[Openswan Users] Openswan porting on ARM: /etc/init.d/ipsec start unresponsive ------->to psec_setup: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")

satpal parmar systems.satpal at gmail.com
Fri Sep 30 09:18:40 EDT 2011


Unable to make any real progress. Below is the output of /var/log/messages.

Jan  1 00:29:45 (none) daemon.err ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Jan  1 00:29:45 (none) daemon.err ipsec__plutorun: !pluto failure!:  exited with error status 1
Jan  1 00:29:45 (none) daemon.err ipsec__plutorun: restarting IPsec after pause...
Jan  1 00:29:55 (none) daemon.err ipsec_setup: Stopping Openswan IPsec...
Jan  1 00:29:55 (none) daemon.err ipsec_setup: rmmod: remove 'ipv6': Resource temporarily unavailable
Jan  1 00:29:55 (none) daemon.err ipsec_setup: ...Openswan IPsec stopped

Jan  1 00:29:55 (none) daemon.err ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.37-svn3005...
Jan  1 00:29:55 (none) daemon.err ipsec_setup: Using NETKEY(XFRM) stack
(no "/var/run/pluto.ctl")Jan  1 00:29:56 (none) authpriv.err ipsec__plutorun: Starting Pluto subsystem...
Jan  1 00:29:56 (none) daemon.err ipsec_setup: ...Openswan IPsec started
Jan  1 00:29:56 (none) daemon.err ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jan  1 00:29:56 (none) user.warn pluto: adjusting ipsec.d to /etc/ipsec.d
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: Starting Pluto (Openswan Version 2.6.33; Vendor ID OEghI_w\134ALFy) pid:26492
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: LEAK_DETECTIVE support [enabled]
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: OCF support for IKE [disabled]
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: SAref support [disabled]: Protocol not available
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: SAbind support [disabled]: Protocol not available
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: NSS support [disabled]
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: HAVE_STATSD notification support not compiled in
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: Setting NAT-Traversal port-4500 floating to on
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]:    port floating activation criteria nat_t=1/port_float=1
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]:    NAT-Traversal support  [enabled]
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: using /dev/urandom as source of random entropy
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: starting up 1 cryptographic helpers
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: started helper pid=26494 (fd:7)
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: Kernel interface auto-pick
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: Using Linux 2.6 IPsec interface code on 2.6.37-svn3005 (experimental code)
Jan  1 00:29:56 (none) authpriv.err pluto[26492]: FATAL ERROR: socket() in init_netlink(). Errno 93: Protocol not supported
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: leak: pluto helpers, item size: 40
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: leak: 2 * hasher name, item size: 16
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: leak: 3 * struct event in event_schedule(), item size: 16
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: leak: private_net_ok subnets, item size: 128
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: leak: ipsecdir, item size: 13
Jan  1 00:29:56 (none) authpriv.warn pluto[26492]: leak detective found 8 leaks, total size 213
Jan  1 00:29:56 (none) authpriv.warn pluto[26494]: using /dev/urandom as source of random entropy
Jan  1 00:29:56 (none) authpriv.warn pluto[26494]: pluto_crypto_helper: helper (0) is  normal exiting
Jan  1 00:29:56 (none) daemon.err ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Jan  1 00:29:56 (none) daemon.err ipsec__plutorun: !pluto failure!:  exited with error status 1
Jan  1 00:29:56 (none) daemon.err ipsec__plutorun: restarting IPsec after pause...

-SP

On Fri, Sep 30, 2011 at 2:44 PM, satpal parmar <systems.satpal at gmail.com> wrote:

> Well, it seems I was able to make some progress after using the
> lucid explanation of this behavior here:
> http://www.gentoo-wiki.info/HOWTO_OpenSwan_2.6_kernel
>
> The ARM on my board is running at 600 MHz, which might be slow for
> key generation operations. Moreover, I was getting zero entropy for
> /proc/sys/kernel/random/entropy_avail. So I used the solution mentioned in
> the link, i.e. use urandom instead of random in /usr/libexec/ipsec/newhostkey.
> It generated ipsec.secrets in jiffies.
>
> But for some reason lord pluto was not happy and I got the message: ipsec_setup:
> whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
> I googled for the error and someone suggested looking in /var/log/secure, but
> there is no /var/log/secure.
>
> Any hint?
>
> -SP
>
>
> On Fri, Sep 30, 2011 at 12:41 PM, satpal parmar <systems.satpal at gmail.com> wrote:
>
>> Something is really fishy.
>>
>> I can see an ipsec.secrets.new file getting created in etc, with
>> growing ' RSA   {' entries.
>> Something like:
>>
>> : RSA   {
>> : RSA   {
>> : RSA   {
>> : RSA   {
>> : RSA   {
>> : RSA   {
>> : RSA   {
>> : RSA
>>
>> I know about ipsec.secrets but ipsec.secrets.new is something I read
>> about.
>>
>> I am not sure how useful this info is, but I thought of sharing it with you
>> all. Still clueless about what's going on.
>>
>> -SP
>>
>> On Fri, Sep 30, 2011 at 10:59 AM, satpal parmar <systems.satpal at gmail.com> wrote:
>>
>>> Hi all
>>>
>>> I am trying to port IPsec 2.6.33 to an ARM11 SoC running Linux kernel 2.6.37
>>> (Netkey IPsec stack). I am experiencing strange behavior. When I start ipsec
>>> (/etc/init.d/ipsec start) the console becomes unresponsive for a long period of
>>> time (5+ min). I ran the same thing in the background and checked the output of ps, and
>>> I observed this:
>>>
>>> 58 root       0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug
>>>  --uniquei
>>>   962 root       0:00 /bin/sh /usr/local/libexec/ipsec/newhostkey --quiet
>>>   971 root       0:00 /bin/sh /usr/local/libexec/ipsec/newhostkey --quiet
>>>   972 root       0:00 /bin/sh /usr/local/libexec/ipsec/newhostkey --quiet
>>>   973 root       0:00 cat
>>>   974 root       0:00 /usr/local/libexec/ipsec/rsasigkey --random
>>> /dev/random 2
>>>   988 root       0:00 /bin/sh /usr/local/libexec/ipsec/setup restart
>>>  1047 root       0:00 logger -s -p daemon.error -t ipsec_setup
>>>  1131 root       0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug
>>>  --uniquei
>>>  1135 root       0:00 /bin/sh /usr/local/libexec/ipsec/newhostkey --quiet
>>>  1136 root       0:00 /bin/sh /usr/local/libexec/ipsec/newhostkey --quiet
>>>  1137 root       0:00 /bin/sh /usr/local/libexec/ipsec/newhostkey --quiet
>>>  1138 root       0:00 cat
>>>  1146 root       0:00 /usr/local/libexec/ipsec/rsasigkey --random
>>> /dev/random 2
>>>  1161 root       0:00 /bin/sh /usr/local/libexec/ipsec/setup restart
>>>  1222 root       0:00 logger -s -p daemon.error -t ipsec_setup
>>>  1306 root       0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug
>>>  --uniquei
>>>  1318 root       0:00 /bin/sh /usr/local/libexec/ipsec/newhostkey --quiet
>>>  1323 root       0:00 /bin/sh /usr/local/libexec/ipsec/newhostkey --quiet
>>>  1324 root       0:00 /bin/sh /usr/local/libexec/ipsec/newhostkey --quiet
>>>  1325 root       0:00 cat
>>>  1326 root       0:00 /usr/local/libexec/ipsec/rsasigkey --random
>>> /dev/random 2
>>>  1336 root       0:00 /bin/sh /usr/local/libexec/ipsec/setup restart
>>>  1395 root       0:00 logger -s -p daemon.error -t ipsec_setup
>>>  1479 root       0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug
>>>  --uniquei
>>>  1481 root       0:00 /bin/sh /usr/local/libexec/ipsec/newhostkey --quiet
>>>  1482 root       0:00 /bin/sh /usr/local/libexec/ipsec/newhostkey --quiet
>>>  1483 root       0:00 /bin/sh /usr/local/libexec/ipsec/newhostkey --quiet
>>>
>>> Is this expected behavior? Is anything missing?
>>>
>>> I do not have perl support on my setup so I cannot use verify.
>>>
>>> Ipsec status is giving me a cryptic response:
>>>
>>> # ipsec setup --status
>>> IPsec stopped
>>> but...
>>> has subsystem lock (/var/lock/subsys/ipsec)!
>>>
>>> Anyone got any idea what's going on? Any help will be highly appreciated.
>>>
>>> -SP
>>>
>>
>>
>
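
The log at the top of this message ends with `FATAL ERROR: socket() in init_netlink(). Errno 93: Protocol not supported`, and the earlier message reports zero in /proc/sys/kernel/random/entropy_avail. The probe below is an added example, not part of the original post or of Openswan; it checks both conditions on the target board. It assumes pluto's NETKEY path opens an AF_NETLINK socket for NETLINK_XFRM and that a kernel without CONFIG_XFRM_USER (the xfrm_user module) is what makes that call fail with errno 93; the function names and the 128-bit threshold are illustrative.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>
#define NL_XFRM 6               /* NETLINK_XFRM in <linux/netlink.h> */
#define LOW_ENTROPY_BITS 128    /* illustrative threshold, not from the thread */

enum xfrm_diag { XFRM_OK, XFRM_NO_HANDLER, XFRM_OTHER };

/* Open and close the netlink socket NETKEY needs; 0 on success, else errno. */
int probe_xfrm_netlink(void)
{
    int fd = socket(AF_NETLINK, SOCK_DGRAM, NL_XFRM);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* EPROTONOSUPPORT (93 on ARM/x86 Linux): no xfrm netlink handler registered. */
enum xfrm_diag classify_netlink_errno(int err)
{
    if (err == 0) return XFRM_OK;
    return err == EPROTONOSUPPORT ? XFRM_NO_HANDLER : XFRM_OTHER;
}

/* Parse the contents of entropy_avail; returns bits, or -1 if not a number. */
long parse_entropy(const char *text)
{
    char *end;
    long bits = strtol(text, &end, 10);
    return (end == text || bits < 0) ? -1 : bits;
}

int main(void)
{
    static const char *msg[] = {
        "NETLINK_XFRM available",
        "no NETLINK_XFRM handler: enable CONFIG_XFRM_USER or load xfrm_user",
        "socket() failed for another reason",
    };
    char buf[32] = "";
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    long bits = parse_entropy(buf);
    int err = probe_xfrm_netlink();
    printf("entropy_avail: %ld bits%s\n", bits,
           bits >= 0 && bits < LOW_ENTROPY_BITS ? " (/dev/random may block)" : "");
    printf("NETLINK_XFRM: errno %d, %s\n", err, msg[classify_netlink_errno(err)]);
    return err != 0;
}
```

Cross-compile it with the board's toolchain and run it before starting ipsec; a non-zero exit status means the NETLINK_XFRM socket could not be opened.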