Chapter 12
Go back and confirm whether or not you see traffic sent from sg1 on sg2's eth0 (the internal interface). If you see the response traffic, then the problem is in the reverse flow. Repeat this last step, but with sg1 and sg2 swapped.
A Final tcpdump Example
The following tcpdump output shows an unfortunately common case:
19:22:18.002772 216.59.238.100.34242 > 216.191.140.38.4500: udp 1 (DF) 19:22:20.331001 216.191.140.38.4500 > 216.59.238.100.34242: udp 84 19:22:22.330900 216.191.140.38.4500 > 216.59.238.100.34242: udp 84 19:22:22.330962 216.191.140.38.4500 > 216.59.238.100.34242: udp 100 19:22:30.330702 216.191.140.38.4500 > 216.59.238.100.34242: udp 84
What is happening here is that the server on 216.191.140.38 is seeing really odd UDP packets on port 4500. The sizes of these packets, 1, 84, and 100, are just completely bogus. This is often the result of either broken NAT routers that do IPsec passthrough, or a broken NETKEY or KLIPS stack.
User Mode Linux Testing
User Mode Linux (UML) is a way to compile a Linux kernel such that it can run as a process in another Linux system (potentially as a *BSD or Windows process). See http://user-mode- linux.sourceforge.net for more information about UML.
UML is a good platform for testing and experimenting with Openswan. It allows several network nodes to be simulated on a single machine. Creating, configuring, installing, monitoring, and controlling these nodes is generally simpler and easier to script with UML than with real hardware. There are other virtual machine implementations, such as Xen and VMware, but these are not supported by the UML test suite.
You will need about 2 Gigabytes of free disk space for a full setup of seven to nine UMLs. You can possibly get this down by 130Mb if you remove the Sunrise/Sunset kernel build. If you just want to play around, then you can even remove the East/West kernel build.
Nothing needs be done as superuser, and we encourage people to run the UMLs as a regular user. UML seems to use a system-wide /tmp/uml directory so different users may interfere with one another. Later UMLs use .uml instead, so multiple users running UML tests should not be a problem, but note that a single user running the UML tests will only be able run one set. Be aware that sometimes UMLs get stuck and hang, taking up a lot of resources. These 'zombies' (most will actually be in the 'T' state in the process table) will interfere with subsequent tests. It might require a reboot of the host at times to resolve this, though often killing the hanging UMLs will work too.
Use a dedicated or spare development machine to run tests with UML. Do not use a production server.
295
Debugging and Troubleshooting
Preparing the Openswan for the UML Build Process
The UMLs we will be using will run our custom-build UML kernel, the latest Openswan, and a very basic 'Linux distribution'. Since we are creating many hosts based on UML to talk to each other, and we do not want to create separate file-trees for all these hosts, a complex system of hardlinked directories is part of the UML setup. It is important to keep all of these locations on one hard disk, which allows hardlinks.
In our examples, we create everything in /umls. First create the base directories to hold the kernel, Openswan, and the root file system:
# mkdir /umls $ cd /umls
$ mkdir umlrootfs kernel Openswan tools results $ cd umlrootfs
$ wget ftp://ftp.openswan.org/openswan/umlrootfs/umlswanroot-22.tar.gz $ tar zxvf umlswanroot-22.tar.gz
Download the Linux kernel and UML patch. Linux 2.6.11 or above has integrated the UML patch. If you use this kernel or a newer version, you do not need to apply a UML patch.
$ cd /umls/kernel
$ wget ftp://ftp.ca.kernel.org/linux/kernel/v2.4/linux-2.4.27.tar.bz2 $ tar jxf linux-2.4.27.tar.gz
$ wget ftp://ftp.openswan.org/openswan/umlfsrootfs/uml-patch-2.4.27-1.bz2
The exact path to the Linux kernel tree varies according to the mirror site.
