[Openswan Users] Openswan doesn't starts because pluto is down

Jorge Jimenez jorge.jimenez at pross.com
Mon Jan 4 11:21:00 EST 2010


No Avesh, it's CentOS.


Merry Christmas and a Prosperous 2010!

Jorge Jiménez Miguélez
Avinguda Diagonal, 605 - 4ª Planta
08028 - Barcelona
Tel.: 902 01 35 34 - Mobile: 669 83 08 76
http://www.pross.com



-----Original Message-----
From: Avesh Agarwal [mailto:avagarwa at redhat.com]
Sent: Monday, January 04, 2010 17:16
To: Jorge Jimenez
CC: Paul Wouters; users at openswan.org
Subject: Re: [Openswan Users] Openswan doesn't starts because pluto is down

On 01/04/2010 11:16 AM, Jorge Jimenez wrote:
> Hi Avesh,
>
> I answer your two questions.
>
>          - I don't have a sql database in my linux machine, I need it?
>
If you are running on fedora, then yes.

>          - SELinux is disabled in my machine
>
> Thanks for your answer and kind regards
>
>
> Merry Christmas and a Prosperous 2010!
>
> Jorge Jiménez Miguélez
> Avinguda Diagonal, 605 - 4ª Planta
> 08028 - Barcelona
> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
> http://www.pross.com
>
>
>
> -----Original Message-----
> From: Avesh Agarwal [mailto:avagarwa at redhat.com]
> Sent: Monday, January 04, 2010 17:05
> To: Jorge Jimenez
> CC: Paul Wouters; users at openswan.org
> Subject: Re: [Openswan Users] Openswan doesn't starts because pluto is down
>
> On 01/04/2010 10:59 AM, Jorge Jimenez wrote:
>
>> Hi Avesh,
>>
>> I read README.nss and used this command:
>>        certutil -N -d <path-to-ipsec.d-dir>/ipsec.d
>> to create a database.
>> But it doesn't work and I get these log messages:
>>
>>
>>
> Is NSS initialized now? On Fedora, use "sql:" as a prefix like
> "sql:<path-to-database>", or set NSS_DEFAULT_DB_TYPE="sql" if you do not
> want to give "sql:" prefix on the command line. It should create
> cert9.db and key4.db.
>
>
>>        Jan  4 20:14:20 pross-mon01 ipsec_setup: Stopping Openswan IPsec...
>>        Jan  4 20:14:20 pross-mon01 kernel: NET: Unregistered protocol family 15
>>        Jan  4 20:14:20 pross-mon01 ipsec_setup: ...Openswan IPsec stopped
>>        Jan  4 20:14:26 pross-mon01 kernel: NET: Registered protocol family 15
>>        Jan  4 20:14:26 pross-mon01 ipsec_setup: Using NETKEY(XFRM) stack
>>        Jan  4 20:14:26 pross-mon01 ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>>        Jan  4 20:14:26 pross-mon01 kernel: padlock: VIA PadLock not detected.
>>        Jan  4 20:14:26 pross-mon01 kernel: padlock: VIA PadLock not detected.
>>        Jan  4 20:14:26 pross-mon01 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>        Jan  4 20:14:26 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>>        Jan  4 20:14:26 pross-mon01 ipsec_setup: ...Openswan IPsec started
>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>        Jan  4 20:14:26 pross-mon01 ipsec_starter[15185]: connect(pluto_ctl) failed: No such file or directory
>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>>        Jan  4 20:14:26 pross-mon01 last message repeated 2 times
>>        Jan  4 20:14:26 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>
>>
>>
>>
> Also check if pluto is not starting due to SELinux policy by putting
> SELinux into permissive mode.
>
>
> Avesh
>
>
>> Merry Christmas and a Prosperous 2010!
>>
>> Jorge Jiménez Miguélez
>> Avinguda Diagonal, 605 - 4ª Planta
>> 08028 - Barcelona
>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>> http://www.pross.com
>>
>>
>> -----Original Message-----
>> From: Avesh Agarwal [mailto:avagarwa at redhat.com]
>> Sent: Monday, January 04, 2010 15:52
>> To: Paul Wouters
>> CC: Jorge Jimenez; users at openswan.org
>> Subject: Re: [Openswan Users] Openswan doesn't starts because pluto is down
>>
>> On 12/28/2009 09:03 AM, Paul Wouters wrote:
>>
>>
>>> On Mon, 28 Dec 2009, Jorge Jimenez wrote:
>>>
>>>
>>>
>>>
>>>> Have you seen my logs? What do you think about?
>>>>
>>>>
>>>>
>>> You need to either migrate your configuration to use NSS, or you
>>> need to recompile openswan without NSS. I assume you're using a
>>> binary package from fedora or rhel, so check /usr/share/doc/openswan*
>>>
>>> Paul
>>>
>>>
>>>
>>>
>>
>>>> Merry Christmas and a Prosperous 2010!
>>>>
>>>> Jorge Jiménez Miguélez
>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>> 08028 - Barcelona
>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>> http://www.pross.com
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Jorge Jimenez
>>>> Sent: Thursday, December 24, 2009 9:26
>>>> To: Jorge Jimenez; Paul Wouters
>>>> CC: users at openswan.org
>>>> Subject: RE: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>
>>>> Sorry Paul,
>>>>
>>>> Copy/paste doesn't show fine. I try to send it another time.
>>>>
>>>> [root at pross-mon01 log]# /etc/init.d/ipsec start
>>>> /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>> ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>>>> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>
>>>> [root at pross-mon01 log]# grep pluto secure
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: Starting Pluto subsystem...
>>>> Dec 24 10:40:21 pross-mon01 pluto[7416]: nss directory plutomain: sql:/etc/ipsec.d
>>>> Dec 24 10:40:21 pross-mon01 pluto[7416]: NSS initialization failed (err -8174)
>>>>
>>>>
>>>>
>>>>
>> Hi,
>>
>> Please go through README.nss. I think you need to create NSS database
>> first, if you want to use Openswan with NSS.
>>
>> Regards
>> Avesh
>>
>>
>>
>>
>>>> [root at pross-mon01 log]# grep pluto messages
>>>> Dec 24 10:40:21 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>> Dec 24 10:40:21 pross-mon01 ipsec_starter[7423]: connect(pluto_ctl) failed: No such file or directory
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>>>
>>>>
>>>> Merry Christmas and a Prosperous 2010!
>>>>
>>>> Jorge Jiménez Miguélez
>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>> 08028 - Barcelona
>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>> http://www.pross.com
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Jorge Jimenez
>>>> Sent: Thursday, December 24, 2009 9:22
>>>> To: Paul Wouters
>>>> CC: users at openswan.org; Jorge Jimenez
>>>> Subject: RE: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>
>>>> Hi Paul,
>>>>
>>>> Here you are. When I try to start ipsec, it only writes logs in secure and messages files:
>>>>
>>>> [root at pross-mon01 log]# /etc/init.d/ipsec start
>>>> /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>> ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>>>> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>
>>>> [root at pross-mon01 log]# grep pluto secure
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: Starting Pluto subsystem...
>>>> Dec 24 10:40:21 pross-mon01 pluto[7416]: nss directory plutomain: sql:/etc/ipsec.d
>>>> Dec 24 10:40:21 pross-mon01 pluto[7416]: NSS initialization failed (err -8174)
>>>>
>>>> [root at pross-mon01 log]# grep pluto messages
>>>> Dec 24 10:40:21 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>> Dec 24 10:40:21 pross-mon01 ipsec_starter[7423]: connect(pluto_ctl) failed: No such file or directory
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>>>> Dec 24 10:40:21 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>>>
>>>> Thanks and kind Regards
>>>>
>>>> Merry Christmas and a Prosperous 2010!
>>>>
>>>> Jorge Jiménez Miguélez
>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>> 08028 - Barcelona
>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>> http://www.pross.com
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Paul Wouters [mailto:paul at xelerance.com]
>>>> Sent: Thursday, December 24, 2009 5:39
>>>> To: Jorge Jimenez
>>>> CC: users at openswan.org
>>>> Subject: RE: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>
>>>> On Wed, 23 Dec 2009, Jorge Jimenez wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> Thanks for your quick answer!
>>>>> Sorry for my English...
>>>>> I only see in my logs what I sent... How can I increase my logs? What can I do to help you find the problem...
>>>>>
>>>>>
>>>>>
>>>> Check all the logs in /var/log/*
>>>> for instance:
>>>>
>>>>      grep pluto /var/log/*
>>>>
>>>> Paul
>>>>
>>>>
>>>>
>>>>
>>>>> Thanks and kind regards
>>>>>
>>>>>
>>>>> Merry Christmas and a Prosperous 2010!
>>>>>
>>>>> Jorge Jiménez Miguélez
>>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>>> 08028 - Barcelona
>>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>>> http://www.pross.com
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Paul Wouters [mailto:paul at xelerance.com]
>>>>> Sent: Wednesday, December 23, 2009 20:01
>>>>> To: Jorge Jimenez
>>>>> CC: users at openswan.org
>>>>> Subject: Re: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>>
>>>>> On Wed, 23 Dec 2009, Jorge Jimenez wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Date: Wed, 23 Dec 2009 17:14:59 +0100
>>>>>> From: Jorge Jimenez <jorge.jimenez at pross.com>
>>>>>> Cc: Jorge Jimenez <jorge.jimenez at pross.com>
>>>>>> To: "users at openswan.org" <users at openswan.org>
>>>>>> Subject: [Openswan Users] Openswan doesn't starts because pluto is down
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>> I’ve installed Openswan and it doesn’t work.
>>>>>>
>>>>>>
>>>>>>
>>>>> It looks like your pluto is crashing. Please check the logs for a more detailed
>>>>> message. I don't see it below.
>>>>>
>>>>> Paul
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> My message log is:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Dec 23 18:14:28 pross-mon01 ipsec_setup: Stopping Openswan IPsec...
>>>>>> Dec 23 18:14:28 pross-mon01 kernel: NET: Unregistered protocol family 15
>>>>>> Dec 23 18:14:28 pross-mon01 ipsec_setup: ...Openswan IPsec stopped
>>>>>> Dec 23 18:14:32 pross-mon01 kernel: NET: Registered protocol family 15
>>>>>> Dec 23 18:14:32 pross-mon01 ipsec_setup: Starting Openswan IPsec U2.6.24rc3/K2.6.18-164.el5...
>>>>>> Dec 23 18:14:33 pross-mon01 ipsec_setup: Using NETKEY(XFRM) stack
>>>>>> Dec 23 18:14:33 pross-mon01 kernel: padlock: VIA PadLock not detected.
>>>>>> Dec 23 18:14:33 pross-mon01 kernel: padlock: VIA PadLock not detected.
>>>>>> Dec 23 18:14:33 pross-mon01 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>>> Dec 23 18:14:33 pross-mon01 pluto: adjusting ipsec.d to /etc/ipsec.d
>>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
>>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>>> Dec 23 18:14:33 pross-mon01 ipsec_setup: ...Openswan IPsec started
>>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>>> Dec 23 18:14:33 pross-mon01 ipsec_starter[19297]: connect(pluto_ctl) failed: No such file or directory
>>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: connect(pluto_ctl) failed: No such file or directory
>>>>>> Dec 23 18:14:33 pross-mon01 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
>>>>>> Dec 23 18:14:34 pross-mon01 last message repeated 2 times
>>>>>> Dec 23 18:14:34 pross-mon01 ipsec__plutorun: pluto apparently already running (?!?), giving up
>>>>>>
>>>>>>
>>>>>>
>>>>>> And my ipsec.conf file is:
>>>>>>
>>>>>>
>>>>>>
>>>>>> version 2.0
>>>>>>
>>>>>> config setup
>>>>>>         # Debug-logging controls:
>>>>>>         protostack=netkey
>>>>>>         #klipsdebug=none
>>>>>>         klipsdebug="all"
>>>>>>         plutodebug="all"
>>>>>>         #plutodebug=none
>>>>>>         nat_traversal=yes
>>>>>> #       interfaces = "ipsec0=eth0"
>>>>>>
>>>>>> conn iberobrico
>>>>>>         auto=start
>>>>>>         left=%defaultroute
>>>>>> #       leftprotoport=17/1701
>>>>>>         #leftsubnet=10.10.100.0/24
>>>>>>         right=xxx.xxx.xxx.xxx
>>>>>> #       rightprotoport=17/1701
>>>>>>         rightsubnet=172.254.100.0/24
>>>>>>         #rightid=%any
>>>>>>         keyexchange=ike
>>>>>>         authby=secret
>>>>>>         pfs=no
>>>>>>         rekey=yes
>>>>>>         keyingtries=0
>>>>>> #       type=transport
>>>>>>         esp=3des
>>>>>>         #auth=esp
>>>>>>         compress=yes
>>>>>>
>>>>>>
>>>>>>
>>>>>> Can someone help me please.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Kind Regards
>>>>>>
>>>>>>
>>>>>>
>>>>>> PROSS Nevado
>>>>>>
>>>>>> Merry Christmas and a Prosperous 2010!
>>>>>>
>>>>>> Jorge Jiménez Miguélez
>>>>>> Avinguda Diagonal, 605 - 4ª Planta
>>>>>> 08028 - Barcelona
>>>>>> Tel.: 902 01 35 34 - Mobile: 669 83 08 76
>>>>>> http://www.pross.com
>
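
Added example, not part of the thread and not Openswan code: one way to check the condition Avesh describes, by comparing the database spec pluto logs ("nss directory plutomain: sql:/etc/ipsec.d") with the files actually present in that directory. The function names are hypothetical; cert9.db/key4.db are the sql-format files named in the thread, cert8.db/key3.db are the legacy dbm-format files, and treating an unprefixed path as dbm when NSS_DEFAULT_DB_TYPE is unset is an assumption matching older NSS builds.

```shell
#!/bin/sh
# Added example (not from the thread): compare the NSS database format pluto
# asks for with the files actually present in the ipsec.d directory.

# nss_db_format DIR: prints sql (cert9.db + key4.db), dbm (cert8.db + key3.db),
# both, or none.
nss_db_format() {
    sql=no; dbm=no
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then sql=yes; fi
    if [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then dbm=yes; fi
    case "$sql$dbm" in
        yesyes) echo both ;;
        yesno)  echo sql ;;
        noyes)  echo dbm ;;
        *)      echo none ;;
    esac
}

# pluto_nss_spec LOGFILE: prints the last database spec pluto logged,
# e.g. "sql:/etc/ipsec.d" from "nss directory plutomain: sql:/etc/ipsec.d".
pluto_nss_spec() {
    sed -n 's/.*nss directory plutomain: *//p' "$1" | tail -n 1
}

# check_nss SPEC: prints a one-line verdict; returns 0 only when the format
# named by SPEC exists. An unprefixed SPEC follows NSS_DEFAULT_DB_TYPE; falling
# back to dbm when that is unset is an assumption (older NSS default).
check_nss() {
    case "$1" in
        sql:*) want=sql; dir=${1#sql:} ;;
        dbm:*) want=dbm; dir=${1#dbm:} ;;
        *)     want=${NSS_DEFAULT_DB_TYPE:-dbm}; dir=$1 ;;
    esac
    have=$(nss_db_format "$dir")
    if [ "$have" = "$want" ] || [ "$have" = both ]; then
        echo "ok: $want database found in $dir"
    elif [ "$have" = none ]; then
        echo "missing: no NSS database in $dir; create one with: certutil -N -d $want:$dir"
        return 1
    else
        echo "mismatch: pluto opens $want:$dir but only a $have database exists there"
        return 1
    fi
}

# Usage on a host: sh nss_check.sh /var/log/secure
if [ $# -gt 0 ]; then
    check_nss "$(pluto_nss_spec "$1")"
fi
```

A "mismatch" verdict means a database exists in the directory but in a different format from the one pluto was told to open.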



