This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Soft-Release v7.402

Today we soft-released v7.402 on our FTP-Servers (ftp.astaro.de for sure). The GA release will follow a few days later, if everything goes well. Use the easter holidays to find out [:D]

Please check intensively, if your NIC sorting stays as expected. We updated Intel e1000 driver and integrated e1000e so there is still a small possibility something may go wrong although we tested that thoroughly.

Update:
We just uploaded a fixed Up2Date package for v7.402 to our FTP-Server (ftp.astaro.de, Mirrors may take a while to sync). This new version should not break your VLANs (and probably other devices) anymore.

Make sure you download the correct new version:
MD5sum: a24570c061234f1ebf0509c1104f9423
Size: 143157552 bytes

It is possible to "repair" a broken v7.402 update by decrementing /etc/version to v7.401, deleting /var/lib/nics, installing the new fixed update and then re-assign the phyiscal hardware devices to your vlan devices via webadmin.

Sorry for inconvenience but thanks to your support, the GA release will not have that problem [H]

This thread was automatically locked due to age.

0 BarryG over 16 years ago in reply to BarryG

rebooted to test VPN again... down again.

ipsec.log


2009:04:15-00:43:19 (none) ipsec_starter[3290]: Starting strongSwan 4.2.3 IPsec [starter]...
2009:04:15-00:43:20 (none) ipsec_starter[3305]: IP address or index of physical interface changed -> reinit of ipsec interface
2009:04:15-00:43:20 (none) pluto[3308]: Starting Pluto (strongSwan Version 4.2.3 THREADS LIBLDAP VENDORID CISCO_QUIRKS)
2009:04:15-00:43:20 (none) pluto[3308]:   including NAT-Traversal patch (Version 0.6c)
2009:04:15-00:43:20 (none) pluto[3308]: ike_alg: Activating OAKLEY_AES_CBC encryption: Ok
2009:04:15-00:43:20 (none) pluto[3308]: ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok
2009:04:15-00:43:20 (none) pluto[3308]: ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok
2009:04:15-00:43:20 (none) pluto[3308]: ike_alg: Activating OAKLEY_SHA2_256 hash: Ok
2009:04:15-00:43:20 (none) pluto[3308]: ike_alg: Activating OAKLEY_SHA2_384 hash: Ok
2009:04:15-00:43:20 (none) pluto[3308]: ike_alg: Activating OAKLEY_SHA2_512 hash: Ok
2009:04:15-00:43:20 (none) pluto[3308]: ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok
2009:04:15-00:43:20 (none) pluto[3308]: ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok
2009:04:15-00:43:20 (none) pluto[3308]: Testing registered IKE encryption algorithms:
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_DES_CBC self-test not available
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_BLOWFISH_CBC self-test not available
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_3DES_CBC self-test not available
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_AES_CBC self-test not available
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_SERPENT_CBC self-test not available
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_TWOFISH_CBC self-test not available
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_TWOFISH_CBC_SSH self-test not available
2009:04:15-00:43:20 (none) pluto[3308]: Testing registered IKE hash algorithms:
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_MD5 hash self-test passed
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_MD5 hmac self-test passed
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_SHA hash self-test passed
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_SHA hmac self-test passed
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_SHA2_256 hash self-test passed
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_SHA2_256 hmac self-test passed
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_SHA2_384 hash self-test passed
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_SHA2_384 hmac self-test passed
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_SHA2_512 hash self-test passed
2009:04:15-00:43:20 (none) pluto[3308]:   OAKLEY_SHA2_512 hmac self-test passed
2009:04:15-00:43:20 (none) pluto[3308]: All crypto self-tests passed
2009:04:15-00:43:20 (none) pluto[3308]: Using KLIPS IPsec interface code
2009:04:15-00:43:20 (none) pluto[3308]: Changing to directory '/etc/ipsec.d/cacerts'
2009:04:15-00:43:20 (none) pluto[3308]:   loaded CA cert file 'REF_TTJyRSxYhc.pem' (3009 bytes)
2009:04:15-00:43:20 (none) pluto[3308]: Changing to directory '/etc/ipsec.d/aacerts'
2009:04:15-00:43:20 (none) pluto[3308]: Changing to directory '/etc/ipsec.d/ocspcerts'
2009:04:15-00:43:20 (none) pluto[3308]: Changing to directory '/etc/ipsec.d/crls'
2009:04:15-00:43:20 (none) pluto[3308]: listening for IKE messages
2009:04:15-00:43:20 (none) pluto[3308]: no public interfaces found
2009:04:15-00:43:20 (none) pluto[3308]: loading secrets from "/etc/ipsec.secrets"
2009:04:15-00:43:20 (none) pluto[3308]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:43:20 (none) pluto[3308]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:43:20 (none) pluto[3308]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:43:20 (none) pluto[3308]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:43:20 (none) pluto[3308]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:43:20 (none) pluto[3308]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:43:20 (none) pluto[3308]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:43:20 (none) pluto[3308]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:43:20 (none) pluto[3308]: added connection description "S_REF_rlKUFVAhyL_0"
2009:04:15-00:43:20 (none) pluto[3308]: "S_REF_rlKUFVAhyL_0": we have no ipsecN interface for either end of this connection
2009:04:15-00:43:20 (none) pluto[3308]: added connection description "S_REF_rlKUFVAhyL_1"
2009:04:15-00:43:20 (none) pluto[3308]: "S_REF_rlKUFVAhyL_1": we have no ipsecN interface for either end of this connection
2009:04:15-00:43:20 (none) pluto[3308]: added connection description "S_REF_rlKUFVAhyL_2"
2009:04:15-00:43:20 (none) pluto[3308]: "S_REF_rlKUFVAhyL_2": we have no ipsecN interface for either end of this connection
2009:04:15-00:43:20 (none) pluto[3308]: added connection description "S_REF_rlKUFVAhyL_3"
2009:04:15-00:43:20 (none) pluto[3308]: "S_REF_rlKUFVAhyL_3": we have no ipsecN interface for either end of this connection
2009:04:15-00:43:20 (none) pluto[3308]: added connection description "S_REF_rlKUFVAhyL_4"
2009:04:15-00:43:20 (none) pluto[3308]: "S_REF_rlKUFVAhyL_4": we have no ipsecN interface for either end of this connection
2009:04:15-00:43:20 (none) pluto[3308]: added connection description "S_REF_rlKUFVAhyL_5"
2009:04:15-00:43:20 (none) pluto[3308]: "S_REF_rlKUFVAhyL_5": we have no ipsecN interface for either end of this connection
2009:04:15-00:43:20 (none) pluto[3308]: added connection description "S_REF_rlKUFVAhyL_6"
2009:04:15-00:43:20 (none) pluto[3308]: "S_REF_rlKUFVAhyL_6": we have no ipsecN interface for either end of this connection
2009:04:15-00:43:20 (none) pluto[3308]: added connection description "S_REF_rlKUFVAhyL_7"
2009:04:15-00:43:20 (none) pluto[3308]: "S_REF_rlKUFVAhyL_7": we have no ipsecN interface for either end of this connection