To report an error (and to submit a UML test to document this error), it is best to try to reproduce this error in a UML with the latest CVS version of Openswan 2, since some problems might have been fixed in the latest release of Openswan even if a new version incorporating this fix has not yet been released. To download the latest CVS HEAD Openswan 2 version, issue the following commands, using anoncvs as the CVS login password:
$ cd /umls/openswan
$ cvs -d :pserver:anoncvs@anoncvs.openswan.org:/public/cvs login
$ cvs -d :pserver:anoncvs@anoncvs.openswan.org:/public/cvs co openswan-2
If your Linux distribution does not have a binary package for uml_utilities, build and install this now:
$ cd /umls/tools
$ tar xjvf uml_utilities_20040114.tar.bz2 $ cd tools
$ make all
$ su -c "make install BIN_DIR=/usr/local/bin"
Now we are ready to configure the build script. First we need to copy it to the main Openswan directory.
$ cd /umls/openswan/openswan-2
$ cp testing/utils/umlsetup-sample.sh umlsetup.sh
296
Chapter 12
Edit the script according to your setup. Our example has been used in the table below:
Variable |
Usage |
UMLPREFIX=/umls
KERNPOOL=$UMLPREFIX/kernel/linux-2.4.27
UMLPATCH=$UMLPREFIX/kernel/uml-patch- 2.4.27-1.bz2
OPENSWANDIR=$UMLPREFIX/openswan/openswa n-2
BASICROOT=$UMLPREFIX/umlrootfs/root22/
POOLSPACE=$UMLPREFIX/umlbuild
The base UML tree to use for everything.
Location of the kernel source. This tree should be unconfigured!
Location of the UML patch. Set to /dev/null if using a kernel tree that already has UML support (2.6.11 or higher, or when using certain vendors' kernel trees).
The directory where the unpacked Openswan 2 directory was created.
The directory used for umlswanroot.
Build location. This location should have at least 500Mb of free disk space and should be on the same physical hard disk partition as $BASICROOT so it can use hardlinks.
KERNVER=24 |
Set the kernel version, either 24 or 26. |
NONINTPATCH=none |
Whether the non-int patch should be applied. |
NATTPATCH=true |
Whether the NAT-T patch should be applied. |
SHAREDIR=$BASICROOT/usr/share |
This should be set to /usr/share for Debian potato |
|
users, or to $BASICROOT/usr/share for everyone |
|
else. |
TCPDUMP=/usr/sbin/tcpdump |
The location of your tcpdump binary. |
REGRESSRESULTS=$UMLPREFIX/results |
(Optional) Should be set to the location where you |
|
want the results (pass or fail) of each test stored. |
Make sure that umlsetup.sh contains an entry for OPENSWANHOSTS. Versions prior to 2.3.2 mistakenly used FREESWANHOSTS.
You should now be able to build the entire UML system with all hosts using:
$ make uml
If you get an error about lndir not existing on your system, install the appropriate X Server package (xorg-x11 or XFree86). On Fedora Core 3, and other systems using gcc-3.4, there is a problem with the 2.4 kernel's use of FASTCALL. Please check the Openswan Wiki pages for updates on whether this problem still exists.
297
Debugging and Troubleshooting
If the build fails with the error "The following defaults are missing:", containing a few new kernel
options, you will need to add these options to openswan/openswan-2/testing/kernelconfigs/uml*.
Always remove the entire $POOLSPACE directory if your build failed and you change something in the kernel tree, otherwise your build tree will be a combination of kernel versions due to the use of hardlinks.
Running the UMLs
You can now start a machine, for example East, by running;
$ $POOLSPACE/east/start.sh
Or you can start up a few xterms with a Linux box in each of them:
$ for i in sunrise sunset east west do
xterm -name $i -title $i -e $POOLSPACE/$i/start.sh & done
You can login as root, with the password "root". The UMLs are all networked together, so East can talk to West, when they have both been started, but there is no connectivity on East or West to the outside world. The following figure shows an overview of the entire Openswan UML-based test network.
298 |