[Openswan Users] Downloaded the latest and greatest source ... now problems ?
jchludzinski
jchludzinski at vivaldi.net
Sat Apr 6 05:28:53 EDT 2019
Update:
After having read thru openswan-2.6.51.3/docs/README.nss, I:
root at raspberrypi /etc/ipsec.d# certutil -N -d /etc/ipsec.d/
This created 4 .db files:
root at raspberrypi /etc/ipsec.d# ls -l *.db
-rw------- 1 root root 65536 Apr 5 21:48 cert8.db
-rw------- 1 root root 28672 Apr 5 21:24 cert9.db
-rw------- 1 root root 16384 Apr 5 21:48 key3.db
-rw------- 1 root root 28672 Apr 5 21:24 key4.db
-rw------- 1 root root 16384 Apr 5 21:22 secmod.db
Checking further, I found:
root at raspberrypi /etc/ipsec.d# ls *.db | xargs file
cert8.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
cert9.db: SQLite 3.x database, last written using SQLite version 3016002
key3.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
key4.db: SQLite 3.x database, last written using SQLite version 3016002
secmod.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
*** Why am I getting Berkeley and SQLite 3.x DBs?
Then I created nsspassword:
root at raspberrypi /etc/ipsec.d# echo cert8.db:<password> > nsspassword
root at raspberrypi /etc/ipsec.d# echo cert9.db:<password> > nsspassword
Now I get:
pi at raspberrypi ~> systemctl status ipsec
...
Apr 05 21:50:33 raspberrypi pluto[1227]: adding interface lo/lo ::1:500 (AF_INET6)
Apr 05 21:50:33 raspberrypi ipsec__plutorun[1223]: 002 adding interface lo/lo ::1:500 (AF_INET6)
Apr 05 21:50:33 raspberrypi pluto[1227]: loading secrets from "/etc/ipsec.secrets"
Apr 05 21:50:33 raspberrypi ipsec__plutorun[1223]: 002 loading secrets from "/etc/ipsec.secrets"
Apr 05 21:50:33 raspberrypi pluto[1227]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Apr 05 21:50:33 raspberrypi ipsec__plutorun[1223]: 002 loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Apr 05 21:50:33 raspberrypi pluto[1227]: could not open host cert with nick name '/etc/ipsec.d/private/raspberrypiKey.pem' in NSS DB
Apr 05 21:50:33 raspberrypi ipsec__plutorun[1223]: 002 could not open host cert with nick name '/etc/ipsec.d/private/raspberrypiKey.pem' in NSS DB
Apr 05 21:50:33 raspberrypi pluto[1227]: "/var/lib/openswan/ipsec.secrets.inc" line 1: NSS certficate not found
Apr 05 21:50:33 raspberrypi ipsec__plutorun[1223]: 003 "/var/lib/openswan/ipsec.secrets.inc" line 1: NSS certficate not found
and:
root at raspberrypi /etc/ipsec.d# ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U2.6.51.2/K4.14.79-v7+ (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
ipsec verify: encountered errors
I'm not sure why I'm getting: "Pluto listening for IKE on udp 500 [FAILED]"
On 2019-04-05 19:53, jchludzinski wrote:
> I downloaded the latest and greatest source from
> https://www.openswan.org. I wanted to build openswan with support for
> NSS. This appears to have worked using the USE_LIBNSS environment
> variable.
>
> Next:
> $ set -x USE_LIBNSS true
> (I use the fish shell, like all sane people).
>
> Then:
> $ make programs
> $ sudo make install
>
> Then I try:
>
> ~/openswan-2.6.51.3> sudo systemctl start ipsec
>
> ~/openswan-2.6.51.3> systemctl status ipsec
>
> ● ipsec.service - LSB: Start Openswan IPsec at boot time
> Loaded: loaded (/etc/init.d/ipsec; generated; vendor preset: enabled)
> Active: active (running) since Fri 2019-04-05 19:32:19 EDT; 16min ago
> Docs: man:systemd-sysv-generator(8)
> Process: 24261 ExecStop=/etc/init.d/ipsec stop (code=exited, status=0/SUCCESS)
> Process: 24360 ExecStart=/etc/init.d/ipsec start (code=exited,
> status=0/SUCCESS)
> CGroup: /system.slice/ipsec.service
> ├─24502 /bin/sh /usr/local/lib/ipsec/_plutorun --debug
> --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no
> --nat_traversal yes --keep_alive --protostack auto --force_keepali
> ├─24503 logger -s -p daemon error -t ipsec__plutorun
> ├─24504 /bin/sh /usr/local/lib/ipsec/_plutorun --debug
> --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no
> --nat_traversal yes --keep_alive --protostack auto --force_keepali
> ├─24505 /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
> ├─24507 /usr/local/libexec/ipsec/pluto --nofork
> --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto
> --uniqueids --nat_traversal --virtual_private
> %v4:10.0.0.0/8,%v4:192.168
> └─24518 _pluto_adns -- <idle>
>
> Apr 05 19:32:20 raspberrypi pluto[24507]: adding interface lo/lo ::1:500 (AF_INET6)
> Apr 05 19:32:20 raspberrypi ipsec__plutorun[24503]: 002 adding interface lo/lo ::1:500 (AF_INET6)
> Apr 05 19:32:20 raspberrypi pluto[24507]: loading secrets from "/etc/ipsec.secrets"
> Apr 05 19:32:20 raspberrypi ipsec__plutorun[24503]: 002 loading secrets from "/etc/ipsec.secrets"
> Apr 05 19:32:20 raspberrypi pluto[24507]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
> Apr 05 19:32:20 raspberrypi ipsec__plutorun[24503]: 002 loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
> Apr 05 19:32:20 raspberrypi pluto[24507]: could not open host cert with nick name '/etc/ipsec.d/private/raspberrypiKey.pem' in NSS DB
> Apr 05 19:32:20 raspberrypi ipsec__plutorun[24503]: 002 could not open host cert with nick name '/etc/ipsec.d/private/raspberrypiKey.pem' in NSS DB
> Apr 05 19:32:20 raspberrypi pluto[24507]: "/var/lib/openswan/ipsec.secrets.inc" line 1: NSS certficate not found
> Apr 05 19:32:20 raspberrypi ipsec__plutorun[24503]: 003 "/var/lib/openswan/ipsec.secrets.inc" line 1: NSS certficate not found
>
> How do I get past the final 4 messages?
--
NULL
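Editor's note with a worked example (not part of the post above and not Openswan code). The three things the post shows are worth checking mechanically before touching pluto again: the directory holds both legacy Berkeley DB files (cert8.db, key3.db, secmod.db) and SQLite files (cert9.db, key4.db), and NSS opens only one of the two formats in a given directory, chosen by NSS_DEFAULT_DB_TYPE or by the dbm:/sql: prefix passed to certutil -d; the pluto log shows that an NSS-enabled pluto treats the value after ": RSA" in ipsec.secrets as a certificate nickname to look up in the NSS DB, so a PEM path there cannot work; and nsspassword entries are keyed by NSS token name, where the built-in software token is called "NSS Certificate DB", not by database file name. The script below runs those checks offline over constructed input that mirrors the post's ls output, secrets line and nsspassword line; the directory layout, the secrets text and the password value in demo() are all made up for the example.

```python
"""Offline sanity checks for an Openswan + NSS certificate setup.

Added example by the page editor, not Openswan code. It encodes the checks a
practitioner makes when pluto logs
"could not open host cert with nick name '...' in NSS DB".
"""
import os
import re
import tempfile

LEGACY_DBM = {"cert8.db", "key3.db", "secmod.db"}   # Berkeley DB 1.85 ("dbm:") format
SQLITE_DB = {"cert9.db", "key4.db", "pkcs11.txt"}   # SQLite ("sql:") format
INTERNAL_TOKEN = "NSS Certificate DB"   # name NSS gives its built-in software token

# ": RSA <ref>" where <ref> may be quoted; an NSS-enabled pluto treats <ref> as a nickname
RSA_SECRET = re.compile(r'^\s*:\s*RSA\s+"?([^"\s]+)"?')


def nss_db_formats(ipsecdir):
    """Return which NSS database formats ('dbm', 'sql') have files in ipsecdir."""
    present = set(os.listdir(ipsecdir))
    found = []
    if present & LEGACY_DBM:
        found.append("dbm")
    if present & SQLITE_DB:
        found.append("sql")
    return found


def rsa_secret_kind(line):
    """Classify a ': RSA ...' line as 'nickname', 'path' or 'inline'; None if not one."""
    m = RSA_SECRET.match(line)
    if not m:
        return None
    ref = m.group(1)
    if ref == "{":                      # raw key material follows, old non-NSS style
        return "inline"
    return "path" if ref.startswith("/") or ref.endswith(".pem") else "nickname"


def nsspassword_tokens(text):
    """Parse 'token:password' lines of nsspassword into {token: password}."""
    tokens = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        token, _, password = line.partition(":")
        tokens[token] = password
    return tokens


def check_setup(ipsecdir, secrets_text, nsspassword_text):
    """Return a list of human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    formats = nss_db_formats(ipsecdir)
    if len(formats) > 1:
        findings.append("mixed NSS database formats present: %s (NSS opens one format per "
                        "directory, chosen by NSS_DEFAULT_DB_TYPE or the dbm:/sql: prefix "
                        "given to certutil -d)" % ", ".join(formats))
    elif not formats:
        findings.append("no NSS database files found in %s" % ipsecdir)
    for n, line in enumerate(secrets_text.splitlines(), 1):
        if rsa_secret_kind(line) == "path":
            findings.append("secrets line %d: ': RSA' names a file path, but an NSS-enabled "
                            "pluto looks it up as a certificate nickname in the NSS DB" % n)
    tokens = nsspassword_tokens(nsspassword_text)
    if tokens and INTERNAL_TOKEN not in tokens:
        findings.append("nsspassword has no entry for token %r; entries are keyed by NSS "
                        "token name, not database file name (found: %s)"
                        % (INTERNAL_TOKEN, ", ".join(sorted(tokens))))
    return findings


def demo():
    """Constructed input: (a) the layout from the post, (b) a consistent sql-only layout."""
    with tempfile.TemporaryDirectory() as bad_dir, tempfile.TemporaryDirectory() as good_dir:
        for name in LEGACY_DBM | {"cert9.db", "key4.db"}:      # what the post's ls showed
            open(os.path.join(bad_dir, name), "wb").close()
        for name in SQLITE_DB:                                 # one format only
            open(os.path.join(good_dir, name), "wb").close()
        bad = check_setup(bad_dir,
                          ': RSA /etc/ipsec.d/private/raspberrypiKey.pem\n',   # assumed line 1
                          'cert9.db:hunter2\n')                                # keyed by file name
        good = check_setup(good_dir,
                           ': RSA "raspberrypi"\n',                            # assumed nickname
                           'NSS Certificate DB:hunter2\n')                     # keyed by token name
    return bad, good


if __name__ == "__main__":
    bad, good = demo()
    for f in bad:
        print("FINDING:", f)
    print("consistent setup findings:", good)
```

The nickname "raspberrypi" and the password in demo() are placeholders; the real nickname is whatever `certutil -L -d <dir>` lists for the host certificate after it has been imported into the NSS DB, and that same string, not the PEM path, is what belongs after ": RSA" in the secrets file and in leftcert=/rightcert= in ipsec.conf.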