> ifconfig eth0:1 ${INTERNAL_IP4_ADDRESS} netmask ${INTERNAL_IP4_NETMASK}
#> ip route replace default via ${DEFAULTGW} dev eth0:1 src ${INTERNAL_IP4_ADDRESS}
putting the right values for the variables, as in the original
vpnc-script, and the VPN is set up.

4) code review and license
The code in ipsec-tools is much cleaner than the equivalent code in
this patch.
I would like to copy from ipsec-tools. This should make it easy to follow
and integrate any ipsec-tools evolution or bug fix.
But the ipsec-tools license is BSD.
Do you know if I can carry code from them inside vpnc (which is under GPL)?
Do you have any concern about this operation?

5) dynamic library from ipsec-tools
ipsec-tools can be compiled to generate a dynamic library
"libipsec.so.0.0.1". It requires the flag "--enable-shared" to
"configure" during the build.
Such a libipsec is not widely available in all Linux distros, and I have
no idea about other platforms like MAC OS or Solaris.
Before using such a library in 4), I would like to have feedback on whether this
is a good option.

Best Regards,
Antonio Borneo
Attachments: patch-20090822.diff (34.3 KB)


natbudin at gmail

Sep 21, 2009, 5:45 AM

Post #2 of 6 (598 views)
Re: vpnc-nortel for MAC OS (almost!) [In reply to]

Hi,

I downloaded and tested Antonio Borneo's patch from August 22, 2009
under Mac OS X 10.6. The patch didn't quite apply cleanly against the
latest SVN sources of vpnc-nortel, but it was not very hard to make
the appropriate changes.

It seems there must be some small incompatibility, though, because
right after I type my password, I get the following message:

error writing PF_KEY socket: Invalid argument

Here is my debug output using --debug 2:

vpnc version 0.5.3-446M

S1 init_sockaddr
[2009-09-21 08:45:04]

S2 make_socket
[2009-09-21 08:45:04]

S3 setup_tunnel
[2009-09-21 08:45:04]
using interface tun0

S4 do_phase1_am
[2009-09-21 08:45:04]

S4.1 create_nonce
[2009-09-21 08:45:04]

S4.2 dh setup
[2009-09-21 08:45:04]

S4.3 AM packet_1
[2009-09-21 08:45:04]

S4.4 AM_packet2
[2009-09-21 08:45:05]
(unknown)
(DPD)
IKE SA selected psk-3des-sha1
peer is DPD capable (RFC3706)
NAT status: no NAT-T VID seen

S4.5 AM_packet3
[2009-09-21 08:45:05]

S4.6 cleanup
[2009-09-21 08:45:05]

S5 do_phase2_xauth [1]
[2009-09-21 08:45:05]

S5.1 xauth_request
[2009-09-21 08:45:05]

S5.2 notice_check
[2009-09-21 08:45:05]

S5.3 type-is-xauth check
[2009-09-21 08:45:05]

S5.4 xauth type check
[2009-09-21 08:45:05]

S5.5 do xauth reply
[2009-09-21 08:45:05]

S5.2 notice_check
[2009-09-21 08:45:05]

S5.3 type-is-xauth check
[2009-09-21 08:45:05]

S5.6 process xauth set
[2009-09-21 08:45:05]

S5.8 xauth done
[2009-09-21 08:45:05]

S6 do_phase2_config [1]
[2009-09-21 08:45:05]

S6.2 phase2_config receive modecfg
[2009-09-21 08:45:05]
unknown attribute 6 / 0x6
unknown attribute 16392 / 0x4008
unknown attribute 16393 / 0x4009
unknown attribute 16394 / 0x400A
unknown attribute 16396 / 0x400C
unknown attribute 16398 / 0x400E
unknown attribute 16397 / 0x400D
unknown attribute 16403 / 0x4013
unknown attribute 16400 / 0x4010
got address 10.130.33.239

S6 do_phase2
[2009-09-21 08:45:05]

do_phase2: S7.5 QM_packet2 check reject offer
[2009-09-21 08:45:05]

do_phase2: S7.6 QM_packet2 check and process proposal
[2009-09-21 08:45:05]
got ipsec lifetime attributes: 57600 seconds
IPSEC SA selected 3des-md5

do_phase2: S7.1 QM_packet1
[2009-09-21 08:45:05]
error writing PF_KEY socket: Invalid argument
_______________________________________________
vpnc-devel mailing list
vpnc-devel[at]unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


borneo.antonio at gmail

Sep 21, 2009, 7:55 AM

Post #3 of 6 (597 views)
Re: vpnc-nortel for MAC OS (almost!) [In reply to]

Ciao Nat,
surprised you get that error. Looks like your kernel does not support PF_KEY ...
But I never tried on Mac; I don't have it... maybe some silly mistake on my side.

Please try to use the same version on which I developed the patch.
Download it with
# svn co -r 414 http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel
then apply patch and compile.
Do you get any error or warning at compile time?

Best Regards,
Antonio Borneo

On Mon, Sep 21, 2009 at 8:45 PM, Nat Budin <natbudin[at]gmail.com> wrote:
> Hi,
>
> I downloaded and tested Antonio Borneo's patch from August 22, 2009
> under Mac OS X 10.6. The patch didn't quite apply cleanly against the
> latest SVN sources of vpnc-nortel, but it was not very hard to make
> the appropriate changes.
>
> It seems there must be some small incompatibility, though, because
> right after I type my password, I get the following message:
>
> error writing PF_KEY socket: Invalid argument
>
> Here is my debug output using --debug 2:
> ...


natbudin at gmail

Sep 21, 2009, 8:04 AM

Post #4 of 6 (596 views)
Re: vpnc-nortel for MAC OS (almost!) [In reply to]

Hi Antonio!

I'm not sure it is true that my kernel doesn't support PF_KEY. From
Apple's developer site, specifically:
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man4/ipsec.4.html,
it appears it should be supported. I checked on my system and the
same manpage is present there. I've been playing around with gdb to
find out which packet is causing the error, and it appears that the
request is originating from kernel_ipsec_get_spi.

I just tried it using revision 414, and the patch does apply cleanly
there. The only compile-time warnings I receive are:

config.c: In function ‘do_config’:
config.c:840: warning: field precision should have type ‘int’, but
argument 2 has type ‘long unsigned int’

isakmp-pkt.c: In function ‘parse_isakmp_packet’:
isakmp-pkt.c:931: warning: format ‘%d’ expects type ‘int’, but
argument 2 has type ‘size_t’

which I believe are also present in the latest version from trunk.
However, I still get the same illegal argument error when I try to
connect using it.

Cheers,
Nat

On Mon, Sep 21, 2009 at 10:55 AM, Antonio Borneo
<borneo.antonio[at]gmail.com> wrote:
> Ciao Nat,
> surprised you get that error. Looks like your kernel does not support PF_KEY ...
> But I never tried on Mac; I don't have it... maybe some silly mistake on my side.
>
> Please try to use the same version on which I developed the patch.
> Download it with
> # svn co -r 414 http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel
> then apply patch and compile.
> Do you get any error or warning at compile time?
>
> Best Regards,
> Antonio Borneo
>
> On Mon, Sep 21, 2009 at 8:45 PM, Nat Budin <natbudin[at]gmail.com> wrote:
>> Hi,
>>
>> I downloaded and tested Antonio Borneo's patch from August 22, 2009
>> under Mac OS X 10.6.  The patch didn't quite apply cleanly against the
>> latest SVN sources of vpnc-nortel, but it was not very hard to make
>> the appropriate changes.
>>
>> It seems there must be some small incompatibility, though, because
>> right after I type my password, I get the following message:
>>
>> error writing PF_KEY socket: Invalid argument
>>
>> Here is my debug output using --debug 2:
>> ...
>



borneo.antonio at gmail

Sep 21, 2009, 10:19 AM

Post #5 of 6 (598 views)
Re: vpnc-nortel for MAC OS (almost!) [In reply to]

Hi Nat,

the 2 warnings are from some printf(), we could skip them for the moment.

Please run in another shell the command
# setkey -x
or
# setkey -x -H
that will dump the whole PF_KEY communication with kernel, and run vpnc again.
Please send me the result of setkey. Since the communication stops
quite early, I do not expect any secret info could be in the dump.

Best Regards
Antonio Borneo

On Mon, Sep 21, 2009 at 11:04 PM, Nat Budin <natbudin[at]gmail.com> wrote:
> Hi Antonio!
>
> I'm not sure it is true that my kernel doesn't support PF_KEY. From
> Apple's developer site, specifically:
> http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man4/ipsec.4.html,
> it appears it should be supported. I checked on my system and the
> same manpage is present there. I've been playing around with gdb to
> find out which packet is causing the error, and it appears that the
> request is originating from kernel_ipsec_get_spi.
>
> I just tried it using revision 414, and the patch does apply cleanly
> there. The only compile-time warnings I receive are:
>
> config.c: In function ‘do_config’:
> config.c:840: warning: field precision should have type ‘int’, but
> argument 2 has type ‘long unsigned int’
>
> isakmp-pkt.c: In function ‘parse_isakmp_packet’:
> isakmp-pkt.c:931: warning: format ‘%d’ expects type ‘int’, but
> argument 2 has type ‘size_t’
>
> which I believe are also present in the latest version from trunk.
> However, I still get the same illegal argument error when I try to
> connect using it.
>
> Cheers,
> Nat
>
> On Mon, Sep 21, 2009 at 10:55 AM, Antonio Borneo
> <borneo.antonio[at]gmail.com> wrote:
>> Ciao Nat,
>> surprised you get that error. Looks like your kernel does not support PF_KEY ...
>> But I never tried on Mac; I don't have it... maybe some silly mistake on my side.
>>
>> Please try to use the same version on which I developed the patch.
>> Download it with
>> # svn co -r 414 http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel
>> then apply patch and compile.
>> Do you get any error or warning at compile time?
>>
>> Best Regards,
>> Antonio Borneo
>>
>> On Mon, Sep 21, 2009 at 8:45 PM, Nat Budin <natbudin[at]gmail.com> wrote:
>>> Hi,
>>>
>>> I downloaded and tested Antonio Borneo's patch from August 22, 2009
>>> under Mac OS X 10.6. The patch didn't quite apply cleanly against the
>>> latest SVN sources of vpnc-nortel, but it was not very hard to make
>>> the appropriate changes.
>>>
>>> It seems there must be some small incompatibility, though, because
>>> right after I type my password, I get the following message:
>>>
>>> error writing PF_KEY socket: Invalid argument
>>>
>>> Here is my debug output using --debug 2:
>>> ...
>>
>



natbudin at gmail

Sep 21, 2009, 11:07 AM

Post #6 of 6 (596 views)
Re: vpnc-nortel for MAC OS (almost!) [In reply to]

OK, I tried that; however, setkey seems to return two messages as soon
as it's started, and then nothing while vpnc runs. For reference,
here is the output:

nbudin[at]kenichi-2:[~/vpnc-nortel-414]: sudo setkey -xH
14:03:58.906489
00000000: 02 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00
00000010: 02 0b 00 01 02 00 00 00 00 00 00 00 42 30 00 00
sadb_msg{ version=2 type=11 errno=0 satype=1
len=2 reserved=0 seq=0 pid=12354

14:03:58.906576
00000000: 02 0b 00 01 02 00 00 00 00 00 00 00 42 30 00 00

(These two messages came immediately when I ran the command. I then
repeatedly attempted to log into the VPN in a different terminal, but
nothing ever appeared in the setkey output.)

Nat

On Mon, Sep 21, 2009 at 1:19 PM, Antonio Borneo
<borneo.antonio[at]gmail.com> wrote:
> Hi Nat,
>
> the 2 warnings are from some printf(), we could skip them for the moment.
>
> Please run in another shell the command
> # setkey -x
> or
> # setkey -x -H
> that will dump the whole PF_KEY communication with kernel, and run vpnc again.
> Please send me the result of setkey. Since the communication stops
> quite early, I do not expect any secret info could be in the dump.
>
> Best Regards
> Antonio Borneo
>
> On Mon, Sep 21, 2009 at 11:04 PM, Nat Budin <natbudin[at]gmail.com> wrote:
>> Hi Antonio!
>>
>> I'm not sure it is true that my kernel doesn't support PF_KEY.  From
>> Apple's developer site, specifically:
>> http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man4/ipsec.4.html,
>> it appears it should be supported.  I checked on my system and the
>> same manpage is present there.  I've been playing around with gdb to
>> find out which packet is causing the error, and it appears that the
>> request is originating from kernel_ipsec_get_spi.
>>
>> I just tried it using revision 414, and the patch does apply cleanly
>> there.  The only compile-time warnings I receive are:
>>
>> config.c: In function ‘do_config’:
>> config.c:840: warning: field precision should have type ‘int’, but
>> argument 2 has type ‘long unsigned int’
>>
>> isakmp-pkt.c: In function ‘parse_isakmp_packet’:
>> isakmp-pkt.c:931: warning: format ‘%d’ expects type ‘int’, but
>> argument 2 has type ‘size_t’
>>
>> which I believe are also present in the latest version from trunk.
>> However, I still get the same illegal argument error when I try to
>> connect using it.
>>
>> Cheers,
>> Nat
>>
>> On Mon, Sep 21, 2009 at 10:55 AM, Antonio Borneo
>> <borneo.antonio[at]gmail.com> wrote:
>>> Ciao Nat,
>>> surprised you get that error. Looks like your kernel does not support PF_KEY ...
>>> But I never tried on Mac; I don't have it... maybe some silly mistake on my side.
>>>
>>> Please try to use the same version on which I developed the patch.
>>> Download it with
>>> # svn co -r 414 http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel
>>> then apply patch and compile.
>>> Do you get any error or warning at compile time?
>>>
>>> Best Regards,
>>> Antonio Borneo
>>>
>>> On Mon, Sep 21, 2009 at 8:45 PM, Nat Budin <natbudin[at]gmail.com> wrote:
>>>> Hi,
>>>>
>>>> I downloaded and tested Antonio Borneo's patch from August 22, 2009
>>>> under Mac OS X 10.6.  The patch didn't quite apply cleanly against the
>>>> latest SVN sources of vpnc-nortel, but it was not very hard to make
>>>> the appropriate changes.
>>>>
>>>> It seems there must be some small incompatibility, though, because
>>>> right after I type my password, I get the following message:
>>>>
>>>> error writing PF_KEY socket: Invalid argument
>>>>
>>>> Here is my debug output using --debug 2:
>>>> ...
>>>
>>
>

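As an added example (not from the thread and not part of the vpnc patch), the following C decodes the second sadb_msg header from Nat's setkey -xH dump above and shows the byte-order rule behind point 1) of Antonio's first mail: PF_KEY header fields are in the byte order of the host that produced the dump (little-endian on Nat's Intel Mac), while the SPI in an ESP packet is in network byte order and has to go through ntohl() before it can be compared with what tcpdump or "setkey -D" prints. The SPI bytes are constructed sample input; the struct name pfkey_hdr is this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Second message from the setkey -xH dump in this thread (16 bytes,
 * copied from the hex lines): a PF_KEY v2 sadb_msg header. Type 11 is
 * SADB_X_PROMISC, the request setkey -x uses to see all PF_KEY traffic. */
static const uint8_t dump_msg[16] = {
    0x02, 0x0b, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x42, 0x30, 0x00, 0x00
};

/* Fields of RFC 2367 struct sadb_msg (renamed to avoid clashing with
 * system headers). PF_KEY keeps these in host byte order, not network. */
struct pfkey_hdr {
    uint8_t  version, type, err, satype;
    uint16_t len, reserved;
    uint32_t seq, pid;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode a sadb_msg header captured on a little-endian host, as this dump
 * was. A dump from a big-endian (power-pc) Mac would need big-endian readers.
 * Returns 0 on success, -1 if the buffer is too short or not PF_KEY v2. */
int parse_sadb_msg_le(const uint8_t *buf, size_t n, struct pfkey_hdr *h)
{
    if (n < 16 || buf[0] != 2)   /* PF_KEY_V2 */
        return -1;
    h->version = buf[0]; h->type = buf[1]; h->err = buf[2]; h->satype = buf[3];
    h->len = le16(buf + 4); h->reserved = le16(buf + 6);
    h->seq = le32(buf + 8); h->pid = le32(buf + 12);
    return 0;
}

/* The SPI in an ESP header (and in sadb_sa) is network byte order. This turns
 * the 4 wire bytes into the number tcpdump and "setkey -D" display, i.e. the
 * value vpnc must print for the tx/rx comparison Antonio asks testers to do. */
uint32_t spi_from_wire(const uint8_t spi[4])
{
    uint32_t wire;
    memcpy(&wire, spi, 4);       /* raw bytes exactly as they sit in the packet */
    return ntohl(wire);          /* same result on little- and big-endian hosts */
}
```

On the x86 hosts in this thread a plain memcpy of the 16 bytes into the struct gives the same field values as the explicit little-endian readers, because the capturing host and the parsing host agree; the readers make that assumption visible.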

 
 

