[Openswan Users] Openswan doesn't starts because pluto is down

Ondrej Valousek webserv at s3group.cz
Mon Jan 4 11:17:50 EST 2010


Avesh Agarwal wrote:
> On 01/04/2010 11:16 AM, Jorge Jimenez wrote:
>   
>> Hi Avesh,
>>
>> I answer your two questions.
>>
>>          - I don't have an SQL database on my Linux machine; do I need it?
>>    
>>     
> If you are running on fedora, then yes.
>   
No, you do not need it. I do not know what this prefix means, but NSS 
holds the database for you. No additional sql server is needed.....

>   
>>          - SELinux is disabled in my machine
>>
>> Thanks for your answer and kind regards
>>
>>
>> Merry Christmas and a Prosperous 2010!
>>
>> Jorge Jiménez Miguélez
>> Avinguda Diagonal, 605 - 4ª Planta
>> 08028 - Barcelona
>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>> http://www.pross.com
>>
>>
>>
>> -----Original Message-----
>> From: Avesh Agarwal [mailto:avagarwa at redhat.com]
>> Sent: Monday, January 4, 2010 17:05
>> To: Jorge Jimenez
>> CC: Paul Wouters; users at openswan.org
>> Subject: Re: [Openswan Users] Openswan doesn't starts because pluto is down
>>
>> On 01/04/2010 10:59 AM, Jorge Jimenez wrote:
>>    
>>     
>>> Hi Avesh,
>>>
>>> I read README.nss and use this command:
>>>        certutil -N -d<path-to-ipsec.d- dir>/ipsec.d
>>> to create a database.
>>> But it doesn't work and I get these log messages:
>>>
>>>
>>>      
>>>       
>> Is NSS initialized now? On fedora, use "sql:" as a prefix like
>> "sql:<path-to-database>", or set NSS_DEFAULT_DB_TYPE="sql" if you do not
>> want to give "sql:" prefix on the command line. It should create
>> cert9.db and key4.db.
>>
>>    
>>     
>>>        Jan  4 20:14:20 pross-mon01 ipsec_setup: Stopping Openswan IPsec...
>>>        Jan  4 20:14:20 pross-mon01 kernel: NET: Unregistered protocol family 15
>>>        Jan  4 20:14:20 pross-mon01 ipsec_setup: ...Openswan IPsec stopped
>>>        Jan  4 20:14:26 pross-mon01 kernel: NET: Registered protocol family 15
>>>        Jan  4 20:14:26 pross-mon01 ipsec_setup: Using NETKEY(XFRM) stack
>>>        Jan  4 20:14:26 pross-mon01 ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>>>        Jan  4 20:14:26 pross-mon01 kernel: padlock: VIA PadLock not detected.
>>>        Jan  4 20:14:26 pross-mon01 kernel: padlock: VIA PadLock not detected.
>>>        Jan  4 20:14:26 pross-mon01 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>        Jan  4 20:14:26 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>>>        Jan  4 20:14:26 pross-mon01 ipsec_setup: ...Openswan IPsec started
>>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>        Jan  4 20:14:26 pross-mon01 ipsec_starter[15185]: connect(pluto_ctl) failed: No such file or directory
>>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>>>        Jan  4 20:14:26 pross-mon01 last message repeated 2 times
>>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>>
>>>
>>>
>>>      
>>>       
>> Also check if pluto is not starting due to selinux policy by putting
>> selinux into permissive mode.
>>
>>
>> Avesh
>>
>>    
>>     
>>> Merry Christmas and a Prosperous 2010!
>>>
>>> Jorge Jiménez Miguélez
>>> Avinguda Diagonal, 605 - 4ª Planta
>>> 08028 - Barcelona
>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>> http://www.pross.com
>>>
>>>
>>> -----Original Message-----
>>> From: Avesh Agarwal [mailto:avagarwa at redhat.com]
>>> Sent: Monday, January 4, 2010 15:52
>>> To: Paul Wouters
>>> CC: Jorge Jimenez; users at openswan.org
>>> Subject: Re: [Openswan Users] Openswan doesn't starts because pluto is down
>>>
>>> On 12/28/2009 09:03 AM, Paul Wouters wrote:
>>>
>>>      
>>>       
>>>> On Mon, 28 Dec 2009, Jorge Jimenez wrote:
>>>>
>>>>
>>>>
>>>>        
>>>>         
>>>>> Have you seen my logs? What do you think about?
>>>>>
>>>>>
>>>>>          
>>>>>           
>>>> You need to either migrate your configuration to use NSS, or you
>>>> need to recompile openswan without NSS. I assume you're using a
>>>> binary package from fedora or rhel, so check /usr/share/doc/openswan*
>>>>
>>>> Paul
>>>>
>>>>
>>>>
>>>>        
>>>>         
>>>      
>>>       
>>>>> Merry Christmas and a Prosperous 2010!
>>>>>
>>>>> Jorge Jiménez Miguélez
>>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>>> 08028 - Barcelona
>>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>>> http://www.pross.com
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jorge Jimenez
>>>>> Sent: Thursday, December 24, 2009 9:26
>>>>> To: Jorge Jimenez; Paul Wouters
>>>>> CC: users at openswan.org
>>>>> Subject: RE: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>>
>>>>> Sorry Paul,
>>>>>
>>>>> Copy/paste doesn't show fine. I try to send it another time.
>>>>>
>>>>> [root@pross-mon01 log]# /etc/init.d/ipsec start
>>>>> /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>> ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>>>>> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>>
>>>>> [root@pross-mon01 log]# grep pluto secure
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: Starting Pluto subsystem...
>>>>> Dec 24 10:40:21 pross-mon01 pluto[7416]: nss directory plutomain: sql:/etc/ipsec.d
>>>>> Dec 24 10:40:21 pross-mon01 pluto[7416]: NSS initialization failed (err -8174)
>>>>>
>>>>>
>>>>>
>>>>>          
>>>>>           
>>> Hi,
>>>
>>> Please go through README.nss. I think you need to create NSS database
>>> first, if you want to use Openswan with NSS.
>>>
>>> Regards
>>> Avesh
>>>
>>>
>>>
>>>      
>>>       
>>>>> [root@pross-mon01 log]# grep pluto messages
>>>>> Dec 24 10:40:21 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>> Dec 24 10:40:21 pross-mon01 ipsec_starter[7423]: connect(pluto_ctl) failed: No such file or directory
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>>>>
>>>>>
>>>>> Merry Christmas and a Prosperous 2010!
>>>>>
>>>>> Jorge Jiménez Miguélez
>>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>>> 08028 - Barcelona
>>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>>> http://www.pross.com
>>>>>
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jorge Jimenez
>>>>> Sent: Thursday, December 24, 2009 9:22
>>>>> To: Paul Wouters
>>>>> CC: users at openswan.org; Jorge Jimenez
>>>>> Subject: RE: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>>
>>>>> Hi Paul,
>>>>>
>>>>> Here you are. When I try to start ipsec, it only writes logs in secure and messages files:
>>>>>
>>>>> [root@pross-mon01 log]# /etc/init.d/ipsec start
>>>>> /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>> ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>>>>> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>>
>>>>> [root@pross-mon01 log]# grep pluto secure
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: Starting Pluto subsystem...
>>>>> Dec 24 10:40:21 pross-mon01 pluto[7416]: nss directory plutomain: sql:/etc/ipsec.d
>>>>> Dec 24 10:40:21 pross-mon01 pluto[7416]: NSS initialization failed (err -8174)
>>>>>
>>>>> [root@pross-mon01 log]# grep pluto messages
>>>>> Dec 24 10:40:21 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>> Dec 24 10:40:21 pross-mon01 ipsec_starter[7423]: connect(pluto_ctl) failed: No such file or directory
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>>>>
>>>>> Thanks and kind Regards
>>>>>
>>>>> Merry Christmas and a Prosperous 2010!
>>>>>
>>>>> Jorge Jiménez Miguélez
>>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>>> 08028 - Barcelona
>>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>>> http://www.pross.com
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Paul Wouters [mailto:paul at xelerance.com]
>>>>> Sent: Thursday, December 24, 2009 5:39
>>>>> To: Jorge Jimenez
>>>>> CC: users at openswan.org
>>>>> Subject: RE: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>>
>>>>> On Wed, 23 Dec 2009, Jorge Jimenez wrote:
>>>>>
>>>>>
>>>>>
>>>>>          
>>>>>           
>>>>>> Thanks for your quick answer!
>>>>>> Sorry for my English...
>>>>>> I only see in my logs what I sent... How can I increase my logs? What can I do to help you to find the problem...
>>>>>>
>>>>>>
>>>>>>            
>>>>>>             
>>>>> Check all the logs in /var/log/*
>>>>> for instance:
>>>>>
>>>>>      grep pluto /var/log/*
>>>>>
>>>>> Paul
>>>>>
>>>>>
>>>>>
>>>>>          
>>>>>           
>>>>>> Thanks and kind regards
>>>>>>
>>>>>>
>>>>>> Merry Christmas and a Prosperous 2010!
>>>>>>
>>>>>> Jorge Jiménez Miguélez
>>>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>>>> 08028 - Barcelona
>>>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>>>> http://www.pross.com
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Paul Wouters [mailto:paul at xelerance.com]
>>>>>> Sent: Wednesday, December 23, 2009 20:01
>>>>>> To: Jorge Jimenez
>>>>>> CC: users at openswan.org
>>>>>> Subject: Re: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>>>
>>>>>> On Wed, 23 Dec 2009, Jorge Jimenez wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>            
>>>>>>             
>>>>>>> Date: Wed, 23 Dec 2009 17:14:59 +0100
>>>>>>> From: Jorge Jimenez<jorge.jimenez at pross.com>
>>>>>>> Cc: Jorge Jimenez<jorge.jimenez at pross.com>
>>>>>>> To: "users at openswan.org"<users at openswan.org>
>>>>>>> Subject: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>>>>
>>>>>>>
>>>>>>>              
>>>>>>>               
>>>>>>            
>>>>>>             
>>>>>>> I’ve installed Openswan and it doesn’t work.
>>>>>>>
>>>>>>>
>>>>>>>              
>>>>>>>               
>>>>>> It looks like your pluto is crashing. Please check the logs for a more detailed
>>>>>> message. I don't see it below.
>>>>>>
>>>>>> Paul
>>>>>>
>>>>>>
>>>>>>
>>>>>>            
>>>>>>             
>>>>>>> My message log is:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Dec 23 18:14:28 pross-mon01 ipsec_setup: Stopping Openswan IPsec...
>>>>>>> Dec 23 18:14:28 pross-mon01 kernel: NET: Unregistered protocol family 15
>>>>>>> Dec 23 18:14:28 pross-mon01 ipsec_setup: ...Openswan IPsec stopped
>>>>>>> Dec 23 18:14:32 pross-mon01 kernel: NET: Registered protocol family 15
>>>>>>> Dec 23 18:14:32 pross-mon01 ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>>>>>>> Dec 23 18:14:33 pross-mon01 ipsec_setup: Using NETKEY(XFRM) stack
>>>>>>> Dec 23 18:14:33 pross-mon01 kernel: padlock: VIA PadLock not detected.
>>>>>>> Dec 23 18:14:33 pross-mon01 kernel: padlock: VIA PadLock not detected.
>>>>>>> Dec 23 18:14:33 pross-mon01 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>>>> Dec 23 18:14:33 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>>>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>>>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>>>> Dec 23 18:14:33 pross-mon01 ipsec_setup: ...Openswan IPsec started
>>>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>>>> Dec 23 18:14:33 pross-mon01 ipsec_starter[19297]: connect(pluto_ctl) failed: No such file or directory
>>>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>>>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>>>>>>> Dec 23 18:14:34 pross-mon01 last message repeated 2 times
>>>>>>> Dec 23 18:14:34 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> And my ipsec.conf file is:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> version 2.0
>>>>>>>
>>>>>>> config setup
>>>>>>>         # Debug-logging controls:
>>>>>>>         protostack=netkey
>>>>>>>         #klipsdebug=none
>>>>>>>         klipsdebug="all"
>>>>>>>         plutodebug="all"
>>>>>>>         #plutodebug=none
>>>>>>>         nat_traversal=yes
>>>>>>> #       interfaces = "ipsec0=eth0"
>>>>>>>
>>>>>>> conn iberobrico
>>>>>>>         auto=start
>>>>>>>         left=%defaultroute
>>>>>>> #       leftprotoport=17/1701
>>>>>>>         #leftsubnet=10.10.100.0/24
>>>>>>>         right=xxx.xxx.xxx.xxx
>>>>>>> #       rightprotoport=17/1701
>>>>>>>         rightsubnet=172.254.100.0/24
>>>>>>>         #rightid=%any
>>>>>>>         keyexchange=ike
>>>>>>>         authby=secret
>>>>>>>         pfs=no
>>>>>>>         rekey=yes
>>>>>>>         keyingtries=0
>>>>>>> #       type=transport
>>>>>>>         esp=3des
>>>>>>>         #auth=esp
>>>>>>>         compress=yes
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Can someone help me please.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Kind Regards
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> PROSS Nevado
>>>>>>>
>>>>>>> Merry Christmas and a Prosperous 2010!
>>>>>>>
>>>>>>> Jorge Jiménez Miguélez
>>>>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>>>>> 08028 - Barcelona
>>>>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>>>>> http://www.pross.com
>>>>>>>
>>>> _______________________________________________
>>>> Users at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/users
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>>
>   
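
The diagnosis reached in this thread, as an added example (not part of the original messages and not Openswan code): pluto logs the NSS spec it opens (sql:/etc/ipsec.d here), and this script checks whether that directory holds the matching database files. The function names are hypothetical; the legacy cert8.db/key3.db names and the handling of an unprefixed path as dbm are assumptions about the NSS of that era, not something the thread states.

```shell
#!/bin/sh
# Added example: compare the NSS database format pluto asks for with what is
# actually on disk. cert9.db/key4.db are the sql-format files named in the
# thread; cert8.db/key3.db are the legacy dbm names (assumption, see lead-in).

# nss_db_format DIR -> prints sql | dbm | both | none
nss_db_format() {
    has_sql=no; has_dbm=no
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then has_sql=yes; fi
    if [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then has_dbm=yes; fi
    case "$has_sql$has_dbm" in
        yesyes) echo both ;;
        yesno)  echo sql ;;
        noyes)  echo dbm ;;
        *)      echo none ;;
    esac
}

# pluto_nss_spec LOGFILE -> last spec pluto reported, e.g. sql:/etc/ipsec.d
pluto_nss_spec() {
    sed -n 's/.*nss directory plutomain: \(.*\)$/\1/p' "$1" | tail -n 1
}

# diagnose SPEC [DIR] -> one-line verdict; DIR overrides the path in SPEC
diagnose() {
    spec=$1
    case "$spec" in
        sql:*) want=sql; path=${spec#sql:} ;;
        dbm:*) want=dbm; path=${spec#dbm:} ;;
        # Assumption: without a prefix NSS uses dbm unless NSS_DEFAULT_DB_TYPE is set.
        *)     want=${NSS_DEFAULT_DB_TYPE:-dbm}; path=$spec ;;
    esac
    dir=${2:-$path}
    have=$(nss_db_format "$dir")
    fix="create one with: certutil -N -d $want:$path"
    if [ "$have" = "$want" ] || [ "$have" = both ]; then
        echo "ok: $want database present in $dir"
    elif [ "$have" = none ]; then
        echo "missing: no NSS database in $dir; $fix"
    else
        echo "mismatch: pluto wants $want but $dir holds $have; $fix"
    fi
}

# Usage: sh thisfile /var/log/secure
if [ "$#" -gt 0 ]; then
    diagnose "$(pluto_nss_spec "$1")"
fi
```

A "mismatch" verdict corresponds to a database created without the "sql:" prefix while pluto opens sql:/etc/ipsec.d, which is the situation the replies above point to.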



