[Openswan Users] Pluto not running???

Matthew Claridge mclaridge at rwa-net.co.uk
Mon Aug 16 17:50:26 CEST 2004


on 16/08/2004 16:36 Paul Wouters said the following:

>On Mon, 16 Aug 2004, Matthew Claridge wrote:
>  
>
>>conn tunnelipsec
>>        type=tunnel
>>        left=62.x.x.x
>>        leftnexthop=%defaultroute
>>        leftsubnet=172.x.x.x/24
>>        right=194.x.x.x
>>        rightnexthop=%defaultroute
>>        rightsubnet=145.x.x.x/24
>>        esp=3des-md5-96
>>        keyexchange=ike
>>        pfs=no
>>        auto=start
>>    
>>
>
>DO NOT use *nexthop=%defaultroute.
>
>I don't know where this came from, but more and more people are trying to
>use it. And for 2.6 native IPsec or backports thereof, you should never
>use the nexthop settings, since they are only used for getting traffic
>into the proper ipsecX devices, which do not exist for the native 2.6 code.
>  
>
ok, took those out. I got it from the documentation and the ipsec.conf 
man page ;o)

> 
>  
>
>>            whack: Pluto is not running (no "/var/run/pluto.ctl")
>>    
>>
>
>This means you should have an error in your log why pluto failed to start.
>Check /var/log/secure 
>  
>
ok, found an error by restarting the ipsec service:

FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 98: Address already in use

maybe I'm being dumb, but it seems obvious the address is already in use 
as it uses existing interfaces....

>>/usr/local/ipsec verify gives the following:
>>
>>            Checking for RSA private key (/etc/ipsec.secrets)                       [FAILED]
>>    
>>
>
>The default is to use rsasig keys for authentication. You have not specified
>a different method (eg PSK) in your conn or default section, so you are
>missing the necessary keys for setting up your connection.
>  
>
fixed that with "authby=secret"

>>            Checking for 'setkey' command for native IPsec stack support            [FAILED]
>>            which: no setkey in (/sbin:/usr/bin:/usr/local/sbin:/usr/local/sbin:/usr/local/sbin:/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin)
>>    
>>
>
>Install the ipsec-tools rpm.
>  
>
yep, already spotted that one ;)

>You might want to include /etc/ipsec.d/examples/no_oe.conf
>  
>
not sure I need to as this is going to try to connect to a cisco router 
(eventually!)

>Paul 
>  
>
Thanks for your comments Paul....

