[Openswan Users] More bizarre ipsec problems; service ipsec stop hangs; random hosts offline; /var/log/secure going nuts...

Greg Scott GregScott at Infrasupport.com
Thu Jul 29 05:58:59 EDT 2010


Trying to troubleshoot this error from /var/log/secure:

Jul 29 03:44:32 MN-fw1 pluto[5926]: "/etc/ipsec.d/hostkey.secrets" line
14: malformed end of RSA private key -- indented '}' required

This is what /etc/ipsec.d/hostkey.secrets looks like - notice that it
**does** have the indented "}" at the end.  I've never touched this file
by hand other than to doctor up the copy I am posting here:

[root at MN-fw1 ~]# cd /etc/ipsec.d
[root at MN-fw1 ipsec.d]# more hostkey.secrets
: RSA   {
        # RSA 2192 bits   MN-fw1   Tue Jun  8 20:18:59 2010
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQOwd0G2W...(removed)
        Modulus: 0xb07741b65...(removed)
        PublicExponent: 0x03
        # everything after this point is CKA_ID in hex format when using NSS
        PrivateExponent: 0x365 (digits removed)
        Prime1: 0x36589f9061b (digits removed)
        Prime2: 0x36589f9061b (digits removed)
        Exponent1: 0x36589 (digits removed)
        Exponent2: 0x3658 (digits removed)
        Coefficient: 0x3658 (digits removed)
        CKAIDNSS: 0x36589 (digits removed)
        }
# do not change the indenting of that "}"

Hmmmm - well, the error called out line 14 but I noticed the '}' is
really on line 15.  What if I doctor this file by hand and put that
brace at the end of line 14?

Nope - trying every combination of spaces, tab, single space, space with
tabs, putting at the end of line 14 or spaces or tabs at the beginning
of line 15, I still see that error.  

Even more distressing - why is ipsec even looking at this file at all?
Isn't it supposed to read all the stuff it cares about from the NSS
database now?

So now it's 4 in the morning, I have a headache, and I have to figure
out how to remove 2.6.28dr7 and reinstall the RPM I erased.  Well -
maybe I'll try 2.6.27 as long as I'm this far into it.  

Just to make sure I am not nuts - here is an extract from
/var/log/secure from July 19 with the Fedora 2.6.25 RPM, the last time I
restarted this tunnel.  Note it read hostkey.secrets just fine.

.
.
.
Jul 19 10:04:11 MN-fw1 pluto[1888]: adding interface eth1/eth1
192.168.0.10:4500
Jul 19 10:04:11 MN-fw1 pluto[1888]: adding interface lo/lo 127.0.0.1:500
Jul 19 10:04:11 MN-fw1 pluto[1888]: adding interface lo/lo
127.0.0.1:4500
Jul 19 10:04:11 MN-fw1 pluto[1888]: adding interface lo/lo ::1:500
Jul 19 10:04:11 MN-fw1 pluto[1888]: loading secrets from
"/etc/ipsec.secrets"
Jul 19 10:04:11 MN-fw1 pluto[1888]: loading secrets from
"/etc/ipsec.d/hostkey.secrets"
Jul 19 10:04:11 MN-fw1 pluto[1888]: loaded private key for keyid:
PPK_RSA:AQOwd0G2W
.
.
.


OK... downloaded and installed 2.6.27.... same problem:

Jul 29 04:52:33 MN-fw1 pluto[18891]: adding interface eth2/eth2
192.168.253.1:500
Jul 29 04:52:33 MN-fw1 pluto[18891]: adding interface eth2/eth2
192.168.253.1:4500
Jul 29 04:52:33 MN-fw1 pluto[18891]: adding interface lo/lo
127.0.0.1:500
Jul 29 04:52:33 MN-fw1 pluto[18891]: adding interface lo/lo
127.0.0.1:4500
Jul 29 04:52:33 MN-fw1 pluto[18891]: adding interface lo/lo ::1:500
Jul 29 04:52:33 MN-fw1 pluto[18891]: loading secrets from
"/etc/ipsec.secrets"
Jul 29 04:52:33 MN-fw1 pluto[18891]: loading secrets from
"/etc/ipsec.d/hostkey.secrets"
Jul 29 04:52:33 MN-fw1 pluto[18891]: "/etc/ipsec.d/hostkey.secrets" line
14: malformed end of RSA private key -- indented '}' required
.
.
.
[root at MN-fw1 openswan-2.6.27]# ipsec version
Linux Openswan U2.6.27/K2.6.33.5-112.fc13.i686.PAE (netkey)
See `ipsec --copyright' for copyright information.
[root at MN-fw1 openswan-2.6.27]# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
[root at MN-fw1 openswan-2.6.27]#

So I'll go back to the Fedora 2.6.25 RPM and try the new version again
later.

Btw - is there any automation to remove a version built from a .tar.gz
file?  I know make clean cleans up the source tree - but what removes
all the binaries that make programs install builds?

- Greg
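
One way to check a hostkey.secrets file for the structural complaint pluto raises above ("malformed end of RSA private key -- indented '}' required") before restarting the service. This is an added example, not code from the thread or from Openswan; it does not reproduce Openswan's real parser, only the rule the error text states (the block opened by `: RSA {` must end with a `}` on its own line, preceded by whitespace). It also lists which key fields the block carries and whether a `CKAIDNSS` line is present, which is the marker the quoted file uses for an NSS-backed key. The field names are copied from the file shown above; the sample files and their hex values are constructed placeholders.

```python
"""Structural check of an Openswan-style ': RSA { ... }' secrets block.

Added example, not Openswan's own parser. It mirrors the quoted error
("indented '}' required") with one simple rule and reports the key fields
present so an NSS-style file can be told apart from a full RSA key file.
"""
import re

# Field names Openswan writes for a file-based RSA key, copied from the
# hostkey.secrets quoted in the thread.
RSA_FIELDS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1",
              "Prime2", "Exponent1", "Exponent2", "Coefficient")

OPEN_RE = re.compile(r"^:\s*RSA\s*\{\s*$")
FIELD_RE = re.compile(r"^\s*(\w+):\s*(0x[0-9A-Fa-f]+)\s*$")


def check_rsa_secrets(text):
    """Return a dict describing the first RSA block in `text`:
       ok       - True when no structural problem was found
       problems - list of 'line N: ...' strings (1-based line numbers)
       fields   - {field name: hex value} found inside the block
       nss      - True when a CKAIDNSS line is present (NSS-backed key)
       missing  - RSA_FIELDS names that the block does not carry
    """
    problems, fields = [], {}
    in_block = seen_block = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not in_block:
            if OPEN_RE.match(raw):
                in_block = seen_block = True
            continue
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments inside the block are fine
        if stripped == "}":
            if raw == stripped:  # brace at column 0: no leading whitespace
                problems.append(f"line {lineno}: closing '}}' is not indented")
            in_block = False
            continue
        if stripped.endswith("}"):
            problems.append(f"line {lineno}: closing '}}' must be alone on its own line")
            continue
        m = FIELD_RE.match(raw)
        if m is None:
            problems.append(f"line {lineno}: unexpected line in RSA block: {stripped!r}")
            continue
        fields[m.group(1)] = m.group(2)
    if not seen_block:
        problems.append("no ': RSA {' block found")
    elif in_block:
        problems.append("RSA block is never closed with an indented '}'")
    return {"ok": not problems, "problems": problems, "fields": fields,
            "nss": "CKAIDNSS" in fields,
            "missing": [f for f in RSA_FIELDS if f not in fields]}


# Constructed sample files; the hex values are placeholders, not key material.
GOOD = """\
: RSA   {
        # RSA 2192 bits   example-host   (constructed sample)
        Modulus: 0xb07741b6
        PublicExponent: 0x03
        PrivateExponent: 0x3658
        Prime1: 0x36589f
        Prime2: 0x36589e
        Exponent1: 0x3658
        Exponent2: 0x3659
        Coefficient: 0x365a
        CKAIDNSS: 0x36589
        }
# do not change the indenting of that "}"
"""

# Same block, but the closing brace moved to column 0.
BAD_UNINDENTED = GOOD.replace("\n        }\n", "\n}\n")

# Same block, but the closing brace joined onto the last field's line.
BAD_JOINED = GOOD.replace("        CKAIDNSS: 0x36589\n        }\n",
                          "        CKAIDNSS: 0x36589 }\n")

if __name__ == "__main__":
    import sys
    # Pass a file path to check a real secrets file; otherwise run the samples.
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1]).read()}
    else:
        samples = {"GOOD": GOOD, "BAD_UNINDENTED": BAD_UNINDENTED,
                   "BAD_JOINED": BAD_JOINED}
    for name, content in samples.items():
        r = check_rsa_secrets(content)
        print(name, "ok" if r["ok"] else r["problems"],
              "nss" if r["nss"] else "file-key", "missing:", r["missing"])
```

Running it against the copy posted above would report the block as well-formed, which is consistent with the point made in the thread: the brace is where the message says it should be, so the complaint is not about the file's layout.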



-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Greg Scott
Sent: Thursday, July 29, 2010 3:51 AM
To: users at openswan.org
Subject: Re: [Openswan Users] More bizarre ipsec problems; service ipsec
stop hangs; random hosts offline; /var/log/secure going nuts...

I installed Openswan-2.6.28dr7. Looks like maybe this doesn't use that
NSS database, while the RPM from Red Hat does use the NSS database.  So
my keys are messed up.  Also, the directories where the .tar.gz build
finds some of the scripts are different from the Red Hat RPM.  I can
deal with the different directories but the key problems are going to
make me crazy.  Well I guess I can deal with that too, just a pain...

[root at MN-fw1 gregs]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec
U2.6.28dr7/K2.6.33.5-112.fc13.i686.PAE...
ipsec_setup: multiple ip addresses, using  70.91.177.201 on br0
[root at MN-fw1 gregs]# tail /var/log/secure -f
Jul 29 03:44:32 MN-fw1 pluto[5926]: adding interface lo/lo
127.0.0.1:4500
Jul 29 03:44:32 MN-fw1 pluto[5926]: adding interface lo/lo ::1:500
Jul 29 03:44:32 MN-fw1 pluto[5926]: loading secrets from
"/etc/ipsec.secrets"
Jul 29 03:44:32 MN-fw1 pluto[5926]: loading secrets from
"/etc/ipsec.d/hostkey.secrets"
Jul 29 03:44:32 MN-fw1 pluto[5926]: "/etc/ipsec.d/hostkey.secrets" line
14: malformed end of RSA private key -- indented '}' required
Jul 29 03:44:32 MN-fw1 pluto[5926]: "mn-hq": prepare-client output:
/etc/ipsec.d/mn-updown.sh: line 5: /usr/libexec/ipsec/_updown: No such
file or directory
Jul 29 03:44:32 MN-fw1 pluto[5926]: "mn-hq": route-client output:
/etc/ipsec.d/mn-updown.sh: line 5: /usr/libexec/ipsec/_updown: No such
file or directory
Jul 29 03:44:32 MN-fw1 pluto[5926]: "mn-hq" #1: initiating Main Mode
Jul 29 03:44:32 MN-fw1 pluto[5926]: ERROR: asynchronous network error
report on br0 (sport=500) for message to 69.66.252.178 port 500,
complainant 69.66.252.178: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
Jul 29 03:44:32 MN-fw1 pluto[5926]: initiate on demand from
192.168.0.63:137 to 10.0.0.2:137 proto=17 state: fos_start because:
acquire
Jul 29 03:44:43 MN-fw1 pluto[5926]: ERROR: asynchronous network error
report on br0 (sport=500) for message to 69.66.252.178 port 500,
complainant 69.66.252.178: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
^C
[root at MN-fw1 gregs]#


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Thursday, July 22, 2010 10:59 PM
To: Greg Scott
Subject: RE: [Openswan Users] More bizarre ipsec problems; service ipsec
stop hangs; random hosts offline; /var/log/secure going nuts...

Try 2.6.28dr6. It has the fix that I think might actually solve it for
you, which was not undoing that patch that I thought earlier. Please try
that one.
ftp://ftp.openswan.org/openswan/development/openswan-2.6.28dr6.tar.gz

Please do let me know as well if you confirm this fixes your issue

Paul
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
