[Openswan Users] _plutorun/_plutoload stops after shell logout
netvipe
me at netvipe.com
Mon May 9 23:54:44 CEST 2005
Hi,
I detected a curious problem while running IPsec in combination with IKE. The connection itself is not the problem; it seems to be the init script.
The IPsec connection is defined as follows:
version 2.0
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
uniqueids=yes
conn dmz-halle
type = tunnel
left = xxx.xxx.xxx.xxx
leftsubnet = 192.168.0.0/16
leftnexthop = xxx.xxx.xxx.xxx
right = yyy.yyy.yyy.yyy
rightsubnet = www.www.www.www/28
esp = 3des-md5-96
authby = secret
pfs = no
auto = start
After I've started the IPsec process using "/etc/init.d/ipsec start", everything works fine:
22912 root 800 S /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --nat
23860 root 404 S logger -s -p daemon.error -t ipsec__plutorun
30969 root 812 S /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --nat
23125 root 796 S /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
28239 root 976 S /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug
21804 root 592 S N pluto helper # 0
23235 root 240 S _pluto_adns
Both SAs get established and a connection from left to right succeeds:
May 9 21:51:12 ipsec_setup: KLIPS ipsec0 on eth0 xxx.xxx.xxx.xxx/255.255.255.248 broadcast xxx.xxx.xxx.xxx
May 9 21:51:12 ipsec__plutorun: Starting Pluto subsystem...
May 9 21:51:12 ipsec_setup: ...Openswan IPsec started
May 9 21:51:12 ipsec_setup: Starting Openswan IPsec U2.3.0/K...
May 9 21:51:12 pluto[24551]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
May 9 21:51:12 pluto[24551]: Setting port floating to off
May 9 21:51:12 pluto[24551]: port floating activate 0/1
May 9 21:51:12 pluto[24551]: including NAT-Traversal patch (Version 0.6c) [disabled]
May 9 21:51:12 pluto[24551]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 9 21:51:12 pluto[24551]: starting up 1 cryptographic helpers
May 9 21:51:12 pluto[24551]: started helper pid=3668 (fd:6)
May 9 21:51:12 pluto[24551]: Using KLIPS IPsec interface code
May 9 21:51:12 pluto[24551]: Changing to directory '/etc/ipsec.d/cacerts'
May 9 21:51:12 pluto[24551]: Changing to directory '/etc/ipsec.d/aacerts'
May 9 21:51:12 pluto[24551]: Changing to directory '/etc/ipsec.d/ocspcerts'
May 9 21:51:12 pluto[24551]: Changing to directory '/etc/ipsec.d/crls'
May 9 21:51:12 pluto[24551]: Warning: empty directory
May 9 21:51:12 pluto[24551]: added connection description "dmz-conn"
May 9 21:51:12 pluto[24551]: listening for IKE messages
May 9 21:51:12 pluto[24551]: adding interface ipsec0/eth0 xxx.xxx.xxx.xxx
May 9 21:51:12 pluto[24551]: loading secrets from "/etc/ipsec.secrets"
May 9 21:51:12 pluto[24551]: "dmz-conn" #1: initiating Main Mode
May 9 21:51:12 pluto[24551]: | no IKE algorithms for this connection
May 9 21:51:12 ipsec__plutorun: 104 "dmz-conn" #1: STATE_MAIN_I1: initiate
May 9 21:51:12 ipsec__plutorun: ...could not start conn "dmz-conn"
May 9 21:51:13 pluto[24551]: "dmz-conn" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 9 21:51:13 pluto[24551]: "dmz-conn" #1: received Vendor ID payload [XAUTH]
May 9 21:51:13 pluto[24551]: "dmz-conn" #1: received Vendor ID payload [Dead Peer Detection]
May 9 21:51:13 pluto[24551]: "dmz-conn" #1: received Vendor ID payload [Cisco-Unity]
May 9 21:51:13 pluto[24551]: "dmz-conn" #1: ignoring unknown Vendor ID payload [2a5940a3b43ae7c2d012aab54dd0e607]
May 9 21:51:13 pluto[24551]: "dmz-conn" #1: I did not send a certificate because I do not have one.
May 9 21:51:13 pluto[24551]: "dmz-conn" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 9 21:51:13 pluto[24551]: "dmz-conn" #1: Main mode peer ID is ID_IPV4_ADDR: '62.89.183.33'
May 9 21:51:13 pluto[24551]: "dmz-conn" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 9 21:51:13 pluto[24551]: "dmz-conn" #1: ISAKMP SA established
May 9 21:51:13 pluto[24551]: "dmz-conn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May 9 21:51:13 pluto[24551]: "dmz-conn" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 9 21:51:13 pluto[24551]: "dmz-conn" #1: received and ignored informational message
May 9 21:51:13 pluto[24551]: "dmz-conn" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
May 9 21:51:13 pluto[24551]: "dmz-conn" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 9 21:51:13 pluto[24551]: "dmz-conn" #2: sent QI2, IPsec SA established {ESP=>0x995e661d <0xecf84a73}
My problem starts after I've left the shell from which I started the ipsec init script. When I log out, the IKE processes (_plutorun/_plutoload) also finish. I've tried to figure out what happens but can't find any problems. Even debug doesn't help (as expected, because it's not an IPsec/IKE communication problem).
There is only some short output in the logfile:
May 9 21:51:25 pluto[24551]: Pluto ignores SIGHUP -- perhaps you want "whack --listen"
May 9 21:51:25 pluto[24551]: ADNS process terminated by signal 1
May 9 21:51:25 pluto[24551]: closing helper(0) pid=-1 fd=6
What happens here???
Of course the IPsec connection stays available until the next rekeying period.
Some info about the system:
- x86 (pentium IIT) hardware with 2.4.29-grsec kernel
- os resides on a flash module and is based on uClibc
- /etc, /var and /tmp are writeable (tmpfs)
- busybox provides most services (incl. init)
- sh replaced by bash (3.00.16(2))
- pgawk (3.1.2), sed (4.1.2) and grep (2.5.1) are available
- openswan 2.3.0
- other services (openvpn, openssh or dnsmasq) are running without any problems
So I hope that anybody can give me some suggestions or maybe even knows how to fix the problem.
Kindly advise,
florian
--
Florian Reinholz mailto:me at netvipe.com
GnuPG Key: http://netvipe.com/netvipe-pubkey.asc
Fingerprint: C808 9B2E 002F FE88 A916 0CFF 128A 6EC0 5C97 DE78
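The log excerpt above shows pluto ignoring SIGHUP while the ADNS helper is terminated by signal 1 (SIGHUP). As an added example (not from the post and not Openswan code), the script below reads /proc to check whether a given PID ignores SIGHUP, and shows what happens to a child with the default disposition versus one that ignores SIGHUP when the signal is delivered; it assumes Linux /proc and a POSIX sh with awk.

```shell
#!/bin/sh
# Added example, not from the original post or from Openswan.
# Assumes Linux /proc (the poster runs 2.4.29) and a POSIX sh with awk.

# Start a child with the default SIGHUP disposition and print its PID.
start_default() {
    sh -c 'exec sleep 60' </dev/null >/dev/null 2>&1 &
    echo $!
}

# Start a child that ignores SIGHUP, as pluto's "Pluto ignores SIGHUP" line
# shows pluto does (an ignored disposition survives exec); print its PID.
start_hup_ignoring() {
    sh -c 'trap "" HUP; exec sleep 60' </dev/null >/dev/null 2>&1 &
    echo $!
}

# Return 0 if PID ignores SIGHUP. SIGHUP is signal 1, bit 0 of the SigIgn
# mask in /proc/PID/status, so the lowest hex digit of the mask must be odd.
ignores_hup() {
    mask=$(awk '/^SigIgn:/ { print $2 }' "/proc/$1/status" 2>/dev/null) || true
    [ -n "$mask" ] || return 2
    case ${mask#"${mask%?}"} in
        1|3|5|7|9|b|d|f|B|D|F) return 0 ;;
        *) return 1 ;;
    esac
}

# Deliver SIGHUP to PID, then print "yes" if it is still running and "no"
# if it has exited (or is a zombie waiting to be reaped).
survives_hup() {
    kill -HUP "$1" 2>/dev/null
    sleep 1
    state=$(awk '/^State:/ { print $2 }' "/proc/$1/status" 2>/dev/null) || true
    case $state in
        ''|Z*) echo no ;;
        *) echo yes ;;
    esac
}

# Demo: run both children through the same two checks you would apply to
# each PID of the _plutorun/_plutoload/pluto/_pluto_adns chain in the ps output.
demo() {
    for p in $(start_default) $(start_hup_ignoring); do
        if ignores_hup "$p"; then ign=yes; else ign=no; fi
        printf 'pid %s: ignores SIGHUP=%s, survives SIGHUP=%s\n' "$p" "$ign" "$(survives_hup "$p")"
        kill "$p" 2>/dev/null
    done
}
```

Call `demo` to see the two outcomes side by side; on a live system, pass the PIDs from the ps listing to `ignores_hup` without sending the signal.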