<div dir="ltr"><div><div><div>Hi Paul,<br><br></div>Sorry for the very late reply. Today I resumed my work with libreswan. Thank you for the help.<br><br></div>Today I managed to compile libreswan with the steps below. But the ipsec service is not getting started successfully.<br><br></div>Please find the steps below and let me know what I am missing or doing wrong. Please guide me on how I can use or deploy the compiled binaries of libreswan+nss.<br><br><br><br>Steps<br>--------<br>Downloaded nss-3.16 code from<br><a href="https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_RTM/src/nss-3.16-with-nspr-4.10.4.tar.gz">https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_RTM/src/nss-3.16-with-nspr-4.10.4.tar.gz</a><br><br>Downloaded nsprpub source from<br><a href="https://github.com/makotokato/nsprpub">https://github.com/makotokato/nsprpub</a><br><br>Downloaded libreswan source from<br><a href="https://download.libreswan.org/libreswan-3.15.tar.gz">https://download.libreswan.org/libreswan-3.15.tar.gz</a><br><br>Installed the following packages using yum install (other required packages were already installed)<br>pam-devel<br>libcap-ng-devel<br>curl-devel<br>fipscheck-devel<br>unbound-devel<br>xmlto<br><br>Extracted nsprpub code and compiled + installed using &#39;./configure; make; make install&#39;<br><br>Extracted nss-3.16.1 source code and compiled using<br>cd nss-3.16.1, gmake clean nss_build_all; make install;<br><br>Extracted libreswan-3.15 and cd libreswan-3.15<br><br>Commented out the 28th line from packaging/makefiles/module24.make to avoid a compilation error<br><br>Commented out the lines from Makefile.inc starting with NSSFLAGS and NSSLIBS (as Makefile.inc.local was not present)<br><br>Appended the lines below to Makefile.inc (as I did not find the nss folder in /usr/local/include, but found it in /root/libreconfig/nss-3.16/dist/public/nss)<br>NSSFLAGS=-I/root/libreconfig/nss-3.16/dist/public/nss -I/usr/local/include/nspr<br>NSSLIBS=-L/usr/local/lib -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl<br><br><br>Also, set LD_LIBRARY_PATH to /root/libreconfig/nss-3.16/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib (to resolve undefined reference errors)<br><br>Compiled and installed using<br>make clean; make programs; make install<br><br>Checked the output of the command ipsec --help. The last line shows <br>Linux Libreswan U3.15/K(no kernel code presently loaded) on 2.6.39.4<br><br>Then copied certutil to /usr/bin (to avoid the error &quot;/usr/local/sbin/ipsec: line 342: certutil: command not found&quot; while starting the ipsec service)<br>cp ../nss-3.16/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/bin/certutil /usr/bin/<br><br>After these steps, when I ran &#39;/etc/ipsec start&#39;, ipsec got started, but immediately after, &#39;/etc/ipsec status&#39; showed it had stopped.<br><div><br><br></div><div>Thank You,<br></div><div>Prasad<br></div><div><br><br><br><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 14, 2015 at 11:45 PM, Paul Wouters <span dir="ltr">&lt;<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, 14 Sep 2015, prasad zambare wrote:<br>
<br>
</span><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thank you for the quick reply.<br>
<br>
I installed nss-3.16.1 using below steps<br>
1. Downloaded nss-3.16 code from<br>
<a href="https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_RTM/src/nss-3.16-with-nspr-4.10.4.tar.gz" rel="noreferrer" target="_blank">https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_RTM/src/nss-3.16-with-nspr-4.10.4.tar.gz</a><br>
2. Downloaded nsprpub source from<br>
<a href="https://github.com/makotokato/nsprpub" rel="noreferrer" target="_blank">https://github.com/makotokato/nsprpub</a><br>
3. Compiled nsprpub code and installed<br>
4. Extracted nss-3.16.1 source code<br>
5. cd nss-3.16.1, gmake clean nss_build_all<br>
6. It got compiled<br>
</blockquote>
<br></span>
Did that install in /usr/local ?<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
7. cd ../libreswan-3.15 and did &#39;make clean; make programs&#39;<br>
</blockquote>
<br></span>
We detect the nss includes via:<br>
<br>
$ pkg-config --cflags nss<br>
-I/usr/include/nss3 -I/usr/include/nspr4<br>
<br>
perhaps your old nss is still there and your new nss is in /usr/local ?<br>
<br>
You can override these by defining them in a Makefile.inc.local:<br>
<br>
#NSSFLAGS?=$(shell pkg-config --cflags nss)<br>
#NSSLIBS?=$(shell pkg-config --libs nss)<br>
NSSFLAGS=-I/usr/local/include/nss3 -I/usr/local/include/nspr4<br>
NSSLIBS=-L/usr/local/lib -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
But still got the same error.<br>
<br>
/root/libreswan-3.15/programs/pluto/ctr_test_vectors.c: In function ‘test_aes_ctr’:<br>
/root/libreswan-3.15/programs/pluto/ctr_test_vectors.c:243: error: ‘CKM_AES_CTR’ undeclared (first use in this function)<br>
/root/libreswan-3.15/programs/pluto/ctr_test_vectors.c:243: error: (Each undeclared identifier is reported only once<br>
/root/libreswan-3.15/programs/pluto/ctr_test_vectors.c:243: error: for each function it appears in.)<br>
make[3]: *** [ctr_test_vectors.o] Error 1<br>
<br>
<br>
Please let me know what went wrong? Please help me on this.<br>
<br>
Thank You,<br>
Prasad<br>
<br>
On Mon, Sep 14, 2015 at 9:13 PM, Paul Wouters &lt;<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>&gt; wrote:<br>
      On Mon, 14 Sep 2015, prasad zambare wrote:<br>
<br>
            I am getting compilation error while compiling libreswan-3.15 source code.<br>
<br>
            make[3]: Entering directory `/root/libreswan-3.15/OBJ.linux.i386/programs/pluto&#39;<br>
            cc   -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-all -fno-strict-aliasing -fPIE -DPIE<br>
            -DFORCE_PR_ASSERT -DDNSSEC -DFIPS_CHECK<br>
            -DFIPSPRODUCTCHECK=\&quot;/etc/system-fips\&quot; -DKLIPS -DLIBCURL -DUSE_LINUX_AUDIT -DUSE_MD5 -DHAVE_NM -DUSE_SHA2 -DUSE_SHA1<br>
            -DFIPSPRODUCTCHECK=\&quot;/etc/system-fips\&quot;<br>
            -DIPSEC_CONF=\&quot;/etc/ipsec.conf\&quot; -DIPSEC_CONFDDIR=\&quot;/etc/ipsec.d\&quot; -DIPSEC_NSSDIR=\&quot;/etc/ipsec.d\&quot;<br>
            -DIPSEC_CONFDIR=\&quot;/etc\&quot; -DIPSEC_EXECDIR=\&quot;/usr/local/libexec/ipsec\&quot;<br>
            -DIPSEC_SBINDIR=\&quot;/usr/local/sbin\&quot; -DIPSEC_VARDIR=\&quot;/var\&quot; -DPOLICYGROUPSDIR=\&quot;/etc/ipsec.d/policies\&quot;<br>
            -DSHARED_SECRETS_FILE=\&quot;/etc/ipsec.secrets\&quot; -DGCC_LINT<br>
            -DALLOW_MICROSOFT_BAD_PROPOSAL  -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security -Wundef<br>
            -Wmissing-declarations -Wredundant-decls -Wnested-externs<br>
            -I/root/libreswan-3.15/ports/linux/include -I/root/libreswan-3.15/ports/linux/include<br>
            -I/root/libreswan-3.15/ports/linux/include -I/root/libreswan-3.15/ports/linux/include <br>
            -I/root/libreswan-3.15/programs/pluto/linux26 -I/root/libreswan-3.15/include -I/root/libreswan-3.15/lib/libcrypto<br>
            -I/root/libreswan-3.15/linux/include   -DUSE_KEYRR   -DNETKEY_SUPPORT<br>
            -DKERNEL26_HAS_KAME_DUPLICATES -DPFKEY  -DUSE_TWOFISH -DUSE_SERPENT -DKLIPS -DPFKEY    -DUSE_AES -DUSE_3DES -DUSE_SHA2<br>
            -DUSE_SHA1 -DUSE_MD5 -DUSE_CAMELLIA   -DXAUTH_HAVE_PAM -DLIBCURL   <br>
            -DFIPS_CHECK -DHAVE_LIBCAP_NG -DHAVE_NM -I/usr/include/nss3 -I/usr/include/nspr4     \<br>
                            -MMD -MF ./ctr_test_vectors.d \<br>
                            -o ./ctr_test_vectors.o \<br>
                            -c /root/libreswan-3.15/programs/pluto/ctr_test_vectors.c<br>
            /root/libreswan-3.15/programs/pluto/ctr_test_vectors.c: In function ‘test_aes_ctr’:<br>
            /root/libreswan-3.15/programs/pluto/ctr_test_vectors.c:243: error: ‘CKM_AES_CTR’ undeclared (first use in this<br>
            function)<br>
            /root/libreswan-3.15/programs/pluto/ctr_test_vectors.c:243: error: (Each undeclared identifier is reported only once<br>
            /root/libreswan-3.15/programs/pluto/ctr_test_vectors.c:243: error: for each function it appears in.)<br>
            make[3]: *** [ctr_test_vectors.o] Error 1<br>
            make[3]: Leaving directory `/root/libreswan-3.15/OBJ.linux.i386/programs/pluto&#39;<br>
            make[2]: *** [local-base] Error 2<br>
            make[2]: Leaving directory `/root/libreswan-3.15/programs/pluto&#39;<br>
            make[1]: *** [all] Error 2<br>
            make[1]: Leaving directory `/root/libreswan-3.15/programs&#39;<br>
            make: *** [all] Error 2<br>
<br>
            Tried searching on internet but did not find the solution. Please provide some pointers so that I can fix this issue.<br>
<br>
<br>
It seems you have an old version of nss then? AES CTR was introduced in<br>
nss-3.14 (not libreswan-3.14)<br>
<br>
You should be using at least nss-3.16.<br>
<br>
Paul<br>
<br>
<br>
<br>
<br>
</blockquote>
</div></div></blockquote></div><br></div>
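<div>Added example, not part of the thread above and not libreswan code: a shell check for the situation discussed, where the build picks up NSS headers that lack CKM_AES_CTR. It walks the -I directories of an NSSFLAGS value in search order and reports the NSS version and whether pkcs11t.h defines CKM_AES_CTR. The function names are hypothetical and the sample header trees are constructed stand-ins.</div>

```shell
#!/bin/sh
# Added example: report which NSS headers a given NSSFLAGS value selects.

# Print the NSS_VERSION string declared in DIR/nss.h (empty if absent).
nss_version_in() {
    sed -n 's/^#define[[:space:]]*NSS_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$1/nss.h" 2>/dev/null | head -n 1
}

# Succeed if DIR/pkcs11t.h defines CKM_AES_CTR, the symbol the build failed on.
has_aes_ctr() {
    grep -Eq '^#define[[:space:]]+CKM_AES_CTR[[:space:]]' "$1/pkcs11t.h" 2>/dev/null
}

# Walk the -I directories of an NSSFLAGS string in compiler search order and
# judge the first one that contains nss.h. Prints "<dir> <version> <verdict>".
check_nss_flags() {
    for flag in $1; do
        case $flag in
            -I*) dir=${flag#-I} ;;
            *) continue ;;
        esac
        [ -f "$dir/nss.h" ] || continue
        if has_aes_ctr "$dir"; then
            echo "$dir $(nss_version_in "$dir") ok"
            return 0
        fi
        echo "$dir $(nss_version_in "$dir") missing-CKM_AES_CTR"
        return 1
    done
    echo "none - no-nss.h-found"
    return 2
}

# Constructed sample trees standing in for an old system NSS and a newer build.
make_sample_headers() {
    mkdir -p "$1/old" "$1/new"
    printf '#define NSS_VERSION "3.12.9"\n' > "$1/old/nss.h"
    printf '#define CKM_AES_CBC 0x00001082\n' > "$1/old/pkcs11t.h"
    printf '#define NSS_VERSION "3.16" _NSS_ECC_STRING\n' > "$1/new/nss.h"
    printf '#define CKM_AES_CTR 0x00001086\n' > "$1/new/pkcs11t.h"
}

tmp=$(mktemp -d)
make_sample_headers "$tmp"
check_nss_flags "-I$tmp/old -I/usr/include/nspr4" || true
check_nss_flags "-I$tmp/new -I/usr/local/include/nspr"
rm -rf "$tmp"
```

<div>On a build host the same function can be given the real flags, for example check_nss_flags "$(pkg-config --cflags nss)" or the NSSFLAGS value placed in Makefile.inc.local.</div>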