Yes, it really says "(none)" for the hostname.
I am using dyndns, but I'm not sure that's related. The hostname is set apropriately (to the dyndns domain) in the system settings.

Barry

0 BarryG over 16 years ago in reply to BarryG

ipsec.log after manual restart:


2009:04:15-00:53:05 astarofw pluto[3308]: shutting down
2009:04:15-00:53:05 astarofw pluto[3308]: forgetting secrets
2009:04:15-00:53:05 astarofw pluto[3308]: "S_REF_rlKUFVAhyL_7": deleting connection
2009:04:15-00:53:05 astarofw pluto[3308]: "S_REF_rlKUFVAhyL_6": deleting connection
2009:04:15-00:53:05 astarofw pluto[3308]: "S_REF_rlKUFVAhyL_5": deleting connection
2009:04:15-00:53:05 astarofw pluto[3308]: "S_REF_rlKUFVAhyL_4": deleting connection
2009:04:15-00:53:05 astarofw pluto[3308]: "S_REF_rlKUFVAhyL_3": deleting connection
2009:04:15-00:53:05 astarofw pluto[3308]: "S_REF_rlKUFVAhyL_2": deleting connection
2009:04:15-00:53:05 astarofw pluto[3308]: "S_REF_rlKUFVAhyL_1": deleting connection
2009:04:15-00:53:05 astarofw pluto[3308]: "S_REF_rlKUFVAhyL_0": deleting connection
2009:04:15-00:53:08 astarofw ipsec_starter[5045]: Starting strongSwan 4.2.3 IPsec [starter]...
2009:04:15-00:53:08 astarofw ipsec_starter[5056]: IP address or index of physical interface changed -> reinit of ipsec interface
2009:04:15-00:53:08 astarofw pluto[5059]: Starting Pluto (strongSwan Version 4.2.3 THREADS LIBLDAP VENDORID CISCO_QUIRKS)
2009:04:15-00:53:08 astarofw pluto[5059]:   including NAT-Traversal patch (Version 0.6c)
2009:04:15-00:53:08 astarofw pluto[5059]: ike_alg: Activating OAKLEY_AES_CBC encryption: Ok
2009:04:15-00:53:08 astarofw pluto[5059]: ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok
2009:04:15-00:53:08 astarofw pluto[5059]: ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok
2009:04:15-00:53:08 astarofw pluto[5059]: ike_alg: Activating OAKLEY_SHA2_256 hash: Ok
2009:04:15-00:53:08 astarofw pluto[5059]: ike_alg: Activating OAKLEY_SHA2_384 hash: Ok
2009:04:15-00:53:08 astarofw pluto[5059]: ike_alg: Activating OAKLEY_SHA2_512 hash: Ok
2009:04:15-00:53:08 astarofw pluto[5059]: ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok
2009:04:15-00:53:08 astarofw pluto[5059]: ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok
2009:04:15-00:53:08 astarofw pluto[5059]: Testing registered IKE encryption algorithms:
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_DES_CBC self-test not available
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_BLOWFISH_CBC self-test not available
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_3DES_CBC self-test not available
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_AES_CBC self-test not available
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_SERPENT_CBC self-test not available
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_TWOFISH_CBC self-test not available
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_TWOFISH_CBC_SSH self-test not available
2009:04:15-00:53:08 astarofw pluto[5059]: Testing registered IKE hash algorithms:
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_MD5 hash self-test passed
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_MD5 hmac self-test passed
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_SHA hash self-test passed
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_SHA hmac self-test passed
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_SHA2_256 hash self-test passed
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_SHA2_256 hmac self-test passed
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_SHA2_384 hash self-test passed
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_SHA2_384 hmac self-test passed
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_SHA2_512 hash self-test passed
2009:04:15-00:53:08 astarofw pluto[5059]:   OAKLEY_SHA2_512 hmac self-test passed
2009:04:15-00:53:08 astarofw pluto[5059]: All crypto self-tests passed
2009:04:15-00:53:08 astarofw pluto[5059]: Using KLIPS IPsec interface code
2009:04:15-00:53:08 astarofw pluto[5059]: Changing to directory '/etc/ipsec.d/cacerts'
2009:04:15-00:53:08 astarofw pluto[5059]:   loaded CA cert file 'REF_TTJyRSxYhc.pem' (3009 bytes)
