<div dir="ltr">Hi.<div><br></div><div>I've deleted all content of ipsec.d and now pluto runs.</div><div><br></div><div>Thanks,</div><div><br></div><div>Miguel</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Mon, Nov 11, 2013 at 3:11 PM, Leto <span dir="ltr"><<a href="mailto:letoams@gmail.com" target="_blank">letoams@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto"><div>nss initialisation fails sounds like you did not run "ipsec initnss" to create a new nss db. or with selinux enabled it might need a restorecon -Rv /etc/ipsec.d</div><div><br></div><div>(libreswan on fedora/rhel performs these steps on post on package install, but Debian/Ubuntu packages still need to be updated for that)<br>
<br>sent from a tiny device </div><div><div class="h5"><div><br>On 2013-11-11, at 6:34, Miguel Goyanes <<a href="mailto:mgoyanes@gmail.com" target="_blank">mgoyanes@gmail.com</a>> wrote:<br><br></div><blockquote type="cite">
<div><div dir="ltr">Hello.<div><br></div><div>I'm failing to start ipsec.</div><div><br></div><div>If I do the below commands I get this message:</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div><div>[root@localhost ~]# service ipsec start</div></div><div><div>Redirecting to /bin/systemctl start ipsec.service</div></div><div><div>[root@localhost ~]# service ipsec status</div></div><div><div>Redirecting to /bin/systemctl status ipsec.service</div>
</div><div><div>ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec</div></div><div><div> Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)</div></div><div><div> Active: failed (Result: start-limit) since Mon 2013-11-11 11:28:08 WET; 1s ago</div>
</div><div><div> Process: 18430 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)</div></div><div><div> Process: 18428 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)</div></div>
<div><div> Process: 18425 ExecStop=/usr/sbin/ipsec whack --shutdown (code=exited, status=1/FAILURE)</div></div><div><div> Process: 18421 ExecStart=/bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)</div>
</div><div><div> Process: 18354 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)</div></div><div><div> Process: 18352 ExecStartPre=/usr/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)</div>
</div><div><div><br></div></div><div><div>Nov 11 11:28:08 localhost.localdomain systemd[1]: Unit ipsec.service entered failed state.</div></div><div><div>Nov 11 11:28:08 localhost.localdomain systemd[1]: ipsec.service holdoff time over, scheduling restart.</div>
</div><div><div>Nov 11 11:28:08 localhost.localdomain systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...</div></div><div><div>Nov 11 11:28:08 localhost.localdomain systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...</div>
</div><div><div>Nov 11 11:28:08 localhost.localdomain systemd[1]: ipsec.service start request repeated too quickly, refusing to start.</div></div><div><div>Nov 11 11:28:08 localhost.localdomain systemd[1]: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.</div>
</div><div><div>Nov 11 11:28:08 localhost.localdomain systemd[1]: Unit ipsec.service entered failed state.</div></div></blockquote><div><div><br></div><div>Then if I check:</div><div><br></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div><div>[root@localhost ~]# ipsec verify</div></div><div><div>Verifying installed system and configuration files</div></div><div><div><br></div></div><div><div>Version check and ipsec on-path <span style="white-space:pre-wrap">        </span>[OK]</div>
</div><div><div>Libreswan 3.5 (netkey) on 3.11.1-200.fc19.x86_64</div></div><div><div>Checking for IPsec support in kernel <span style="white-space:pre-wrap">        </span>[OK]</div></div><div><div> NETKEY: Testing XFRM related proc values</div>
</div><div><div> ICMP default/send_redirects <span style="white-space:pre-wrap">        </span>[NOT DISABLED]</div></div><div><div><br></div></div><div><div> Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!</div>
</div><div><div><br></div></div><div><div> ICMP default/accept_redirects <span style="white-space:pre-wrap">        </span>[NOT DISABLED]</div></div><div><div><br></div></div><div><div> Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!</div>
</div><div><div><br></div></div><div><div> XFRM larval drop <span style="white-space:pre-wrap">        </span>[OK]</div></div><div><div>Pluto ipsec.conf syntax <span style="white-space:pre-wrap">        </span>[OK]</div>
</div><div><div>Hardware random device <span style="white-space:pre-wrap">        </span>[N/A]</div></div><div><div>Two or more interfaces found, checking IP forwarding<span style="white-space:pre-wrap">        </span>[OK]</div>
</div><div><div>Checking rp_filter <span style="white-space:pre-wrap">        </span>[ENABLED]</div></div><div><div> /proc/sys/net/ipv4/conf/cint0/rp_filter <span style="white-space:pre-wrap">        </span>[ENABLED]</div>
</div><div><div> /proc/sys/net/ipv4/conf/default/rp_filter <span style="white-space:pre-wrap">        </span>[ENABLED]</div></div><div><div> /proc/sys/net/ipv4/conf/gw0/rp_filter <span style="white-space:pre-wrap">        </span>[ENABLED]</div>
</div><div><div> /proc/sys/net/ipv4/conf/p2p1/rp_filter <span style="white-space:pre-wrap">        </span>[ENABLED]</div></div><div><div> /proc/sys/net/ipv4/conf/rw0/rp_filter <span style="white-space:pre-wrap">        </span>[ENABLED]</div>
</div><div><div> rp_filter is not fully aware of IPsec and should be disabled</div></div><div><div>Checking that pluto is running <span style="white-space:pre-wrap">        </span>[FAILED]</div></div><div>
<div>Checking NAT and MASQUERADEing <span style="white-space:pre-wrap">        </span>[TEST INCOMPLETE]</div></div><div><div>Checking 'ip' command <span style="white-space:pre-wrap">        </span>[OK]</div>
</div><div><div>Checking 'iptables' command <span style="white-space:pre-wrap">        </span>[OK]</div></div><div><div>Checking 'prelink' command does not interfere with FIPS<span style="white-space:pre-wrap">        </span>[PRESENT]</div>
</div><div><div>Checking for obsolete ipsec.conf options <span style="white-space:pre-wrap">        </span>[OK]</div></div><div><div>Opportunistic Encryption <span style="white-space:pre-wrap">        </span>[DISABLED]</div>
</div><div><div><br></div></div><div><div>ipsec verify: encountered 15 errors - see 'man ipsec_verify' for help</div></div></blockquote><div><br></div><div><br></div><div>My /var/log/secure has this:</div><div><br>
</div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><div>Nov 11 11:28:08 localhost pluto[18424]: nss directory plutomain: /etc/ipsec.d</div></div><div><div>Nov 11 11:28:08 localhost pluto[18424]: NSS initialization failed (err -8015)</div>
</div></blockquote><div><br></div><div><br></div><div>Please help me. How can I fix this error???</div><div><br></div><div><br></div><div><br></div><div>Thanks,</div><div><br></div><div>Miguel</div></div>
</div></blockquote></div></div><blockquote type="cite"><div><span>_______________________________________________</span><br><span><a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a></span><br>
<span><a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a></span><br><span>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a></span><br>
<span>Building and Integrating Virtual Private Networks with Openswan:</span><br><span><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></span><br>
</div></blockquote></div></blockquote></div><br></div>