[Openswan Users] Pluto not running???

Paul Wouters paul at xelerance.com
Mon Aug 16 18:36:47 CEST 2004

On Mon, 16 Aug 2004, Matthew Claridge wrote:

> conn tunnelipsec
>         type=tunnel
>         left=62.x.x.x
>         leftnexthop=%defaultroute
>         leftsubnet=172.x.x.x/24
>         right=194.x.x.x
>         rightnexthop=%defaultroute
>         rightsubnet=145.x.x.x/24
>         esp=3des-md5-96
>         keyexchange=ike
>         pfs=no
>         auto=start

DO NOT user *nexthop=%defaultroute.

I don't know where this came form, but more and more people are trying to
use it. And for 2.6 native IPsec or backports thereof, you should never
use the nexthop settings, since they are only used for getting traffic
into the proper ipsecX devices, which do not exist for the native 2.6 code.
>             whack: Pluto is not running (no "/var/run/pluto.ctl")

This means you should have an error in your log why pluto failed to start.
Check /var/log/secure
> There's nothing in the docs about having to start Pluto so I'm a bit 
> stumped....

Pluto is started when the ipsec service starts (service ipsec start)
> /usr/local/ipsec verify gives the following:
>             Checking for RSA private key 
> (/etc/ipsec.secrets)                       [FAILED]

The default is to use rsasig keys for authentication. You have not specified
a different method (eg PSK) in your conn or default section, so you are
missing the neccessary keys for setting up your connection.

>             Checking that pluto is 
> running                                          [FAILED]
>             whack: Pluto is not running (no "/var/run/pluto.ctl")

check /var/log/secure why pluto fails to start.

>             Checking for 'setkey' command for native IPsec stack 
> support            [FAILED]
>             which: no setkey in 
> (/sbin:/usr/bin:/usr/local/sbin:/usr/local/sbin:/usr/local/sbin:/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin)

Install the ipsec-tools rpm.
>             Opportunistic Encryption DNS checks:
>                Looking for TXT in forward dns zone: 
> mickey.rwa-net.co.uk            [MISSING]
>                Does the machine have at least one non-private 
> address?              [OK]
>                Looking for TXT in reverse dns zone: 
>     [MISSING]

Ignore these.

You might want to include /etc/ipsec.d/examples/no_oe.conf


More information about the Users mailing list