[Openswan Users] Kernel 2.4.32 + openswan-2.4.5rc5
hivemynd at hivemynd.net
Tue Mar 7 13:56:44 CET 2006
Hi Paul and list,
I was able to perform the additional steps and checks recommended below,
but haven't seemed to proceed much further, other than the constant
"IPSEC EVENT: KLIPS device ipsec0 shut down" messages have stopped now
(thanks to the config setup option I believe). Here is what I have
done (and redone) so far (abbreviated):
1.) Clean 2.4.32 kernel source compiled and installed (no errors).
2.) Rebooted into new kernel, and patched the kernel with the klips and
the NAT-T patches:
patch -p1 < openswan-2.4.5rc5.kernel-2.4-klips.patch
patch -p1 < openswan-2.4.5rc5.kernel-2.4-natt.patch
Both patches appeared to apply cleanly, only minor fuzz.
3.) Re-ran make menuconfig and selected ipsec as a module, then all
other ipsec options/algorithms as monolithic. Saved config, rebuilt kernel:
make dep clean bzImage modules modules_install install
4.) Rebooted into new kernel (patched as above), no errors.
5.) Configured Makefile.inc appropriate for my environment, then built
the openswan-2.4.5.rc5 userland programs:
again, no errors.
6.) Rebooted, just to make sure... no errors.
7.) The ipsec module loads w/o complaints and reports the 3 default
encryption algorithms registered w/o issues. However, ipsec verify
still reports errors:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.4.5rc5 (klips)
Checking for IPsec support in kernel [OK]
KLIPS detected, checking for NAT Traversal support [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [FAILED]
whack: is Pluto running? connect() for "/var/run/pluto/pluto.ctl"
failed (111 Connection refused)
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
The two odd things are that the NAT traversal support is reporting as
failed, when the kernel is patched for it, and the Makefile.inc was
configured with the nat-t variables = true. The second oddity is that
pluto is still not running.
Here is my ipsec.conf file:
---- BEGIN ipsec.conf ----
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# Only enable klipsdebug=all if you are a developer
# NAT-TRAVERSAL support, see README.NAT-Traversal
# Add connections here
# sample VPN connection
# Left security gateway, subnet behind it, nexthop toward right.
# Right security gateway, subnet behind it, nexthop toward left.
# To authorize this connection, but not actually start it,
# at startup, uncomment this.
#Disable Opportunistic Encryption
-------- END ipsec.conf ------------------
(looks like thunderbird is mangling that a bit)
If you think it would be helpful, I can post the results of a barf and
the Makefile.inc (either to the list or via external links). The 4
expected ipsecX interfaces are present, but pluto will not start. There
is no dump file in /tmp that I could detect.
> You might want to disable rp_filter in /etc/sysctl.conf (and enable IP
> forwarding while you're editing the file)
Yup, thanks, did that.
> Can you add plutonorestartoncrash=no and dumpdir=/tmp to the 'config setup'
> section, and see if you are getting a core dump from a crashing pluto? It
> should only do this once per time you start it (and stay down)
Added the two lines, but there was no file emitted into the /tmp dir
when attempting to start pluto.
>>I suspect my problem(s) may be related to not completely cleaning out the
>>remnants of openswan-1.0.10 that exist on the development machine.
>>I can provide online postings of the conf files or any log files as needed,
>>just let me know what (and possibly how to generate the logs).
> It seems like your pluto crashes, which regardless of having old files
> around, should not happen. Do perhaps check if you have two installs
> that are getting mixed up, eg in /usr/local/lib/ipsec and /usr/lib/ipsec (and
> also /usr/local/libexec)
I verified that all remnants of openswan-1.0.10 have been removed. Only
openswan-2.4.5rc5 scripts and binaries appear to be in the above named
Thank you again for your continued assistance!
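The mixed-install check Paul asks about, as an added example that is not part of the thread: it reports when a `pluto` binary exists under more than one of the directories named above, and whether the control socket from the whack error message is present. The optional root-prefix argument is an assumption added only so the check can be run against a constructed directory tree.

```shell
# Added example (not from the thread). Looks for a pluto binary under the
# install prefixes Paul named; a hit in more than one means two Openswan
# userlands are being mixed up. $1 (optional) prefixes every path so the
# function can be exercised against a constructed tree instead of /.
openswan_mixed_installs() {
  root="${1:-}"
  found=""
  for d in /usr/local/lib/ipsec /usr/lib/ipsec /usr/local/libexec; do
    [ -x "$root$d/pluto" ] && found="$found $root$d"
  done
  # shellcheck disable=SC2086  # word-splitting on $found is intended
  set -- $found
  if [ "$#" -gt 1 ]; then
    printf 'pluto installed under more than one prefix:\n'
    printf '  %s\n' "$@"
    return 1          # mixed installs: the condition Paul asked about
  fi
  return 0            # zero or one install: nothing to untangle
}

# True when pluto's control socket (the path in the whack error) exists;
# absent socket plus no core in dumpdir points at pluto never starting.
pluto_socket_present() {
  [ -S "${1:-}/var/run/pluto/pluto.ctl" ]
}
```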