<div dir="ltr"><div><div><div>Hi Paul,<br><br>Mistakenly I wrote /etc/ipsec instead of /etc/init.d/ipsec etc. Sorry for the mistake.<br><br></div>Make install in nss is deploying files in include, lib and bin. So I copied (cp -Lr) files from dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/ into the /usr/local/include, /usr/lib and /bin folders, as the previous nss install deployed files there. After this change I do not need to use LD_LIBRARY_PATH, and Makefile.inc.local contains:<br><br>NSSFLAGS=-I/usr/local/include/nss -I/usr/local/include/nspr<br>NSSLIBS=-L/usr/lib -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl<br><br></div></div><div>But still no luck. While debugging I got the logs below:<br><br><br>[root@prasad-lab01-pc1 libreswan-3.15]# ipsec verify:<br>Verifying installed system and configuration files<br><br>Version check and ipsec on-path                         [OK]<br>Libreswan 3.15 (netkey) on 2.6.39.4<br>Checking for IPsec support in kernel                    [OK]<br> NETKEY: Testing XFRM related proc values<br>         ICMP default/send_redirects                    [NOT DISABLED]<br><br>  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!<br><br>         ICMP default/accept_redirects                  [NOT DISABLED]<br><br>  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!<br><br>         XFRM larval drop                               [OK]<br>Pluto ipsec.conf syntax                                 [OK]<br>Hardware random device                                  [N/A]<br>Two or more interfaces found, checking IP forwarding    [OK]<br>Checking rp_filter                                      [OK]<br>Checking that pluto is running                          [FAILED]<br>Checking &#39;ip&#39; command                                   [OK]<br>Checking &#39;iptables&#39; command                             [OK]<br>Checking &#39;prelink&#39; 
command does not interfere with FIPSChecking for obsolete ipsec.conf options                 [OK]<br>Opportunistic Encryption                                [DISABLED]<br><br>ipsec verify: encountered 4 errors - see &#39;man ipsec_verify&#39; for help<br>[root@prasad-lab01-pc1 libreswan-3.15]# service ipsec start<br>Starting pluto IKE daemon for IPsec: .....<br>[root@prasad-lab01-pc1 libreswan-3.15]# service ipsec status<br>ipsec: pluto is stopped<br>[root@prasad-lab01-pc1 libreswan-3.15]# tail /var/log/secure<br>Sep 24 00:37:02 prasad-lab01-pc1 ipsec__plutorun: restarting IPsec after pause...<br>Sep 24 00:37:05 prasad-lab01-pc1 ipsec__plutorun: Starting Pluto subsystem...<br>Sep 24 00:37:05 prasad-lab01-pc1 ipsec__plutorun: !pluto failure!:  exited with error status 127<br>Sep 24 00:37:05 prasad-lab01-pc1 ipsec__plutorun: restarting IPsec after pause...<br>Sep 24 00:37:10 prasad-lab01-pc1 ipsec__plutorun: Starting Pluto subsystem...<br>Sep 24 00:37:10 prasad-lab01-pc1 ipsec__plutorun: !pluto failure!:  exited with error status 127<br>Sep 24 00:37:10 prasad-lab01-pc1 ipsec__plutorun: restarting IPsec after pause...<br>Sep 24 00:37:13 prasad-lab01-pc1 ipsec__plutorun: Starting Pluto subsystem...<br>Sep 24 00:37:13 prasad-lab01-pc1 ipsec__plutorun: !pluto failure!:  exited with error status 127<br>Sep 24 00:37:13 prasad-lab01-pc1 ipsec__plutorun: restarting IPsec after pause...<br><br></div><div>Please correct me or provide me some pointers.<br><br></div><div>Thank You,<br></div><div>Prasad<br></div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 22, 2015 at 10:25 PM, Paul Wouters <span dir="ltr">&lt;<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, 22 Sep 2015, prasad zambare wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Please find the steps below and let me know what I am missing or doing wrong. Please guide me on how I can use or deploy the<br>
compiled binaries of libreswan+nss.<br>
</blockquote>
<br>
</span><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Commented lines from Makefile.inc starting with NSSFLAGS and NSSLIBS (as Makefile.inc.local was not present)<br>
</blockquote>
<br></span>
Makefile.inc.local will never be created by us. The idea is you can<br>
always just copy your Makefile.inc.local into any libreswan-3.xx/<br>
directory and everything in Makefile.inc.local overrides what is in<br>
Makefile.inc.<br>
<br>
So yes, you can change Makefile.inc too.<span class=""><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Appended the lines below to Makefile.inc (as I did not find the nss folder in /usr/local/include, but found it in<br>
/root/libreconfig/nss-3.16/dist/public/nss)<br>
NSSFLAGS=-I/root/libreconfig/nss-3.16/dist/public/nss -I/usr/local/include/nspr<br>
NSSLIBS=-L/usr/local/lib -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl<br>
</blockquote>
<br></span>
These should get auto-detected using pkg-config. If not, then your<br>
install of nss or nspr was not complete. You should never need to<br>
link against things in the nss-3.16 source tree!<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Also, set LD_LIBRARY_PATH to /root/libreconfig/nss-3.16/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib (to resolve undefined reference<br>
errors)<br>
</blockquote>
<br></span>
That seems wrong. Is /usr/local/lib in your /etc/ld.so.conf? You need to<br>
install the nss library and headers using something like &quot;make install&quot;.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Then copied certutil to /usr/bin (to avoid error &quot;/usr/local/sbin/ipsec: line 342: certutil: command not found&quot; while starting<br>
ipsec service)<br>
</blockquote>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
cp ../nss-3.16/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/bin/certutil /usr/bin/<br>
</blockquote>
<br></span>
/usr/local/bin and /usr/local/sbin tend to not be in root&#39;s PATH on<br>
modern Linux.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
After these steps when &#39;/etc/ipsec start&#39; ipsec got started but immediately after; the &#39;/etc/ipsec status&#39; showed it has stopped.<br>
</blockquote>
<br></span>
The ipsec command should not be in /etc ???<br>
The ipsec command should be in your path, and then you can issue:<br>
ipsec status<br>
ipsec restart<br>
etc etc.<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div>
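
A loader-level check for the "exited with error status 127" lines in the log above and for Paul's question about /etc/ld.so.conf, as an added example that is not part of either message or of libreswan: 127 is the status returned when a command or one of its shared libraries cannot be found. The function names, the sample ldd listing and the BIN placeholder are assumptions made here.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed, not from the poster's host.

# Print the sonames that an ldd listing on stdin reports as unresolved.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# Succeed if directory $1 is listed in ld.so.conf-style file $2.
# Comments and surrounding blanks are stripped; include lines are not followed.
ldconf_has_dir() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$2" |
        grep -qxF -- "$1"
}

# Verdict for an ldd listing file ($1), loader config ($2), library dir ($3).
triage() {
    libs=$(missing_libs < "$1" | tr '\n' ' ')
    if [ -z "$libs" ]; then
        echo "ok: all libraries resolve"
        return 0
    fi
    if ldconf_has_dir "$3" "$2"; then
        echo "unresolved: ${libs}($3 is configured; run ldconfig or check the install)"
    else
        echo "unresolved: ${libs}($3 missing from loader config)"
    fi
    return 1
}

# Constructed ldd listing for a binary linked with the thread's NSSLIBS.
sample_ldd() {
    printf '\t%s\n' \
        'libnss3.so => not found' \
        'libnspr4.so => /usr/lib/libnspr4.so (0x00007f0000000000)' \
        'libnssutil3.so => not found' \
        'libc.so.6 => /lib/libc.so.6 (0x00007f0000200000)'
}

# On a live host, with BIN standing in for the installed pluto binary:
#   ldd "$BIN" > /tmp/pluto.ldd
#   triage /tmp/pluto.ldd /etc/ld.so.conf /usr/local/lib
#   pkg-config --exists nss nspr || echo "nss/nspr .pc files not installed"
```

Resolving the libraries through the loader configuration rather than LD_LIBRARY_PATH also keeps a root-run daemon from loading code out of a build tree.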