[Openswan Users] Kernel 2.4.32 + openswan-2.4.5rc5

Stephen Jones hivemynd at hivemynd.net
Tue Mar 7 13:56:44 CET 2006


Hi Paul and list,

I was able to perform the additional steps and checks recommended below, 
but haven't seemed to proceed much further, other than the constant 
"IPSEC EVENT: KLIPS device ipsec0 shut down" messages have stopped now 
(thanks to the config setup option I believe).   Here is what I have 
done (and redone) so far (abbreviated):

1.) Clean 2.4.32 kernel source compiled and installed (no errors).
2.) Rebooted into new kernel, and patched the kernel with the klips and 
the NAT-T patches:

patch -p1 < openswan-2.4.5rc5.kernel-2.4-klips.patch
patch -p1 < openswan-2.4.5rc5.kernel-2.4-natt.patch

Both patches appeared to apply cleanly, only minor fuzz.

3.) Re-ran make menuconfig and selected ipsec as a module, then all 
other ipsec options/algorithms as monolithic.  Saved config, rebuilt kernel:

make dep clean bzImage modules modules_install install

no errors.

4.) Rebooted into new kernel (patched as above), no errors.
5.) Configured Makefile.inc appropriate for my environment, then built 
the openswan-2.4.5.rc5 userland programs:
make programs
make install

again, no errors.

6.) Rebooted, just to make sure... no errors.
7.) The ipsec module loads w/o complaints and reports the 3 default 
encryption algorithms registered w/o issues.  However, ipsec verify 
still reports errors:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.5rc5 (klips)
Checking for IPsec support in kernel                            [OK]
KLIPS detected, checking for NAT Traversal support              [FAILED]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [FAILED]
   whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" 
failed (111 Connection refused)
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

The two odd things are that the NAT traversal support is reporting as 
failed, when the kernel is patched for it, and the Makefile.inc was 
configured with the nat-t variables = true.  The second oddity is that 
pluto is still not running.

Here is my ipsec.conf file:

---- BEGIN ipsec.conf ----

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	plutorestartoncrash=no
	dumpdir=/tmp
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg:
	plutodebug="all"
	#
	# Only enable klipsdebug=all if you are a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
	interfaces=%defaultroute

# Add connections here

# sample VPN connection
conn sample
	# Left security gateway, subnet behind it, nexthop toward right.
	left=10.0.0.1
	leftsubnet=172.16.0.0/24
	leftnexthop=10.22.33.44
	# Right security gateway, subnet behind it, nexthop toward left.
	right=10.12.12.1
	rightsubnet=192.168.0.0/24
	rightnexthop=10.101.102.103
	type=tunnel
	# To authorize this connection, but not actually start it,
	# at startup, uncomment this.
	auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

-------- END ipsec.conf ------------------
(looks like thunderbird is mangling that a bit)

If you think it would be helpful, I can post the results of a barf and 
the Makefile.inc (either to the list or via external links).  The 4 
expected ipsecX interfaces are present, but pluto will not start.  There 
is no dump file in /tmp that I could detect.

> 
> You might want to disable rp_filter in /etc/sysctl.conf (and enable IP
> forwarding while you're editing the file)

Yup, thanks, did that.
> 
> 
> Can you add plutonorestartoncrash=no and dumpdir=/tmp to the 'config setup'
> section, and see if you are getting a core dump from a crashing pluto? It
> should only do this once per time you start it (and stay down)
> 
Added the two lines, but there was no file emitted into the /tmp dir 
when attempting to start pluto.

<snip>

>>I suspect my problem(s) may be related to not completely cleaning out the
>>remnants of openswan-1.0.10 that exist on the development machine.
>>I can provide online postings of the conf files or any log files as needed,
>>just let me know what (and possibly how to generate the logs).
> 
> 
> It seems like your pluto crashes, which regardless of having old files
> around, should not happen. Do perhaps check if you have two installs
> that are getting mixed up, eg in /usr/local/lib/ipsec and /usr/lib/ipsec (and
> also /usr/local/libexec)
>
I verified that all remnants of openswan-1.0.10 have been removed.  Only 
openswan-2.4.5rc5 scripts and binaries appear to be in the above named 
directories.

> Paul
> --

Thank you again for your continued assistance!

SJ
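A small lint for the 'config setup' section, added here as an example (it is not code from the post, from Paul, or from the Openswan project): it parses the keyword=value lines and checks every virtual_private entry for the %v4:/%v6: address-family prefix Openswan expects, so an entry like the `%4:172.16.0.0/12` in the config above is flagged before pluto is started. The sample config is constructed from that post; the parsing rules (indented keyword lines, `#` comments) are an assumption about the ipsec.conf format.

```python
# Added example (not from the original post or from Openswan): parse the
# 'config setup' section of an ipsec.conf and check each virtual_private entry
# for the %v4:/%v6: prefix Openswan expects, catching a typo like '%4:172.16.0.0/12'.
import ipaddress
import re

# Constructed sample, based on the config quoted in the post above.
SAMPLE_CONF = """\
config setup
\tnat_traversal=yes
\tvirtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
\tinterfaces=%defaultroute
conn sample
\tleft=10.0.0.1
"""

ENTRY = re.compile(r"^!?%(v4|v6):(.+)$")   # a leading '!' excludes a range
def parse_setup(text):  # returns {key: value} for the 'config setup' section only
    values, in_setup = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line: section header
            in_setup = line.strip() == "config setup"
        elif in_setup and "=" in line:
            key, val = line.strip().split("=", 1)
            values[key.strip()] = val.strip().strip('"')
    return values

def check_virtual_private(spec):  # returns the problems found (empty list if clean)
    problems = []
    for entry in spec.split(","):
        m = ENTRY.match(entry)
        if not m:
            problems.append(f"{entry}: missing or malformed %v4:/%v6: prefix")
            continue
        try:
            net = ipaddress.ip_network(m.group(2), strict=True)
            if net.version != (4 if m.group(1) == "v4" else 6):
                problems.append(f"{entry}: address family does not match prefix")
        except ValueError:
            problems.append(f"{entry}: not a valid network")
    return problems

if __name__ == "__main__":
    for problem in check_virtual_private(parse_setup(SAMPLE_CONF)["virtual_private"]):
        print("virtual_private:", problem)
```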
