[Openswan Users] Cisco Concentrator Stumped

Paul Wouters paul at xelerance.com
Thu Feb 3 14:44:37 CET 2005


On Wed, 2 Feb 2005, Eaton, Andy wrote:

>> Comment out this line in /usr/local/lib/ipsec/_realsetup:
>>
>> lsmod 2>&1 | grep "^ipsec" > /dev/null && rmmod ipsec
>
> When I did this, I got the following:
> 	ipsec_setup: Starting Openswan IPsec 2.3.0...
> 	ipsec_setup: insmod: can't read 'ipsec': No such file or
> directory

Ok, just replace the line with: echo "not unloading klips". It
probably got confused by an empty conditional branch.

> ipsec setup start and /etc/init.d/ipsec start started telling me about
> ipsec no such file or directory after I installed the klips modules. I
> set up a script to remove the netkey modules and modprobe the klips
> ipsec. Seems to work for some form of working... This may be the reason
> things are breaking so badly too. At any rate, when I comment out that
> line Pluto doesn't start.

Works too.

>> Can you provide us with a gdb backtrace of this? add dumpdir=/tmp to
>> config setup in ipsec.conf to allow core dumps.
>> Is this happening with 2.3.0?
>
> It is 2.3.0.  I will attach the backtrace. I am pretty sure it was
> obtained correctly; if not, let me know and I will get it again.

Thanks. Bad news: it is 2.3.0. Good news: we have a trace now. Except:

Using host libthread_db library "/lib/tls/libthread_db.so.1".
(no debugging symbols found)
Core was generated by `/usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipse'.
Program terminated with signal 6, Aborted.
#0  0x4008e7ab in ?? ()
(gdb) where
#0  0x4008e7ab in ?? ()
#1  0x40196c60 in ?? ()

cd into the openswan-2.3.0/programs/pluto directory first. Then
start gdb. Use 'file pluto' to read in the pluto binary. Then
use 'core /tmp/core' to read in the core, and we should get all
the symbols.

> Are you saying that if my lan-to-lan group on the concentrator is
> "24.107.189.229" then my leftid should also read "24.107.189.229" and
> not "@24.107.189.229"?  I was digging into documentation and for some
> reason, it looked like I needed the "@" in front of the group name.

Normally, yes.

Paul
-- 

"At best it is a theory, at worst a fantasy" -- Michael Crichton


