[Openswan Users] Pluto not running

Miguel Goyanes mgoyanes at gmail.com
Mon Nov 11 10:13:41 UTC 2013


Hi.

I've deleted all content of ipsec.d and now pluto runs.

Thanks,

Miguel


On Mon, Nov 11, 2013 at 3:11 PM, Leto <letoams at gmail.com> wrote:

> nss initialisation fails sounds like you did not run "ipsec initnss" to
> create a new nss db. Or with selinux enabled it might need a restorecon -Rv
> /etc/ipsec.d
>
> (libreswan on fedora/rhel performs these steps on post on package install,
> but Debian/Ubuntu packages still need to be updated for that)
>
> sent from a tiny device
>
> On 2013-11-11, at 6:34, Miguel Goyanes <mgoyanes at gmail.com> wrote:
>
> Hello.
>
> I'm failing to start ipsec.
>
> If I do the below commands I get this message:
>
> [root@localhost ~]# service ipsec start
> Redirecting to /bin/systemctl start  ipsec.service
> [root@localhost ~]# service ipsec status
> Redirecting to /bin/systemctl status  ipsec.service
> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>    Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
>    Active: failed (Result: start-limit) since Mon 2013-11-11 11:28:08 WET;
> 1s ago
>   Process: 18430 ExecStopPost=/sbin/ip xfrm state flush (code=exited,
> status=0/SUCCESS)
>   Process: 18428 ExecStopPost=/sbin/ip xfrm policy flush (code=exited,
> status=0/SUCCESS)
>   Process: 18425 ExecStop=/usr/sbin/ipsec whack --shutdown (code=exited,
> status=1/FAILURE)
>   Process: 18421 ExecStart=/bin/sh -c eval `/usr/libexec/ipsec/pluto
> --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS` (code=exited,
> status=0/SUCCESS)
>   Process: 18354 ExecStartPre=/usr/libexec/ipsec/_stackmanager start
> (code=exited, status=0/SUCCESS)
>   Process: 18352 ExecStartPre=/usr/sbin/ipsec addconn --config
> /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>
> Nov 11 11:28:08 localhost.localdomain systemd[1]: Unit ipsec.service
> entered failed state.
> Nov 11 11:28:08 localhost.localdomain systemd[1]: ipsec.service holdoff
> time over, scheduling restart.
> Nov 11 11:28:08 localhost.localdomain systemd[1]: Stopping Internet Key
> Exchange (IKE) Protocol Daemon for IPsec...
> Nov 11 11:28:08 localhost.localdomain systemd[1]: Starting Internet Key
> Exchange (IKE) Protocol Daemon for IPsec...
> Nov 11 11:28:08 localhost.localdomain systemd[1]: ipsec.service start
> request repeated too quickly, refusing to start.
> Nov 11 11:28:08 localhost.localdomain systemd[1]: Failed to start Internet
> Key Exchange (IKE) Protocol Daemon for IPsec.
> Nov 11 11:28:08 localhost.localdomain systemd[1]: Unit ipsec.service
> entered failed state.
>
>
> Then if I check:
>
> [root@localhost ~]# ipsec verify
> Verifying installed system and configuration files
>
> Version check and ipsec on-path                   [OK]
> Libreswan 3.5 (netkey) on 3.11.1-200.fc19.x86_64
> Checking for IPsec support in kernel               [OK]
>  NETKEY: Testing XFRM related proc values
>          ICMP default/send_redirects               [NOT DISABLED]
>
>   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
> or cause sending of bogus ICMP redirects!
>
>          ICMP default/accept_redirects             [NOT DISABLED]
>
>   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on
> or cause sending of bogus ICMP redirects!
>
>          XFRM larval drop                         [OK]
> Pluto ipsec.conf syntax                           [OK]
> Hardware random device                             [N/A]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking rp_filter                                 [ENABLED]
>  /proc/sys/net/ipv4/conf/cint0/rp_filter           [ENABLED]
>  /proc/sys/net/ipv4/conf/default/rp_filter         [ENABLED]
>  /proc/sys/net/ipv4/conf/gw0/rp_filter             [ENABLED]
>  /proc/sys/net/ipv4/conf/p2p1/rp_filter           [ENABLED]
>  /proc/sys/net/ipv4/conf/rw0/rp_filter             [ENABLED]
>   rp_filter is not fully aware of IPsec and should be disabled
> Checking that pluto is running                     [FAILED]
> Checking NAT and MASQUERADEing                     [TEST INCOMPLETE]
> Checking 'ip' command                             [OK]
> Checking 'iptables' command                       [OK]
> Checking 'prelink' command does not interfere with FIPS [PRESENT]
> Checking for obsolete ipsec.conf options           [OK]
> Opportunistic Encryption                           [DISABLED]
>
> ipsec verify: encountered 15 errors - see 'man ipsec_verify' for help
>
>
>
> My /var/log/secure has this:
>
> Nov 11 11:28:08 localhost pluto[18424]: nss directory plutomain:
> /etc/ipsec.d
> Nov 11 11:28:08 localhost pluto[18424]: NSS initialization failed (err
> -8015)
>
>
>
> Please help me. How can I fix this error???
>
>
>
> Thanks,
>
> Miguel
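An added example, not part of the thread and not Libreswan code: a read-only triage of the failure shown above, which takes the NSS directory pluto logged and reports whether a database exists there before anything is deleted. The function names are hypothetical, and the file names checked are the standard NSS database files (cert8.db/key3.db/secmod.db for the legacy format, cert9.db/key4.db/pkcs11.txt for the SQL format).

```shell
#!/bin/sh
# Added example: non-destructive triage of pluto's NSS database directory.
# Reads a log such as /var/log/secure; changes nothing on disk.

# Print the NSS directory pluto last logged
# ("... pluto[PID]: nss directory plutomain: /etc/ipsec.d").
pluto_nss_dir() {
    sed -n 's/.*pluto\[[0-9]*]: nss directory plutomain: *//p' "$1" | tail -n 1
}

# Succeed if the log records the NSS initialization failure.
pluto_nss_failed() {
    grep -q 'pluto\[[0-9]*]: NSS initialization failed' "$1"
}

# Classify a directory: sql, legacy, partial or missing.
nss_db_state() {
    dir=$1; sql=0; dbm=0
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -f "$dir/$f" ]; then sql=$((sql + 1)); fi
    done
    for f in cert8.db key3.db secmod.db; do
        if [ -f "$dir/$f" ]; then dbm=$((dbm + 1)); fi
    done
    if [ "$sql" -eq 3 ]; then echo sql
    elif [ "$dbm" -eq 3 ]; then echo legacy
    elif [ $((sql + dbm)) -gt 0 ]; then echo partial
    else echo missing
    fi
}

# Combine both checks into one line of advice for the given log file.
triage() {
    log=$1
    if ! pluto_nss_failed "$log"; then echo "no NSS failure logged"; return 0; fi
    dir=$(pluto_nss_dir "$log")
    if [ -z "$dir" ]; then echo "NSS failure logged, directory unknown"; return 0; fi
    case $(nss_db_state "$dir") in
        missing) echo "$dir: no NSS db found; create one with 'ipsec initnss'" ;;
        partial) echo "$dir: incomplete NSS db; back up $dir before repairing" ;;
        *) echo "$dir: NSS db present; check labels with 'restorecon -Rv $dir'" ;;
    esac
}

# Stand-alone use: sh nss_triage.sh /var/log/secure
if [ "$#" -gt 0 ]; then triage "$1"; fi
```

A "partial" or "present" result means the directory may still hold keys and certificates, so copy it aside before removing anything.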