[Openswan Users] endless loop pluto keeps crashing and trying to restart
Brian Gustin
brian at daviesinc.com
Mon Mar 10 13:27:25 EDT 2008
Debian on a 2.6 kernel, running Debian-packaged openswan 2.4.8
I get this in syslog:
Mar 10 12:28:22 tom ipsec__plutorun: restarting IPsec after pause...
Mar 10 12:28:23 tom ipsec_setup: ...Openswan IPsec stopped
Mar 10 12:28:23 tom ipsec_setup: Stopping Openswan IPsec...
Mar 10 12:28:23 tom ipsec_setup: NETKEY on eth0 66.244.144.232/255.255.255.0 broadcast 66.244.144.255
Mar 10 12:28:23 tom ipsec_setup: ...Openswan IPsec started
Mar 10 12:28:23 tom ipsec_setup: Restarting Openswan IPsec U2.4.8/K2.6.24.3...
Mar 10 12:28:23 tom ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Mar 10 12:28:23 tom ipsec__plutorun: !pluto failure!: exited with error status 1
Mar 10 12:28:23 tom ipsec__plutorun: restarting IPsec after pause...
over and over and over.
root at tom:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.8/K2.6.24.3 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Works fine on my Fedora machine (Fedora 5, installed from RPM package, openswan 2.5.17)
[root at localhost openswan-2.5.17]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.20-1.2320.fc5 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]
Any help on what I need to look for?
Google search turned up a couple things that I've tried, with no luck.
One mentioned I need xfrm_user, however - I don't have that module on
*EITHER* machine
[root at localhost openswan-2.5.17]# modprobe xfrm_user
FATAL: Module xfrm_user not found.
Also - how the HECK do I get the ipsec processes to stop?
I've tried killall -9 ipsec but it just restarts a new process, I've used
/etc/init.d/ipsec stop , it stops, then restarts itself up again
can't seem to find where to get it to stop running
Debian ipsec config:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0
        dumpdir=/tmp

# Add connections here

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
Fedora ipsec config:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12

# Add connections here

# sample VPN connection
#conn sample
#        # Left security gateway, subnet behind it, nexthop toward right.
#        left=10.0.0.1
#        leftsubnet=172.16.0.0/24
#        leftnexthop=10.22.33.44
#        # Right security gateway, subnet behind it, nexthop toward left.
#        right=10.12.12.1
#        rightsubnet=192.168.0.0/24
#        rightnexthop=10.101.102.103
#        # To authorize this connection, but not actually start it,
#        # at startup, uncomment this.
#        #auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
Trying to read the documentation and setup seems to give me no help
either - the intent is to set up VPN tunnels from remote machines, into
the colo LAN network at the data center, so we can access administrative
machines and routers, etc. without having them need a default gateway to
the outside world. (tightening up security)
I'm sure I can figure out the configurations to do THAT, but, the first
trick is, I need to actually have openswan running on both machines
before I can go and set up the configurations.
(I also disabled the firewall on the colo webserver thinking it might be
a firewall issue, but it doesn't do anything.)
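The restart loop quoted above is easy to miss in a busy syslog, because each cycle looks like a routine "stopped/started" pair. As an added example (not part of this post and not Openswan code), the script below parses classic syslog lines, flags a host on which the `_plutorun` supervisor reports `!pluto failure!` repeatedly within a short window, and summarises `ipsec verify` output into its OK/FAILED checks. The sample log and verify text are constructed from the lines in the post; the repeated failures at 12:28:34 and 12:28:45 are invented timestamps used to mimic the loop, and the threshold and window are assumed tunables, not Openswan settings.

```python
"""Detect an Openswan pluto crash/restart loop in syslog and summarise
`ipsec verify` output.  Added example for this thread; not part of the
original post or of Openswan.  Sample data below is constructed."""
import re
from datetime import datetime, timedelta

# Classic syslog prefix: "Mar 10 12:28:22 host program: message" (no year).
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$')

# Marker the _plutorun supervisor logs when pluto exits non-zero (from the post).
FAILURE_MARKER = '!pluto failure!'

# Constructed sample: the cycle quoted in the post, then two more failure
# cycles with invented timestamps 11 s apart to mimic a restart loop.
SAMPLE_SYSLOG = """\
Mar 10 12:28:22 tom ipsec__plutorun: restarting IPsec after pause...
Mar 10 12:28:23 tom ipsec_setup: ...Openswan IPsec stopped
Mar 10 12:28:23 tom ipsec_setup: Restarting Openswan IPsec U2.4.8/K2.6.24.3...
Mar 10 12:28:23 tom ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Mar 10 12:28:23 tom ipsec__plutorun: !pluto failure!: exited with error status 1
Mar 10 12:28:23 tom ipsec__plutorun: restarting IPsec after pause...
Mar 10 12:28:34 tom ipsec__plutorun: !pluto failure!: exited with error status 1
Mar 10 12:28:34 tom ipsec__plutorun: restarting IPsec after pause...
Mar 10 12:28:45 tom ipsec__plutorun: !pluto failure!: exited with error status 1
Mar 10 12:28:45 tom ipsec__plutorun: restarting IPsec after pause...
"""

# Constructed sample of `ipsec verify` output, as quoted for the Debian host.
SAMPLE_VERIFY = """\
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.8/K2.6.24.3 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Opportunistic Encryption Support [DISABLED]
"""

VERIFY_RE = re.compile(r'^(?P<check>.+?)\s*\[(?P<status>OK|FAILED|DISABLED|N/A)\]$')


def parse_syslog(text, year=2008):
    """Parse syslog lines into dicts; the year is assumed (syslog omits it)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({'ts': ts, 'host': m['host'],
                       'prog': m['prog'].strip(), 'msg': m['msg']})
    return events


def detect_restart_loop(events, threshold=3, window=timedelta(seconds=60)):
    """Report hosts with >= threshold pluto failures inside one sliding window.

    Returns {host: {'count': n, 'first': ts, 'last': ts}} for looping hosts;
    threshold and window are assumed tunables, not Openswan settings."""
    per_host = {}
    for e in events:
        if e['prog'].endswith('_plutorun') and FAILURE_MARKER in e['msg']:
            per_host.setdefault(e['host'], []).append(e['ts'])
    findings = {}
    for host, stamps in per_host.items():
        stamps.sort()
        best, start = None, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide window start forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best['count']):
                best = {'count': count, 'first': stamps[start], 'last': ts}
        if best:
            findings[host] = best
    return findings


def parse_ipsec_verify(text):
    """Map each bracketed `ipsec verify` check line to its status."""
    results = {}
    for line in text.splitlines():
        m = VERIFY_RE.match(line.strip())
        if m:
            results[m['check'].strip()] = m['status']
    return results


def failed_checks(results):
    """Names of checks that verify reported as FAILED (DISABLED is not a failure)."""
    return [check for check, status in results.items() if status == 'FAILED']


if __name__ == '__main__':
    for host, f in detect_restart_loop(parse_syslog(SAMPLE_SYSLOG)).items():
        print(f"{host}: {f['count']} pluto failures between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S} (restart loop)")
    for check in failed_checks(parse_ipsec_verify(SAMPLE_VERIFY)):
        print(f"ipsec verify FAILED: {check}")
```

Run against a real `/var/log/syslog` by replacing `SAMPLE_SYSLOG` with the file contents; a single failure cycle at boot is normal noise, so the sliding window rather than a raw count is what separates "pluto died once" from "pluto is stuck in a restart loop".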