[Swan-dev] 'error: ‘CKM_AES_CTR’ undeclared' while compiling libreswan-3.15

prasad zambare prasadzambare at gmail.com
Fri Sep 25 16:05:29 EEST 2015


Hi Paul,

Mistakenly I wrote /etc/ipsec instead of /etc/init.d/ipsec etc. Sorry for
the mistake.

Make install in nss is deploying files in include, lib and bin. So I
copied (cp -Lr) files from dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/ in
/usr/local/include, /usr/lib and /bin folders as previous nss install
deployed files there. After this change I do not need to use
LD_LIBRARY_PATH and Makefile.inc.local contains,

NSSFLAGS=-I/usr/local/include/nss -I/usr/local/include/nspr
NSSLIBS=-L/usr/lib -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl

But still no luck. While debugging I got the below logs,


[root@prasad-lab01-pc1 libreswan-3.15]# ipsec verify:
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 2.6.39.4
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects                  [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [FAILED]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]

ipsec verify: encountered 4 errors - see 'man ipsec_verify' for help
[root@prasad-lab01-pc1 libreswan-3.15]# service ipsec start
Starting pluto IKE daemon for IPsec: .....
[root@prasad-lab01-pc1 libreswan-3.15]# service ipsec status
ipsec: pluto is stopped
[root@prasad-lab01-pc1 libreswan-3.15]# tail /var/log/secure
Sep 24 00:37:02 prasad-lab01-pc1 ipsec__plutorun: restarting IPsec after pause...
Sep 24 00:37:05 prasad-lab01-pc1 ipsec__plutorun: Starting Pluto subsystem...
Sep 24 00:37:05 prasad-lab01-pc1 ipsec__plutorun: !pluto failure!:  exited with error status 127
Sep 24 00:37:05 prasad-lab01-pc1 ipsec__plutorun: restarting IPsec after pause...
Sep 24 00:37:10 prasad-lab01-pc1 ipsec__plutorun: Starting Pluto subsystem...
Sep 24 00:37:10 prasad-lab01-pc1 ipsec__plutorun: !pluto failure!:  exited with error status 127
Sep 24 00:37:10 prasad-lab01-pc1 ipsec__plutorun: restarting IPsec after pause...
Sep 24 00:37:13 prasad-lab01-pc1 ipsec__plutorun: Starting Pluto subsystem...
Sep 24 00:37:13 prasad-lab01-pc1 ipsec__plutorun: !pluto failure!:  exited with error status 127
Sep 24 00:37:13 prasad-lab01-pc1 ipsec__plutorun: restarting IPsec after pause...

Please correct me or provide me some pointers.

Thank You,
Prasad


On Tue, Sep 22, 2015 at 10:25 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 22 Sep 2015, prasad zambare wrote:
>
>> Please find the below steps and let me know what I am missing or doing
>> wrong. Please guide me on how can I use or deploy the
>> compiled binaries of libreswan+nss.
>>
>> Commented lines from Makefile.inc starting with NSSFLAGS and NSSLIBS (as
>> Makefile.inc.local was not present)
>
> Makefile.inc.local will never be created by us. The idea is you can
> always just copy your Makefile.inc.local into any libreswan-3.xx/
> directory and everything in Makefile.inc.local overrides what is in
> Makefile.inc.
>
> So yes, you can change Makefile.inc too.
>
>> Appended below lines to Makefile.inc (as I did not find nss folder in
>> /usr/local/include, but found it in
>> /root/libreconfig/nss-3.16/dist/public/nss)
>> NSSFLAGS=-I/root/libreconfig/nss-3.16/dist/public/nss -I/usr/local/include/nspr
>> NSSLIBS=-L/usr/local/lib -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
>
> These should get auto-detected using pkg-config. If not, then your
> install of nss or nspr was not complete. You should never need to
> link against things in the nss-3.16 source tree!
>
>> Also, set LD_LIBRARY_PATH to
>> /root/libreconfig/nss-3.16/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib (to
>> resolve undefined reference errors)
>
> That seems wrong. is /usr/local/lib in your /etc/ld.so.conf? You need to
> install the nss library and headers using something like "make install".
>
>> Then copied certutil to /usr/bin (to avoid error "/usr/local/sbin/ipsec:
>> line 342: certutil: command not found" while starting
>> ipsec service)
>>
>> cp ../nss-3.16/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/bin/certutil /usr/bin/
>
> /usr/local/bin and /usr/local/sbin tend to not be in root's PATH on
> modern linux.
>
>> After these steps when '/etc/ipsec start' ipsec got started but
>> immediately after; the '/etc/ipsec status' showed it has stopped.
>
> the ipsec command should not be in /etc ???
> the ipsec command should be in your path, and then you can issue:
> ipsec status
> ipsec restart
> etc etc.
>
> Paul
>
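
Added example (not part of the original message or of libreswan): the two [NOT DISABLED] findings in the 'ipsec verify' output above refer to /proc/sys/net/ipv4/conf/*/send_redirects and accept_redirects. The sketch below lists every interface where either value is not 0; the function names, the optional directory argument and the sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: list interfaces whose ICMP redirect settings are not 0.

# Print one line per setting that is still enabled; return 1 if any is found.
# $1 overrides the tree to scan (hypothetical parameter, used by the demo).
check_redirects() {
    conf_root=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    for key in send_redirects accept_redirects; do
        for f in "$conf_root"/*/"$key"; do
            [ -r "$f" ] || continue          # unmatched glob or unreadable file
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                iface=$(basename "$(dirname "$f")")
                echo "NOT DISABLED: $iface/$key = $val"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Constructed sample tree mirroring the state reported in the message:
# the 'default' entries are enabled, 'all' and 'eth0' are already 0.
make_sample_tree() {
    root=$(mktemp -d)
    for iface in all default eth0; do
        mkdir -p "$root/$iface"
        echo 0 > "$root/$iface/send_redirects"
        echo 0 > "$root/$iface/accept_redirects"
    done
    echo 1 > "$root/default/send_redirects"
    echo 1 > "$root/default/accept_redirects"
    echo "$root"
}

# Demo on the constructed tree only; the live system is not touched.
sample=$(make_sample_tree)
check_redirects "$sample" || echo "redirects still enabled in the sample tree"
rm -rf "$sample"
```

Called without an argument, check_redirects reads the live /proc tree.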