Fedora Linux Support Community & Resources Center
  #1  
Old 18th May 2006, 05:44 PM
sandman42 Offline
Registered User
 
Join Date: May 2006
Posts: 6
Trouble setting up ipsec interface - Kernel Bug?

Hi,

I'm trying to set up a FC4 box, kernel 2.6.16-1.2108_FC4 having a
dynamic IP as a VPN client in order to allow it to connect to
headquarter lan, having a static ip.

I've written a script named ifcfg-ipsec0:

TYPE=IPsec
ONBOOT=yes
SRCGW=192.168.2.254
DSTGW=192.168.1.254
SRCNET=192.168.2.0/24
DSTNET=192.168.1.0/24
DST=1.2.3.4

and I've placed it in /etc/sysconfig/network-scripts

When I issue an ifup ipsec I have the following error

RTNETLINK answers: invalid argument

I've tried to strace it, and that's the result (a snippet of):

--- SIGCHLD (Child exited) @ 0 (0) ---
waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG) = 4285
waitpid(-1, 0xbffee1b8, WNOHANG) = -1 ECHILD (No child processes)
sigreturn() = ? (mask now [])
rt_sigaction(SIGCHLD, {0x807871f, [], 0}, {0x807871f, [], 0}, 8) = 0
close(4) = 0
read(3, "10.20.1.2\n", 128) = 10
read(3, "", 128) = 0
close(3) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGINT, {0x80760d4, [], 0}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL}, {0x80760d4, [], 0}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
read(255, "\n\nif [ \"$KEYING\" = \"manual\" ]; t"..., 8077) = 5401
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
stat64(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat64("/sbin/ip", {st_mode=S_IFREG|0755, st_size=124168, ...}) = 0
access("/sbin/ip", X_OK) = 0
stat64("/sbin/ip", {st_mode=S_IFREG|0755, st_size=124168, ...}) = 0
access("/sbin/ip", X_OK) = 0
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7fe3708) = 4288
RTNETLINK answers: Invalid argument
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 2}], WNOHANG) = 4288
waitpid(-1, 0xbffebcf8, WNOHANG) = -1 ECHILD (No child processes)
sigreturn() = ? (mask now [])
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGINT, {0x80760d4, [], 0}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL}, {0x80760d4, [], 0}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7fe3708) = 4289
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---

I've tried to set up the script using network applet in Desktop ->
System settings menu, but the script is identical and the error too.

Any hint would be VERY appreciated, since this issue took me one week,
and I can't ever see the light.

Thanks in advance.
  #2  
Old 21st May 2006, 08:13 AM
stevea Offline
Registered User
 
Join Date: Apr 2006
Location: Ohio, USA
Posts: 9,041
Hi,

I'm at about the same point as you, but for FC5.

If you type: sh -x ifup ipsec0
you'll probably see that the ifup script is failing when an "ip"
command is used to set up a routing table entry.
something like: ip route add n.n.n.n/24 via n.n.n.n/24 src n.n.n.n

I don't understand the problem yet either, but maybe this will help.

-S
  #3  
Old 21st May 2006, 01:16 PM
sandman42 Offline
Registered User
 
Join Date: May 2006
Posts: 6
Quote:
Originally Posted by stevea
I'm at about the same point as you, but for FC5.
Me too: I have work on FC4, but on my own FC5 the problem is identical

Quote:
Originally Posted by stevea
If you type: sh -x ifup ipsec0
you'll probably see that the ifup script is failing when an "ip"
command is used to set up a routing table entry.
something like: ip route add n.n.n.n/24 via n.n.n.n/24 src n.n.n.n
I don't understand the problem yet either, but maybe this will help.
This ABSOLUTELY does!
I.e.: if you try to go further from your suggestion, you see that ifup fails when it issues a

exec /etc/sysconfig/network-scripts/ifup-ipsec ifcfg-ipsec0

running a sh -x of it, the error comes at this point:

ip route add to 10.0.126.0/24 via 10.0.251.252 src 10.0.251.252
RTNETLINK answers: Invalid argument


If you issue by hand the same command you have the same error but, if you omit the src....
everything goes, i.e. no error.

I'll investigate more about it, since I haven't been able to find any help except you, and I'll post here the results, if any, and I'll update the bugzilla entry for this issue.

Of course, ideas are welcome from anybody.

Ciao

Last edited by sandman42; 21st May 2006 at 01:32 PM.
  #4  
Old 13th June 2006, 09:15 PM
Vuke69 Offline
Registered User
 
Join Date: Jul 2005
Posts: 11
The /etc/sysconfig/network-scripts/ifup-ipsec script is incorrect.

The src has to be local to the box, or ip route will fail.

For IPSEC tunnels I use the local ip on the internal side of the endpoint to use as the source. E.g., if your firewall/endpoint has two interfaces, eth0 on the local network 192.168.1.1, and eth1 on the internet 24.24.24.24, use 192.168.1.1 for the src address.

To fix this edit the script as follows.

At about line 111 add the following:
if [ -z "$FSRC" ]; then
    FSRC=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
fi


Then at about line 154 & 209 change:
ip route add to $DSTNET via $SRCGW src $SRCGW
to
ip route add to $DSTNET via $SRCGW src $FSRC

Good luck
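Added example, not part of the thread and not code from the Fedora initscripts: a check for the condition post #4 describes (the src of the tunnel route must be an address configured on the box), with a fallback to the address `ip -o route get` reports. The function names are hypothetical and the sample command output is constructed, using the addresses from the example in post #4.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the address that follows "src" in `ip -o route get` output (stdin).
parse_src() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Succeed only if address $1 is configured locally, judging by
# `ip -o -4 addr show` output supplied on stdin.
is_local_addr() {
    awk -v want="$1" '
        { for (i = 1; i < NF; i++)
              if ($i == "inet") { split($(i + 1), a, "/"); if (a[1] == want) found = 1 } }
        END { exit (found ? 0 : 1) }'
}

# Choose the src for "ip route add to DSTNET via GW src ...":
# keep the candidate if it is local, otherwise use the route-get answer.
# $1 = candidate, $2 = addr-show output, $3 = route-get output
choose_src() {
    if printf '%s\n' "$2" | is_local_addr "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$3" | parse_src
    fi
}

# Constructed output for a box with eth0 192.168.1.1 and eth1 24.24.24.24.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 24.24.24.24/24 brd 24.24.24.255 scope global eth1'
SAMPLE_ROUTE_GET='broadcast 192.168.1.0 dev eth0  src 192.168.1.1 \    cache  mtu 1500'

# A gateway address that is not configured on the box is rejected as src.
echo "src for tunnel route: $(choose_src 192.168.1.254 "$SAMPLE_ADDR" "$SAMPLE_ROUTE_GET")"

# On a live system the two inputs would come from (as in post #4):
#   ip -o -4 addr show
#   ip -o route get to "$SRCNET"
```
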
  #5  
Old 17th June 2006, 03:34 AM
stevea Offline
Registered User
 
Join Date: Apr 2006
Location: Ohio, USA
Posts: 9,041
Thanks VUKE, I've suspected that the shell script was wrong.

FWIW I got the VPN up using pluto rather than racoon & the
redhat scripts.
  #6  
Old 30th December 2006, 05:51 AM
SatelliteX Offline
Registered User
 
Join Date: Jun 2005
Posts: 47
I am trying IPSEC with the latest FC6 and having the exact same problem (RTNETLINK answers: Invalid argument)
Was there a fix for this?