conf/173969: sendd does not work

Sara sara_ir110 at yahoo.com
Wed Nov 28 14:40:02 UTC 2012


>Number:         173969
>Category:       conf
>Synopsis:       sendd does not work
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 28 14:40:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Sara
>Release:        9.0
>Organization:
HPI
>Environment:
FreeBSD i386 9.0 release
>Description:
When configuring router advertisement, I did not have any problem with the rtadvd service. But when I configured the sendd service to enable SEND on my interface in order to send secure router advertisements, I do not receive any error in /var/log/messages, but it does not send any messages either.
Whenever I reboot the system, I just receive a message that the sendd socket is created. Since the time I configured sendd, rtadvd does not work either. I also disabled sendd, but now rtadvd does not work anymore.

I searched on the Internet and could find nothing to help me.

>How-To-Repeat:
Briefly:
- configure rtadvd
- configure sendd and all its required options for router advertisement
More detailed:
--------------------------------------------------------------------------
To enable rtadvd(8) you will need the following in your /etc/rc.conf:
rtadvd_enable="YES"
It is important that you specify the interface on which to do IPv6 router solicitation. For example, to tell rtadvd(8) to use em0 (em0 is the name of the network interface; you can obtain it by running the command "ifconfig"):
rtadvd_interfaces="em0"

Now we must create the configuration file, /etc/rtadvd.conf. Here is an example:
fxp0:\
	:addrs#1:addr="2001:471:1f11:246::":prefixlen#64:tc=ether:


Error message  reporting non-zero lifetime RA but net.inet6.ip6.forwarding=0

Now we need to set a couple of kernel options. Edit your /etc/sysctl.conf and add these lines:
net.inet6.ip6.accept_rtadv=0
net.inet6.ip6.forwarding=1

and reboot the system
reporting non-zero lifetime RA on RA receiving interface
em0:\
:addr="DEAD:BEEF:CAFE:1::":prefixlen#64:rltime#0:
____________________________________________
/etc/rc.conf
ifconfig_re1_ipv6="inet6 -accept_rtadv"
ifconfig_re1_ipv6="inet6 accept_rtadv"

------------------------
The place of CA.pl
/usr/src/crypto/openssl/apps/CA.pl
Make new directory under root
mkdir CA
mv /usr/src/crypto/openssl/apps/CA.pl  /root/CA/CA.pl
create certificate, go to CA directory
perl CA.pl -newca
remove the passphrase from the private key under the demoCA/private/ directory
openssl rsa -in /CA/demoCA/private/cakey.pem -out /CA/demoCA/private/newkey.pem

replace it with the old key
mv /CA/demoCA/private/newkey.pem /CA/demoCA/private/cakey.pem

sign the certificate file
perl CA.pl -sign

create a file with the name /CA/ipext.conf
add the following commands

addresses {
ipv6 {
SAFI unicast;
prefix 2001:abc:123:1::/64;
}
}
files {
certfile /CA/demoCA/cacert.pem;
cacert /CA/demoCA/cacert.pem;
capriv /CA/demoCA/private/cakey.pem;
outfile /CA/demoCA/cert/ca_ipext.pem;
}

"certfile" is the input certificate.
"cacert" is the input signer's certificate.
"capriv" is the input signer's private key.
"outfile" is where to put the newly signed certificate.
Now run this command while you are in /CA path
ipexttool -w -i ipext.conf
the output pem file with the name ca_ipext.pem should be created 
then edit /etc/sendd.conf to change this line
snd_pkixip_conf=/CA/ipext.conf
generate a cga and set that ip
ifconfig interfaceName inet6 IPAddress
to generate it every time the system boots
create a folder with the name /CA/cga/cgagen.sh  and add the following lines
#!/bin/sh
cgatool --gen -R 1024 -k /CA/cga/mykey.pem -p 2001:: -o /CA/cga/myder -s 1 | xargs ifconfig em0 inet6
This will generate CGA and set the ip address
Now move the file to /usr/local/etc/rc.d/


To set CGA parameters go to 
vi /etc/send/cga-params.conf
there, add the paths to where you created mykey.pem and myder

Finally, when the testing was OK, edit ipext.conf and add
files {
trustedcert /CA/demoCA/cacert.pem;

}
For each certificate

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
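
The following is an added example, not part of the original report and not FreeBSD project code: a POSIX sh consistency check for the rtadvd-related settings listed in the How-To-Repeat section (repeated rc.conf variables, interfaces named in rtadvd_interfaces that have no rtadvd.conf entry, and the forwarding sysctl). The function names are hypothetical, the files are read as plain text copies, and the script does not diagnose sendd itself.

```shell
#!/bin/sh
# Added example: function names are hypothetical; file paths are arguments so
# the checks can be run against copies of the configuration files.

# Print each rc.conf variable assigned more than once. rc.conf is sourced as
# shell, so only the last assignment takes effect.
rc_duplicates() {   # $1 = rc.conf
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort | uniq -d
}

# Print the effective (last) value of key $2 in a KEY=VALUE file $1,
# with optional surrounding double quotes removed.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print interfaces listed in rtadvd_interfaces that have no entry in rtadvd.conf.
rtadvd_missing_entries() {   # $1 = rc.conf, $2 = rtadvd.conf
    for ifn in $(rc_value "$1" rtadvd_interfaces); do
        grep -q "^$ifn[|:]" "$2" || echo "$ifn"
    done
}

# Succeed only if the sysctl.conf-style file $1 ends with forwarding set to 1.
forwarding_enabled() {
    [ "$(rc_value "$1" 'net\.inet6\.ip6\.forwarding')" = "1" ]
}

# Run all checks and print one line per finding.
audit() {   # $1 = rc.conf, $2 = rtadvd.conf, $3 = sysctl.conf
    for v in $(rc_duplicates "$1"); do
        echo "rc.conf: $v set more than once; effective value: $(rc_value "$1" "$v")"
    done
    for i in $(rtadvd_missing_entries "$1" "$2"); do
        echo "rtadvd.conf: no entry for $i listed in rtadvd_interfaces"
    done
    forwarding_enabled "$3" || echo "sysctl.conf: net.inet6.ip6.forwarding is not 1"
}

# Usage: sh check.sh /etc/rc.conf /etc/rtadvd.conf /etc/sysctl.conf
if [ $# -eq 3 ]; then
    audit "$@"
fi
```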

