[Openswan Users] OpenSwan 1.0.10 -> 2.4.5rc5 migration (IPSEC EVENT: KLIPS device ipsec0 shut down)

Stephen Jones hivemynd at hivemynd.net
Mon Mar 6 01:33:00 CET 2006

Hello list,

I would like to apologize up-front for the length of this post (and the 
repost, because the original message had the subject deleted...).  It 
includes everything I have done to solve this problem and some details 
about each step.  Perhaps too much.  Please bear with me if you think 
you can help.

So begins the long arduous process of migration from OpenSwan 1.0.10 to 
OpenSwan 2.4.5rc5 (and beyond).

I am in the process of migrating from OpenSwan 1.0.10 to OpenSwan 2.x. I 
plan on using KLIPS. This seems to be the correct thing to do since 
OpenSwan 1.x is now officially orphaned, and for now, I need to continue 
to use the 2.4.x series of kernels.

I have a 2.4.32 plain vanilla kernel running on an FC1 distro that is 
functioning as my development box for SmoothWall 
(http://www.smoothwall.org). The smoothwall boxes have been running 
Openswan (and FreeS/WAN before that) for years without more than the 
usual issues (mostly PEBCAK at that).

What I have done:

1.) I have built and installed a new clean 2.4.32 kernel from sources 
obtained from kernel.org.  This proceeded w/o issues.

2.) I downloaded the latest openswan-2.4.5rc5 sources from openswan.org 
and compiled them following the instructions online, and also from 
Chapter 3: Building and Installing Openswan from the book "Building and 
Integrating Virtual Private Networks with Openswan" by Paul Wouters and 
Ken Bantoft (purchased the e-Book + "real" book bundle from packt 
publishing, great writing btw, easy to follow).

make programs (no errors)
make install (no errors)

3.) I then patched the 2.4.32 kernel sources with the klips patch:

patch -p1 < openswan-2.4.5rc5.kernel-2.4-klips.patch

which appeared to have succeeded w/o issues.

4.) I then rebuilt and installed the kernel via make menuconfig, and 
selected the ipsec related options as modules where possible, or in the 
kernel where required.  The kernel rebuilt cleanly and the modules 
installed and depmod -a reports no errors.  The ipsec module loads w/o 

5.) The machine was rebooted to load the new openswan 2.4.5rc5 patched 
kernel and new openswan modules.  I do not have ipsec set to autostart.

6.) ipsec was started manually with this command:

service ipsec start

yielding this output:
ipsec_setup: Starting Openswan IPsec 2.4.5rc5...
ipsec_setup: WARNING: changing route filtering on eth0 (changing 
/proc/sys/net/ipv4/conf/eth0/rp_filter from 1 to 0)

The ipsec module is loaded (verified with lsmod). But something is 
amiss.  The console begins to get spammed with this message:

IPSEC EVENT: KLIPS device ipsec0 shut down

about every 10 seconds...

A google search, and a search of the e-book mentioned above for more 
specific info about causes/solutions to that error yielded mostly dead 
links to posts on http://lists.freeswan.org/pipermail/bugs/ or other not 
particularly pertinent info.

7.) ipsec verify yields this:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.5rc5 (klips)
Checking for IPsec support in kernel                            [OK]
KLIPS detected, checking for NAT Traversal support              [FAILED]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [FAILED]
   whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" 
failed (111 Connection refused)
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
    Looking for TXT in forward dns zone: fedora1athlon           [MISSING]
    Does the machine have at least one non-private address?      [FAILED]

ipsec version
Linux Openswan 2.4.5rc5 (klips)

I am not attempting to test for NAT-T at this point, and the kernel has 
not been patched for NAT-T.

I modified my ipsec.conf file following info previously posted by Paul:

- remove plutoload= and plutostart= options from ipsec.conf
- Add as first line "version 2" to ipsec.conf

I suspect my problem(s) may be related to not completely cleaning out 
the remnants of openswan-1.0.10 that exist on the development machine.
I can provide online postings of the conf files or any log files as 
needed, just let me know what (and possibly how to generate the logs).

ifconfig -a shows the expected 4 ipsecX interfaces (ipsec0 -> ipsec3).

Any nudges in the right direction on this would be greatly appreciated.

[I also tried to build openswan from the latest cvs files 
(rsync://anoncvs.openswan.org/openswan-2) but the build fails 
complaining about missing files:
In file included from addrtoa.c:17:
openswan/ipsec_kversion.h: No such file or directory
openswan/ipsec_param.h: No such file or directory
make[2]: *** [addrtoa.o] Error 1
rm addrtoa.c
make[2]: Leaving directory 
make[1]: *** [programs] Error 1
make[1]: Leaving directory `/usr/src/linux-2.4.32/openswan-2.4.x-rsync/lib'
make: *** [programs] Error 1]

Thank you again for your time and attention!

Best regards,
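
Added example, not part of the original post and not Openswan code: a small triage parser for the `ipsec verify` output quoted in the message above. It pairs each check with its status and keeps the free-text line that follows a check (such as the whack connect error), so the non-OK results can be listed together. The function names are this example's own; the sample is copied from the post with the mail-wrapped whack line rejoined.

```python
import re

# Sample copied from the post above; the mail-wrapped whack line is rejoined.
SAMPLE = """\
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.5rc5 (klips)
Checking for IPsec support in kernel                            [OK]
KLIPS detected, checking for NAT Traversal support              [FAILED]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [FAILED]
   whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
    Looking for TXT in forward dns zone: fedora1athlon           [MISSING]
    Does the machine have at least one non-private address?      [FAILED]
"""

# A check line ends in a bracketed status, e.g. "... [OK]".
CHECK_RE = re.compile(r"^\s*(?P<name>.+?)\s+\[(?P<status>[A-Z /]+)\]\s*$")


def parse_verify(text):
    """Return one dict per check: name, status, section, details."""
    results, section, last = [], None, None
    for line in text.splitlines():
        if not line.strip():
            last = None          # a blank line ends the current group
            continue
        m = CHECK_RE.match(line)
        if m:
            last = {"name": m["name"], "status": m["status"],
                    "section": section, "details": []}
            results.append(last)
        elif line.rstrip().endswith(":") and not line[0].isspace():
            # Unindented line ending in a colon is a section heading.
            section, last = line.strip().rstrip(":"), None
        elif last is not None:
            # Free-text line after a check (version banner, whack error).
            last["details"].append(line.strip())
    return results


def problems(results):
    """Checks whose status is anything other than OK."""
    return [r for r in results if r["status"] != "OK"]
```

On the sample, `problems(parse_verify(SAMPLE))` returns four entries; the NAT Traversal one is the failure the poster says is expected, since that kernel has not been patched for NAT-T.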