2009:04:15-00:53:08 astarofw pluto[5059]: Changing to directory '/etc/ipsec.d/aacerts'
2009:04:15-00:53:08 astarofw pluto[5059]: Changing to directory '/etc/ipsec.d/ocspcerts'
2009:04:15-00:53:08 astarofw pluto[5059]: Changing to directory '/etc/ipsec.d/crls'
2009:04:15-00:53:08 astarofw pluto[5059]: listening for IKE messages
2009:04:15-00:53:08 astarofw pluto[5059]: adding interface ipsec0/eth0 1.2.3.4:500
2009:04:15-00:53:08 astarofw pluto[5059]: adding interface ipsec0/eth0 1.2.3.4:4500
2009:04:15-00:53:08 astarofw pluto[5059]: loading secrets from "/etc/ipsec.secrets"
2009:04:15-00:53:08 astarofw pluto[5059]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:53:08 astarofw pluto[5059]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:53:08 astarofw pluto[5059]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:53:08 astarofw pluto[5059]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:53:08 astarofw pluto[5059]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:53:08 astarofw pluto[5059]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:53:08 astarofw pluto[5059]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:53:08 astarofw pluto[5059]:   loaded shared key for 5.6.7.8 1.2.3.4
2009:04:15-00:53:08 astarofw pluto[5059]: added connection description "S_REF_rlKUFVAhyL_0"
2009:04:15-00:53:08 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_0" #1: initiating Main Mode
2009:04:15-00:53:08 astarofw pluto[5059]: added connection description "S_REF_rlKUFVAhyL_1"
2009:04:15-00:53:08 astarofw pluto[5059]: added connection description "S_REF_rlKUFVAhyL_2"
2009:04:15-00:53:08 astarofw pluto[5059]: added connection description "S_REF_rlKUFVAhyL_3"
2009:04:15-00:53:08 astarofw pluto[5059]: added connection description "S_REF_rlKUFVAhyL_4"
2009:04:15-00:53:08 astarofw pluto[5059]: added connection description "S_REF_rlKUFVAhyL_5"
2009:04:15-00:53:08 astarofw pluto[5059]: added connection description "S_REF_rlKUFVAhyL_6"
2009:04:15-00:53:08 astarofw pluto[5059]: added connection description "S_REF_rlKUFVAhyL_7"
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_0" #1: ignoring Vendor ID payload [strongSwan 4.2.3]
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_0" #1: ignoring Vendor ID payload [Cisco-Unity]
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_0" #1: received Vendor ID payload [XAUTH]
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_0" #1: received Vendor ID payload [Dead Peer Detection]
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_0" #1: received Vendor ID payload [RFC 3947]
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_0" #1: enabling possible NAT-traversal with method 3
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_0" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_0" #1: Peer ID is ID_IPV4_ADDR: '5.6.7.8'
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_0" #1: ISAKMP SA established
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_7" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1}
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_6" #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1}
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_5" #4: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1}
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_4" #5: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1}
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_3" #6: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1}
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_2" #7: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1}
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_1" #8: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1}
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_0" #9: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1}
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_7" #2: route-client output: /usr/libexec/ipsec/updown: line 105: /usr/sbin/conntrack: No such file or directory
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_7" #2: Dead Peer Detection (RFC 3706) enabled
2009:04:15-00:53:09 astarofw pluto[5059]: "S_REF_rlKUFVAhyL_7" #2: sent QI2, IPsec SA established {ESP=>0x3e46a6eb 0x0000499e

