[Openswan Users] Openswan fails to start.

Jim Barber jim.barber at ddihealth.com
Mon Oct 2 21:03:20 EDT 2006


Hi all.

I have successfully configured Openswan on two other hosts fine.
I am now trying to configure it on another host and for some reason it fails to start.

The messages in my auth.log are like so:

Oct  3 10:43:08 firewall ipsec__plutorun: Starting Pluto subsystem...
Oct  3 10:43:08 firewall pluto[8431]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
Oct  3 10:43:09 firewall pluto[8431]: Setting NAT-Traversal port-4500 floating to off
Oct  3 10:43:09 firewall pluto[8431]:    port floating activation criteria nat_t=0/port_fload=1
Oct  3 10:43:09 firewall pluto[8431]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Oct  3 10:43:09 firewall pluto[8431]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Oct  3 10:43:09 firewall pluto[8431]: WARNING: Using /dev/urandom as the source of random
Oct  3 10:43:09 firewall pluto[8431]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Oct  3 10:43:09 firewall pluto[8431]: starting up 1 cryptographic helpers
Oct  3 10:43:09 firewall pluto[8463]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Oct  3 10:43:09 firewall pluto[8463]: WARNING: Using /dev/urandom as the source of random
Oct  3 10:43:09 firewall pluto[8431]: started helper pid=8463 (fd:6)
Oct  3 10:43:09 firewall pluto[8431]: Using Linux 2.6 IPsec interface code on 2.6.18
Oct  3 10:43:09 firewall pluto[8431]: FATAL ERROR: Failed to bind bcast socket in init_netlink(). Errno 2: No such file or directory

Similar messages are in my syslog file too:

Oct  3 10:43:08 firewall kernel: NET: Registered protocol family 15
Oct  3 10:43:08 firewall ipsec_setup: KLIPS ipsec0 on net XXX.XXX.XXX.XXX/255.255.255.248 broadcast XXX.XXX.XXX.ZZZ
Oct  3 10:43:08 firewall ipsec_setup: ...Openswan IPsec started
Oct  3 10:43:08 firewall ipsec_setup: Starting Openswan IPsec 2.4.6...
Oct  3 10:43:08 firewall ipsec_setup: insmod /lib/modules/2.6.18/kernel/net/key/af_key.ko
Oct  3 10:43:08 firewall ipsec_setup: insmod /lib/modules/2.6.18/kernel/net/ipv4/xfrm4_tunnel.ko
Oct  3 10:43:09 firewall ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Oct  3 10:43:09 firewall ipsec__plutorun: ...could not add conn "ddi"
Oct  3 10:43:09 firewall ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Oct  3 10:43:09 firewall ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Oct  3 10:43:09 firewall ipsec__plutorun: ...could not route conn "ddi"
Oct  3 10:43:09 firewall ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Oct  3 10:43:09 firewall ipsec__plutorun: ...could not start conn "ddi"
Oct  3 10:43:09 firewall ipsec__plutorun: !pluto failure!:  exited with error status 1
Oct  3 10:43:09 firewall ipsec__plutorun: restarting IPsec after pause...

The output from an 'ipsec verify' command is as follows:

	Checking your system to see if IPsec got installed and started correctly:
	Version check and ipsec on-path                                 [OK]
	Linux Openswan U2.4.6/K2.6.18 (netkey)
	Checking for IPsec support in kernel                            [OK]
	NETKEY detected, testing for disabled ICMP send_redirects       [OK]
	NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
	Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
	  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
	Checking that pluto is running                                  [FAILED]
	  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
	Two or more interfaces found, checking IP forwarding            [FAILED]
	  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
	Checking NAT and MASQUERADEing
	Checking for 'ip' command                                       [OK]
	Checking for 'iptables' command                                 [OK]
	Opportunistic Encryption Support                                [DISABLED]

Which looks okay to me apart from it complaining about pluto not running because I can't start it.

The configuration is very basic too.
I'm just trying to configure one IPSec tunnel using a pre-shared key like so in the /etc/ipsec.conf file:

	version 2.0

	config setup
		virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!172.16.0.0/12

	conn %default
		auto=add
		authby=secret
		compress=yes
		keyingtries=0
		left=XXX.XXX.XXX.XXX

	conn ddi
		auto=start
		leftsourceip=172.16.0.9
		leftsubnet=172.16.0.0/12
		right=YYY.YYY.YYY.YYY
		rightsubnet=10.128.0.0/16

	include /etc/ipsec.d/examples/no_oe.conf

Where XXX.XXX.XXX.XXX is the public IP of the host, and YYY.YYY.YYY.YYY is the public IP of the remote host to tunnel to.
Both of these values are definitely correct.

The /etc/ipsec.secrets file is also very basic:

	: RSA /etc/ipsec.d/private/firewallKey.pem

	XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY : PSK "pre-shared key string removed"

Things that are different about this host are that it's much older hardware running a Celeron processor, and it's also running a newer 2.6.18 kernel.
The tunnel should be using NETKEY for its IPSec implementation.

The host is running Debian and is using the openswan_2.4.6+dfsg-1 Debian package.

So the final error seems to be:

	FATAL ERROR: Failed to bind bcast socket in init_netlink(). Errno 2: No such file or directory

I'm not sure why it's failing to bind a broadcast socket...
Unfortunately it isn't telling me what file or directory it is failing to open or write to, but I suspect it's something else that is wrong?

Any ideas?

-- 
----------
Jim Barber
DDI Health
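
Added example, not part of the original post: a small Python triage pass over log lines like those quoted above, separating the single fatal pluto line from the whack and connection failures that follow once pluto has exited. The sample input is constructed by merging lines from the post's auth.log and syslog excerpts; `triage` and the regex names are hypothetical.

```python
import re

# Constructed sample: lines taken from the auth.log and syslog excerpts in the post.
SAMPLE = """\
Oct  3 10:43:09 firewall pluto[8431]: started helper pid=8463 (fd:6)
Oct  3 10:43:09 firewall pluto[8431]: Using Linux 2.6 IPsec interface code on 2.6.18
Oct  3 10:43:09 firewall pluto[8431]: FATAL ERROR: Failed to bind bcast socket in init_netlink(). Errno 2: No such file or directory
Oct  3 10:43:09 firewall ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Oct  3 10:43:09 firewall ipsec__plutorun: ...could not add conn "ddi"
Oct  3 10:43:09 firewall ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Oct  3 10:43:09 firewall ipsec__plutorun: ...could not route conn "ddi"
Oct  3 10:43:09 firewall ipsec__plutorun: !pluto failure!:  exited with error status 1
"""

# Classic syslog prefix: timestamp, host, program, optional [pid], then the message.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                  r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FATAL = re.compile(r"FATAL ERROR: (?P<what>.*?) in (?P<func>\w+)\(\)\. "
                   r"Errno (?P<errno>\d+): (?P<text>.*)")
WHACK_DOWN = re.compile(r"whack: Pluto is not running")
CONN_FAIL = re.compile(r'\.\.\.could not (?P<step>\w+) conn "(?P<conn>[^"]+)"')
EXIT = re.compile(r"!pluto failure!:\s+exited with error status (?P<status>\d+)")

def triage(text):
    """Return the first fatal pluto error plus a tally of the follow-on failures."""
    report = {"fatal": None, "whack_down": 0, "conn_failures": [], "exit_status": None}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog-formatted line
        msg = m["msg"]
        if m["prog"] == "pluto" and report["fatal"] is None and (f := FATAL.search(msg)):
            report["fatal"] = {"pid": int(m["pid"]) if m["pid"] else None,
                               "what": f["what"], "func": f["func"],
                               "errno": int(f["errno"]), "text": f["text"]}
        elif WHACK_DOWN.search(msg):
            report["whack_down"] += 1  # consequence: the control socket never existed
        elif c := CONN_FAIL.search(msg):
            report["conn_failures"].append((c["step"], c["conn"]))
        elif e := EXIT.search(msg):
            report["exit_status"] = int(e["status"])
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```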

