OpenSwan 1.0.10 -> OpenSwan 2.x migration: IPSEC EVENT: KLIPS device ipsec0 shut down
hivemynd at hivemynd.net
Sun Mar 5 23:07:56 CET 2006
I would like to apologize up-front for the length of this post. It
includes everything I have done to solve this problem and some details
about each step. Perhaps too much. Please bear with me if you think
you can help.
So begins the long arduous process of migration from OpenSwan 1.0.10 to
OpenSwan 2.4.5rc5 (and beyond).
I am in the process of migrating from OpenSwan 1.0.10 to OpenSwan 2.x. I
plan on using KLIPS. This seems to be the correct thing to do since
OpenSwan 1.x is now officially orphaned, and for now, I need to continue
to use the 2.4.x series of kernels.
I have a 2.4.32 plain vanilla kernel running on an FC1 distro that is
functioning as my development box for SmoothWall
(http://www.smoothwall.org). The smoothwall boxes have been running
Openswan (and FreeS/WAN before that) for years without more than the
usual issues (mostly PEBCAK at that).
What I have done:
1.) I have built and installed a new clean 2.4.32 kernel from sources
obtained from kernel.org. This proceeded w/o issues.
2.) I downloaded the latest openswan-2.4.5rc5 sources from openswan.org
and compiled them following the instructions online, and also from
Chapter 3: Building and Installing Openswan from the book "Building and
Integrating Virtual Private Networks with Openswan" by Paul Wouters and
Ken Bantoft (purchased the e-Book + "real" book bundle from packt
publishing, great writing btw, easy to follow).
make programs (no errors)
make install (no errors)
3.) I then patched the 2.4.32 kernel sources with the klips patch:
patch -p1 < openswan-2.4.5rc5.kernel-2.4-klips.patch
which appeared to have succeeded w/o issues.
4.) I then rebuilt and installed the kernel via make menuconfig, and
selected the ipsec related options as modules where possible, or in the
kernel where required. The kernel rebuilt cleanly and the modules
installed and depmod -a reports no errors. The ipsec module loads w/o
5.) The machine was rebooted to load the new openswan 2.4.5rc5 patched
kernel and new openswan modules. I do not have ipsec set to autostart.
6.) ipsec was started manually with this command:
service ipsec start
yielding this output:
ipsec_setup: Starting Openswan IPsec 2.4.5rc5...
ipsec_setup: WARNING: changing route filtering on eth0 (changing
/proc/sys/net/ipv4/conf/eth0/rp_filter from 1 to 0)
The ipsec module is loaded (verified with lsmod). But something is
amiss. The console begins to get spammed with this message:
IPSEC EVENT: KLIPS device ipsec0 shut down
about every 10 seconds...
A google search, and a search of the e-book mentioned above for more
specific info about causes/solutions to that error yielded mostly dead
links to posts on http://lists.freeswan.org/pipermail/bugs/ or other not
particularly pertinent info.
7.) ipsec verify yields this:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.4.5rc5 (klips)
Checking for IPsec support in kernel [OK]
KLIPS detected, checking for NAT Traversal support [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [FAILED]
whack: is Pluto running? connect() for "/var/run/pluto/pluto.ctl"
failed (111 Connection refused)
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: fedora1athlon [MISSING]
Does the machine have at least one non-private address? [FAILED]
Linux Openswan 2.4.5rc5 (klips)
I am not attempting to test for NAT-T at this point, and the kernel has
not been patched for NAT-T.
I modified my ipsec.conf file following info previously posted by Paul:
- remove plutoload= and plutostart= options from ipsec.conf
- Add as first line "version 2" to ipsec.conf
I suspect my problem(s) may be related to not completely cleaning out
the remnants of openswan-1.0.10 that exist on the development machine.
I can provide online postings of the conf files or any log files as
needed, just let me know what (and possibly how to generate the logs).
ifconfig -a shows the expected 4 ipsecX interfaces (ipsec0 -> ipsec3).
Any nudges in the right direction on this would be greatly appreciated.
[I also tried to build openswan from the latest cvs files
(rsync://anoncvs.openswan.org/openswan-2) but the build fails
complaining about missing files:
In file included from addrtoa.c:17:
openswan/ipsec_kversion.h: No such file or directory
openswan/ipsec_param.h: No such file or directory
make: *** [addrtoa.o] Error 1
make: Leaving directory
make: *** [programs] Error 1
make: Leaving directory `/usr/src/linux-2.4.32/openswan-2.4.x-rsync/lib'
make: *** [programs] Error 1]
Thank you again for your time and attention!
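The ipsec.conf changes described in the post (drop plutoload= and plutostart=, put a version line first) are easy to get half-done when leftovers from a 1.x install are still around. The following checker is an added example and is not part of the original post nor Openswan's own tooling; it assumes the documented 2.x form "version 2.0" (the post writes "version 2", and the regex accepts both), and the sample ipsec.conf it runs on is constructed for the demonstration.

```python
import re
import sys

# Constructed sample: an Openswan 1.x-style ipsec.conf that still carries
# the options the post says must go, and has no leading "version" line.
SAMPLE_OLD_CONF = """\
# /etc/ipsec.conf - Openswan 1.x style (constructed sample)
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        authby=rsasig

conn office
        left=192.0.2.1
        right=198.51.100.7
        auto=start
"""

# Keys that Openswan 2.x no longer understands (from the migration notes).
OBSOLETE_KEYS = ("plutoload", "plutostart")
# Accepts "version 2" (as written in the post) and "version 2.0" (man page form).
VERSION_RE = re.compile(r"^\s*version\s+2(\.0)?\s*$")


def _key_of(line):
    """Return the lower-cased key of a key=value line, or None for comments/other."""
    s = line.lstrip()
    if s.startswith("#") or "=" not in s:
        return None
    return s.split("=", 1)[0].strip().lower()


def _is_obsolete(line):
    return _key_of(line) in OBSOLETE_KEYS


def lint_ipsec_conf(text):
    """Return a list of findings; an empty list means the file looks 2.x-ready."""
    findings = []
    lines = text.splitlines()
    # Comment and blank lines may precede the version line; the first real line must be it.
    first_code = next((l for l in lines if l.strip() and not l.lstrip().startswith("#")), "")
    if not VERSION_RE.match(first_code):
        findings.append('first non-comment line is not "version 2.0"')
    for n, line in enumerate(lines, 1):
        if _is_obsolete(line):
            findings.append(f"line {n}: obsolete 1.x option {_key_of(line)}=")
    return findings


def migrate_ipsec_conf(text, version_line="version 2.0"):
    """Return a copy of text with the 1.x-only keys dropped and a version line
    added as the first line if none is present; everything else is kept verbatim.
    Running it twice yields the same result."""
    kept = [l for l in text.splitlines() if not _is_obsolete(l)]
    if not any(VERSION_RE.match(l) for l in kept):
        kept.insert(0, version_line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: python migrate_ipsec_conf.py [/etc/ipsec.conf]; prints findings and
    # the migrated text to stdout, never writes the file in place.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OLD_CONF
    for f in lint_ipsec_conf(src):
        print("finding:", f, file=sys.stderr)
    sys.stdout.write(migrate_ipsec_conf(src))
```

Run the lint on the live file first; if it reports nothing and the "KLIPS device ipsec0 shut down" messages persist, the config is not the culprit and the leftover 1.x binaries or modules on the box are the next thing to look at.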