[Openswan Users] pluto won't talk over port 500 on very old system

Neal Murphy neal.p.murphy at alum.wpi.edu
Fri Aug 23 07:05:55 UTC 2013

On Friday, August 23, 2013 01:02:09 AM Leto wrote:
> can you show us the logs? I'm also not sure what 3.1-rc2 refers to? kernel
> version?

Sorry, I left something out. I'm preparing the next version of the Smoothwall 
Express open source firewall, presently at version 3.1-rc2. This is what I 
installed on the old PIII Gateway system.

The kernel version is 3.4 (3.4.53 in SWE3.1-rc2).

I can certainly supply log files, though they are wholly uninteresting right 
now. They show what I expect to see during startup. And they show no progress 
beyond STATE_MAIN_R2. tcpdump shows no port 500 traffic out of the old PIII 
and shows traffic into it. I'll put these dull logs in another msg 
(/var/log/secure, /var/log/messages, lsmod, and even 'ipsec barf' if desired).

I'd really prefer to provide logs and traces that show a lot more of what's 
happening. I can even provide side-by-side logs from a system that (normally) 
works and from the one that doesn't. I can even provide openswan build logs. 
But how do I make openswan (pluto) be more verbose?

And what's the preferred way to make large logs available? Attachments to the 
email? Off-list storage?

> did you try libreswan?

I looked at it a while ago (first release maybe), when it required several new 
packages (like NSS). It was different enough and new enough that I didn't want 
to change*. I haven't dismissed libreswan; if it reaches a state where it is 
easily built and doesn't differ too much from openswan, I'll certainly 
consider changing. Especially since libreswan is being very actively 


* The main idea of SWE3.1 is to be SWE3.0 on the surface, but be greatly 
modernized underneath. SWE3.0 was built with GCC3.5, glibc 2.3.2, binutils 
v2.17.20070103cvs, iptables v1.4.4. The kernel was recently changed from 
2.6.16 to 2.6.32, and openswan was also bumped to 2.6.33. It's taken me four 
years to modernize the foundation (linux/gcc/glibc/binutils/iptables, enhanced 
build system); if I don't limit the changes, it'll never be released. Having 
learned as I went, I wouldn't be surprised if I blundered with setting the 
ARCH, building glibc/binutils/gcc, or configuring the kernel. Some of that 
stuff is akin to black magic.

> sent from a tiny device
> On 2013-08-23, at 0:29, Neal Murphy <neal.p.murphy at alum.wpi.edu> wrote:
> > Howdy!
> > 
> > I've been preparing Smoothwall Express v3.1 for some time. (Linux 3.4,
> > GCC 4.7, Openswan 2.6.38, et alia). IPSEC has been working well between
> > newer systems during my testing all along. Atoms, Athlons and PhenomIIs
> > all behave well. VPNs come up right away, no troubles. Express 3.1 still
> > uses only the old "ike=3des-md5" and "esp=3des-md5". (Yes, this really
> > needs to be modernized.)
> > 
> > But I just ran into a problem I don't understand. A user has a Latitude
> > C510 (PIII-1200) that won't bring up VPN; but a marginally newer D600
> > (Celeron) does work. So I finally loaded 3.1-rc2 onto a year 2000
> > Gateway (PIII-600). And pluto doesn't want to talk over port 500
> > (ISAKMP). The same ISO installed on a PhenomII in KVMs (32- and 64-bit)
> > works fine. I think I can rule out bad hardware.
> > 
> > I do see pluto respond with its "Huh?" packet when it receives a bogus
> > packet on UDP port 500. But it never acknowledges the STATE_MAIN_I1
> > packets it receives, and I think it almost never sends any packets out.
> > That is, it doesn't 'speak the protocol'.
> > 
> > I *think* I see that the old Gateway does not load some of the crypto
> > modules. I suspect it is related to the ARCH I use to build the system,
> > and/or how the kernel is built. But I'm really at a loss.
> > 
> > Do any of you have any clues, any pointers? Ever run into something like
> > this before? Any thoughts as to why pluto on an old PIII would silently
> > not communicate over port 500, but does work well on newer CPUs?
