[Openswan Users] Downloaded the latest and greatest source ... now problems ?

jchludzinski jchludzinski at vivaldi.net
Sat Apr 6 05:28:53 EDT 2019


Update:

After having read thru openswan-2.6.51.3/docs/README.nss, I:

root at raspberrypi /etc/ipsec.d# certutil -N -d /etc/ipsec.d/

This created 4 .db files:

root at raspberrypi /etc/ipsec.d# ls -l *.db
-rw------- 1 root root 65536 Apr  5 21:48 cert8.db
-rw------- 1 root root 28672 Apr  5 21:24 cert9.db
-rw------- 1 root root 16384 Apr  5 21:48 key3.db
-rw------- 1 root root 28672 Apr  5 21:24 key4.db
-rw------- 1 root root 16384 Apr  5 21:22 secmod.db

Checking further, I found:

root at raspberrypi /etc/ipsec.d# ls *.db | xargs file
cert8.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
cert9.db: SQLite 3.x database, last written using SQLite version 3016002
key3.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
key4.db: SQLite 3.x database, last written using SQLite version 3016002
secmod.db: Berkeley DB 1.85 (Hash, version 2, native byte-order) 

*** Why am I getting Berkeley and SQLite 3.x DBs?

Then I created nsspassword:

root at raspberrypi /etc/ipsec.d# echo cert8.db:<password> > nsspassword
root at raspberrypi /etc/ipsec.d# echo cert9.db:<password> > nsspassword

Now I get:

pi at raspberrypi ~> systemctl status ipsec
...
Apr 05 21:50:33 raspberrypi pluto[1227]: adding interface lo/lo ::1:500 (AF_INET6)
Apr 05 21:50:33 raspberrypi ipsec__plutorun[1223]: 002 adding interface lo/lo ::1:500 (AF_INET6)
Apr 05 21:50:33 raspberrypi pluto[1227]: loading secrets from "/etc/ipsec.secrets"
Apr 05 21:50:33 raspberrypi ipsec__plutorun[1223]: 002 loading secrets from "/etc/ipsec.secrets"
Apr 05 21:50:33 raspberrypi pluto[1227]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Apr 05 21:50:33 raspberrypi ipsec__plutorun[1223]: 002 loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Apr 05 21:50:33 raspberrypi pluto[1227]:     could not open host cert with nick name '/etc/ipsec.d/private/raspberrypiKey.pem' in NSS DB
Apr 05 21:50:33 raspberrypi ipsec__plutorun[1223]: 002     could not open host cert with nick name '/etc/ipsec.d/private/raspberrypiKey.pem' in NSS DB
Apr 05 21:50:33 raspberrypi pluto[1227]: "/var/lib/openswan/ipsec.secrets.inc" line 1: NSS certficate not found
Apr 05 21:50:33 raspberrypi ipsec__plutorun[1223]: 003 "/var/lib/openswan/ipsec.secrets.inc" line 1: NSS certficate not found

and:

root at raspberrypi /etc/ipsec.d# ipsec verify
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                       [OK]
Openswan U2.6.51.2/K4.14.79-v7+ (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                  [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                  [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects                [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                             [OK]
Hardware random device check                          [N/A]
Two or more interfaces found, checking IP forwarding    [FAILED]
Checking rp_filter                                    [OK]
Checking that pluto is running                        [OK]
 Pluto listening for IKE on udp 500                   [FAILED]
 Pluto listening for IKE on tcp 500                   [NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500            [DISABLED]
 Pluto listening for IKE/NAT-T on tcp 4500            [NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)         [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                        [TEST INCOMPLETE]
Checking 'ip' command                                 [OK]
Checking 'iptables' command                           [OK]

ipsec verify: encountered errors

I'm not sure why I'm getting: "Pluto listening for IKE on udp 500 [FAILED]"

On 2019-04-05 19:53, jchludzinski wrote: 

> I downloaded the latest and greatest source from
> https://www.openswan.org. I wanted to build openswan with support for
> NSS. This appears to have worked using the USE_LIBNSS environment
> variable.
> 
> Next:
> $ set -x USE_LIBNSS true
> (I use the fish shell, like all sane people).
> 
> Then:
> $ make programs
> $ sudo make install
> 
> Then I try:
> 
> ~/openswan-2.6.51.3> sudo systemctl start ipsec
> 
> ~/openswan-2.6.51.3> systemctl status ipsec
> 
> ● ipsec.service - LSB: Start Openswan IPsec at boot time
> Loaded: loaded (/etc/init.d/ipsec; generated; vendor preset: enabled)
> Active: active (running) since Fri 2019-04-05 19:32:19 EDT; 16min ago
> Docs: man:systemd-sysv-generator(8)
> Process: 24261 ExecStop=/etc/init.d/ipsec stop (code=exited, status=0/SUCCESS)
> Process: 24360 ExecStart=/etc/init.d/ipsec start (code=exited,
> status=0/SUCCESS)
> CGroup: /system.slice/ipsec.service
> ├─24502 /bin/sh /usr/local/lib/ipsec/_plutorun --debug
> --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no
> --nat_traversal yes --keep_alive --protostack auto --force_keepali
> ├─24503 logger -s -p daemon error -t ipsec__plutorun
> ├─24504 /bin/sh /usr/local/lib/ipsec/_plutorun --debug
> --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no
> --nat_traversal yes --keep_alive --protostack auto --force_keepali
> ├─24505 /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
> ├─24507 /usr/local/libexec/ipsec/pluto --nofork
> --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto
> --uniqueids --nat_traversal --virtual_private
> %v4:10.0.0.0/8,%v4:192.168
> └─24518 _pluto_adns -- <idle>
> 
> Apr 05 19:32:20 raspberrypi pluto[24507]: adding interface lo/lo ::1:500 (AF_INET6)
> Apr 05 19:32:20 raspberrypi ipsec__plutorun[24503]: 002 adding interface lo/lo ::1:500 (AF_INET6)
> Apr 05 19:32:20 raspberrypi pluto[24507]: loading secrets from "/etc/ipsec.secrets"
> Apr 05 19:32:20 raspberrypi ipsec__plutorun[24503]: 002 loading secrets from "/etc/ipsec.secrets"
> Apr 05 19:32:20 raspberrypi pluto[24507]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
> Apr 05 19:32:20 raspberrypi ipsec__plutorun[24503]: 002 loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
> Apr 05 19:32:20 raspberrypi pluto[24507]:     could not open host cert with nick name '/etc/ipsec.d/private/raspberrypiKey.pem' in NSS DB
> Apr 05 19:32:20 raspberrypi ipsec__plutorun[24503]: 002     could not open host cert with nick name '/etc/ipsec.d/private/raspberrypiKey.pem' in NSS DB
> Apr 05 19:32:20 raspberrypi pluto[24507]: "/var/lib/openswan/ipsec.secrets.inc" line 1: NSS certficate not found
> Apr 05 19:32:20 raspberrypi ipsec__plutorun[24503]: 003 "/var/lib/openswan/ipsec.secrets.inc" line 1: NSS certficate not found
> 
> How do I get past the final 4 messages?

-- 
NULL
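An added example, not part of this thread and not Openswan's own tooling: a small POSIX sh check for the two configuration points the errors above touch, an RSA secret whose "nickname" is really a PEM path, and an nsspassword file keyed on a database file name. It assumes, from README.nss, that RSA secrets take the `: RSA "nickname"` form and that nsspassword holds `token:password` lines keyed on the softoken label "NSS Certificate DB"; the sample files are constructed, and the certutil lookup only runs where certutil is installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Openswan). Assumed from
# README.nss: ': RSA "nickname"' names a certificate inside the NSS DB, and
# nsspassword lines are "token:password" keyed on the softoken label.

# Print the nickname from a ': RSA ...' secrets line (quoted or bare);
# print nothing for any other line.
rsa_nickname() {
    printf '%s\n' "$1" | sed -n -E \
        -e 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]+"([^"]*)".*/\1/p' \
        -e 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]+([^"[:space:]]+).*/\1/p'
}

# Succeed when the "nickname" is really a file path: the symptom behind
# "could not open host cert with nick name '/etc/...pem' in NSS DB".
nickname_is_path() {
    case "$1" in /*|*.pem|*.key) return 0 ;; *) return 1 ;; esac
}

# Print every path-like RSA nickname found in a secrets file.
bad_rsa_entries() {
    while IFS= read -r line; do
        nick=$(rsa_nickname "$line")
        [ -n "$nick" ] && nickname_is_path "$nick" && printf '%s\n' "$nick"
    done < "$1"
    return 0
}

# Print nsspassword lines keyed on a file name such as "cert8.db:...".
bad_nsspassword_entries() {
    grep -E '^[^:]*\.db:' "$1" || true
}

# With certutil installed, check that a nickname exists in the NSS DB under
# either layout: "sql:" (cert9.db/key4.db) or "dbm:" (cert8.db/key3.db).
cert_in_nssdb() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed"; return 2; }
    certutil -L -d "sql:$1" -n "$2" >/dev/null 2>&1 ||
        certutil -L -d "dbm:$1" -n "$2" >/dev/null 2>&1
}

# Constructed sample files mirroring the thread's setup (not real config).
SAMPLE_DIR=$(mktemp -d)
printf ': RSA /etc/ipsec.d/private/raspberrypiKey.pem\n: RSA "raspberrypiCert"\n' \
    > "$SAMPLE_DIR/ipsec.secrets.inc"
printf 'cert8.db:secret\nNSS Certificate DB:secret\n' > "$SAMPLE_DIR/nsspassword"
echo "path-like RSA nicknames:"; bad_rsa_entries "$SAMPLE_DIR/ipsec.secrets.inc"
echo "nsspassword lines keyed on a file name:"; bad_nsspassword_entries "$SAMPLE_DIR/nsspassword"
```

Run it against a real /etc/ipsec.d by pointing the two functions at the live files and calling `cert_in_nssdb /etc/ipsec.d "<nickname>"` for each nickname the secrets file names.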