[Openswan Users] Openswan doesn't starts because pluto is down

Jorge Jimenez jorge.jimenez at pross.com
Mon Jan 4 10:59:42 EST 2010


Hi Avesh,

I read README.nss and used this command:
	certutil -N -d <path-to-ipsec.d- dir>/ipsec.d
to create a database.
But it doesn't work, and I get this in the messages log:

	Jan  4 20:14:20 pross-mon01 ipsec_setup: Stopping Openswan IPsec...
	Jan  4 20:14:20 pross-mon01 kernel: NET: Unregistered protocol family 15
	Jan  4 20:14:20 pross-mon01 ipsec_setup: ...Openswan IPsec stopped
	Jan  4 20:14:26 pross-mon01 kernel: NET: Registered protocol family 15
	Jan  4 20:14:26 pross-mon01 ipsec_setup: Using NETKEY(XFRM) stack
	Jan  4 20:14:26 pross-mon01 ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
	Jan  4 20:14:26 pross-mon01 kernel: padlock: VIA PadLock not detected.
	Jan  4 20:14:26 pross-mon01 kernel: padlock: VIA PadLock not detected.
	Jan  4 20:14:26 pross-mon01 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
	Jan  4 20:14:26 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
	Jan  4 20:14:26 pross-mon01 ipsec_setup: ...Openswan IPsec started
	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
	Jan  4 20:14:26 pross-mon01 ipsec_starter[15185]: connect(pluto_ctl) failed: No such file or directory
	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
	Jan  4 20:14:26 pross-mon01 last message repeated 2 times
	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up


Merry Christmas and a Prosperous 2010!

Jorge Jiménez Miguélez
Avinguda Diagonal, 605 - 4ª Planta
08028 - Barcelona
Tel.: 902 01 35 34 - Mobile: 669 83 08 76
http://www.pross.com


-----Original Message-----
From: Avesh Agarwal [mailto:avagarwa at redhat.com]
Sent: Monday, 04 January 2010 15:52
To: Paul Wouters
CC: Jorge Jimenez; users at openswan.org
Subject: Re: [Openswan Users] Openswan doesn't starts because pluto is down

On 12/28/2009 09:03 AM, Paul Wouters wrote:
> On Mon, 28 Dec 2009, Jorge Jimenez wrote:
>
>    
>> Have you seen my logs? What do you think about them?
>>      
> You need to either migrate your configuration to use NSS, or you
> need to recompile openswan without NSS. I assume you're using a
> binary package from fedora or rhel, so check /usr/share/doc/openswan*
>
> Paul
>
>    

>> Merry Christmas and a Prosperous 2010!
>>
>> Jorge Jiménez Miguélez
>> Avinguda Diagonal, 605 - 4ª Planta
>> 08028 - Barcelona
>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>> http://www.pross.com
>>
>>
>> -----Original Message-----
>> From: Jorge Jimenez
>> Sent: Thursday, 24 December 2009 9:26
>> To: Jorge Jimenez; Paul Wouters
>> CC: users at openswan.org
>> Subject: RE: [Openswan Users] Openswan doesn't starts because pluto is down
>>
>> Sorry Paul,
>>
>> The copy/paste doesn't display well. I'll try sending it again.
>>
>> [root at pross-mon01 log]# /etc/init.d/ipsec start
>> /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>
>> [root at pross-mon01 log]# grep pluto secure
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: Starting Pluto subsystem...
>> Dec 24 10:40:21 pross-mon01 pluto[7416]: nss directory plutomain: sql:/etc/ipsec.d
>> Dec 24 10:40:21 pross-mon01 pluto[7416]: NSS initialization failed (err -8174)
>>
>>      

Hi,

Please go through README.nss. I think you need to create NSS database 
first, if you want to use Openswan with NSS.

Regards
Avesh


>> [root at pross-mon01 log]# grep pluto messages
>> Dec 24 10:40:21 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Dec 24 10:40:21 pross-mon01 ipsec_starter[7423]: connect(pluto_ctl) failed: No such file or directory
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>
>>
>> Merry Christmas and a Prosperous 2010!
>>
>> Jorge Jiménez Miguélez
>> Avinguda Diagonal, 605 - 4ª Planta
>> 08028 - Barcelona
>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>> http://www.pross.com
>>
>>
>>
>> -----Original Message-----
>> From: Jorge Jimenez
>> Sent: Thursday, 24 December 2009 9:22
>> To: Paul Wouters
>> CC: users at openswan.org; Jorge Jimenez
>> Subject: RE: [Openswan Users] Openswan doesn't starts because pluto is down
>>
>> Hi Paul,
>>
>> Here you are. When I try to start ipsec, it only writes logs in secure and messages files:
>>
>> [root at pross-mon01 log]# /etc/init.d/ipsec start
>> /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>
>> [root at pross-mon01 log]# grep pluto secure
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: Starting Pluto subsystem...
>> Dec 24 10:40:21 pross-mon01 pluto[7416]: nss directory plutomain: sql:/etc/ipsec.d
>> Dec 24 10:40:21 pross-mon01 pluto[7416]: NSS initialization failed (err -8174)
>>
>> [root at pross-mon01 log]# grep pluto messages
>> Dec 24 10:40:21 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Dec 24 10:40:21 pross-mon01 ipsec_starter[7423]: connect(pluto_ctl) failed: No such file or directory
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>
>> Thanks and kind Regards
>>
>> Merry Christmas and a Prosperous 2010!
>>
>> Jorge Jiménez Miguélez
>> Avinguda Diagonal, 605 - 4ª Planta
>> 08028 - Barcelona
>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>> http://www.pross.com
>>
>>
>> -----Original Message-----
>> From: Paul Wouters [mailto:paul at xelerance.com]
>> Sent: Thursday, 24 December 2009 5:39
>> To: Jorge Jimenez
>> CC: users at openswan.org
>> Subject: RE: [Openswan Users] Openswan doesn't starts because pluto is down
>>
>> On Wed, 23 Dec 2009, Jorge Jimenez wrote:
>>
>>      
>>> Thanks for your quick answer!
>>> Sorry for my English...
>>> I only see in my logs what I sent... How can I increase my logs? What can I do to help you find the problem...
>>>        
>> Check all the logs in /var/log/*
>> for instance:
>>
>> 	grep pluto /var/log/*
>>
>> Paul
>>
>>      
>>> Thanks and kind regards
>>>
>>>
>>> Merry Christmas and a Prosperous 2010!
>>>
>>> Jorge Jiménez Miguélez
>>> Avinguda Diagonal, 605 - 4ª Planta
>>> 08028 - Barcelona
>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>> http://www.pross.com
>>>
>>>
>>> -----Original Message-----
>>> From: Paul Wouters [mailto:paul at xelerance.com]
>>> Sent: Wednesday, 23 December 2009 20:01
>>> To: Jorge Jimenez
>>> CC: users at openswan.org
>>> Subject: Re: [Openswan Users] Openswan doesn't starts because pluto is down
>>>
>>> On Wed, 23 Dec 2009, Jorge Jimenez wrote:
>>>
>>>        
>>>> Date: Wed, 23 Dec 2009 17:14:59 +0100
>>>> From: Jorge Jimenez<jorge.jimenez at pross.com>
>>>> Cc: Jorge Jimenez<jorge.jimenez at pross.com>
>>>> To: "users at openswan.org"<users at openswan.org>
>>>> Subject: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>          
>>>        
>>>> I’ve installed Openswan and it doesn’t work.
>>>>          
>>> It looks like your pluto is crashing. Please check the logs for a more detailed
>>> message. I don't see it below.
>>>
>>> Paul
>>>
>>>        
>>>> My message log is:
>>>>
>>>> Dec 23 18:14:28 pross-mon01 ipsec_setup: Stopping Openswan IPsec...
>>>> Dec 23 18:14:28 pross-mon01 kernel: NET: Unregistered protocol family 15
>>>> Dec 23 18:14:28 pross-mon01 ipsec_setup: ...Openswan IPsec stopped
>>>> Dec 23 18:14:32 pross-mon01 kernel: NET: Registered protocol family 15
>>>> Dec 23 18:14:32 pross-mon01 ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>>>> Dec 23 18:14:33 pross-mon01 ipsec_setup: Using NETKEY(XFRM) stack
>>>> Dec 23 18:14:33 pross-mon01 kernel: padlock: VIA PadLock not detected.
>>>> Dec 23 18:14:33 pross-mon01 kernel: padlock: VIA PadLock not detected.
>>>> Dec 23 18:14:33 pross-mon01 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>> Dec 23 18:14:33 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>> Dec 23 18:14:33 pross-mon01 ipsec_setup: ...Openswan IPsec started
>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>> Dec 23 18:14:33 pross-mon01 ipsec_starter[19297]: connect(pluto_ctl) failed: No such file or directory
>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>>>> Dec 23 18:14:34 pross-mon01 last message repeated 2 times
>>>> Dec 23 18:14:34 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>>>
>>>> And my ipsec.conf file is:
>>>>
>>>> version 2.0
>>>>
>>>> config setup
>>>>          # Debug-logging controls:
>>>>          protostack=netkey
>>>>          #klipsdebug=none
>>>>          klipsdebug="all"
>>>>          plutodebug="all"
>>>>          #plutodebug=none
>>>>          nat_traversal=yes
>>>> #       interfaces = "ipsec0=eth0"
>>>>
>>>> conn iberobrico
>>>>          auto=start
>>>>          left=%defaultroute
>>>> #       leftprotoport=17/1701
>>>>          #leftsubnet=10.10.100.0/24
>>>>          right=xxx.xxx.xxx.xxx
>>>> #       rightprotoport=17/1701
>>>>          rightsubnet=172.254.100.0/24
>>>>          #rightid=%any
>>>>          keyexchange=ike
>>>>          authby=secret
>>>>          pfs=no
>>>>          rekey=yes
>>>>          keyingtries=0
>>>> #       type=transport
>>>>          esp=3des
>>>>          #auth=esp
>>>>          compress=yes
>>>>
>>>> Can someone help me please.
>>>>
>>>>
>>>> Kind Regards
>>>>
>>>> PROSS Nevado
>>>>
>>>> Merry Christmas and a Prosperous 2010!
>>>>
>>>> Jorge Jiménez Miguélez
>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>> 08028 - Barcelona
>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>> http://www.pross.com
>>>>
>>>
>>>        
>>
>>      
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>    
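
Added example (not part of the thread and not Openswan code): the quoted pluto log shows it opening `sql:/etc/ipsec.d` and failing with NSS error -8174 (SEC_ERROR_BAD_DATABASE), so a useful check is whether that directory holds a database in the format pluto asks for. The script below reads the `nss directory plutomain:` line from a log and compares it with the files on disk; the function names and the optional ROOT argument are hypothetical, and whether a format mismatch is the cause in this thread is an assumption.

```shell
# Added example, not Openswan code: compare the NSS database format pluto
# asks for (taken from its log line) with the files present in that directory.

# nss_db_format DIR -> sql | dbm | both | none
nss_db_format() {
    fmt=none
    # SQLite-format NSS databases are cert9.db + key4.db
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then fmt=sql; fi
    # legacy DBM-format databases are cert8.db + key3.db
    if [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then
        if [ "$fmt" = sql ]; then fmt=both; else fmt=dbm; fi
    fi
    echo "$fmt"
}

# pluto_nss_spec LOGFILE -> last value logged after "nss directory plutomain:"
pluto_nss_spec() {
    sed -n 's/.*nss directory plutomain: *//p' "$1" | tail -n 1
}

# check_nss LOGFILE [ROOT] -> prints a verdict; exit status 0 only on a match.
# ROOT is a hypothetical prefix so the check can run against a copied tree.
check_nss() {
    spec=$(pluto_nss_spec "$1")
    if [ -z "$spec" ]; then echo "no nss directory line found"; return 2; fi
    case "$spec" in
        sql:*) want=sql; dir=${spec#sql:} ;;
        dbm:*) want=dbm; dir=${spec#dbm:} ;;
        *)     want=dbm; dir=$spec ;;  # assumption: unprefixed means legacy DBM
    esac
    have=$(nss_db_format "${2:-}$dir")
    if [ "$have" = "$want" ] || [ "$have" = both ]; then
        echo "ok: $want database present in $dir"; return 0
    fi
    echo "mismatch: pluto wants $want in $dir, found $have"; return 1
}

# Constructed demo: the two pluto lines quoted in the thread, plus an empty
# directory standing in for /etc/ipsec.d before any database is created.
demo() {
    tmp=$(mktemp -d) && mkdir -p "$tmp/etc/ipsec.d"
    printf '%s\n' \
      'Dec 24 10:40:21 pross-mon01 pluto[7416]: nss directory plutomain: sql:/etc/ipsec.d' \
      'Dec 24 10:40:21 pross-mon01 pluto[7416]: NSS initialization failed (err -8174)' > "$tmp/secure"
    rc=0; check_nss "$tmp/secure" "$tmp" || rc=$?
    rm -rf "$tmp"; return "$rc"
}

demo || true
```

When the verdict is a mismatch for a `sql:` directory, certutil accepts the same prefix on its `-d` argument, for example `certutil -N -d sql:/etc/ipsec.d`.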



