[Openswan Users] Openswan doesn't starts because pluto is down

Avesh Agarwal avagarwa at redhat.com
Mon Jan 4 11:05:19 EST 2010


On 01/04/2010 10:59 AM, Jorge Jimenez wrote:
> Hi Avesh,
>
> I read README.nss and use this command:
> 	certutil -N -d<path-to-ipsec.d- dir>/ipsec.d
> to create a database.
> But it doesn't work and I get these log messages:
>
>    
Is NSS initialized now? On Fedora, use "sql:" as a prefix, like
"sql:<path-to-database>", or set NSS_DEFAULT_DB_TYPE="sql" if you do not
want to give the "sql:" prefix on the command line. It should create
cert9.db and key4.db.

> 	Jan  4 20:14:20 pross-mon01 ipsec_setup: Stopping Openswan IPsec...
> 	Jan  4 20:14:20 pross-mon01 kernel: NET: Unregistered protocol family 15
> 	Jan  4 20:14:20 pross-mon01 ipsec_setup: ...Openswan IPsec stopped
> 	Jan  4 20:14:26 pross-mon01 kernel: NET: Registered protocol family 15
> 	Jan  4 20:14:26 pross-mon01 ipsec_setup: Using NETKEY(XFRM) stack
> 	Jan  4 20:14:26 pross-mon01 ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
> 	Jan  4 20:14:26 pross-mon01 kernel: padlock: VIA PadLock not detected.
> 	Jan  4 20:14:26 pross-mon01 kernel: padlock: VIA PadLock not detected.
> 	Jan  4 20:14:26 pross-mon01 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
> 	Jan  4 20:14:26 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
> 	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
> 	Jan  4 20:14:26 pross-mon01 ipsec_setup: ...Openswan IPsec started
> 	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
> 	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
> 	Jan  4 20:14:26 pross-mon01 ipsec_starter[15185]: connect(pluto_ctl) failed: No such file or directory
> 	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
> 	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
> 	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
> 	Jan  4 20:14:26 pross-mon01 last message repeated 2 times
> 	Jan  4 20:14:26 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>
>
>    
Also check whether pluto is failing to start due to SELinux policy by
putting SELinux into permissive mode.


Avesh

> Merry Christmas and a prosperous 2010!
>
> Jorge Jiménez Miguélez
> Avinguda Diagonal, 605 - 4ª Planta
> 08028 - Barcelona
> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
> http://www.pross.com
>
>
> -----Original message-----
> From: Avesh Agarwal [mailto:avagarwa at redhat.com]
> Sent: Monday, 4 January 2010 15:52
> To: Paul Wouters
> CC: Jorge Jimenez; users at openswan.org
> Subject: Re: [Openswan Users] Openswan doesn't starts because pluto is down
>
> On 12/28/2009 09:03 AM, Paul Wouters wrote:
>    
>> On Mon, 28 Dec 2009, Jorge Jimenez wrote:
>>
>>
>>      
>>> Have you seen my logs? What do you think about?
>>>
>>>        
>> You need to either migrate your configuration to use NSS, or you
>> need to recompile openswan without NSS. I assume you're using a
>> binary package from fedora or rhel, so check /usr/share/doc/openswan*
>>
>> Paul
>>
>>
>>      
>    
>>> Merry Christmas and a prosperous 2010!
>>>
>>> Jorge Jiménez Miguélez
>>> Avinguda Diagonal, 605 - 4ª Planta
>>> 08028 - Barcelona
>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>> http://www.pross.com
>>>
>>>
>>> -----Original message-----
>>> From: Jorge Jimenez
>>> Sent: Thursday, 24 December 2009 9:26
>>> To: Jorge Jimenez; Paul Wouters
>>> CC: users at openswan.org
>>> Subject: RE: [Openswan Users] Openswan doesn't starts because pluto is down
>>>
>>> Sorry Paul,
>>>
>>> Copy/paste doesn't show fine. I try to send it another time.
>>>
>>> [root at pross-mon01 log]# /etc/init.d/ipsec start
>>> /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>> ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>>> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>
>>> [root at pross-mon01 log]# grep pluto secure
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: Starting Pluto subsystem...
>>> Dec 24 10:40:21 pross-mon01 pluto[7416]: nss directory plutomain: sql:/etc/ipsec.d
>>> Dec 24 10:40:21 pross-mon01 pluto[7416]: NSS initialization failed (err -8174)
>>>
>>>
>>>        
> Hi,
>
> Please go through README.nss. I think you need to create NSS database
> first, if you want to use Openswan with NSS.
>
> Regards
> Avesh
>
>
>    
>>> [root at pross-mon01 log]# grep pluto messages
>>> Dec 24 10:40:21 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>> Dec 24 10:40:21 pross-mon01 ipsec_starter[7423]: connect(pluto_ctl) failed: No such file or directory
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>>
>>>
>>> Merry Christmas and a prosperous 2010!
>>>
>>> Jorge Jiménez Miguélez
>>> Avinguda Diagonal, 605 - 4ª Planta
>>> 08028 - Barcelona
>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>> http://www.pross.com
>>>
>>>
>>>
>>> -----Original message-----
>>> From: Jorge Jimenez
>>> Sent: Thursday, 24 December 2009 9:22
>>> To: Paul Wouters
>>> CC: users at openswan.org; Jorge Jimenez
>>> Subject: RE: [Openswan Users] Openswan doesn't starts because pluto is down
>>>
>>> Hi Paul,
>>>
>>> Here you are. When I try to start ipsec, it only writes logs in secure and messages files:
>>>
>>> [root at pross-mon01 log]# /etc/init.d/ipsec start
>>> /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>> ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>>> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>
>>> [root at pross-mon01 log]# grep pluto secure
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: Starting Pluto subsystem...
>>> Dec 24 10:40:21 pross-mon01 pluto[7416]: nss directory plutomain: sql:/etc/ipsec.d
>>> Dec 24 10:40:21 pross-mon01 pluto[7416]: NSS initialization failed (err -8174)
>>>
>>> [root at pross-mon01 log]# grep pluto messages
>>> Dec 24 10:40:21 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>> Dec 24 10:40:21 pross-mon01 ipsec_starter[7423]: connect(pluto_ctl) failed: No such file or directory
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>>
>>> Thanks and kind Regards
>>>
>>> Merry Christmas and a prosperous 2010!
>>>
>>> Jorge Jiménez Miguélez
>>> Avinguda Diagonal, 605 - 4ª Planta
>>> 08028 - Barcelona
>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>> http://www.pross.com
>>>
>>>
>>> -----Original message-----
>>> From: Paul Wouters [mailto:paul at xelerance.com]
>>> Sent: Thursday, 24 December 2009 5:39
>>> To: Jorge Jimenez
>>> CC: users at openswan.org
>>> Subject: RE: [Openswan Users] Openswan doesn't starts because pluto is down
>>>
>>> On Wed, 23 Dec 2009, Jorge Jimenez wrote:
>>>
>>>
>>>        
>>>> Thanks for your quick answer!
>>>> Sorry for my English...
>>>> I only see in my logs what I sent... How can I increase my logs? What can I do to help you to find the problem...
>>>>
>>>>          
>>> Check all the logs in /var/log/*
>>> for instance:
>>>
>>> 	grep pluto /var/log/*
>>>
>>> Paul
>>>
>>>
>>>        
>>>> Thanks and kind regards
>>>>
>>>>
>>>> Merry Christmas and a prosperous 2010!
>>>>
>>>> Jorge Jiménez Miguélez
>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>> 08028 - Barcelona
>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>> http://www.pross.com
>>>>
>>>>
>>>> -----Original message-----
>>>> From: Paul Wouters [mailto:paul at xelerance.com]
>>>> Sent: Wednesday, 23 December 2009 20:01
>>>> To: Jorge Jimenez
>>>> CC: users at openswan.org
>>>> Subject: Re: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>
>>>> On Wed, 23 Dec 2009, Jorge Jimenez wrote:
>>>>
>>>>
>>>>          
>>>>> Date: Wed, 23 Dec 2009 17:14:59 +0100
>>>>> From: Jorge Jimenez<jorge.jimenez at pross.com>
>>>>> Cc: Jorge Jimenez<jorge.jimenez at pross.com>
>>>>> To: "users at openswan.org"<users at openswan.org>
>>>>> Subject: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>>
>>>>>            
>>>>
>>>>          
>>>>> I’ve installed Openswan and it doesn’t work.
>>>>>
>>>>>            
>>>> It looks like your pluto is crashing. Please check the logs for a more detailed
>>>> message. I don't see it below.
>>>>
>>>> Paul
>>>>
>>>>
>>>>          
>>>>> My message log is:
>>>>>
>>>>>
>>>>> Dec 23 18:14:28 pross-mon01 ipsec_setup: Stopping Openswan IPsec...
>>>>> Dec 23 18:14:28 pross-mon01 kernel: NET: Unregistered protocol family 15
>>>>> Dec 23 18:14:28 pross-mon01 ipsec_setup: ...Openswan IPsec stopped
>>>>> Dec 23 18:14:32 pross-mon01 kernel: NET: Registered protocol family 15
>>>>> Dec 23 18:14:32 pross-mon01 ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>>>>> Dec 23 18:14:33 pross-mon01 ipsec_setup: Using NETKEY(XFRM) stack
>>>>> Dec 23 18:14:33 pross-mon01 kernel: padlock: VIA PadLock not detected.
>>>>> Dec 23 18:14:33 pross-mon01 kernel: padlock: VIA PadLock not detected.
>>>>> Dec 23 18:14:33 pross-mon01 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>> Dec 23 18:14:33 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>> Dec 23 18:14:33 pross-mon01 ipsec_setup: ...Openswan IPsec started
>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>> Dec 23 18:14:33 pross-mon01 ipsec_starter[19297]: connect(pluto_ctl) failed: No such file or directory
>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>>>>> Dec 23 18:14:34 pross-mon01 last message repeated 2 times
>>>>> Dec 23 18:14:34 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>>>>
>>>>>
>>>>>
>>>>> And my ipsec.conf file is:
>>>>>
>>>>>
>>>>> version 2.0
>>>>>
>>>>> config setup
>>>>>         # Debug-logging controls:
>>>>>         protostack=netkey
>>>>>         #klipsdebug=none
>>>>>         klipsdebug="all"
>>>>>         plutodebug="all"
>>>>>         #plutodebug=none
>>>>>         nat_traversal=yes
>>>>> #       interfaces = "ipsec0=eth0"
>>>>>
>>>>> conn iberobrico
>>>>>         auto=start
>>>>>         left=%defaultroute
>>>>> #       leftprotoport=17/1701
>>>>>         #leftsubnet=10.10.100.0/24
>>>>>         right=xxx.xxx.xxx.xxx
>>>>> #       rightprotoport=17/1701
>>>>>         rightsubnet=172.254.100.0/24
>>>>>         #rightid=%any
>>>>>         keyexchange=ike
>>>>>         authby=secret
>>>>>         pfs=no
>>>>>         rekey=yes
>>>>>         keyingtries=0
>>>>> #       type=transport
>>>>>         esp=3des
>>>>>         #auth=esp
>>>>>         compress=yes
>>>>>
>>>>>
>>>>> Can someone help me please.
>>>>>
>>>>>
>>>>>
>>>>> Kind Regards
>>>>>
>>>>>
>>>>>
>>>>> PROSS Nevado
>>>>>
>>>>> Merry Christmas and a prosperous 2010!
>>>>>
>>>>>
>>>>>
>>>>> Jorge Jiménez Miguélez
>>>>>
>>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>>> 08028 - Barcelona
>>>>>
>>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>>> http://www.pross.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>            
>>>>
>>>>          
>>>
>>>        
>>
>>      
>
>    
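
Added example, not part of the original thread or of Openswan: NSS error -8174 is SEC_ERROR_BAD_DATABASE, and this shell check looks for the mismatch the reply above points at, where pluto logs that it opens "sql:/etc/ipsec.d" (cert9.db and key4.db) while the directory holds only the legacy cert8.db and key3.db, or nothing. The function names and the ROOT test argument are hypothetical, and treating an unprefixed path as "dbm" is an assumption.

```shell
# Added example (not from the thread): compare the NSS database pluto logs
# that it is opening with the database files actually present on disk.

# nss_db_format DIR -> sql | dbm | both | none
nss_db_format() {
    has_sql=no; has_dbm=no
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then has_sql=yes; fi
    if [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then has_dbm=yes; fi
    case "$has_sql$has_dbm" in
        yesyes) echo both ;;
        yesno)  echo sql ;;
        noyes)  echo dbm ;;
        *)      echo none ;;
    esac
}

# pluto_nss_spec LOGFILE -> value of the last "nss directory plutomain:" line
pluto_nss_spec() {
    sed -n 's/.*nss directory plutomain: *//p' "$1" | tail -n 1
}

# check_nss LOGFILE [ROOT] -> one-word verdict on stdout.
# ROOT is a hypothetical test hook: a prefix prepended to the logged path.
check_nss() {
    spec=$(pluto_nss_spec "$1")
    if [ -z "$spec" ]; then echo no-nss-line; return 0; fi
    case "$spec" in
        sql:*) want=sql; dir=${spec#sql:} ;;
        dbm:*) want=dbm; dir=${spec#dbm:} ;;
        # No prefix: NSS_DEFAULT_DB_TYPE decides. The "dbm" fallback is an
        # assumption that fits NSS releases of the thread's era.
        *)     want=${NSS_DEFAULT_DB_TYPE:-dbm}; dir=$spec ;;
    esac
    have=$(nss_db_format "${2:-}$dir")
    case "$have" in
        both|"$want") echo ok ;;
        none)         echo "missing-$want-db" ;;
        *)            echo "found-$have-need-$want" ;;
    esac
}

# Constructed sample: the pluto line from the thread plus a legacy-format DB.
demo() {
    t=$(mktemp -d); mkdir -p "$t/etc/ipsec.d"
    echo 'Dec 24 10:40:21 pross-mon01 pluto[7416]: nss directory plutomain: sql:/etc/ipsec.d' > "$t/secure"
    touch "$t/etc/ipsec.d/cert8.db" "$t/etc/ipsec.d/key3.db"
    check_nss "$t/secure" "$t"; rm -rf "$t"
}
```

On a live host, run `check_nss /var/log/secure`. A verdict of `ok` only means the expected files exist; `certutil -L -d sql:/etc/ipsec.d` confirms that NSS can open them.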


