[Swan] Cannot start ipsec service using systemd
Philippe Vouters
philippe.vouters at laposte.net
Fri Jan 4 14:05:01 EET 2013
Dear Elison,
I am running Fedora 17 i686 with SELinux policy set to permissive. I
just downloaded https://download.libreswan.org/libreswan-3.0.tar.gz
and performed the following commands from my user account:
$ sudo yum remove libreswan
$ sudo mv /etc/ipsec.conf.rpmsave /etc/ipsec.conf
$ tar -zxvf download/libreswan-3.0.tar.gz
$ cd libreswan-3.0/
$ make programs
$ sudo make install
$ sudo systemctl start ipsec.service
[philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
      Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
      Active: active (running) since Fri, 04 Jan 2013 12:42:54 +0100; 14s ago
     Process: 2154 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
     Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
    Main PID: 2215 (sh)
      CGroup: name=systemd:/system/ipsec.service
              2215 /usr/bin/sh -c eval `/usr/local/libexec/ipsec/plut...
              2216 /usr/bin/sh -c eval `/usr/local/libexec/ipsec/plut...
              2217 /usr/local/libexec/ipsec/pluto --config /etc/ipsec...
              2242 _pluto_adns

Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair_conn ...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: added connection descr...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | reaped addconn helpe...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | connect_to_host_pair...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair: comp...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | connect_to_host_pair...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair: comp...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | connect_to_host_pair...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | find_host_pair: comp...
Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | connect_to_host_pair...
[philippe at victor libreswan-3.0]$ sudo systemctl stop ipsec.service
[philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
      Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
      Active: inactive (dead) since Fri, 04 Jan 2013 12:50:26 +0100; 2s ago
     Process: 2580 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
     Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
     Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown (code=exited, status=0/SUCCESS)
     Process: 2215 ExecStart=/usr/bin/sh -c eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
     Process: 2154 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
     Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
      CGroup: name=systemd:/system/ipsec.service

Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: shutting down
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing connectio...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "roadwarrior": deletin...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing connectio...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "macintosh-l2tp": dele...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing connectio...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "roadwarrior-l2tp": de...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing connectio...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: "roadwarrior-l2tp-upda...
Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | crl fetch request li...
So would it happen that you still have /etc/rc.d/init.d/ipsec*?
On my side:
[philippe at victor libreswan-3.0]$ ls /etc/rc.d/init.d/ipsec*
ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
Would it also happen, although it looks unlikely at first glance, that you are
facing some SELinux issue?
Can you give us the output of the following:
[philippe at victor libreswan-3.0]$ sudo getenforce
Permissive
If getenforce returns Enforcing, can you perform the following commands:
[philippe at victor libreswan-3.0]$ sudo restorecon /usr/local/sbin -Rv
[philippe at victor libreswan-3.0]$ sudo restorecon
/usr/local/libexec/ipsec -Rv
[philippe at victor libreswan-3.0]$
Once the above points are clean:
[philippe at victor libreswan-3.0]$ sudo systemctl --system daemon-reload
[philippe at victor libreswan-3.0]$ sudo systemctl restart ipsec.service
[philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
      Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
      Active: active (running) since Fri, 04 Jan 2013 12:58:55 +0100; 6s ago
     Process: 2580 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
     Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
     Process: 2572 ExecStop=/usr/local/sbin/ipsec whack --shutdown (code=exited, status=0/SUCCESS)
     Process: 2947 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
     Process: 2942 ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
    Main PID: 3011 (sh)
      CGroup: name=systemd:/system/ipsec.service
              3011 /usr/bin/sh -c eval `/usr/local/libexec/ipsec/plut...
              3012 /usr/bin/sh -c eval `/usr/local/libexec/ipsec/plut...
              3013 /usr/local/libexec/ipsec/pluto --config /etc/ipsec...
              3038 _pluto_adns

Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair_conn ...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: added connection descr...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | reaped addconn helpe...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | connect_to_host_pair...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair: comp...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | connect_to_host_pair...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair: comp...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | connect_to_host_pair...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | find_host_pair: comp...
Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | connect_to_host_pair...
Thank you so much in advance for keeping us informed.
Best regards,
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
On 04/01/2013 10:51, Elison Niven wrote:
> Hi,
>
> I downloaded libreswan and installed from source on Fedora 16.
> # Install dependencies
> $ yum install unbound-devel libcap-ng-devel xmlto
>
> # Remove openswan, racoon
> $ yum remove openswan ipsec-tools
>
> # Make and install libreswan
> $ make programs
> $ make install
>
> $ systemctl --system daemon-reload
> $ systemctl enable ipsec.service
> $ service ipsec start
> Redirecting to /bin/systemctl start ipsec.service
>
> $ service ipsec status
> Redirecting to /bin/systemctl status ipsec.service
> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>       Loaded: loaded (/lib/systemd/system/ipsec.service; enabled)
>       Active: failed since Fri, 04 Jan 2013 15:11:52 +0530; 2s ago
>      Process: 13445 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
>      Process: 13443 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
>      Process: 13440 ExecStop=/usr/local/sbin/ipsec whack --shutdown (code=exited, status=1/FAILURE)
>      Process: 13438 ExecStart=/usr/bin/sh -c eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS` (code=exited, status=203/EXEC)
>      Process: 13379 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
>      Process: 13376 ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
>       CGroup: name=systemd:/system/ipsec.service
>
>
> I can start pluto manually by executing the commands in the systemd
> unit file marked for ExecStartPre and ExecStart.
>
> $ cat /etc/systemd/system/multi-user.target.wants/ipsec.service
> [Unit]
> Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
> After=syslog.target
> After=network.target
> #After=remote-fs.target
>
> [Service]
> Type=simple
> Restart=always
> EnvironmentFile=-/etc/sysconfig/pluto
> #Environment=IPSEC_LIBDIR=/usr/local/libexec/ipsec
> #Environment=IPSEC_SBINDIR=/usr/local/sbin
> #Environment=IPSEC_EXECDIR=/usr/local/libexec/ipsec/ipsec
> #PIDFile=/var/run/pluto/pluto.pid
> #
> ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig
> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
> ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
> ExecStop=/usr/local/sbin/ipsec whack --shutdown
> ExecStopPost=/sbin/ip xfrm policy flush
> ExecStopPost=/sbin/ip xfrm state flush
> ExecReload=/usr/local/sbin/ipsec whack --listen
>
> [Install]
> WantedBy=multi-user.target
> Alias=syslog.service
>
> Any help?
>
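The quoted status ends in `status=203/EXEC` on the ExecStart line, which is systemd's way of saying that the child process could not exec its program at all (the binary is missing, lacks the exec bit, or is blocked by policy such as an SELinux label), and the reply above walks through exactly those checks by hand. The script below is an added example written for this thread, not libreswan code and not part of either message: it reads the Exec*= lines of a unit file, follows the `sh -c 'eval ...'` wrapper down to the program that really runs, and classifies each program before any `systemctl start`. The scratch directory, the helper names and the unit file it builds for the demo are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example for this thread, not libreswan's code. systemd's
# "status=203/EXEC" means execve() of the child failed: program missing,
# exec bit missing, or a policy denial (e.g. a wrong SELinux label).
# This walks the Exec*= lines of a unit file and classifies each program.

# Print the program path of each Exec*= line. For an "sh -c '...'" wrapper,
# like ipsec.service's ExecStart, also print the first absolute path inside
# the quoted command (the pluto binary itself), since that is what really runs.
unit_exec_programs() {
    sed -n 's/^Exec[A-Za-z]*=//p' "$1" | while IFS= read -r cmd; do
        cmd=$(printf '%s\n' "$cmd" | sed 's/^[-@+!]*//')   # drop systemd prefix chars
        prog=${cmd%% *}
        printf '%s\n' "$prog"
        case "$prog" in
            */sh|*/bash|*/dash)
                inner=$(printf '%s\n' "$cmd" \
                    | sed -n "s/.* -c *['\"]*[^/]*\(\/[^ \`'\"]*\).*/\1/p")
                if [ -n "$inner" ]; then printf '%s\n' "$inner"; fi
                ;;
        esac
    done
}

# Classify each program: OK, MISSING (no such file) or NOEXEC (present but
# not executable). Either failure is what systemd reports as status=203/EXEC.
check_unit_programs() {
    unit_exec_programs "$1" | while IFS= read -r p; do
        if [ ! -e "$p" ]; then echo "MISSING $p"
        elif [ ! -x "$p" ]; then echo "NOEXEC $p"
        else echo "OK $p"
        fi
    done
}

# SELinux mode: a program that passes -x can still fail execve() under
# Enforcing if its label is wrong, which is why the reply suggests
# restorecon on /usr/local/sbin and /usr/local/libexec/ipsec.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo unavailable; fi
}

# Constructed fixture (not a real system): a scratch dir with one executable
# helper, one helper that lost its exec bit, and a unit file pointing at both
# plus at a path that does not exist. Prints the unit file path.
make_demo_unit() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$d/addconn"; chmod 755 "$d/addconn"
    printf '#!/bin/sh\nexit 0\n' > "$d/pluto";   chmod 644 "$d/pluto"
    cat > "$d/ipsec.service" <<EOF
[Service]
ExecStartPre=$d/addconn --config /etc/ipsec.conf --checkconfig
ExecStartPre=$d/_stackmanager start
ExecStart=/bin/sh -c 'eval \`$d/pluto --config /etc/ipsec.conf --nofork\`'
EOF
    printf '%s\n' "$d/ipsec.service"
}

# Demo: with no argument, check the constructed fixture; pass a real unit path
# (e.g. /usr/lib/systemd/system/ipsec.service) to check a live system.
check_unit_programs "${1:-$(make_demo_unit)}"
echo "SELinux: $(selinux_mode)"
```

On the fixture the output is one OK line for the executable helper, one for /bin/sh, a MISSING line for the `_stackmanager` path and a NOEXEC line for the `pluto` copy without its exec bit; on a real host, an all-OK result with `getenforce` reporting Enforcing is the cue to look at labels with restorecon, as the reply recommends.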