Not sure what those errors at the end are about.
# which conntrack
/usr/sbin/conntrack

There's actually more at the end of the log (for each connection), but it won't fit here. It is basically the same though.

Barry

0 BarryG over 16 years ago in reply to BarryG

Is a 7.402 ISO going to be released?

I need it for my new system (see sig)

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 ErikFranzen over 16 years ago

Update:
We just uploaded a fixed Up2Date package for v7.402 to our FTP-Server (ftp.astaro.de, Mirrors may take a while to sync). This new version should not break your VLANs (and probably other devices) anymore.

Make sure you download the correct new version:
MD5sum: a24570c061234f1ebf0509c1104f9423
Size: 143157552 bytes

Just checked ftp.astaro.de, in folder /pub/Astaro_Security_Gateway/v7/up2date. The old 7.402 is still there.

Currently md5 is 99649d575795bddee7cc8247645a3275 for file u2d-sys-7.402.tgz.gpg on ftp.astaro.de
Cancel
Vote Up 0 Vote Down

Cancel
0 Goldy_01 over 16 years ago in reply to ErikFranzen

Today, after upgrading to 7.402, and reboot, Astaro no longer recognized 7 of my 11 Interfaces.
I was forced to clean install 7.401 and upload the configuration file in order to bring back my system on its feet.

[:(]
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 16 years ago in reply to Goldy_01

Today, after upgrading to 7.402, and reboot, Astaro no longer recognized 7 of my 11 Interfaces.
I was forced to clean install 7.401 and upload the configuration file in order to bring back my system on its feet.

Hi, What kind of interfaces?

Can you do an
lspci -nnkv

on your 7.401 system?

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 Goldy_01 over 16 years ago in reply to BarryG

Hi.

See the attached file.

Couldn't copy all so here part of it...
[:)]
- Astaro.txt
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 16 years ago in reply to Goldy_01

Goldy, do you happen to know which NICs weren't detected?

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 Goldy_01 over 16 years ago in reply to BarryG

Hi.

Far as i remember:
Eth 1 ,Eth 3-6, Eth 8, Eth9.
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 16 years ago in reply to Goldy_01

I had the same problem on one of our test appliances; the Intel GB NICS which have worked fine since 7.0 quit working after instalation of 7.402.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel