[BitVisor-devel-en:123] Re: Bitvisor Wireguard problems?

Lonnie Cumberland lonnie at outstep.com
Tue Jun 18 19:28:21 JST 2024


Hello Hideki,

Thanks so very much for getting back to me and for your response about 
IPsec.  Given the age of it that you mention, it may not be a fruitful 
endeavor to go that route, but I think that digging into the syslogs 
more will be helpful, and I will work on getting them set up properly to 
yield information about what may be happening here.

Maybe if the IPsec is so very old then perhaps removing it completely 
from Bitvisor would be an option to consider and just rely on Wireguard 
since it is a more modern solution, although I would have to see how 
many dependencies it would affect in the code base as well.

Of course, I will be happy to report any findings and possible 
resolutions that I come up with in this area.

My hope is that maybe we can continue to discuss Bitvisor as it really 
is more of a research project for me at the moment while in the learning 
stage and while hoping to get it to a viable state with Wireguard but 
ultimately the goal is to rework that area to make it a P2P solution 
with Wireguard as the base.

Best Regards and have a great day,
Lonnie


On 6/18/2024 6:06 AM, Hideki EIRAKU wrote:
> Hello,
>
> If BitVisor looks crashed, enabling syslog makes debugging easier.
> docs/getting_started.md describes the syslog feature.
>
>> Now I need your help as in looking over the default ".vpn" settings it
>> seems as though someone was able to connect with a SoftEther server
>> perhaps on VPN-Gate and I also have a SoftEther server set up and
>> would like to do a test to see if that works since if it does then
>> that effectively confirms that there is a bug in the Wireguard code
>> that is causing the crash and hopefully the person that developed it
>> can help locate that bug to get it fixed, if at all possible.
> The IPsec VPN feature in BitVisor was introduced before the open
> sourced SoftEther VPN was released.  About 15 years ago, I tested it
> with Linux IPsec and racoon daemon.  I could not find what I did at
> that time.  In addition, it probably has security issues because of
> the too old version of OpenSSL and poor random number generation in
> crypto/chelp/chelp.c.
>
> The racoon.conf file that I probably used in 2009 has the following
> lines, just for your information:
>
> ------------------------------------------------------------
> path pre_shared_key "/etc/racoon/psk.txt";
> path certificate "/etc/racoon/certs";
> remote anonymous {
>          exchange_mode aggressive,main;
>          my_identifier user_fqdn"user1 at tsukuba.ac.jp";
>          proposal {
>                  encryption_algorithm 3des;
>                  hash_algorithm sha1;
>                  authentication_method pre_shared_key;
>                  dh_group 2;
>          }
> }
> sainfo anonymous {
>          lifetime time 12 hours;
>          encryption_algorithm 3des;
>          authentication_algorithm hmac_sha1;
>          compression_algorithm deflate;
> }
> ------------------------------------------------------------
>
> WireGuard implementation comes from
> https://github.com/smartalock/wireguard-lwip.  It does not use OpenSSL
> code and looks much simpler than IPsec VPN.  Hardware random number
> generator (RDRAND instruction) is used if available.
>
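
Added example, not part of the original messages and not BitVisor or ipsec-tools code: a small audit that walks a racoon.conf like the 2009-era one quoted above and reports the IKE/IPsec parameters that count as legacy today. The rule table, the `audit` function and the sample text are assumptions constructed for this example.

```python
import re

# Constructed sample that mirrors the racoon.conf quoted in the message above.
SAMPLE_CONF = """
remote anonymous {
        exchange_mode aggressive,main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
}
"""

# Rule set assumed for this example; it is not a BitVisor or ipsec-tools list.
LEGACY = {
    "exchange_mode": {"aggressive": "with a PSK, the handshake hash can be guessed offline"},
    "encryption_algorithm": {"des": "56-bit key", "3des": "64-bit block cipher"},
    "hash_algorithm": {"md5": "legacy hash", "sha1": "legacy hash"},
    "authentication_algorithm": {"hmac_md5": "legacy MAC", "hmac_sha1": "legacy MAC"},
    "dh_group": {"1": "768-bit MODP", "modp768": "768-bit MODP",
                 "2": "1024-bit MODP", "modp1024": "1024-bit MODP"},
}

def audit(conf):
    """Return (section path, directive, value, reason) for each legacy setting."""
    findings, stack, stmt = [], [], []
    for tok in re.findall(r'"[^"]*"|#[^\n]*|[{};]|[^\s{};"#]+', conf):
        if tok.startswith("#"):              # racoon.conf comment, skip it
            continue
        if tok not in ("{", "}", ";"):       # bare word or quoted string
            stmt.append(tok)
            continue
        if tok == "{":                       # words before '{' name the section
            stack.append(" ".join(stmt))
        elif tok == "}" and stack:
            stack.pop()
        elif tok == ";" and stmt:
            rules = LEGACY.get(stmt[0], {})
            for val in ",".join(stmt[1:]).split(","):   # e.g. "aggressive,main"
                if val in rules:
                    findings.append(("/".join(stack), stmt[0], val, rules[val]))
        stmt = []
    return findings
```

Calling `audit(SAMPLE_CONF)` returns one tuple per legacy setting, with the section path showing whether it came from the phase 1 `remote` proposal or the phase 2 `sainfo` block.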