[Openswan Users] pluto.ctl failed

sasa sasa at shoponweb.it
Mon Feb 27 15:08:54 CET 2006


Hi, I have a problem with a road connection with L2TP and X.509 certificates:

[root at localhost misc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan Ucvs2002Mar11_19:19:03/Kopenswan-2.1.4-15.rhfc1.at (klips)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                          [FAILED]
whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
Two or more interfaces found, checking IP forwarding                    [FAILED]
whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)

In the log file I have:

Feb 27 11:02:11 localhost ipsec__plutorun: Restarting Pluto subsystem...
Feb 27 11:02:12 localhost pluto[12582]: Starting Pluto (Openswan Version cvs2002Mar11_19:19:03 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Feb 27 11:02:13 localhost pluto[12582]:   including NAT-Traversal patch (Version 0.6c)
Feb 27 11:02:13 localhost pluto[12582]: Using KLIPS IPsec interface code
Feb 27 11:02:13 localhost pluto[12582]: Could not change to directory '/etc/ipsec.d/cacerts'
Feb 27 11:02:13 localhost pluto[12582]: Changing to directory '/etc/ipsec.d/crls'
Feb 27 11:02:13 localhost pluto[12582]:   loaded crl file 'crl.pem' (520 bytes)
Feb 27 11:02:13 localhost pluto[12582]: crl issuer cacert not found
Feb 27 11:02:13 localhost pluto[12582]:   loaded host cert file '/etc/vpngateway_cert.pem' (3645 bytes)
Feb 27 11:02:13 localhost pluto[12582]: added connection description "left-road"
Feb 27 11:02:14 localhost pluto[12582]: listening for IKE messages
Feb 27 11:02:14 localhost pluto[12582]: adding interface ipsec0/eth0 81.174.10.122
Feb 27 11:02:14 localhost pluto[12582]: adding interface ipsec0/eth0 81.174.10.122:4500
Feb 27 11:02:14 localhost pluto[12582]: loading secrets from "/etc/ipsec.secrets"
Feb 27 11:02:14 localhost pluto[12582]:   loaded private key file '/etc/ipsec.d/private/vpngateway_key.pem' (1708 bytes)

If I start/stop ipsec I have:

[root at localhost ipsec.d]# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Removing orphaned /var/run/pluto.pid:
[root at localhost ipsec.d]# service ipsec start
ipsec_setup: Starting Openswan IPsec cvs2002Mar11_19:19:03...
ipsec_setup: Using /lib/modules/2.4.22-1.2194.nptl_50.rhfc1.at/updates/net/ipsec/ipsec.o
[root at localhost ipsec.d]# ipsec whack --status
000 %myid = (none)
000 debug none
000
000 "left-road": 1.2.3.4[C=IT, ST=Italy, L=Naples, O=pixteam.com, OU=Securiy, CN=VPN-Gateway, E=pixteam at pixteam.com,S=C]:17/1701---1.2.3.5...%any[S=C]:17/1701; unrouted; eroute owner: #0
000 "left-road":   CAs: 'C=IT, ST=Italy, L=Naples, O=pixteam.com, OU=Security, CN=RootCA 2006, E=pixteam at pixteam.com'...'%any'
000 "left-road":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "left-road":   policy: RSASIG+ENCRYPT; prio: 32,32; interface: ;
000 "left-road":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

Then after a few seconds I have:

[root at localhost ipsec.d]# ipsec whack --status
whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)

My ipsec.conf is:

config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
conn %default
    authby=rsasig
conn left-road
    auto=add
    pfs=no
    type=transport
    # site A office, left (local)
    left=1.2.3.4
    leftnexthop=1.2.3.5
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/vpngateway_cert.pem
    leftprotoport=17/1701
    # site B, right (remote, with XP)
    right=%any
    rightrsasigkey=%cert
    rightprotoport=17/1701

On the VPN server I use:

[root at localhost misc]# uname -r
2.4.22-1.2194.nptl_50.rhfc1.at
[root at localhost misc]# rpm -qa|grep openswan
openswan-2.1.4-15.rhfc1.at
kernel-module-openswan-2.4.22-1.2194.nptl_50.rhfc1.at-2.1.4-15.rhfc1.at

If I don't use a certificate but PSK I don't have a problem.
Thanks.

------
Salvatore. 
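As an added diagnostic (not from this post or from Openswan itself), the script below parses a conn section from ipsec.conf and checks the ipsec.d layout for the two things pluto's log above complains about: the missing /etc/ipsec.d/cacerts directory (without the issuing CA, neither the CRL's issuer nor a peer's certificate can be verified) and configured cert paths that do not exist on disk. The conn text and the scratch ipsec.d tree are constructed; relative leftcert/rightcert paths are resolved under ipsec.d/certs the way Openswan does.

```python
import tempfile
from pathlib import Path

# Constructed sample: the poster's conn with a relative leftcert (relative paths
# resolve under ipsec.d/certs), so it can be checked against a scratch ipsec.d.
SAMPLE_CONF = """\
conn left-road
 #sede A (local gateway)
    leftrsasigkey=%cert
    leftcert=vpngateway_cert.pem
    rightrsasigkey=%cert
"""

def parse_ipsec_conf(text):
    """Return {'conn left-road': {key: value}}; any unindented line starts a section."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                      # unindented: section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return sections

def check_cert_layout(conf_text, ipsec_d):
    """List what pluto complains about: no cacerts dir, and cert files that do not exist."""
    ipsec_d, problems = Path(ipsec_d), []
    if not (ipsec_d / "cacerts").is_dir():
        problems.append(f"cacerts directory missing: {ipsec_d / 'cacerts'}")
    for name, opts in parse_ipsec_conf(conf_text).items():
        for side in ("left", "right"):
            if opts.get(side + "rsasigkey") != "%cert" or side + "cert" not in opts:
                continue
            # pathlib keeps an absolute right operand, so absolute paths are used as-is
            cert = ipsec_d / "certs" / opts[side + "cert"]
            if not cert.is_file():
                problems.append(f"{name}: {side}cert {cert} not found")
    return problems

def demo():
    """Run the check on a scratch tree before and after adding the missing files."""
    root = Path(tempfile.mkdtemp())
    before = check_cert_layout(SAMPLE_CONF, root)
    for sub, fname in (("cacerts", "rootca.pem"), ("certs", "vpngateway_cert.pem")):
        (root / sub).mkdir()
        (root / sub / fname).write_text("-----BEGIN CERTIFICATE-----\nplaceholder\n")
    return before, check_cert_layout(SAMPLE_CONF, root)
```

Run it against the real tree with `check_cert_layout(open("/etc/ipsec.conf").read(), "/etc/ipsec.d")`; in the log above the host cert pluto actually loaded is /etc/vpngateway_cert.pem, not the /etc/ipsec.d/certs path in the conf, so the path check is worth looking at.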