From: Stephen C. <scl...@ea...> - 2012-09-18 17:24:40

On 09/18/2012 11:38 AM, Milan P. Stanic wrote:
> On Tue, 2012-09-18 at 09:26, Stephen Clark wrote:
>
>> On 09/18/2012 08:41 AM, Rainer Weikusat wrote:
>>
>>> Tobias Dinse<tob...@st...> writes:
>>>
> [...]
>
>> Are there ip xfrm commands that show all the info that you get with setkey -D
>> like current bytes, state, date created, etc?
>>
> 'ip -s xfrm state' or 'ip -s xfrm policy'
>
> Short form:
> 'ip -s x s' and 'ip -s x p'
>
Great! Thanks.

>> Because I didn't see any when I did ip xfrm state and nothing in the man
>> page on ip,
>> but there have been undocumented features of the ip command.
>>

--
"They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)
From: Milan P. S. <mp...@ar...> - 2012-09-18 16:34:00

On Tue, 2012-09-18 at 09:26, Stephen Clark wrote:
> On 09/18/2012 08:41 AM, Rainer Weikusat wrote:
> > Tobias Dinse<tob...@st...> writes:
[...]
> Are there ip xfrm commands that show all the info that you get with setkey -D
> like current bytes, state, date created, etc?

'ip -s xfrm state' or 'ip -s xfrm policy'

Short form:
'ip -s x s' and 'ip -s x p'

> Because I didn't see any when I did ip xfrm state and nothing in the man
> page on ip,
> but there have been undocumented features of the ip command.

--
Kind regards,
Milan
--------------------------------------------------
Arvanta, http://www.arvanta.net
Please do not send me e-mail containing HTML code or documents in proprietary format (word, excel, pps and so on)
From: Stephen C. <scl...@ea...> - 2012-09-18 13:26:59

On 09/18/2012 08:41 AM, Rainer Weikusat wrote:
> Tobias Dinse<tob...@st...> writes:
>
>> We have only 4 SAs. I attached the configuration file. It only lags
>> on connections over the Internet gateway (where racoon is running).
>> Pings between the other servers in the internal networks are
>> fine. We already tried to switch the cable / NIC and to our backup
>> gateway server. CPU / mem isn't high and racoon is not going crazy.
>>
>> After restarting racoon / rebooting the server all works fine. I'm
>> happy about any hint.
>>
> As I already wrote: racoon does not handle any actual data traffic, it
> just configures the kernel to handle that in a particular way. If you
> stop it, it will send a SADB_FLUSH message to the kernel, causing all
> kernel SAs to be deleted, and then send isakmp delete payloads for all
> ph2 SAs known to it to the respective peers. This could theoretically
> help with an in-kernel performance issue if there are (for some
> reason) lots and lots of kernel SAs (xfrm states, actually) and,
> because of this, searching for a matching xfrm state for a datagram
> supposed to be processed takes a long time. A similar problem could
> exist for xfrm policies. Both of these possibilities are IMO rather
> far-fetched but checking them (hopefully :-) can't hurt. You can
> display all kernel SAs (on Linux) independently of racoon with ip
> xfrm state and all policies with ip xfrm pol. Equivalent setkey
> commands would be setkey -D and setkey -D -P. Lastly, racoonctl ss
> ipsec can be used to display all kernel SAs/ xfrm states with the help
> of the daemon itself.
>
Hi,

Are there ip xfrm commands that show all the info that you get with setkey -D
like current bytes, state, date created, etc?

Because I didn't see any when I did ip xfrm state and nothing in the man
page on ip, but there have been undocumented features of the ip command.

> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
>
>

--
"They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)
From: Rainer W. <rwe...@mo...> - 2012-09-18 12:42:10

Tobias Dinse <tob...@st...> writes:
> We have only 4 SAs. I attached the configuration file. It only lags
> on connections over the Internet gateway (where racoon is running).
> Pings between the other servers in the internal networks are
> fine. We already tried to switch the cable / NIC and to our backup
> gateway server. CPU / mem isn't high and racoon is not going crazy.
>
> After restarting racoon / rebooting the server all works fine. I'm
> happy about any hint.

As I already wrote: racoon does not handle any actual data traffic, it
just configures the kernel to handle that in a particular way. If you
stop it, it will send a SADB_FLUSH message to the kernel, causing all
kernel SAs to be deleted, and then send isakmp delete payloads for all
ph2 SAs known to it to the respective peers. This could theoretically
help with an in-kernel performance issue if there are (for some
reason) lots and lots of kernel SAs (xfrm states, actually) and,
because of this, searching for a matching xfrm state for a datagram
supposed to be processed takes a long time. A similar problem could
exist for xfrm policies. Both of these possibilities are IMO rather
far-fetched but checking them (hopefully :-) can't hurt. You can
display all kernel SAs (on Linux) independently of racoon with ip
xfrm state and all policies with ip xfrm pol. Equivalent setkey
commands would be setkey -D and setkey -D -P. Lastly, racoonctl ss
ipsec can be used to display all kernel SAs/ xfrm states with the help
of the daemon itself.
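Rainer's check (count the kernel's xfrm states independently of racoon and see whether there are far more than the configuration calls for) and Stephen's question a few messages up (where the per-SA byte counters and creation times are in the `ip` output) can be answered with one small parser. The script below is an added example, not part of ipsec-tools or iproute2. It assumes the `lifetime current:` / `stats:` record layout that `ip -s xfrm state` prints, and the sample output embedded in it is constructed, not captured from a real host; `expected` is the number of SAs the configuration should produce (4 in Tobias's case):

```python
"""Parse 'ip -s xfrm state' into per-SA records and sanity-check the SA table.
Added example, not ipsec-tools code. Usage: ip -s xfrm state | python3 xfrm_check.py
The sample is constructed; the layout it assumes is iproute2's
'lifetime current:' / 'stats:' blocks as printed by 'ip -s xfrm state'."""
import re
import sys

# Constructed sample: two tunnel-mode ESP SAs, the second never used and
# showing integrity failures. Real output indents with tabs; spaces parse too.
SAMPLE = """\
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x5c9ad3b1e2f4a6c8d0b2e4f6a8c0d2e4f6a8c0d2 96
    enc cbc(aes) 0x0f1e2d3c4b5a69788796a5b4c3d2e1f0
    lifetime config:
      expire add: soft 0(sec), hard 3600(sec)
    lifetime current:
      123456(bytes), 789(packets)
      add 2012-09-18 12:00:00 use 2012-09-18 12:00:05
    stats:
      replay-window 0 replay 0 failed 0
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x4d3c2b1a reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xd2c0a8f6e4d2c0a8f6e4b2d0c8a6f4e2b1d3a95c 96
    enc cbc(aes) 0xf0e1d2c3b4a5968778695a4b3c2d1e0f
    lifetime config:
      expire add: soft 0(sec), hard 3600(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2012-09-18 12:00:00 use -
    stats:
      replay-window 0 replay 0 failed 2
"""

SA_HEAD = re.compile(r"^src (\S+) dst (\S+)")
PROTO = re.compile(r"^proto (\S+) spi (0x[0-9a-f]+)(?: reqid (\d+))? mode (\S+)")
COUNTERS = re.compile(r"^(\d+)\(bytes\), (\d+)\(packets\)")
TIMES = re.compile(r"^add (-|\S+ \S+) use (-|\S+ \S+)")
# 'failed' in the stats line is the integrity (authentication) failure counter.
STATS = re.compile(r"^replay-window (\d+) replay (\d+) failed (\d+)")
FIELDS = (  # (regex, match -> fields to record)
    (PROTO, lambda m: {"proto": m[1], "spi": int(m[2], 16), "mode": m[4]}),
    (COUNTERS, lambda m: {"bytes": int(m[1]), "packets": int(m[2])}),
    (TIMES, lambda m: {"added": m[1], "used": m[2]}),
    (STATS, lambda m: {"replay": int(m[2]), "failed": int(m[3])}),
)


def parse_xfrm_state(text):
    """One dict per SA: src, dst, proto, spi, mode, bytes, packets, added,
    used ('-' when the SA never carried traffic), replay, failed."""
    sas, cur = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():           # unindented 'src ... dst ...' opens an SA
            m = SA_HEAD.match(raw)
            cur = {"src": m[1], "dst": m[2]} if m else None
            if cur is not None:
                sas.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        for rx, extract in FIELDS:
            m = rx.match(line)
            if m:
                cur.update(extract(m))
                break
    return sas


def summarize(sas, expected):
    """Compare the kernel's SA table with the number of SAs racoon should be
    maintaining and flag SAs that never carried traffic or saw auth failures."""
    return {
        "count": len(sas),
        "excess": max(0, len(sas) - expected),
        "never_used": [hex(s["spi"]) for s in sas if s.get("used") == "-"],
        "auth_failures": {hex(s["spi"]): s["failed"] for s in sas if s.get("failed")},
        "total_bytes": sum(s.get("bytes", 0) for s in sas),
    }


if __name__ == "__main__":
    sas = parse_xfrm_state(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    for s in sas:
        print(f"{s['src']} -> {s['dst']} spi={s['spi']:#x} bytes={s.get('bytes')} "
              f"packets={s.get('packets')} added={s.get('added')} used={s.get('used')}")
    print(summarize(sas, expected=4))
```

Pipe real output in with `ip -s xfrm state | python3 xfrm_check.py`. A non-zero `excess` means the kernel holds more states than racoon should have negotiated, which is exactly the lookup-cost scenario Rainer describes; SAs listed under `never_used` with an old `add` time are leftovers that an SADB_FLUSH on racoon restart would remove, which would explain why a restart "fixes" things for a while. The same pattern applied to `ip -s xfrm policy` (different record layout) covers the policy side of the check.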
From: Tobias D. <tob...@st...> - 2012-09-17 07:50:48

Hi,

We have only 4 SAs. I attached the configuration file. It only lags
on connections over the Internet gateway (where racoon is running).
Pings between the other servers in the internal networks are
fine. We already tried to switch the cable / NIC and to our backup
gateway server. CPU / mem isn't high and racoon is not going crazy.

After restarting racoon / rebooting the server all works fine. I'm
happy about any hint.

regards
Tobias

On 14.09.2012 17:15, Rainer Weikusat wrote:
> Tobias Dinse <tob...@st...> writes:
>> we have a strange problem since we are using racoon for our VPN
>> connections. After a while (maybe 2-3 weeks), we get a lot of lag and
>> sporadic high pings on our Debian servers.
>>
>> After restarting racoon all works fine for about 1-2 days.
> Nothing that's part of the regular operations of the daemon can cause
> this directly because it doesn't handle any real traffic, it just
> negotiates security associations and configures the kernel to handle
> this traffic in the desired way. Even the daemon going berserk and
> using all available CPU time shouldn't cause this to happen because
> the kernel-level stuff is all interrupt driven. I happen to have some
> experience with racoon on Debian and so far this hasn't happened for us
> although we decidedly handle more than three customers :-).
>

--
# Stegbauer Datawork
# Tobias Dinse
# +49 (8571) 922213
# Oberjulbachring 9, 84387 Julbach
From: Rainer W. <rwe...@mo...> - 2012-09-14 16:32:40

Larry Baird <la...@gt...> writes:
>> Sorry to be so blunt but this is a totally weird idea. The various
>> SADB_DUMP based loops in racoon (used for SA deletion) may cause
>> performance issues because of the insane amount of needless copying of
>> data which needs to be done in order to delete a single SA but this will
>> certainly not get better when increasing the number of messages
>> received in reply to a SADB_DUMP request.
> All I can say is that it fixed some issues for me. Had older versions
> of racoon with a large number of SAs that worked fine. Upgrading to the newest
> racoon and they quit working. Adding this patch made everything work
> again.

It will increase the 'threshold' beyond which the kernel (at least Linux)
silently truncates the dump reply. This means the racoon SA deletion
code (in purge_remote and purge_ipsec_spi) will be able to deal with
more SAs instead of just not deleting ph2 SAs which weren't part of
this reply because of the 'buffer overflow'. It's just inconceivable
that this helps with otherwise unrelated 'performance problems', at
least as far as my understanding goes (I know what the purge_* code
does because I replaced it ;-).
From: Larry B. <la...@gt...> - 2012-09-14 16:02:58

> Sorry to be so blunt but this is a totally weird idea. The various
> SADB_DUMP based loops in racoon (used for SA deletion) may cause
> performance issues because of the insane amount of needless copying of
> data which needs to be done in order to delete a single SA but this will
> certainly not get better when increasing the number of messages
> received in reply to a SADB_DUMP request.

All I can say is that it fixed some issues for me. Had older versions
of racoon with a large number of SAs that worked fine. Upgrading to the newest
racoon and they quit working. Adding this patch made everything work
again.

Larry

--
------------------------------------------------------------------------
Larry Baird
Global Technology Associates, Inc. 1992-2012 | http://www.gta.com
Celebrating Twenty Years of Software Innovation | Orlando, FL
Email: la...@gt... | TEL 407-380-0220
From: Rainer W. <rwe...@mo...> - 2012-09-14 15:55:44

Larry Baird <la...@gt...> writes:
>> we have a strange problem since we are using racoon for our VPN
>> connections. After a while (maybe 2-3 weeks), we get a lot of lag and
>> sporadic high pings on our Debian servers.
>>
>> After restarting racoon all works fine for about 1-2 days. Then it starts
>> again. If we reboot the server the problem is gone for 2-3 weeks. This
>> problem is in 3 completely different networks of 3 customers. I can post the
>> configuration but first I want to ask if someone has an idea if it could
>> be a general issue.
> How many SAs do you have? We have a customer with a large number of SAs
> reporting a similar problem. In the file src/libipsec/pfkey.c in the
> function pfkey_open() there is logic to try to set SO_RCVBUF to at
> least 2MB. This is not enough for a very large number of SAs.

Sorry to be so blunt but this is a totally weird idea. The various
SADB_DUMP based loops in racoon (used for SA deletion) may cause
performance issues because of the insane amount of needless copying of
data which needs to be done in order to delete a single SA but this will
certainly not get better when increasing the number of messages
received in reply to a SADB_DUMP request.
From: Larry B. <la...@gt...> - 2012-09-14 15:37:43
Tobias,
> we have a strange problem since we are using racoon for our VPN
> connections. After a while (maybe 2-3 weeks), we get a lot of lag and
> sporadic high pings on our Debian servers.
>
> After restarting racoon all works fine for about 1-2 days. Then it starts
> again. If we reboot the server the problem is gone for 2-3 weeks. This
> problem is in 3 completely different networks of 3 customers. I can post the
> configuration but first I want to ask if someone has an idea if it could
> be a general issue.

How many SAs do you have? We have a customer with a large number of SAs
reporting a similar problem. In the file src/libipsec/pfkey.c in the
function pfkey_open() there is logic to try to set SO_RCVBUF to at
least 2MB. This is not enough for a very large number of SAs. The logic
here used to be based upon maxsockbuf size. We added this logic back to
the end of the function. See below for patch. For this patch to
be effective, you may need to increase maxsockbuf. Still waiting for
feedback from customer to see if this completely fixed their issue.
    /* Appended to the end of pfkey_open(); 'so' is the PF_KEY socket opened
       earlier in that function. sysctlbyname() and kern.ipc.maxsockbuf are
       BSD (here FreeBSD) interfaces; needs <sys/param.h> for MSIZE/MCLBYTES,
       <sys/sysctl.h>, <syslog.h> and <errno.h>. */
    u_long bufsiz;
    size_t len = sizeof(bufsiz);
    int bufsiz_wanted;

    if ( 0 == sysctlbyname( "kern.ipc.maxsockbuf", &bufsiz, &len, NULL, 0 ) ) {
        /* Round down to amount that can actually contain data.
           As calculated by sysctl_handle_sb_max() in kern/uipc_sockbuf.c */
        bufsiz_wanted = (int)((u_quad_t)bufsiz * MCLBYTES / (MSIZE + MCLBYTES));
        if ( setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz_wanted, sizeof(bufsiz_wanted)) )
            syslog( LOG_WARNING,
                    "Unable to set pfkey receive buffer to %d; %s",
                    bufsiz_wanted,
                    strerror(errno) );
    }
--
------------------------------------------------------------------------
Larry Baird
Global Technology Associates, Inc. 1992-2012 | http://www.gta.com
Celebrating Twenty Years of Software Innovation | Orlando, FL
Email: la...@gt... | TEL 407-380-0220
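The check the snippet above leaves out, as an added example (not ipsec-tools code): setsockopt() returning success does not mean the requested buffer was granted. On Linux the request is silently clamped to net.core.rmem_max and getsockopt() afterwards reports twice the accepted value, so a request for 2 MB on a default kernel quietly yields about 200 KB and no error. The function below asks, reads back, and reports whether the kernel cut the request. A UDP socket stands in for the PF_KEY socket (which needs CAP_NET_ADMIN but takes the same socket option); the Linux doubling and clamping semantics are assumptions stated in the comments:

```python
"""Set SO_RCVBUF and verify what the kernel actually granted.

Added example, not ipsec-tools code. pfkey_open() in racoon raises SO_RCVBUF
on its PF_KEY socket and only logs when setsockopt() fails; this shows the
case that check misses: the kernel accepting the call but silently clamping
the size. Assumed Linux semantics: request clamped to net.core.rmem_max,
getsockopt() reporting twice the accepted value. A UDP socket stands in for
the PF_KEY socket (needs CAP_NET_ADMIN, same socket option).
"""
import socket
import sys

LINUX = sys.platform.startswith("linux")


def rmem_max():
    """Kernel ceiling for SO_RCVBUF requests, or None if /proc is not there."""
    try:
        with open("/proc/sys/net/core/rmem_max") as f:
            return int(f.read().strip())
    except OSError:
        return None


def set_rcvbuf_verified(sock, wanted):
    """Request `wanted` bytes and return (granted, usable, clamped).

    granted: raw getsockopt() value. On Linux that is 2 * the accepted
    request (the kernel counts sk_buff overhead), so usable = granted // 2
    is the figure to compare with what was asked for; elsewhere usable is
    simply granted. clamped: True when the kernel gave less than requested
    without reporting an error.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, wanted)
    granted = sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
    usable = granted // 2 if LINUX else granted
    return granted, usable, usable < wanted


def probe(wanted):
    """Probe with a throwaway UDP socket (nothing is sent or bound)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return set_rcvbuf_verified(s, wanted)


if __name__ == "__main__":
    # 2 MB is roughly what pfkey_open() asks for according to the thread.
    for req in (64 * 1024, 2 * 1024 * 1024):
        granted, usable, clamped = probe(req)
        print(f"requested {req:>8} granted {granted:>8} usable {usable:>8}"
              f"{'  CLAMPED' if clamped else ''}")
    print("net.core.rmem_max =", rmem_max())
```

Run it on one of the affected hosts before and after raising the ceiling (`sysctl -w net.core.rmem_max=4194304`) to see whether the buffer racoon asks for actually arrives; a truncated SADB_DUMP reply is only fixed once `usable` reaches the size of the full dump. Note also that the snippet above relies on sysctlbyname() and kern.ipc.maxsockbuf, which exist on FreeBSD but not on Linux, so on the Debian hosts in this thread it would need an #ifdef and the rmem_max sysctl instead.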
From: Rainer W. <rwe...@mo...> - 2012-09-14 15:16:09

Tobias Dinse <tob...@st...> writes:
> we have a strange problem since we are using racoon for our VPN
> connections. After a while (maybe 2-3 weeks), we get a lot of lag and
> sporadic high pings on our Debian servers.
>
> After restarting racoon all works fine for about 1-2 days.

Nothing that's part of the regular operations of the daemon can cause
this directly because it doesn't handle any real traffic, it just
negotiates security associations and configures the kernel to handle
this traffic in the desired way. Even the daemon going berserk and
using all available CPU time shouldn't cause this to happen because
the kernel-level stuff is all interrupt driven. I happen to have some
experience with racoon on Debian and so far this hasn't happened for us
although we decidedly handle more than three customers :-).
From: Tobias D. <tob...@st...> - 2012-09-14 14:17:17

Hi all,

we have a strange problem since we are using racoon for our VPN
connections. After a while (maybe 2-3 weeks), we get a lot of lag and
sporadic high pings on our Debian servers.

After restarting racoon all works fine for about 1-2 days. Then it starts
again. If we reboot the server the problem is gone for 2-3 weeks. This
problem is in 3 completely different networks of 3 customers. I can post the
configuration but first I want to ask if someone has an idea if it could
be a general issue.

dpkg -l|grep racoon
Version: 1:0.7.3-12
Debian Squeeze amd64

regards
Tobias
From: Rainer W. <rwe...@mo...> - 2012-09-09 18:44:22

The racoons I have to deal with as part of my job needed to be able to include all files located in some directory in order to make 'machine reconfiguration' of the daemon easier. As it turned out, the inclusion code already supported this but the corresponding behaviour isn't documented in the racoon.conf(5) manpage. Below is a patch against 0.8.0 adding this.

-----------------
diff -rNu ipsec-tools-0.8.0/src/racoon/racoon.conf.5 ipsec-tools-0.8.0.patched//src/racoon/racoon.conf.5 --- ipsec-tools-0.8.0/src/racoon/racoon.conf.5 2010-06-22 21:51:04.000000000 +0100 +++ ipsec-tools-0.8.0.patched//src/racoon/racoon.conf.5 2012-09-09 19:23:24.645315390 +0100 @@ -234,7 +234,11 @@ .Ss File Inclusion .Bl -tag -width Ds -compact .It Ic include Ar file -Specifies other configuration files to be included. +Specifies other configuration files to be included. Shell-style wildcard expanison +of the argument is performed via +.Xr glob 3 , +using GLOB_TILDE as flags argument. This can, for instance, be used to +include all files in a certain directory. .El .\" .Ss Timer Specification
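Review bot: "expanison" in the first added line should read "expansion"; this is user-visible text in racoon.conf(5), so fix it before committing (`+Specifies other configuration files to be included. Shell-style wildcard expansion`). It would also help the reader to say what GLOB_TILDE buys them, namely that a leading ~ or ~user in the include argument is expanded to a home directory, since naming the flag alone does not tell an administrator what to expect.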
From: Roman H. A. <rh...@op...> - 2012-09-05 12:26:20

Hi Yvan

No pressure, but could you please provide the patch? We desperately need it for gigabit speed operations.

Cheers,
Roman

On 24.08.2012 13:49, VANHULLEBUS Yvan wrote:
> Hi.
>
> On Tue, Jul 24, 2012 at 01:42:30PM +0200, Roman Hoog Antink wrote:
>>>> I have a short question about racoon and hardware acceleration.
>>>>
>>>> Is it possible to use the AES hardware acceleration of a CPU with
>>>> racoon? How can I enable it / is it enabled by default?
>>>
>>> Racoon uses openssl to do encryption. If you have the proper ENGINE module
>>> for openssl installed and configured, encryption should be hardware
>>> accelerated automatically.
>>>
>>> I use this constantly with Padlock. I also have openssl patches for
>>> Padlock SHA acceleration.
>>>
>>> -Timo
>>
>> You are talking about IKE only. There is the GCM variant of AES for the
>> Linux kernel, which is not yet supported by racoon. I am currently
>> working on a patch for GCM, based on this mailing list post from 2009:
>> http://marc.info/?l=ipsec-tools-devel&m=123606045019199
>
>
> I forgot to commit it, but we already have a patch to have racoon be
> able to negotiate AES-GCM phase2, which has already been tested with a
> patched FreeBSD (FreeBSD patch should also be committed "soon").
>
>
> I'll try to commit that on HEAD next week.
>
>
> Yvan.
>

--
Roman Hoog Antink
Dipl. Ing. ETH
Senior Security Engineer
Open Systems AG
Räffelstrasse 29
CH-8045 Zürich
t: +41 44 455 74 00
f: +41 44 455 74 01
rh...@op...
http://www.open.ch
From: VANHULLEBUS Y. <va...@fr...> - 2012-09-04 13:22:53

Hi all.

A few years ago, I got the ipsec-tools.net domain, with a lot of ideas of things to do with it (web site, mails for developers, new mailing lists, etc.....).

This domain will expire in about 1 month, and the only thing which has been done with this domain is the trac (https://trac.ipsec-tools.net), which does not seem to be used much.

So, is there a good reason for me to spend money again for the domain, or shall I just leave it, which will also be the end of trac?

Yvan.
From: bhargav p <bha...@gm...> - 2012-09-04 07:07:11

Hi,

Is that switch case in isakmp_cfg required? Can't we call the phase1 script based on the status iph1->status, established or not? Just asking why that switch case is required.

On Tue, Sep 4, 2012 at 12:18 PM, Timo Teras <tim...@ik...> wrote:
> Hi,
>
> On Wed, 29 Aug 2012 14:25:17 +0200 Martin Huter <mh...@ba...>
> wrote:
>
> > the phase1 script hook (SCRIPT_PHASE1_UP) is not called for a
> > vpn connection using the certificate only authentication method
> > (without xauth, OAKLEY_ATTR_AUTH_METHOD_RSASIG). patch attached.
>
> > diff -NaurbB ipsec-tools-0.8.0.orig/src/racoon/isakmp_cfg.c > ipsec-tools-0.8.0/src/racoon/isakmp_cfg.c > > --- ipsec-tools-0.8.0.orig/src/racoon/isakmp_cfg.c 2012-08-29 > 14:19:01.002311264 +0200 > > +++ ipsec-tools-0.8.0/src/racoon/isakmp_cfg.c 2012-08-29 > 14:19:14.260425870 +0200
> > @@ -457,6 +457,7 @@ > > case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: > > case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: > > case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: > > + case OAKLEY_ATTR_AUTH_METHOD_RSASIG: > > script_hook(iph1, SCRIPT_PHASE1_UP); > > break; > > default:
>
> Hum, so you use Mode Configuration, but not Xauth?
>
> Your patch does not update the similar switch in isakmp.c, which might
> lead to duplicate phase1_up script executions.
>
> However, I'm thinking if the whole switch(authmethod) is bogus and
> should be deleted. Then we could just unconditionally post-pone the
> script launch if Mode Config was used.
>
> -Timo
>
From: Timo T. <tim...@ik...> - 2012-09-04 06:50:41

Hi,

On Wed, 29 Aug 2012 14:25:17 +0200 Martin Huter <mh...@ba...> wrote:
> the phase1 script hook (SCRIPT_PHASE1_UP) is not called for a
> vpn connection using the certificate only authentication method
> (without xauth, OAKLEY_ATTR_AUTH_METHOD_RSASIG). patch attached.

> diff -NaurbB ipsec-tools-0.8.0.orig/src/racoon/isakmp_cfg.c ipsec-tools-0.8.0/src/racoon/isakmp_cfg.c > --- ipsec-tools-0.8.0.orig/src/racoon/isakmp_cfg.c 2012-08-29 14:19:01.002311264 +0200 > +++ ipsec-tools-0.8.0/src/racoon/isakmp_cfg.c 2012-08-29 14:19:14.260425870 +0200 > @@ -457,6 +457,7 @@ > case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: > case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: > case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: > + case OAKLEY_ATTR_AUTH_METHOD_RSASIG: > script_hook(iph1, SCRIPT_PHASE1_UP); > break; > default:

Hum, so you use Mode Configuration, but not Xauth?

Your patch does not update the similar switch in isakmp.c, which might
lead to duplicate phase1_up script executions.

However, I'm thinking if the whole switch(authmethod) is bogus and
should be deleted. Then we could just unconditionally post-pone the
script launch if Mode Config was used.

-Timo
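Review bot: the new `+ case OAKLEY_ATTR_AUTH_METHOD_RSASIG:` covers exactly one non-XAuth method, so any other non-XAuth method that reaches this switch (pre-shared key, for instance) still falls into `default:` and never runs `script_hook(iph1, SCRIPT_PHASE1_UP)`; either list the remaining methods next to it or, as the reply suggests, drop the authmethod switch and decide purely on whether Mode Config was used. Whichever way is chosen, the matching switch in isakmp.c has to change in the same commit, otherwise an RSASIG connection gets the phase1_up hook twice.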
From: Jefferson L. F. <fr...@gm...> - 2012-09-03 18:20:11

Tore Anderson <tore@...> writes:
>
> * VANHULLEBUS Yvan
>
> > I guess we should simply discard anything related to lifebyte, but I'm
> > not sure it won't cause problems with some peers that set up a value
> > for lifebyte...
> >
> > Did your peer really send a proposal with a lifebyte of 4,5 Mb, or is
> > this another lifebyte related bug/issue/problem on ipsec-tools' side?
> >
> > And was your peer an ipsec-tools racoon (in which version?) or
> > "something else"?
>
> The peer is a Cisco ASA with OS version 7.2.2, and it really did
> propose a lifebyte of 4.5 MB. According to my client it's not possible
> to disable this completely. I'm using racoon 0.7-beta3.
>
> However I'm more concerned about the racoon part of the log message.
> If racoon proposes a lifebyte of 2GB, but sets up the IPSEC SAs without
> any lifebyte, won't that cause the peer to expire those SAs prematurely
> if 2GB is transferred before the lifetime has elapsed? And won't that
> cause connectivity problems?
>
> I think this might have been the trouble I had speaking to this
> device. At apparently random intervals the Cisco would send me a
> delete SA notification (delete SA didn't work with 0.6.6 so
> connectivity was interrupted). I believe that was due to the 4.5 MB
> limit being hit, the Cisco apparently thought we'd agreed to such a
> lifebyte.
>

Hi Tore,

Searching for a solution to my problem, I found your question about setting a lifebyte in racoon. Apparently my problem is the same: my peer is racoon, my partner peer is a Cisco, and the log says:

[racoon: ERROR: lifebyte mismatched: my:2147483647 peer:0 ]

Did you find some way to solve this problem? Or to set the lifebyte?

Thanks a lot!

Regards.
Jefferson.