[Openswan Users]

Paul Wouters paul at xelerance.com
Mon Mar 6 16:22:51 CET 2006

On Mon, 6 Mar 2006, Stephen Jones wrote:

> I would like to apologize up-front for the length of this post (and the
> repost, because the original message had the subject deleted...).  It includes
> everything I have done to solve this problem and some details about each step.
> Perhaps too much.  Please bear with me if you think you can help.

Yes, we will upgrade the mailing list server within the next few weeks. Hopefully,
it will stop eating up long subject lines.

> 2.) I downloaded the latest openswan-2.4.5rc5 sources from openswan.org and
> compiled them following the instructions online, and also from Chapter 3:
> Building and Installing Openswan from the book "Building and Integrating
> Virtual Private Networks with Openswan" by Paul Wouters and Ken Bantoft
> (purchased the e-Book + "real" book bundle from packt publishing, great
> writing btw, easy to follow).

Thanks :)

> make programs (no errors)
> make install (no errors)
> 3.) I then patched the 2.4.32 kernel sources with the klips patch:
> patch -p1 < openswan-2.4.5rc5.kernel-2.4-klips.patch
> which appeared to have succeeded w/o issues.
> 4.) I then rebuilt and installed the kernel via make menuconfig, and selected
> the ipsec related options as modules where possible, or in the kernel where
> required.  The kernel rebuilt cleanly and the modules installed and depmod -a
> reports no errors.  The ipsec module loads w/o complaints.

You apparently (see below) did not apply the NAT-T patch. If you have clients
connecting from behind NAT, you will need to apply this patch. Either download
the klips-natt patch or use the 'make nattpatch' command in the openswan source
tree to generate the patch for your kernel. This is also described in chapter 3.

> yielding this output:
> ipsec_setup: Starting Openswan IPsec 2.4.5rc5...
> ipsec_setup: WARNING: changing route filtering on eth0 (changing
> /proc/sys/net/ipv4/conf/eth0/rp_filter from 1 to 0)

You might want to disable rp_filter in /etc/sysctl.conf (and enable IP
forwarding while you're editing the file)

> The ipsec module is loaded (verified with lsmod). But something is amiss.  The
> console begins to get spammed with this message:
> IPSEC EVENT: KLIPS device ipsec0 shut down
> about every 10 seconds...

Can you add plutonorestartoncrash=no and dumpdir=/tmp to the 'config setup'
section, and see if you are getting a core dump from a crashing pluto? It
should only do this once per time you start it (and stay down)

> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan 2.4.5rc5 (klips)
> Checking for IPsec support in kernel                            [OK]
> KLIPS detected, checking for NAT Traversal support              [FAILED]

You did not apply the nat-t patch.

> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [FAILED]
>   whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed
> (111 Connection refused)
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption DNS checks:
>    Looking for TXT in forward dns zone: fedora1athlon           [MISSING]
>    Does the machine have at least one non-private address?      [FAILED]

That's all fine. The errors are because pluto is dying before ipsec verify
is run.

> I am not attempting to test for NAT-T at this point, and the kernel has not
> been patched for NAT-T.


> I suspect my problem(s) may be related to not completely cleaning out the
> remnants of openswan-1.0.10 that exist on the development machine.
> I can provide online postings of the conf files or any log files as needed,
> just let me know what (and possibly how to generate the logs).

It seems like your pluto crashes, which regardless of having old files
around, should not happen. Do perhaps check if you have two installs
that are getting mixed up, eg in /usr/local/lib/ipsec and /usr/lib/ipsec (and
also /usr/local/libexec)
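As an added diagnostic (not part of the reply and not Openswan's own tooling), a small POSIX shell script that reports the mixed-install situation described above, where the same program exists in more than one install tree, and checks the two kernel settings the reply says to persist in /etc/sysctl.conf. The /usr/local/libexec/ipsec path and the /proc/sys file layout are assumptions:

```shell
#!/bin/sh
# Added example: find Openswan programs present in two or more install
# directories (the "two installs getting mixed up" case) and check sysctl
# values. Directory and proc paths below are assumptions; adjust as needed.

# Print each program name found in two or more of the given directories,
# with the directories it was found in. Returns 0 if no duplicates, 1 otherwise.
find_duplicate_ipsec_installs() {
    dirs="$*"
    names=""
    for d in $dirs; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] && names="$names
$(basename "$f")"
        done
    done
    dups=$(printf '%s\n' "$names" | sed '/^$/d' | sort | uniq -d)
    [ -z "$dups" ] && return 0
    for n in $dups; do
        printf '%s found in:' "$n"
        for d in $dirs; do
            [ -f "$d/$n" ] && printf ' %s' "$d"
        done
        printf '\n'
    done
    return 1
}

# Compare a /proc/sys file's current value with the expected one.
# Returns 0 on match, 1 if the file is unreadable or the value differs.
sysctl_value_is() {
    [ -r "$1" ] && [ "$(cat "$1")" = "$2" ]
}

# Typical run on the host (the reply's directories; libexec subpath assumed).
# The matching /etc/sysctl.conf lines would be:
#   net.ipv4.ip_forward = 1
#   net.ipv4.conf.eth0.rp_filter = 0
# find_duplicate_ipsec_installs /usr/local/lib/ipsec /usr/lib/ipsec /usr/local/libexec/ipsec
# sysctl_value_is /proc/sys/net/ipv4/conf/eth0/rp_filter 0
# sysctl_value_is /proc/sys/net/ipv4/ip_forward 1
```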
