
Subject: Re: PKCIPE will not reconnect --- Calling this a bug.
From: "Brett Johnson" <mlcipe,AT,k50,DOT,net>
Date: Thu, 6 Feb 2003 22:11:34 +0100
In-reply-to: <200301222015090146.04209DA7@192.168.25.1>

If nobody has any ideas why this continually can fail, then I'm calling this 
a bug.

I can easily reproduce the problems given here.  I'm sure others could, also.

Thx/B++

*********** REPLY SEPARATOR  ***********

On 1/22/03 at 8:15 PM Brett Johnson wrote:

>(COUGH COUGH someone may find this a little bit helpful in setting up
>pkcipe COUGH GASP)
>
>I've been having this problem off and on for a while, but it's now causing
>enough problems to be moved up my priority list.  I've dug through the
>mailing list archives but didn't seem to find anything related to this
>problem.
>
>I have a few firewalls I do CIPE VPNs between using PKCIPE for all the
>connection stuff.
>
>I run Red Hat 7.3 and 8.0 boxes.  I compile the kernel from kernel.org.
>On each box I've removed the RH cipe*.rpm and have compiled cipe-1.5.4.
>To be clear, I stay away from Red Hat kernels and the old version of CIPE
>they never seem to upgrade.
>
>My 2 systems currently being used for trying to fix this problem:
>
>"chihuahua.net.k90.dynamic.dhcp" is my RH80 box with kernel 2.4.20.
>I have an internal DHCP server with DDNS set up on this box for my LAN.
>That's why the name is so long.
>Real Internet IP is 65.71.225.187
>Internal IP is 192.168.25.1
>This box is the PKCIPE "client".
>
>"confidence.k50.net" is my RH73 box with kernel 2.4.18.
>Real Internet IP is 65.172.141.2
>Internal IP is 172.16.1.2
>This box is the PKCIPE "server".
>
>When the VPNs are up and running they work great.  I do not believe this
>is a configuration issue on my side...otherwise I'd never have gotten the
>first VPN running to begin with.
>
>Sometimes one of those VPNs will die off for various reasons (usually
>death by ISP).  Sometimes I can reconnect it using PKCIPE, most of the
>time I cannot.  I've tried many different things, but I haven't been able
>to really find the source of the problem.
>
>Usually I will do a reconnect the brutal way...on each box I'll clean up
>by:
>ps axw | grep cipe
>kill cipe pids
>ps axw | grep ping
>kill any pings lying around
>rm /var/run/cipe/*
>rmmod cipcb
>modprobe cipcb
>sometimes I'll restart xinetd just for the fun of it.
>"ifconfig cipcb* down" is pointless as the interface is already gone by
>this point (if it wasn't gone already)
>
>Now, *in theory*, this should hard reset both boxes and make them clean
>for a new connection, right? (as in I'm troubleshooting and totally
>starting the connection process over).
>
>All keys used with pkcipe are chmod 400 and owned by root.
>
>Key/Profile on chihuahua:  /etc/cipe/pk/confidence.k50.net
>-----BEGIN PUBLIC KEY-----
><4 lines cut>
>-----END PUBLIC KEY-----
>ipaddr 192.168.25.9
>ptpaddr 172.16.1.248
>maxerr 4
>ping 12
>toping 5
>
>Key/Profile on confidence:  /etc/cipe/pk/chihuahua.net.k90.dynamic.dhcp
>-----BEGIN PUBLIC KEY-----
><4 lines cut>
>-----END PUBLIC KEY-----
>ipaddr 172.16.1.248
>ptpaddr 192.168.25.9
>maxerr 4
>ping 12
>toping 5
>
>The public keys cut out do match the identity file of the peer machines
>(this config has worked before).
>
>From chihuahua I'll try and connect to confidence by:
>pkcipe -c 65.172.141.2:pkcipe chihuahua.net.k90.dynamic.dhcp -D100 -E
>
>Under ideal conditions this will throw around a lot of debugging and work
>perfectly.  Lately it has been:
>
>[root@chihuahua pk]# pkcipe -c 65.172.141.2:pkcipe chihuahua.net.k90.dynamic.dhcp -D100 -E
>connect to 65.172.141.2
>SignUpdate 28
>VerifyUpdate 28
>VerifyUpdate rev 18
>SignUpdate rev 18
>packetSendBN: 128
>6b52c2fd4044536ebad3addcd311bda0121d7bd913ef22c39f95909074b64f
>b9964d74fea5b2a639dc415436ef7f7eaf7a5f056251f8f481df1d64b482c4bd9247accb1c657072
>bacbab4fc237c82ebf2fd4dd73c6a658c7cdeafce77040661b0f12abf14c4ad9fcff042082704d47
>441b061cff3c481d4393ae1134c0732c81
>SignUpdate 130
>VerifyUpdate 130
>packetExtrBN: 128
>9675a14e01fbe9924e7a1791d0479a052ef68d965fe10c46e94c72398a6d30
>6a2d712a960c760639bdda21a9de0c8f921d34216336a6fc7036997ade6ee260d2cec0a11ca39839
>232e71f200972d5d6fd2bad5fcc95f61613510cb8fdbdb192928aebf2ca91fae11d12e458f394bef
>cf04d292fc01103a32467ebcce64b98e99
>SignUpdate 41
>VerifyUpdate 29
>lockMaster
>lockPeer
>unlockMaster
>lockMaster
>starting /usr/local/sbin/ciped-cb for peer confidence.k50.net
>unlockMaster
>handlePacket: received ERROR: ciped returned 1
>
>chihuahua syslog reports (/var/log/messages):
>Jan 22 19:35:07 firewall kernel: cipcb0: alloc
>Jan 22 19:35:07 firewall kernel: cipcb0: setpar
>Jan 22 19:35:07 firewall kernel: cipcb0: setkey
>Jan 22 19:35:07 firewall kernel: cipcb0: attach
>Jan 22 19:35:07 firewall kernel: cipcb0: opened
>Jan 22 19:35:21 firewall kernel: cipcb0: cipe_sendmsg
>Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
>Jan 22 19:35:21 firewall kernel: cipcb0: cipe_sendmsg
>Jan 22 19:35:21 firewall kernel: cipcb0: setkey
>Jan 22 19:35:21 firewall kernel: cipcb0: cipe_sendmsg
>Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
>Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
>Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
>Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
>Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
>Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
>Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
>Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
>Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
>Jan 22 19:35:36 firewall ciped-cb[31518]: keepalive timeout
>Jan 22 19:35:36 firewall ciped-cb[31518]: Interface stats        0       0   0   0    0     0          0         0      660       5    0    0    0     0 0          0
>Jan 22 19:35:36 firewall ciped-cb[31518]: KX stats: rreq=0, req=1, ind=0, indb=0, ack=0, ackb=0, unknown=0
>Jan 22 19:35:36 firewall kernel: cipcb0: cipe_sendmsg
>Jan 22 19:35:36 firewall ciped-cb[31518]: cipcb0: daemon exiting
>Jan 22 19:35:36 firewall kernel: cipcb0: closing
>
>
>chihuahua ps axf reports:
>31522 ?        S      0:00 /bin/sh /etc/cipe/ip-up cipcb0 65.71.225.187:32805 31518 192.168.25.9 172.16.1.248 confidence.k50.net
>31595 ?        S      0:00  \_ ping -c5 172.16.1.248
>
>chihuahua ifconfig does not have any cipcb interface.
>
>chihuahua /var/run/cipe
>-rw-------    1 root     root          182 Jan 22 19:35 confidence.k50.net
>-rw-------    1 root     root           12 Jan 22 19:35 @@LOCKFILE
>
>confidence ifconfig, system log, or ps list has NOTHING about cipe listed.
>It DOES have chihuahua.net.k90.dynamic.dhcp and @@LOCKFILE in
>/var/run/cipe.
>
>I know what you're thinking...so...
>[root@chihuahua pk]# telnet 65.172.141.2 963
>Trying 65.172.141.2...
>Connected to 65.172.141.2.
>Escape character is '^]'.
>*PKCIPE/02 1.5.4 0.1         *A
>
>Connection closed by foreign host.
>[root@chihuahua pk]#
>
>I can connect from chihuahua.  lsmod on confidence also shows the cipcb
>module loaded (I loaded it by hand earlier).  It has 0 used.
>
>
>
>Now, to make things a little more confusing, there are variations on this
>sequence.
>
>Sometimes I'll run pkcipe and it will just hang.  On confidence I can see
>xinetd launching pkcipe but nothing under it.  Sometimes the ps list will
>show sub-processes under pkcipe and one will be "defunct".  Sometimes
>pkcipe will come back with an immediate failure.  If I "rmmod cipcb" on
>confidence and try to connect from chihuahua again, sometimes the cipcb
>module will be reloaded on confidence, sometimes not.
>
>The only thing I have reliably been able to reproduce is the failure for
>pkcipe to reconnect the VPN when I call it to.  From a working connection,
>do an "ifconfig cipcbX down" or kill cipe process.  Reconnect with pkcipe.
>Keep repeating a few times until it starts failing.  From there it won't
>want to come back.  Sometimes after giving up and waiting awhile I can
>reconnect perfectly again (key timing issues?).  If I keep trying to
>reconnect, rarely will I ever get the connection back.
>
>Please help a desperate admin.
>Thx/B++
>
>
>--
>Message sent by the cipe-l,AT,inka,DOT,de mailing list.
>Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
>Other commands available with "help" in body to the same address.
>CIPE info and list archive: 
><URL:http://sites.inka.de/~bigred/devel/cipe.html>
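As an added example (not code from the thread or from the CIPE project), here is a small triage script for the ciped-cb syslog signatures quoted above: it groups the "kxchg: recv: Connection refused" repeats, the keepalive timeout and the "KX stats" counters by daemon PID and derives a verdict. The sample log is constructed from the lines in the post; the verdict wording and thresholds are my own.

```python
import re

# Constructed sample: abridged from the chihuahua syslog excerpt quoted in the thread.
SAMPLE_LOG = """\
Jan 22 19:35:07 firewall kernel: cipcb0: opened
Jan 22 19:35:21 firewall kernel: cipcb0: cipe_sendmsg
Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
Jan 22 19:35:36 firewall ciped-cb[31518]: keepalive timeout
Jan 22 19:35:36 firewall ciped-cb[31518]: KX stats: rreq=0, req=1, ind=0, indb=0, ack=0, ackb=0, unknown=0
Jan 22 19:35:36 firewall ciped-cb[31518]: cipcb0: daemon exiting
"""

# Each pattern captures the ciped-cb PID so several daemons can be told apart.
REFUSED_RE = re.compile(r"ciped-cb\[(\d+)\]: kxchg: recv: Connection refused")
TIMEOUT_RE = re.compile(r"ciped-cb\[(\d+)\]: keepalive timeout")
KXSTATS_RE = re.compile(r"ciped-cb\[(\d+)\]: KX stats: (.+)$")

def triage_ciped_log(text):
    """Group ciped-cb failure signatures by PID and attach a verdict to each."""
    per_pid = {}

    def entry(pid):
        return per_pid.setdefault(pid, {"refused": 0, "keepalive_timeout": False, "kx": {}})

    for line in text.splitlines():
        if m := REFUSED_RE.search(line):
            entry(m.group(1))["refused"] += 1
        elif m := TIMEOUT_RE.search(line):
            entry(m.group(1))["keepalive_timeout"] = True
        elif m := KXSTATS_RE.search(line):
            # "rreq=0, req=1, ..." -> {"rreq": 0, "req": 1, ...}
            entry(m.group(1))["kx"] = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group(2))}
    for d in per_pid.values():
        d["verdict"] = verdict(d)
    return per_pid

def verdict(d):
    kx = d["kx"]
    # On Linux a connected UDP socket reports ECONNREFUSED when the peer answers with
    # ICMP port unreachable, i.e. nothing is listening on the peer's CIPE UDP port.
    if d["refused"] and kx.get("req", 0) > 0 and kx.get("ack", 0) == 0:
        return "peer port unreachable: key-exchange request sent, never acknowledged"
    if d["keepalive_timeout"]:
        return "keepalive timeout: no traffic received from peer"
    return "no failure signature"
```

Run it over /var/log/messages from the client side after a failed pkcipe attempt; a "peer port unreachable" verdict points at the server-side ciped-cb not being up rather than at the key files.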
