Re: [Users] Using dynamic Dialin with 2 IPSEC-Interfaces ???

From: Michael Niehren (michael_at_niehren.de)
Date: Sat Jan 11 2003 - 11:59:56 CET


Hi Hugh,

thanks for your answer,
I tried out ipsec whack --listen, but that wasn't the solution. I got the same error.
Maybe I can describe a simpler setup that you can evaluate too.

Ok,
first you must have a dial-up Internet connection (maybe ISDN or DSL).

After the connection is established, adapt your new dynamic IP address and
gateway and start your VPN connection. Everything is ok.
So, now stop your Internet connection without stopping the VPN; only do
an ipsec auto --down <connectionname> and ipsec auto --delete <connectionname>.

Then establish your Internet connection again; you get a different dynamic IP.
I do an ipsec whack --listen, but the output is only
[root_at_server ipsec]# ipsec whack --listen
002 listening for IKE messages
003 no public interfaces found
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loaded private key file '/etc/ipsec.d/private/key_server.niehren.de.pem' (963 bytes)

--> No public interfaces found
in ipsec.conf the interfaces line is always
         interfaces="ipsec0=ppp0 ipsec1=eth2"

ipsec --status prints the following, no interface line ...

000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536 (extension), bits=1536
000 algorithm IKE dh group: id=42048, name=OAKLEY_GROUP_MODP2048 (extension), bits=2048
000 algorithm IKE dh group: id=43072, name=OAKLEY_GROUP_MODP3072 (extension), bits=3072
000 algorithm IKE dh group: id=44096, name=OAKLEY_GROUP_MODP4096 (extension), bits=4096
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000
000

And after an ipsec auto --add <connectionname> and ipsec auto --up <connectionname>
I get the error
022 "vpnniehren": we have no ipsecN interface for either end of this connection

--> I think pluto internally knows only the old dynamic IP, not the new one.

Do you have any idea?

Some words about the barf:
> 000 interface ipsec0/ppp0 80.131.103.115
>
> There seems to be no difference.
>
> In either case, the error message would not come out if one side of
> the conn were 80.131.103.115.

The only difference is that I do an ipsec restart. The Internet connection does not
change between the 2 barfs; the IPs and gateways are the same. Internally in pluto
there must be a difference between ipsec whack --listen and a restart of the whole IPSEC system.

Greetings
  Michael

On Friday, 10 January 2003 20:46, you wrote:
> | From: Michael Niehren <michael_at_niehren.de>
> | Date: Sat, 21 Dec 2002 15:48:42 +0100
>
> | I am trying to set up a VPN connection over 2 IPSEC interfaces; the first uses ppp0 over
> | DSL from the Internet, the second uses eth2 over WLAN.
> | interfaces="ipsec0=ppp0 ipsec1=eth2"
> | Because my Internet connection goes up with dynamic dial-in, the IP address changes.
> | But I can't do an ipsec restart in ip-up, because then all my WLAN VPN connections
> | go down too, so that's not what I want!
> | So, what I want to do is only update the setup for ipsec0.
> |
> | I tried the following commands to update the IP
> | ipsec tncfg --detach --virtual ipsec0 --physical ppp0
> | ipsec tncfg --attach --virtual ipsec0 --physical ppp0
> | ifconfig ipsec0 inet <mynewip> pointopoint <mynewgateway> netmask 255.255.255.255
> |
> | it looks good, but it seems not to be enough, because I always get the error
> | "we have no ipsecN interface for either end of this connection"
>
> pluto doesn't know about your new interface. It looks for interfaces
> 1) when started, and
> 2) when you do a "ipsec whack --listen"
> If you've gotten everything else right (I don't know if you have)
> then try issuing the "ipsec whack --listen"
>
> The "ipsec auto --status" command output will show you what interfaces
> Pluto knows about.
>
> Let's look in your barfs at the output of "ipsec auto --status".
>
> | I created a barf.txt and a log from /var/log/secure.
> | You can find them under http://www.svhasborn.de/barf.txt and
> | http://www.svhasborn.de/secure
>
> 000 interface ipsec0/ppp0 80.131.103.115
>
> | in http://www.svhasborn.de/barf_geht.txt you can find the
> | barf that works, after an ipsec restart.
>
> 000 interface ipsec0/ppp0 80.131.103.115
>
> There seems to be no difference.
>
> In either case, the error message would not come out if one side of
> the conn were 80.131.103.115.
>
> Hugh Redelmeier
> hugh_at_mimosa.com voice: +1 416 482-8253
>

-- 
Michael Niehren              __   _       powered by
Am Waldstadion 32           / /  (_)__  __ ____  __
66636 Hasborn              / /__/ / _ \/ // /\ \/ /
Tel: 06853/892877         /____/_/_//_/\_,_/ /_/\_\
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
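The procedure the two mails circle around (take the dial-up conn down, rebind ipsec0 to ppp0 with the new address, make pluto rescan its interfaces with "ipsec whack --listen", then re-add only the dial-up conn) can be scripted as an ip-up/ip-down hook. The following is an added example written for this archive page, not code from the thread or from FreeS/WAN: the ipsec, tncfg and ifconfig invocations are the ones quoted above, the conn name "vpnniehren" is taken from the error message, and the DRY_RUN knob, the script path in the usage comment and the status check are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): ip-up/ip-down style hook that rebinds
# only the dial-up IPsec interface (ipsec0 on ppp0) after a new dynamic
# address and then asks pluto to rescan interfaces with "ipsec whack --listen",
# leaving ipsec1/eth2 (the WLAN conns) untouched.
# Assumptions: FreeS/WAN command names as used in the thread; conn name and
# DRY_RUN knob are illustrative.

DIALUP_VIRT=${DIALUP_VIRT:-ipsec0}
DIALUP_PHYS=${DIALUP_PHYS:-ppp0}
DIALUP_CONNS=${DIALUP_CONNS:-vpnniehren}   # conn name taken from the thread
DRY_RUN=${DRY_RUN:-0}                       # 1 = print commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Check whether pluto's status output reports the expected address on the
# dial-up interface. "ipsec auto --status" prints lines of the form
# "000 interface ipsec0/ppp0 <ip>". $1 = status text, $2 = expected address.
pluto_knows_ip() {
    printf '%s\n' "$1" | grep -qxF "000 interface $DIALUP_VIRT/$DIALUP_PHYS $2"
}

# ip-down: take the dial-up conns down and delete them, so nothing in pluto
# still refers to the address that is about to disappear.
dialup_teardown() {
    for c in $DIALUP_CONNS; do
        run ipsec auto --down "$c"
        run ipsec auto --delete "$c"
    done
}

# ip-up: $1 = new local address, $2 = new peer/gateway address
# (pppd passes these to /etc/ppp/ip-up as $4 and $5).
dialup_rebind() {
    local_ip=$1
    gw_ip=$2
    run ipsec tncfg --detach --virtual "$DIALUP_VIRT" --physical "$DIALUP_PHYS"
    run ipsec tncfg --attach --virtual "$DIALUP_VIRT" --physical "$DIALUP_PHYS"
    run ifconfig "$DIALUP_VIRT" inet "$local_ip" pointopoint "$gw_ip" netmask 255.255.255.255
    # pluto only discovers interfaces at startup or on --listen (Hugh's reply),
    # so rescan before touching any conn.
    run ipsec whack --listen
    # Sanity check (skipped in dry-run): if pluto still does not list the new
    # address, "auto --up" would fail with "we have no ipsecN interface".
    if [ "$DRY_RUN" != 1 ]; then
        if ! pluto_knows_ip "$(ipsec auto --status)" "$local_ip"; then
            echo "warning: pluto does not list $DIALUP_VIRT/$DIALUP_PHYS $local_ip after --listen" >&2
            return 1
        fi
    fi
    for c in $DIALUP_CONNS; do
        run ipsec auto --add "$c"
        run ipsec auto --up "$c"
    done
}

# Usage from /etc/ppp/ip-up (hypothetical path, not run here):
#   . /etc/ppp/ipsec-dialup.sh && dialup_rebind "$4" "$5"
# and from /etc/ppp/ip-down:
#   . /etc/ppp/ipsec-dialup.sh && dialup_teardown
```

With DRY_RUN=1 the hook only prints the command sequence, which makes it easy to confirm that the rescan happens between the ifconfig and the "auto --add" without touching a live tunnel; the status check after "--listen" is where the "no public interfaces found" condition reported in the thread would surface before any conn is re-added.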


This archive was generated by hypermail 2.1.5 : Sun Jan 12 2003 - 05:21:07 CET